diff --git a/modules/nixos/deertopia/syncthing.nix b/modules/nixos/deertopia/syncthing.nix
index 32af8e1..134b613 100644
--- a/modules/nixos/deertopia/syncthing.nix
+++ b/modules/nixos/deertopia/syncthing.nix
@@ -21,7 +21,7 @@ in {
 ];
 };
 "org" = {
- path = "/persist/deertopia.net/dav/org";
+ path = "/var/lib/webdav/~msyds/org";
 ignorePerms = true;
 devices = [
 "sydpc"
@@ -36,6 +36,7 @@ in {
 "jellyfin"
 "nginx"
 "media"
+ "webdav"
 ];
 
 sydnix.deertopia.nginx.vhosts."syncthing".vhost = {
diff --git a/modules/nixos/deertopia/webdav.nix b/modules/nixos/deertopia/webdav.nix
index 6e6b339..cf82578 100644
--- a/modules/nixos/deertopia/webdav.nix
+++ b/modules/nixos/deertopia/webdav.nix
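Review bot: The Syncthing folder path `/var/lib/webdav/~msyds/org` is written by hand here and again in webdav.nix's tmpfiles rules (the hunk adding `systemd.tmpfiles.settings."50-var-lib-webdav"`), so the two can drift silently; exposing the share root as an option on the webdav module (defaulting to `"/var/lib/webdav"`) and building this `path` from it would tie them together. Adding the Syncthing service to the `webdav` group is presumably what lets it write into the setgid `2775` directories that webdav.nix creates, but nothing here says so; a short comment next to `"webdav"` such as `# shared with the WebDAV service; see webdav.nix` would record that intent for the next reader. Note that with `ignorePerms = true` Syncthing will not repair permissions, so the group-writable bit on files created by the other side must come from that service's umask. Both hunks sit inside an attribute set that starts and ends outside them.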
@@ -13,32 +13,54 @@ in {
 type = lib.types.port;
 description = ''
 The internal WebDAV port. The actual server will be hosted at
- https://dav.deertopia.net:80/.
+ https://dav.deertopia.net/.
 '';
 };
+
+ user = lib.mkOption {
+ default = "webdav";
+ type = lib.types.str;
+ };
+
+ group = lib.mkOption {
+ default = "webdav";
+ type = lib.types.str;
+ };
 };
 };
 
 config = mkIf cfg.enable {
- systemd.services.deertopia-webdav-server =
- let htpasswdFile = "/persist/deertopia.net/htpasswd";
- directory = "/persist/deertopia.net/dav";
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ users.groups.${cfg.group} = {};
+
+ systemd.services.webdav =
+ let htpasswdFile = "/run/secrets/webdav-htpasswd";
+ directory = "/var/lib/webdav";
 in {
 description = "Deertopia's WebDAV server";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- # TODO: Exclude .git.
- # TODO: Respect .gitignore.
 script = ''
 ${pkgs.rclone}/bin/rclone serve webdav \
 --addr ":${builtins.toString cfg.port}" \
 --htpasswd "${htpasswdFile}" "${directory}"
 '';
- serviceConfig.Restart = "always";
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ Restart = "always";
+ };
+ unitConfig = {
+ StateDirectory = "webdav";
+ };
 };
 
 # Without this, Nginx will attempt redirections to https://localhost, which
- # is not okay, as localhost does not have any associated certs!
+ # is not okay because localhost does not have any associated certs!
 # See: https://forum.seafile.com/t/seafdav-move-command-causing-502/11582/26
 services.nginx.appendHttpConfig = ''
 map $http_destination $http_destination_webdav {
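Review bot: `StateDirectory` is a `[Service]` directive, but the new code places it under `unitConfig`, where systemd logs an unknown-key warning and ignores it, so the unit itself neither creates `/var/lib/webdav` nor hands it to `${cfg.user}`; move it into the new `serviceConfig` block: `serviceConfig = { User = cfg.user; Group = cfg.group; StateDirectory = "webdav"; Restart = "always"; };` and drop the `unitConfig` attribute. Because Syncthing is added to the `webdav` group to share the same tree (see syncthing.nix), files that rclone creates also need to be group-writable, which the default service umask of 0022 does not give; `UMask = "0002";` in `serviceConfig` would make the setgid `2775` directories work as a shared group area. Now that the service runs as an unprivileged user, the usual hardening (`NoNewPrivileges = true;`, `ProtectSystem = "strict";` plus `ReadWritePaths` for the state directory) is cheap to add. The `htpasswdFile` value is a hand-written `/run/secrets/...` string; if the `sydnix.sops` wrapper exposes the generated secret path, referencing it would keep the two declarations in sync. The enclosing `config = mkIf cfg.enable { … }` continues past the end of the hunk.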
@@ -47,6 +69,25 @@ in {
 }
 '';
 
+ systemd.tmpfiles.settings."50-var-lib-webdav" =
+ let
+ e =
+ let x = { inherit (cfg) user group; mode = "2775"; };
+ in { z = x; v = x; };
+ in {
+ "/var/lib/webdav/~msyds/org" = e;
+ "/var/lib/webdav/~msyds/zotero" = e;
+ };
+
+ sydnix.sops.secrets.webdav-htpasswd = {
+ owner = cfg.user;
+ mode = "0600";
+ };
+
+ sydnix.impermanence.directories = [
+ "/var/lib/webdav"
+ ];
+
 sydnix.deertopia.nginx.vhosts."dav".vhost = {
 forceSSL = true;
 enableACME = true;
diff --git a/secrets.yaml b/secrets.yaml
index 053b19d..d786182 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -21,6 +21,7 @@ deertopia-cache-key: ENC[AES256_GCM,data:icKy8QZ59/zvQXgsTqN0PInUH3kgZBquwoAF0Lz
 buffalo-nas-creds: ENC[AES256_GCM,data:dG8aA6KtATFyfDVGqF0a1wavhXDIv9bxnw==,iv:3H6T/THSxAAWTjDi35Q17Syq0Fz6jsHItzJUPxamzhA=,tag:f8kUnPX1Ik5HT6sDuHaFaw==,type:str]
 transmission-credentials: ENC[AES256_GCM,data:HQtayxLRPATLXfS2DvPx9cNjSHk996QhSz6hiF0dnOS4Mdt1u+Ru+r7UNsfNLKOtB8j+mITizVH9S/5GryqTUB+ffJVet5Iw,iv:JRD3MVOwKPaL9S8Xa+amG32qOGaCN1c1N25kCcuVfpU=,tag:FG8ZsAEBpVAiXCYhw3MdZQ==,type:str]
 sssd-environment: ENC[AES256_GCM,data:wDRBM5m5NgFTJorxM0j2TKbFqJW6LHh3or4vlyjdi0P7rXHCoSmURZ+n,iv:et5JvjA49lcPh0oaBdYd5xjmlsP1Hu7JRttfLErxpTs=,tag:Alh1wSbRadoRN6+ij6J8Jw==,type:str]
+webdav-htpasswd: ENC[AES256_GCM,data:48cD9VTfXbcO4fjSADgI/w/QZ/PxeMHsxsl85TpQF7dVkg10feHpr6p+CkqNlkTR6nbU+DsWad8qcf312iQNFmFyjHxxrRb36OvxIz7/ypyAL/KlAclYYNNfTT8VajZGvXYYaZo3hzVsNClSdkK9msxlklEn8EV6FH7A0oXVIn3WldDn8w==,iv:a8w3zcIatg6hwTDkc5qap1ueM32WMRw84cbwskYbqaM=,tag:fJRUD/vAEe5TuAi8OV2b4g==,type:str]
 sops:
 age:
 - recipient: age10fqh0td67alzpyjyhdex5ncj9thvaty506r0t63vs2nz4ldafgaqadl8mg
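Review bot: The tmpfiles rules cover only the two leaf directories, so `/var/lib/webdav` and `/var/lib/webdav/~msyds` are left to be created implicitly — as root-owned parents by systemd-tmpfiles, or by `StateDirectory` if it is moved into `[Service]` where it takes effect — while rclone serves `/var/lib/webdav` as its root; a WebDAV client can therefore not create anything outside the two leaves, which may well be the intended containment but deserves a comment such as `# Only the leaf directories are writable by the service; the parents stay root-owned on purpose.` or an explicit `d` entry for `/var/lib/webdav/~msyds` if it is not. `v` also requests a btrfs subvolume when the filesystem supports it; if a plain directory is all that is wanted, `d` says so more directly. The `z` rule is non-recursive, so ownership and the setgid bit are only enforced on the leaf directories themselves, never on content synced in below them. The enclosing `config` attribute set starts and ends outside the hunk.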
@@ -41,7 +42,7 @@ sops:
 TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp
 ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-03T15:54:04Z"
- mac: ENC[AES256_GCM,data:SxoeykS+11SX9OwkCWZOoGsZVVcO2/tu28TdEwtwMFyUpQhZg2DcZXHje4XRzWjtcl337R1UtuldEC5CBccj2zqIyAjIOZKwQkOG/kuEOAosHNztkNBptl/APDPGuuM2ji/HQNZXtyC7sm6f2QvZxMZgMZ51do6ogCNQAye4q2w=,iv:XvXqtLlpcTuHr02xxrDMs5eWZLFvPmXiaVW4iuQk88Q=,tag:M/IyMOpOZcfwxzBGp+tyug==,type:str]
+ lastmodified: "2025-09-08T15:47:20Z"
+ mac: ENC[AES256_GCM,data:dBwF8aIVL8NKNwXQVx+Pslh+NUhIiFPKyw3uh/kIesmbG05FoteFKld6pjpq5aAo4A9MAl+LdEOOsg85bEQnqsmClyXDc7ioMUhmgJ2oOzJeKNpQldtAtuQ+DFCXHLaJSMLdEQG8ER4+Z1m4K3yZqVdP4uRIUbtaF2Bre7UuPkE=,iv:0JIzhn+GaEtmyRo3I7Dyo65O9IpzpgndqSR1rJVreB8=,tag:DD3JsPLA/XMVELIzzA7wIg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2