diff --git a/constants.nix b/constants.nix index d49999c..3dc7ded 100644 --- a/constants.nix +++ b/constants.nix @@ -49,5 +49,9 @@ rec { fqdn = "pw." + intranet; port = 8222; }; + webdav = { + fqdn = "dav." + intranet; + port = 8080; + }; }; } diff --git a/hosts/rx4/secrets/secrets.yaml b/hosts/rx4/secrets/secrets.yaml index a591f81..0aa47f7 100644 --- a/hosts/rx4/secrets/secrets.yaml +++ b/hosts/rx4/secrets/secrets.yaml @@ -13,6 +13,9 @@ syncthing: gui-pw: ENC[AES256_GCM,data:mN4rxYr5DZgvbpIkwSFIuPvviJE=,iv:Kyl3mZFOejVwEwBCKteJQpgbCosREp9C4T4JYhWz6KQ=,tag:6myk9lr/44CH/hyUPgRH0Q==,type:str] forgejo-runner: token: ENC[AES256_GCM,data:DZgi6ocpV0MplgQ6Et85vHxmkMfC4qYbLLdyRuj/4z8tJauz1w6DUQ==,iv:+SZYsv6sDn2Nc1WxhTn0dJGN9nXYZw16/HVtXJGXpHc=,tag:8Oa5mC7cUy85+lXHbRcCcg==,type:str] +webdav: + user: ENC[AES256_GCM,data:vCLx,iv:Nra/FprNfd02HpvqOb5uYK+IGRFHhNwnFXWrX71c0C0=,tag:TjbKKOKBTq31o/5MxmqIsA==,type:str] + pass: ENC[AES256_GCM,data:jfIoob6R6OhqKa2EujRzTQbvIlA=,iv:HvB088H2Z2uLCveT4YfNEdkK5VU0lBFD5FrZhx79fg0=,tag:1RnrfeUEURx0C575GTxi9A==,type:str] vaultwarden: admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str] smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str] 
@@ -36,7 +39,7 @@ sops: NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8 f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-17T16:35:00Z" - mac: ENC[AES256_GCM,data:U2WT4ENx8I9sr3byj7fQjv3H+mQTlhTI1HL9tufryKcUGjvb35ChwkIBcvEiYLa8udOR631sWwN4dCqZ4qwtCQ3MNjR8s1P6HqhzXeAPwyxfMLPZG1mbKXvYpamkxAOq8RxVHnVsPbrvFsxc57J11SI5IUfWT5T5GPQyJ+U8gMs=,iv:/xDaNV0fgKf9z+sql4BwwyIO/LQhRm3TrMhgaYZsPuE=,tag:Y0bfT1ZuiJ05F/+EwyzbSg==,type:str] + lastmodified: "2026-05-02T17:10:11Z" + mac: ENC[AES256_GCM,data:uf5TqZaevyUUjW6pM6K8c4CZFFdwTXFGIaHmYr5Q4XFR1uW3kBsVLeQKxq26duLuQ4UiZkUpW27a/PW797Z+iIpBdqbnoQ35q7RnOW+GpnAv8TaRW1PpqQ+JR3/R0LMXsi3cMt7ioG2ad1bIHztiNz+SmePiv3Yt9WxQ7PIqBdY=,iv:dAzuyKSo0OW+j02AH0chCdLBm7Wv6PZgqZrEWhEVnxQ=,tag:k6EKWHHY4fwTd03d4TVcNg==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 diff --git a/hosts/rx4/services/default.nix b/hosts/rx4/services/default.nix index 6cb2dc6..a61584e 100644 --- a/hosts/rx4/services/default.nix +++ b/hosts/rx4/services/default.nix @@ -19,10 +19,10 @@ ./open-webui-oci.nix ./print-server.nix ./rsshub-oci.nix - ./samba.nix ./vaultwarden.nix # ./alditalk-extender.nix # FIXME + # ./webdav.nix # FIXME ]; # bootstrap diff --git a/hosts/rx4/services/samba.nix b/hosts/rx4/services/samba.nix deleted file mode 100644 index 2696005..0000000 --- a/hosts/rx4/services/samba.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: - -{ - services.samba = { - enable = true; - openFirewall = false; - nmbd.enable = false; - winbindd.enable = false; - settings = { - global = { - workgroup = "WORKGROUP"; - "server string" = config.networking.hostName; - security = "user"; - "map to guest" = "Bad User"; - "guest account" = "nobody"; - }; - share = { - path = "/home/sid"; - browseable = "yes"; - "read only" = "yes"; - "guest ok" = "yes"; - "force user" = "sid"; - "directory mask" = "0750"; - }; - }; - }; -} 
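Review bot: The re-encrypted `sops.lastmodified` moves backwards, from `2026-05-17T16:35:00Z` on the removed line to `2026-05-02T17:10:11Z` on the added one, which suggests the file was edited on a stale checkout or on a host with a skewed clock rather than on top of the current revision. If the working copy was stale, any entries added to this file between those dates are silently dropped when the new `mac` replaces the old one, so the decrypted content should be diffed against the previous revision before this is merged. The same re-encryption covers the first hunk of this file, which adds the `webdav` `user`/`pass` keys.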
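Review bot: The added import is disabled (`# ./webdav.nix # FIXME`), so nothing from the new `hosts/rx4/services/webdav.nix` module is active, yet the `hosts/sid` hunks for coredns, nginx and step-ca already publish the `dav.` name, request a certificate for it and proxy it to rx4 on the webdav port. Until the module is enabled that endpoint resolves and terminates TLS but the upstream connection is refused, so clients see a 502 for a name that looks live. Either gate the sid-side wiring on the same FIXME, or keep the import active and track the floccus issue separately; at minimum the disabled line should say what depends on it, e.g. `# ./webdav.nix # FIXME: sid coredns/nginx/step-ca already reference this service`.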
diff --git a/hosts/rx4/services/webdav.nix b/hosts/rx4/services/webdav.nix
new file mode 100644
index 0000000..46d01a9
--- /dev/null
+++ b/hosts/rx4/services/webdav.nix
@@ -0,0 +1,86 @@
+{ constants, config, ... }:
+
+# FIXME: floccus throws error: NetworkError when attempting to fetch resource.
+
+let
+ cfg = config.services.webdav;
+
+ inherit (constants.services.webdav) fqdn port;
+in
+{
+ services.webdav = {
+ enable = true;
+ environmentFile = config.sops.templates."webdav/env-file".path;
+
+ settings = {
+ inherit port;
+ address = "127.0.0.1";
+ prefix = "/";
+ directory = "/srv/webdav";
+ users = [
+ {
+ username = "{env}WEBDAV_USER";
+ password = "{env}WEBDAV_PASS";
+ permissions = "CRUD";
+ }
+ ];
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${cfg.settings.directory} 0750 ${cfg.user} ${cfg.group} -"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ port ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${fqdn}" = {
+ listen = [
+ {
+ addr = "0.0.0.0";
+ inherit port;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth' always;
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth';
+ return 204;
+ }
+ '';
+ };
+ };
+ };
+
+ sops =
+ let
+ owner = cfg.user;
+ group = cfg.group;
+ mode = "0400";
+ in
+ {
+ secrets = {
+ "webdav/user" = {
+ inherit owner group mode;
+ };
+ "webdav/pass" = {
+ inherit owner group mode;
+ };
+ };
+ templates."webdav/env-file" = {
+ inherit owner group mode;
+ content = ''
+ WEBDAV_USER=${config.sops.placeholder."webdav/user"}
+ WEBDAV_PASS=${config.sops.placeholder."webdav/pass"}
+ ''; + }; + }; +} diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix index 13c3096..c7af795 100644 --- a/hosts/sid/services/coredns.nix +++ b/hosts/sid/services/coredns.nix @@ -20,6 +20,7 @@ ${hosts.sid.ip} ${services.netdata.fqdn} ${hosts.sid.ip} ${services.vaultwarden.fqdn} + ${hosts.sid.ip} ${services.webdav.fqdn} fallthrough } diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix index 81eace3..d1e6227 100644 --- a/hosts/sid/services/nginx.nix +++ b/hosts/sid/services/nginx.nix @@ -91,6 +91,14 @@ in }; }; }; + virtualHosts."${constants.services.webdav.fqdn}" = { + useACMEHost = "sid-internal"; + forceSSL = ssl; + locations."/" = { + proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.webdav.port}"; + proxyWebsockets = true; + }; + }; # FIXME # virtualHosts."print.sid.ovh" = { # enableACME = true; diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix index 21d04d4..d3abb11 100644 --- a/hosts/sid/services/step-ca.nix +++ b/hosts/sid/services/step-ca.nix @@ -82,6 +82,7 @@ in extraDomainNames = [ constants.services.netdata.fqdn # constants.services.vaultwarden.fqdn + constants.services.webdav.fqdn ]; server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory"; group = "nginx";
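Review bot: The backend and its local nginx front are configured on the same port: `settings` inherits `port`, so webdav listens on `127.0.0.1` at that port, while `virtualHosts."${fqdn}".listen` binds `0.0.0.0` on the same `port`. On Linux a wildcard-address listener conflicts with a specific-address listener on the same TCP port, so whichever unit starts second should fail with an address-in-use error, which may well be the `NetworkError` recorded in the FIXME at the top of this file. Give the backend its own loopback port, e.g. `backendPort = port + 1;` in the `let`, `port = backendPort;` in `settings`, and `proxyPass = "http://127.0.0.1:${toString backendPort}";`. Separately, `networking.firewall.allowedTCPPorts = [ port ]` together with the `0.0.0.0` listener exposes this HTTP-only, `Access-Control-Allow-Origin '*'` front to every host that can reach rx4, and the `hosts/sid/services/nginx.nix` hunk proxies to it over plain `http://`, so the WebDAV credentials cross the intranet unencrypted and the TLS vhost on sid can be bypassed; binding the listener to rx4's intranet address and scoping the firewall rule to the sid host or to the intranet interface would narrow that.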