diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix index ac09eec..594e077 100644 --- a/hosts/nixos/hs/system.nix +++ b/hosts/nixos/hs/system.nix @@ -9,6 +9,7 @@ ../../../modules/traefik.nix ../../../modules/borg/client.nix ../../../modules/login-display.nix + ../../../modules/dufs.nix ]; # GRUB bootloader with ZFS support @@ -263,4 +264,11 @@ }; }; + # Dufs WebDAV file server + services.dufs = { + sharedPath = "/mnt/storage/Media/nsfw"; + port = 5099; + auth = "yanlin:jbaRRsciNUXTRqswdggKPICG27TNvyTRUfod2RBD"; + }; + } diff --git a/hosts/nixos/vps/proxy.nix b/hosts/nixos/vps/proxy.nix index c48bf11..eadfe07 100644 --- a/hosts/nixos/vps/proxy.nix +++ b/hosts/nixos/vps/proxy.nix @@ -111,6 +111,19 @@ }; }; + # Dufs file server + files = { + rule = "Host(`files.yanlincs.com`)"; + entrypoints = "websecure"; + service = "files"; + tls = { + certResolver = "cloudflare"; + domains = [{ + main = "*.yanlincs.com"; + }]; + }; + }; + }; services = { # Redirect service @@ -185,6 +198,15 @@ }; }; + # Dufs backend (via WireGuard) + files = { + loadBalancer = { + servers = [{ + url = "http://10.2.2.20:5099"; + }]; + }; + }; + }; middlewares = { # Redirect middleware diff --git a/modules/dufs.nix b/modules/dufs.nix new file mode 100644 index 0000000..e9a67ee --- /dev/null +++ b/modules/dufs.nix 
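Review bot: The `auth` string in the new `services.dufs` block of hosts/nixos/hs/system.nix is a real username:password pair committed in plain text. It is now part of the repository history, and because modules/dufs.nix interpolates it into `ExecStart`, it also ends up in the generated unit file in the world-readable Nix store and in the process arguments on the host. Treat the password as exposed and rotate it, then keep only a reference here, for example a path to a file provisioned outside the store by a secrets tool such as sops-nix or agenix. A comment such as `# credentials are read from a root-only file, never inline` above the option would document the intent.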
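Review bot: The `files` router in hosts/nixos/vps/proxy.nix sets no `middlewares`, so the only control in front of the share at `files.yanlincs.com` is the Basic auth that dufs itself enforces, and the module makes that auth optional. Consider attaching a rate-limit or source-IP allow-list middleware, e.g. `middlewares = [ "<rate-limit-middleware>" ];`, using the name of one defined in this file's `middlewares` section, which is not visible in the hunk. The backend added in the next hunk uses `http://10.2.2.20:5099`, so the Basic auth header is protected only while that hop stays inside the WireGuard tunnel. A short comment stating that assumption next to the `url` would help.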
@@ -0,0 +1,52 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.services.dufs; +in +{ + options.services.dufs = { + sharedPath = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Path to the folder to share via WebDAV. Set to null to disable dufs."; + example = "/mnt/storage/shared"; + }; + + port = lib.mkOption { + type = lib.types.port; + default = 5099; + description = "Port to listen on"; + }; + + auth = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Basic authentication in format 'username:password'. Will be automatically formatted for dufs."; + example = "admin:secret123"; + }; + }; + + config = lib.mkIf (cfg.sharedPath != null) { + # Install dufs package + environment.systemPackages = [ pkgs.dufs ]; + + # Create systemd service + systemd.services.dufs = { + description = "Dufs WebDAV File Server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "simple"; + User = "root"; # Run as root to access any system path + ExecStart = "${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0" + + lib.optionalString (cfg.auth != null) " --auth ${cfg.auth}@/:rw"; + Restart = "on-failure"; + RestartSec = "10s"; + }; + }; + + # Open firewall port (optional, since traffic comes through WireGuard) + # networking.firewall.allowedTCPPorts = [ cfg.port ]; + }; +}
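Review bot: The unit in modules/dufs.nix runs a network-facing, read-write file server as `User = "root"` with `--bind 0.0.0.0`, so a flaw in dufs or a guessed password gives root-level file access, and the listener is reachable on every interface rather than only the WireGuard one the firewall comment assumes. `cfg.auth` and `cfg.sharedPath` are also spliced into `ExecStart` unescaped, which puts the password into the Nix store and the process list and breaks on values containing spaces. I would run it under a dedicated unprivileged user with systemd sandboxing, bind to the tunnel address, and read the credential from an environment file; the sketch below uses two proposed options, `bindAddress` and `authFile`, that do not exist in this commit. Whether the packaged dufs reads `DUFS_AUTH` from the environment should be confirmed before relying on it.

```nix
# … unchanged: option declarations (plus the proposed `bindAddress` and `authFile` options) …
serviceConfig = {
  Type = "simple";
  # Dedicated account (declared via users.users.dufs) that owns only the share.
  User = "dufs";
  Group = "dufs";
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  ReadWritePaths = [ cfg.sharedPath ];
  # Root-only file outside the Nix store, containing DUFS_AUTH=<user>:<password>@/:rw
  EnvironmentFile = cfg.authFile;
  ExecStart = "${pkgs.dufs}/bin/dufs ${lib.escapeShellArg cfg.sharedPath}"
    + " --port ${toString cfg.port} --bind ${cfg.bindAddress}";
  # … unchanged: Restart, RestartSec …
};
```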