diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 08d717a..e1ab204 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -21,6 +21,7 @@
 ./services/pgadmin.nix
 ./services/plex.nix
 ./services/postgres.nix
+ ./services/samba.nix
 ./services/taskserver.nix
 ./services/vaultwarden.nix
 ./services/vscode-server.nix
diff --git a/hosts/tsuki/services/samba.nix b/hosts/tsuki/services/samba.nix
new file mode 100644
index 0000000..81c4ad0
--- /dev/null
+++ b/hosts/tsuki/services/samba.nix
@@ -0,0 +1,80 @@
+{ config, lib, ... }:
+{
+ # 100.120.148.116
+ services.samba = {
+ enable = true;
+ # openFirewall = true;
+
+ extraConfig = ''
+ workgroup = TSUKI
+ server string = smbnix
+ netbios name = smbnix
+
+ security = user
+
+ use sendfile = yes
+ min protocol = SMB2
+ smb encrypt = desired
+
+ # note: localhost is the ipv6 localhost ::1
+ hosts allow = 100.107.69.8 100.100.65.88
+ hosts deny = 0.0.0.0/0
+
+ guest ok = no
+ map to guest = never
+ '';
+
+ shares = {
+ cirno = {
+ path = "/data/cirno";
+ browseable = "yes";
+ "valid users" = "h7x4";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0600";
+ "directory mask" = "0700";
+ "force user" = "h7x4";
+ "force group" = "users";
+ "comment" = "cirno data drive";
+ };
+ backup-import = {
+ path = "/data/backup/import";
+ browseable = "yes";
+ "valid users" = "h7x4";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0600";
+ "directory mask" = "0700";
+ "force user" = "h7x4";
+ "force group" = "users";
+ "comment" = "backup import drive";
+ };
+ media = {
+ path = "/data/media";
+ browseable = "yes";
+ "valid users" = "h7x4";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "media";
+ "force group" = "media";
+ "comment" = "media drive";
+ };
+ };
+ };
+
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 139 445 ];
+ networking.firewall.interfaces."tailscale0".allowedUDPPorts = [ 137 138 ];
+
+
+ systemd.slices.system-samba = {
+ description = "Samba slice";
+ after = [ "system.slice" ];
+ requires = [ "system.slice" ];
+ };
+
+ systemd.services.samba-smbd.serviceConfig.Slice = "system-samba.slice";
+ systemd.services.samba-nmbd.serviceConfig.Slice = "system-samba.slice";
+ systemd.services.samba-winbindd.serviceConfig.Slice = "system-samba.slice";
+}
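Review bot: The `hosts deny = 0.0.0.0/0` line in `extraConfig` is an IPv4-only mask, so a peer connecting from an IPv6 address would presumably match neither list, and Samba admits a host that matches neither list; the documented catch-all is `hosts deny = ALL`. This matters because the firewall lines open the ports to every peer on `tailscale0`, leaving `hosts allow` as the only per-host restriction in front of password authentication. Separately, `min protocol = SMB2` together with `smb encrypt = desired` still accepts an unencrypted SMB2 session; if both allowed clients speak SMB3, `min protocol = SMB3` and `smb encrypt = required` would enforce encryption at the SMB layer. With SMB2 or later as the floor, TCP 445 should be sufficient, so 137–139 and the `samba-nmbd` unit look droppable unless NetBIOS name lookup is actually wanted.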