{
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "hosts allow" = "192.168.";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
        "security" = "user";
      };
      "public" = {
        "path" = "/nas/chandler/public";
        "browseable" = "yes";
        "read only" = "yes";
        "guest ok" = "yes"; # aka "public = yes"
      };
      kathe = {
        path = "/nas/katherine";
        browseable = "yes";
        "valid users" = "kathe";
        "read only" = "no";
        "guest ok" = "no";
      };
    };
  };
}