{ config, ... }:
{
  config = {
    services.webdav-server-rs = {
      enable = true;
      settings = {
        server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
        accounts = {
          auth-type = "pam";
          acct-type = "unix";
        };
        pam = {
          service = "webdav-server-rs";
        };
        location = [
          {
            route = [ "/*path" ];
            auth = "true";
            handler = "virtroot";
            setuid = true;
            directory = "/srv/files";
          }
        ];
      };
    };
    systemd.services.webdav-server-rs = {
      serviceConfig = {
        RuntimeDirectory = "webdav-server-rs";
        RuntimeDirectoryMode = "0755";
      };
    };
    security.pam.services."webdav-server-rs".text = ''
      auth requisite  pam_succeed_if.so user ingroup webdav
      auth required   pam_unix.so audit likeauth nullok nodelay
      account sufficient pam_unix.so
    '';
    users.groups."webdav" = {};
    
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
      '';
      upstreams.webdav = {
        servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
      };
      virtualHosts = {
        "webdav.141.li" = {
          forceSSL = true;
          sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
          sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
          locations."/" = {
            proxyPass = "http://webdav/";
          };
        };
      };
    };
    security.acme.domains."webdav.141.li" = {
      zone = "141.li";
    };
  };
}