diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 343d9a9..f4fb8f8 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -88,6 +88,7 @@ lib.mkIf (!minimal) ( {} // mkMicrovm "adguardhome" + // mkMicrovm "samba" // mkContainer "forgejo" // mkContainer "grafana" // mkContainer "influxdb" diff --git a/hosts/ward/guests/samba.nix b/hosts/ward/guests/samba.nix new file mode 100644 index 0000000..58e44a2 --- /dev/null +++ b/hosts/ward/guests/samba.nix 
@@ -0,0 +1,79 @@
+{lib, ...}: {
+ services.samba = {
+ # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
+ # requests, since all of our clients hardcode the server shares.
+ enableNmbd = false;
+ # Disable Samba's winbindd, which provides a number of services to the Name
+ # Service Switch capability found in most modern C libraries, to arbitrary
+ # applications via PAM and ntlm_auth and to Samba itself.
+ enableWinbindd = false;
+ extraConfig = lib.concatLines [
+ # Show the server host name in the printer comment box in print manager
+ # and next to the IPC connection in net view.
+ "server string = my-nas"
+ # Set the NetBIOS name by which the Samba server is known.
+ "netbios name = my-nas"
+ # Disable netbios support. We don't need to support browsing since all
+ # clients hardcode the host and share names.
+ "disable netbios = yes"
+ # Deny access to all hosts by default.
+ "hosts deny = 0.0.0.0/0"
+ # Allow access to local network and TODO: wireguard
+ "hosts allow = 192.168.1.0/22 192.168.100.0/24"
+
+ # TODO: allow based on wireguard ip without username and password
+ # Users always have to login with an account and are never mapped
+ # to a guest account.
+ "guest account = nobody"
+ "map to guest = never"
+
+ # Clients should only connect using the latest SMB3 protocol (e.g., on
+ # clients running Windows 8 and later).
+ "server min protocol = SMB3_11"
+ # Require native SMB transport encryption by default.
+ "server smb encrypt = required"
+
+ # Disable printer sharing. By default Samba shares printers configured
+ # using CUPS.
+ "load printers = no"
+ "printing = bsd"
+ "printcap name = /dev/null"
+ "disable spoolss = yes"
+ "show add printer wizard = no"
+
+ # Load in modules (order is critical!) and enable AAPL extensions.
+ "vfs objects = catia fruit streams_xattr"
+ # Enable Apple's SMB2+ extension.
+ "fruit:aapl = yes"
+ # Clean up unused or empty files created by the OS or Samba.
+ "fruit:wipe_intentionally_left_blank_rfork = yes"
+ "fruit:delete_empty_adfiles = yes"
+ ];
+ shares = let
+ mkShare = path: {
+ inherit path;
+ public = "no";
+ writable = "yes";
+ "create mask" = "0660";
+ "directory mask" = "0770";
+ "force create mode" = "0660";
+ "force directory mode" = "0770";
+ "acl allow execute always" = "yes";
+ };
+
+ mkGroupShare = group:
+ mkShare "/shares/groups/${group}" {
+ "valid users" = "@${group}";
+ "force group" = group;
+ };
+
+ mkUserShare = user:
+ mkShare "/shares/users/${user}" {
+ "valid users" = user;
+ };
+ in {
+ family = mkGroupShare "family";
+ myuser = mkUserShare "myuser";
+ };
+ };
+}
diff --git a/hosts/ward/secrets/samba/host.pub b/hosts/ward/secrets/samba/host.pub
new file mode 100644
index 0000000..8907406
--- /dev/null
+++ b/hosts/ward/secrets/samba/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2o/BF7dSaGgbmgYwHlT+jKu2ojlhNs/fXjcBDTAtcN
diff --git a/modules/config/boot.nix b/modules/config/boot.nix
index 9c4fad1..9899bad 100644
--- a/modules/config/boot.nix
+++ b/modules/config/boot.nix
@@ -14,7 +14,7 @@
 };
 # NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
- kernelParams = ["log_buf_len=10M"];
+ kernelParams = ["log_buf_len=16M"]; # must be {power of two}[KMG]
 tmp.useTmpfs = true;
 loader.timeout = lib.mkDefault 2;
diff --git a/modules/guests/microvm.nix b/modules/guests/microvm.nix
index b7b7d74..9f9bbeb 100644
--- a/modules/guests/microvm.nix
+++ b/modules/guests/microvm.nix
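Review bot: `mkShare` is declared with a single `path` parameter and returns an attribute set, yet both `mkGroupShare` and `mkUserShare` apply it to a second argument (`mkShare "/shares/groups/${group}" { … }`), which Nix will reject at evaluation time as calling a set rather than a function; either take the overrides as a parameter, `mkShare = path: extra: { … } // extra;`, or merge at the call sites with `mkShare "/shares/groups/${group}" // { … }`. On the access controls, `hosts deny = 0.0.0.0/0` describes only IPv4, and under Samba's allow/deny evaluation a client matched by neither list is admitted, so if this guest is reachable over IPv6 the deny line would not cover it; `hosts deny = ALL` (or simply dropping `hosts deny`, since an allow list on its own denies everything else) closes that gap. `192.168.1.0/22` is not a prefix-aligned network — Samba masks it to 192.168.0.0/22, admitting 192.168.0.x through 192.168.3.x — so if the LAN is a single /24 this should read `192.168.1.0/24`. The TODO about admitting WireGuard peers without credentials would undo the `map to guest = never` guard directly below it; address filtering should stay a second layer on top of authentication, not replace it.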
@@ -29,16 +29,10 @@ in { lib.microvm.mac = guestCfg.microvm.mac; microvm = { - hypervisor = mkDefault "qemu"; + hypervisor = mkDefault "cloud-hypervisor"; # Give them some juice by default - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - # TODO aaaaaaaaaaaaaaaaaaaaaaaaaaa - mem = mkDefault 1024; + mem = mkDefault 2048; # Add a writable store overlay, but since this is always ephemeral # disable any store optimization from nix. diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index ca74497..2b478b7 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/ward-samba/promtail-loki-basic-auth-password.age b/secrets/generated/ward-samba/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..2427073 --- /dev/null +++ b/secrets/generated/ward-samba/promtail-loki-basic-auth-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 VXnt/2EgidEeT+xP1NLiCISqVSxXxQIk6jyUYp2UvyY +8+s2jh+w5jHilXrN0/jLk9qcNTrzbBH+8SruiVxKimM +-> piv-p256 xqSe8Q A0c1eWdEhyDZBwW35WMeoEkL2UHZ48+T9U/5MJIFMT64 +UcSEjybPFh0SBuQeP7HPXBRyrAgpvHjNaUZAt/DQoY4 +-> |0zgU|-grease 63{Dc,7[ +Iwt2EGyPbA7zyjPoAMNcYwc8uOhtGnq5uJ5g33mB4632cKTwEUh3/sULcrg +--- 5lYc3xSfV/0oiVJPUoI6NBTmlnILT4JIynUaDgSzn6E +%APչ~I8ZFvrBdn>XVJ"MRpNI@OciFV f / \ No newline at end of file diff --git a/secrets/generated/ward-samba/telegraf-influxdb-token.age b/secrets/generated/ward-samba/telegraf-influxdb-token.age new file mode 100644 index 0000000..88f2d48 --- /dev/null +++ b/secrets/generated/ward-samba/telegraf-influxdb-token.age 
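Review bot: The hypervisor switch from `qemu` to `cloud-hypervisor` is the one change here without a why-comment, and because it is a `mkDefault` it re-targets every microvm guest that does not override it, so a one-line rationale next to it would help, e.g. `# cloud-hypervisor: smaller emulated-device surface than qemu; guests that need devices it lacks set hypervisor explicitly.` if that is indeed the motivation. The doubling of `mem` to 2048 likewise applies to all guests; the surviving "Give them some juice by default" comment should say whether individual guests are expected to override it downward. The enclosing `microvm = { … }` attribute set continues past the end of the hunk.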
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 6UhPPx1l2ceeVs13Y5BSia3JQIi6f8OazknTMGENTi0 +NqiM2cikBRckHaPaMq0mabnK4dFHNnNjjtmkSqmSeog +-> piv-p256 xqSe8Q Avc3Ub0saSzmzsvo9EH9KQde3hFIwTDgp1wWWFX++Mmf +s9bGQC7JDix9yK8JJ0JnzMV6ELRYBXBMEcWcU4KKtv4 +-> ?-grease Fzc>D# %\]sGPqI +FIDEJhsloQM+DdMbAT5D3W5/Qq9Au1W+s+zcZCC1T/YSqWwMgqiv0g4yZD0LJ2cq +HzCQwsIMTulawmM +--- fYkQkfbRMQIQwchhdTvB9+NCicxDA21tOVIDLfiFr6E +#4cJGGcP\D[Zh65Av//ᶵ區dtÏk~ x|w)->+ \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-samba.age b/secrets/wireguard/proxy-sentinel/keys/ward-samba.age new file mode 100644 index 0000000..cd610b6 Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/keys/ward-samba.age differ diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-samba.pub b/secrets/wireguard/proxy-sentinel/keys/ward-samba.pub new file mode 100644 index 0000000..f87ceba --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-samba.pub @@ -0,0 +1 @@ +asqe5nbJExWAkFYKMI5dU+kOHc8xjXVZhVHHA20vIhM= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-samba.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-samba.age new file mode 100644 index 0000000..6e23897 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-samba.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 cQvEGnbo1Wo9FS4XUPCKHp0/pKHkvwg4urp1ZMORHmE +CXuF3BABclq0QalxNKB5yinv/GOLMJnHSipUq7ACj20 +-> piv-p256 xqSe8Q ApAldhAhhZ1A6c22RQoHAjyIV0fhjHSrfOJoHLXJ3ADd +iEZNUFnM8Dgdk1vzjRIcKSrAlqpUFfzpQ/6i4M81aj4 +-> Hc?]K-grease +RQ2gyBQ +--- EPuuqmyDIh8sGGCiXyHzSgFB8b7Gm8PK+HU3xOJQW/8 +s]@Cw9 _pH00ƅ~tHOոX'aRZ?û|L04[J|t [4ro  \ No newline at end of file