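# NixOS module: a Samba server that exposes a list of directories as
# anonymous, read-only guest shares.
#
# Security summary for reviewers:
#   * Every directory in `my.services.samba.publicShares` is readable without
#     authentication by any host that can reach the SMB ports opened below.
#   * The firewall rules here are global (all interfaces), not scoped to a LAN
#     interface.
#   * `ntlm auth = true` and `map to guest = bad user` relax authentication;
#     see the notes next to `extraConfig`.
{ config, pkgs, lib, ... }:
let
  cfg = config.my.services.samba;

  # Share names are derived from the last path component of each directory.
  shareNames = map builtins.baseNameOf cfg.publicShares;

  # Build one `listToAttrs` entry describing a guest-only, read-only share.
  # `guest only` + `force user = nobody` means every file operation runs as
  # the `nobody` account regardless of what credentials the client offers;
  # `writeable = no` keeps the share read-only.
  makePublicShare = path: {
    name = builtins.baseNameOf path;
    value = {
      inherit path;
      browseable = "yes";
      writeable = "no";
      "guest ok" = "yes";
      "guest only" = "yes";
      "force user" = "nobody";
    };
  };
in
{
  options.my.services.samba = with lib; {
    enable = mkEnableOption "Samba";

    publicShares = mkOption {
      type = with types; listOf str;
      default = [ ];
      # `literalExample` is deprecated in newer nixpkgs in favour of
      # `literalExpression`; kept as-is because the rest of this module uses
      # the older `services.samba` option names.
      example = literalExample ''
        [ "/data/fast/music" ]
      '';
      description = "Which directories to share publicly";
    };
  };

  config = lib.mkIf cfg.enable {
    # `listToAttrs` keeps only the first entry when two names collide, so two
    # directories with the same final path component would silently result in
    # one of them not being shared. Fail evaluation instead.
    assertions = [
      {
        assertion =
          builtins.length (lib.unique shareNames) == builtins.length shareNames;
        message = ''
          my.services.samba.publicShares: share names are taken from the last
          path component of each entry and must be unique.
        '';
      }
    ];

    services.samba = {
      enable = true;
      securityType = "user";

      # Notes on the security-relevant settings in the block below:
      #
      # map to guest = bad user
      #   Logins with an unknown user name are mapped to the guest account
      #   (`nobody`) instead of being rejected. This is what makes the guest
      #   shares reachable from clients that always send credentials.
      #
      # ntlm auth = true
      #   Permits NTLMv1 challenge/response, which Samba disables by default
      #   (`ntlmv2-only`). NOTE(review): confirm a legacy client still needs
      #   this; if not, remove the line so the default applies.
      #
      # client min protocol = SMB2
      #   Applies when Samba acts as a client (e.g. its client tools). It
      #   does not limit what protocol versions this server accepts; that is
      #   `server min protocol`. NOTE(review): confirm which was intended.
      extraConfig = ''
        workgroup = WORKGROUP
        server string = tahoe
        netbios name = tahoe
        security = user
        guest account = nobody
        mangled names = no
        client min protocol = SMB2
        map to guest = bad user
        ntlm auth = true
      '';

      shares = with lib; (listToAttrs (map makePublicShare cfg.publicShares));
    };

    # SMB (445) and NetBIOS session (139) over TCP, NetBIOS name/datagram
    # (137/138) over UDP. These lists apply to every interface; on a host with
    # an untrusted or internet-facing interface, prefer the per-interface form
    # `networking.firewall.interfaces.<name>.allowedTCPPorts` /
    # `.allowedUDPPorts` so the guest shares are only reachable from the LAN.
    networking.firewall.allowedTCPPorts = [ 445 139 ];
    networking.firewall.allowedUDPPorts = [ 137 138 ];
  };
}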