{ lib, ... }:
{
  flake.modules.nixos.samba-share =
    { pkgs, config, lib, ... }:
    {
      options.samba-share = {
        path = lib.mkOption {
          type = lib.types.str;
          description = "Path to the directory to share via Samba.";
        };
        allowedHosts = lib.mkOption {
          type = lib.types.str;
          description = "Space-separated list of allowed hosts/subnets (e.g. \"192.168.1. 127.0.0.1\").";
        };
      };

      config = {
        services.samba = {
          enable = true;
          openFirewall = true;
          settings = {
            global = {
              "workgroup" = "WORKGROUP";
              "security" = "user";
              "hosts allow" = config.samba-share.allowedHosts;
              "hosts deny" = "0.0.0.0/0";
              "guest account" = "nobody";
              "map to guest" = "bad user";
            };
            "share" = {
              "path" = config.samba-share.path;
              "browseable" = "yes";
              "writeable" = "yes";
              "read only" = "no";
              "guest ok" = "yes";
              "force user" = "dennis";
              "force group" = "users";
            };
          };
        };

        services.samba-wsdd = {
          enable = true;
          openFirewall = true;
        };

        services.avahi = {
          publish.enable = true;
          publish.userServices = true;
          nssmdns4 = true;
          enable = true;
          openFirewall = true;
        };
      };
    };
}