{...}: {
  users = {
    users = let
      shareUser = {
        isSystemUser = true;
        group = "share";
      };
    in {
      min = shareUser;
    };
    groups."share" = {};
  };

  systemd.tmpfiles.rules = [
    "d /terra/terrarium 0775 root share - -"
  ];

  services.samba = {
    enable = true;
    openFirewall = true;

    securityType = "user";

    extraConfig = ''
      browseable = yes
      smb encrypt = required

      valid users = @share
    '';

    shares = {
      terrarium = {
        "path" = "/terra/terrarium";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0664";
        "directory mask" = "0775";
      };
    };
  };
}