diff --git a/machines/vega/services/samba.nix b/machines/vega/services/samba.nix
new file mode 100644
index 0000000..893544b
--- /dev/null
+++ b/machines/vega/services/samba.nix
@@ -0,0 +1,93 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ sambaUser = lib.filterAttrs (
+ name: user: user.isNormalUser && builtins.elem "samba" user.extraGroups
+ ) config.users.users;
+
+ sharedFolders = {
+ GLOM.users = [
+ "w"
+ "kurogeek"
+ "berwn"
+ ];
+ };
+in
+{
+
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ security = "user";
+ workgroup = "WORKGROUP";
+ "server string" = "Glom Vega";
+ interfaces = "eth* en*";
+ "max log size" = "50";
+ "dns proxy" = false;
+ "syslog only" = true;
+ "map to guest" = "Bad User";
+ "guest account" = "nobody";
+ };
+ }
+ // lib.mapAttrs (share: opts: {
+ path = "/mnt/hdd/samba/${share}";
+ comment = share;
+ "force user" = share;
+ "force group" = share;
+ public = "yes";
+ "guest ok" = "yes";
+ "create mask" = "0640";
+ "directory mask" = "0750";
+ writable = "yes";
+ browseable = "yes";
+ printable = "no";
+ # TODO
+ # "valid users" = toString opts.users;
+ }) sharedFolders;
+ };
+
+ users.users = lib.mapAttrs (share: opts: {
+ isSystemUser = true;
+ group = share;
+ }) sharedFolders;
+
+ users.groups = lib.mapAttrs (share: opts: { }) sharedFolders;
+
+ systemd.services.samba-smbd.postStart =
+ lib.concatMapStrings (
+ user:
+ let
+ password = config.clan.core.vars.generators."${user}-smb-password".files.password.path;
+ in
+ ''
+ mkdir -p /mnt/hdd/samba/${user}
+ chown ${user}:users /mnt/hdd/samba/${user}
+ # if a password is unchanged, this will error
+ (echo $(<${password}); echo $(<${password})) | ${config.services.samba.package}/bin/smbpasswd -s -a ${user}
+ ''
+ ) (lib.attrNames sambaUser)
+ lib.concatMapStrings (share: ''
+ mkdir -p /mnt/hdd/samba/${share}
+ chown ${share}:${share} /mnt/hdd/samba/${share}
+ '') (lib.attrNames sharedFolders);
+
+ services.samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.avahi = {
+ publish.enable = true;
+ publish.userServices = true;
+ # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+ nssmdns4 = true;
+ # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+ enable = true;
+ openFirewall = true;
+ };
+}
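Review bot: Every share is exported with `public = "yes"`, `"guest ok" = "yes"` and `writable = "yes"` while the `"valid users"` line in the `lib.mapAttrs` share block is still a commented-out TODO, and `"map to guest" = "Bad User"` maps logins with an unknown username to `nobody`, so an unauthenticated client on the port opened by `openFirewall = true` gets write access to `/mnt/hdd/samba/<share>` as the forced share user and the per-user `smbpasswd` provisioning in postStart adds nothing the share does not already allow. Until the per-share `users` list is wired up, either drop guest access (`"guest ok" = "no"; public = "no";`) and enable `"valid users" = toString opts.users;`, or add a comment stating that the shares are intentionally open to everyone on the LAN. `interfaces = "eth* en*"` only limits the listening sockets when `"bind interfaces only" = true` is set alongside it; as written smbd still binds every address. In postStart, `echo $(<${password})` word-splits and glob-expands the secret, so a password containing spaces or `*` is altered before it reaches `smbpasswd`; `printf '%s\n%s\n' "$(<${password})" "$(<${password})" | ${config.services.samba.package}/bin/smbpasswd -s -a ${user}` passes it through unchanged.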