Webdav - cannot write anything

comod · January 22, 2025, 4:30pm

How to get webdav working? can read, not write.

config:

{

  services.webdav = {
    enable = true;
    settings = {
      address = "127.0.0.1";  # Bind only to localhost for Traefik
      port = 58081;  # WebDAV service port
      scope = "/zfs/obsidian";  # Directory served via WebDAV
      modify = true;  # Allow write operations
      auth = true;  # Enable authentication
      logLevel = "debug"; 
      users = [
        {
          username = "xxx";
          password = "xxx";
        }
      ];
    };
  };

  # Create the WebDAV directory and set permissions
  systemd.tmpfiles.rules = [
    "d /zfs/obsidian 0775 1000 1000 -"
  ];

  # Configure Traefik reverse proxy
  services.traefik.dynamicConfigOptions = {
    http.routers.webdav = {
      entryPoints = [ "http" ];  # Use "websecure" for HTTPS
      rule = "Host(`webdav.local`)";
      service = "webdav";
    };
    http.services.webdav.loadBalancer.servers = [
      { url = "http://127.0.0.1:58081"; }  # Match the WebDAV port
    ];
  };
}

test:

curl -v -u xxx:xxx -X MKCOL http://webdav.local/zfs/obsidian/new

result:
< HTTP/1.1 403 Forbidden

nobodyinperson · January 7, 2026, 2:31pm

I got it to work by allowing create (C) and update (U) permissions (permissions = "RCU"):

    # Expose paperless consumption dir via unencrypted simple webdav
    # On the scanner, set target: http://<yourmachine>:28982
    # (no user, no password, no path)
    services.webdav = {
      enable = true;
      # create files as paperless user
      # (so paperless-consumer can read and clean them up)
      user = config.services.paperless.user;
      settings = {
        address = "0.0.0.0"; # allow external connections
        port = config.services.paperless.port + 1; # 28982
        # only make paperless' consumption directory accessible
        directory = config.services.paperless.consumptionDir;
        permissions = "CRU"; # allow Create Read Update (not Delete)
        # optional: login credentials
        # (but this is unencrypted HTTP and world-readabld in nix store like this...)
        # users = [{
        #   username = "scanner";
        #   password = "scanner";
        # }];
      };
    };
    networking.firewall.allowedTCPPorts = # open firewall
      [ config.services.webdav.settings.port ];

(edited out a lot of unnecessary stuff, maybe LLM hallucinations or the webdav service changed their config format at some point )