diff --git a/hosts/ward/guests/samba.nix b/hosts/ward/guests/samba.nix index 58e44a2..4419c13 100644 --- a/hosts/ward/guests/samba.nix +++ b/hosts/ward/guests/samba.nix @@ -1,5 +1,20 @@ -{lib, ...}: { +{ + config, + lib, + ... +}: let + smbUsers = config.repo.secrets.local.samba.users; + smbGroups = config.repo.secrets.local.samba.groups; +in { + age.secrets."samba-passdb.tdb" = { + rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age"; + mode = "600"; + }; + services.samba = { + enable = true; + openFirewall = true; + # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP # requests, since all of our clients hardcode the server shares. enableNmbd = false; @@ -21,9 +36,17 @@ # Allow access to local network and TODO: wireguard "hosts allow = 192.168.1.0/22 192.168.100.0/24" + # Set sane logging options + "log level = 0 auth:2 passdb:2" + "log file = /dev/null" + "max log size = 0" + "logging = systemd" + # TODO: allow based on wireguard ip without username and password # Users always have to login with an account and are never mapped # to a guest account. + "passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}" + "server role = standalone" "guest account = nobody" "map to guest = never" @@ -50,20 +73,23 @@ "fruit:delete_empty_adfiles = yes" ]; shares = let - mkShare = path: { - inherit path; - public = "no"; - writable = "yes"; - "create mask" = "0660"; - "directory mask" = "0770"; - "force create mode" = "0660"; - "force directory mode" = "0770"; - "acl allow execute always" = "yes"; - }; + mkShare = path: cfg: + { + inherit path; + public = "no"; + writable = "yes"; + "create mask" = "0770"; + "directory mask" = "0770"; + # "force create mode" = "0660"; + # "force directory mode" = "0770"; + #"acl allow execute always" = "yes"; + } + // cfg; mkGroupShare = group: mkShare "/shares/groups/${group}" { "valid users" = "@${group}"; + "force user" = "family"; "force group" = group; }; 
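Review bot: The `age.secrets."samba-passdb.tdb"` declaration in the first hunk hands smbd a tdbsam database that is regenerated from the `.age` file at every activation (that is what `rekeyFile` implies), but as far as I know smbd opens a tdbsam backend read-write and, depending on lockout settings and whether users change passwords over SMB, writes back into it; those writes will either fail on the secret path or silently vanish at the next activation. That contract should be stated next to the declaration, e.g. `# Regenerated on activation: password changes made over SMB are not persisted; rotate via the secret instead`, or the decrypted file should be copied to a persistent 0600 location before smbd starts. `mode = "600"` is the right choice for a file holding NT password hashes, since smbd reads it as root. The passdb line that consumes this path is in the second hunk of this file.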
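Review bot: The `# Set sane logging options` comment above the four new `log …` lines in the second hunk does not say what the configuration buys: `log level = 0 auth:2 passdb:2` together with `logging = systemd` is what makes successful and failed SMB logons visible in the journal while keeping everything else quiet, and `log file = /dev/null` plus `max log size = 0` avoids a second on-disk copy of the same events. I would replace the comment with `# Log auth and passdb events (level 2) to the journal only; no file log` so the next reader does not "tidy" it back to a plain level 0. `server role = standalone` next to the existing `map to guest = never` is consistent with the comment above it.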
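Review bot: `"force user" = "family"` in `mkGroupShare` (third hunk) applies to every group share, not only the family one, so a member of any other group writes to `/shares/groups/<group>` as the `family` uid; since this file later creates a user named after each group, `"force user" = group;` looks like the intended line — worth confirming. The new `"create mask" = "0770"` also sets the execute bit on every file created through a share (the previous 0660 did not), which is broader than a data share needs unless executables are expected there; `"create mask" = "0660"` with the existing `"directory mask" = "0770"` keeps directories traversable without marking uploads executable. The three commented-out `force create mode`/`force directory mode`/`acl allow execute always` lines should either be deleted or carry a one-line reason, e.g. `# not forced: the masks above suffice and cfg may override per share`.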
@@ -71,9 +97,27 @@ mkShare "/shares/users/${user}" { "valid users" = user; }; - in { - family = mkGroupShare "family"; - myuser = mkUserShare "myuser"; - }; + in + {} + // lib.mapAttrs (name: _: mkUserShare name) smbUsers + // lib.mapAttrs (name: _: mkGroupShare name) smbGroups; }; + + users.users = let + mkUser = name: id: groups: { + isNormalUser = true; + uid = id; + group = name; + extraGroups = groups; + createHome = false; + home = "/var/empty"; + useDefaultShell = false; + autoSubUidGidRange = false; + }; + in + {} + // lib.mapAttrs (name: cfg: mkUser name cfg.id cfg.groups) smbUsers + // lib.mapAttrs (name: cfg: mkUser name cfg.id []) smbGroups; + + users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups); } diff --git a/hosts/ward/secrets/samba/host.pub b/hosts/ward/secrets/samba/host.pub index 8907406..2c8d874 100644 --- a/hosts/ward/secrets/samba/host.pub +++ b/hosts/ward/secrets/samba/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2o/BF7dSaGgbmgYwHlT+jKu2ojlhNs/fXjcBDTAtcN +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMV+QsCngZ1k6Ta5pqz2wRHsiSlEwlfl7pgSRfHzF5Y diff --git a/hosts/ward/secrets/samba/local.nix.age b/hosts/ward/secrets/samba/local.nix.age new file mode 100644 index 0000000..e26661c --- /dev/null +++ b/hosts/ward/secrets/samba/local.nix.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 rGyfugBW1UJ6ufBn8FUWby1AG3ZnBDnNXMBGEXOi/GM +I87QSk3ZBL4FZjdwFd7RS2aRNizPRn/gAdQEUDrnTak +-> piv-p256 xqSe8Q ArQj/8FR6hO8vrqY+1e/YN+h46hSCMg0c3tqZ6U3ApMS ++XzFGrEz4z2tU6N7b2taf6j8V4WJi4NfQq4IJHV53l0 +-> #=2[OV-grease cKs OHnI +iLqxxLbFIrTYFSDGKsOtZ8j7nw +--- Uu8dPdMbw1Zvs8ZuzNbm/LBoeexh3sEiXht6IrkYf8A +!B*ZZ20&b~d-;,J2at>P}gՅzsM݄6U YF֔o@rSVŐKA7$XD 6Gmi!IDCF'ůۯC[w$iG.U:P8ӾhiɿՋ{v8Zp9uPVje׀J`C:K0W0viG!2T2CGpzV nN&28)%FogVeeUiz +"Ԥ!)%Hcsw'(ͦ"tlE U[]I`.>KfW&Qh{+7V \ No newline at end of file 
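Review bot: The `//` merges over `smbUsers` and `smbGroups` in `shares`, `users.users` and `users.groups` are silent when a name occurs in both sets: the group's entry wins, the user's uid and `extraGroups` are dropped, and the user share of that name is replaced by the group share, with no evaluation error. Since uids and gids are both taken from `cfg.id`, an explicit check is cheap, e.g. `assertions = [{ assertion = lib.intersectLists (lib.attrNames smbUsers) (lib.attrNames smbGroups) == []; message = "samba: a user and a group share a name"; }];`. `mkUser` would also benefit from a header comment stating that it produces a login-less account that only owns share files (`createHome = false`, `home = "/var/empty"`, `useDefaultShell = false`, presumably leaving the NixOS default nologin shell — confirm). The `shares` let-block and `mkUserShare` begin outside this hunk.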
diff --git a/hosts/ward/secrets/samba/samba-passdb.tdb.age b/hosts/ward/secrets/samba/samba-passdb.tdb.age new file mode 100644 index 0000000..20bda72 Binary files /dev/null and b/hosts/ward/secrets/samba/samba-passdb.tdb.age differ diff --git a/hosts/ward/secrets/samba/samba-password-hashes.age b/hosts/ward/secrets/samba/samba-password-hashes.age new file mode 100644 index 0000000..0d22581 Binary files /dev/null and b/hosts/ward/secrets/samba/samba-password-hashes.age differ