diff --git a/hosts/dalinar/default.nix b/hosts/dalinar/default.nix
index 590eade..3041f76 100644
--- a/hosts/dalinar/default.nix
+++ b/hosts/dalinar/default.nix
@@ -93,6 +93,10 @@
   users.mutableUsers = false;
   # mkpasswd -m sha512crypt <password>
   users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";
+  users.users.sambauser = {
+    isNormalUser = true;
+    createHome = false;
+  };
 
   environment.systemPackages = with pkgs; [
     ethtool
@@ -120,6 +124,34 @@
 
   services.zfs.autoScrub.enable = true;
 
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        security = "user";
+        workgroup = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "hosts allow" = "100. 172.16.0. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      media = {
+        path = "/storage/encrypted/media/";
+        browseable = "yes";
+        writeable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = config.services.jellyfin.user;
+        "force group" = config.services.jellyfin.group;
+      };
+    };
+  };
+
   services.unbound = {
     enable = true;
     settings = {