diff --git a/hosts/desktopnix/net.nix b/hosts/desktopnix/net.nix
index 030356e..b0d5d91 100644
--- a/hosts/desktopnix/net.nix
+++ b/hosts/desktopnix/net.nix
@@ -21,4 +21,5 @@
 };
 };
 networking.nftables.firewall.zones.untrusted.interfaces = ["lan01"];
+ wireguard.samba-patrick.client.via = "elisabeth-samba";
 }
diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix
index dd5c498..ebacb8e 100644
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@@ -13,6 +13,7 @@
 devoloog-sae19.rekeyFile = ./secrets/iwd/devoloog-sae19.age;
 devoloog-sae20.rekeyFile = ./secrets/iwd/devoloog-sae20.age;
 };
+ wireguard.samba-patrick.client.via = "elisabeth-samba";
 networking.nftables.firewall.zones.untrusted.interfaces = ["lan01" "lan02" "wlan01"];
 networking = {
 inherit (config.secrets.secrets.local.networking) hostId;
diff --git a/modules/config/home-manager.nix b/modules/config/home-manager.nix
index ec668ac..9c8a332 100644
--- a/modules/config/home-manager.nix
+++ b/modules/config/home-manager.nix
@@ -2,6 +2,7 @@
 stateVersion,
 inputs,
 pkgs,
+ nodes,
 ...
 }: {
 imports = [./impermanence/users.nix];
@@ -10,6 +11,7 @@
 useUserPackages = true;
 verbose = true;
 extraSpecialArgs = {
+ inherit nodes;
 spicePkgs = inputs.spicetify-nix.packages.${pkgs.system}.default;
 };
 sharedModules = [
diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix
index 113ab60..6eb864d 100644
--- a/modules/services/paperless.nix
+++ b/modules/services/paperless.nix
@@ -67,6 +67,7 @@ in {
 client.via = "elisabeth";
 firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.paperless.port];
 };
+
 age.secrets.paperless-admin-passwd = {
 generator.script = "alnum";
 mode = "440";
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 3f99680..8935af9 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -38,6 +38,13 @@ ]; }; }; + wireguard.samba-patrick.server = { + host = config.secrets.secrets.global.domains.web; + port = 51830; + reservedAddresses = ["10.43.0.0/20" "fd00:1765::/112"]; + openFirewall = true; + }; + services.samba = { enable = true; securityType = "user"; @@ -62,7 +69,7 @@ # Deny access to all hosts by default. "hosts deny = 0.0.0.0/0" # Allow access to local network - "hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost" + "hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost" "guest account = nobody" "map to guest = bad user" diff --git a/secrets/wireguard/samba-patrick/keys/desktopnix.age b/secrets/wireguard/samba-patrick/keys/desktopnix.age new file mode 100644 index 0000000..d1540ce Binary files /dev/null and b/secrets/wireguard/samba-patrick/keys/desktopnix.age differ diff --git a/secrets/wireguard/samba-patrick/keys/desktopnix.pub b/secrets/wireguard/samba-patrick/keys/desktopnix.pub new file mode 100644 index 0000000..a2c8eaa --- /dev/null +++ b/secrets/wireguard/samba-patrick/keys/desktopnix.pub @@ -0,0 +1 @@ +eA1ooGt8mnAn0zWPjwHYZn2WUXkVt1vRsXV8e/Mr7Vc= diff --git a/secrets/wireguard/samba-patrick/keys/elisabeth-samba.age b/secrets/wireguard/samba-patrick/keys/elisabeth-samba.age new file mode 100644 index 0000000..2b0356b Binary files /dev/null and b/secrets/wireguard/samba-patrick/keys/elisabeth-samba.age differ diff --git a/secrets/wireguard/samba-patrick/keys/elisabeth-samba.pub b/secrets/wireguard/samba-patrick/keys/elisabeth-samba.pub new file mode 100644 index 0000000..a48b210 --- /dev/null +++ b/secrets/wireguard/samba-patrick/keys/elisabeth-samba.pub @@ -0,0 +1 @@ +DgNhJbWzoGYi9GNwAS9QrKbYSobPlWG6wwehNLUJZio= diff --git a/secrets/wireguard/samba-patrick/keys/patricknix.age b/secrets/wireguard/samba-patrick/keys/patricknix.age new file mode 100644 index 0000000..e81cded --- /dev/null +++ b/secrets/wireguard/samba-patrick/keys/patricknix.age 
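Review bot: The `hosts allow` entry `10.43.0.` in the second samba.nix hunk matches only 10.43.0.0/24, while the first hunk reserves `10.43.0.0/20` for the samba-patrick network, so a peer assigned an address outside 10.43.0.x would be refused by Samba; either narrow `reservedAddresses` to the /24 or write the allow entry as `10.43.0.0/20`. The tunnel also reserves `fd00:1765::/112`, and the unchanged `hosts deny = 0.0.0.0/0` names only IPv4; as far as I know Samba admits a client that matches neither list, so `"hosts deny = ALL"` would be the safer default, which is worth confirming against the smb.conf man page. Now that the client mounts over WireGuard, consider dropping `192.168.178.` from the allow list if direct LAN access is no longer intended. The surrounding `services.samba` block continues outside both hunks.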
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 jSOPR4LRd0tfr2ygMnIBz+NL2f63QvjDPHwhE7+ezEA +pIFPGdJy11+xZ6lh5tYouOoUqz8n9w5SUhdeHxP0yjU +-> piv-p256 XTQkUA AjmrbTNVLJ9YWq/BLnn8t9nnuKMs13QASclnSJbKGLgL +xsJwc9qPCrHKFODIfLlQwjFFdBQ7OWaPxcDFCQOcTbo +-> piv-p256 ZFgiIw A7sPNQpa+8ok9V1AFczo+YZJ/S9xyU1lctkVXCgJgzFS +9L4Ff6o75Ir31atvH/OGKJN/XBofrQtWsCOZh09GmDA +-> piv-p256 5vmPtQ A2FD9DnhSA9DMl2krxLHQGOaULNzQsN6CCbxFJc+x4z8 +TOxi0USIzxF61IbP7wd/sNZbWu+llnfz1W3fZQ/HSOs +-> piv-p256 ZFgiIw AyCJNFSiZ7EoCbAjB6QUwsXLeqr3GUtL3vugCuCL4KFP +0ZRhdIES7WQ6Kv8jciPGa/5HjFpGNK5TIZUIBB+A+lE +-> KQfRA-grease gq} | kD +G+FJybvwLHnk06k +--- M8jZW4khQpHjC8OvQouNonLilK9dnant0IUzqYbYHCk + X25519 t6oAnWOe58WatE7xAZutNkbfMJALCfOblGzwF4SXuhg +ARg4y/JHxyujLAQeZokxcjVlIz20vPbI614wwUzxLSw +-> piv-p256 XTQkUA Akz23XTjEEXje1/maOahUvHngVn5ArcL4pLfwg3mOc3F +SqH9c1CyeIl3ujKYOZ/mfpfHBEBjfzJEOzFhYXuB5B8 +-> piv-p256 ZFgiIw A+6EYdHMjm8qRIpXCdr5c/sfJDH678LKM0ZWDrUrxAZP +6WE0/kNs5RERwjR2sMHKpAFRaeX18eoVWPheZjzPqZQ +-> piv-p256 5vmPtQ AsLoUNVHvNydMli9OfXGzoYanobiI0bWZYLsPfu1SdF1 +20dL9iybblGRE06YV/bPnTJ9rGffIQJu/VQ1WYNMPU8 +-> piv-p256 ZFgiIw AxqCgK+ogTBYaJ0HQF9m8ZBUtufpCsD6wKoIavCl+Cdb +2Vi+AvG3D/U/kV7VtNd1P3Z5VW5Lzz4Ll/DeTqFHQnk +-> l*B1BIs-grease eIX .o<9F39h fI8 +s0/BUCj4reWqfTxkvA +--- L1ENSVVcxVSROI+zYhmFHASbsfIOkjn0nXNc4nfFdQY +RPUf_EqTytywfc@MAp ɡ}'C*GU}ޅ \ No newline at end of file diff --git a/secrets/wireguard/samba-patrick/psks/elisabeth-samba+patricknix.age b/secrets/wireguard/samba-patrick/psks/elisabeth-samba+patricknix.age new file mode 100644 index 0000000..f5f3b00 --- /dev/null +++ b/secrets/wireguard/samba-patrick/psks/elisabeth-samba+patricknix.age 
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> X25519 eFLhzD4YvPXNBOZC2Ud6cB0FPRWo6+x1qTH8YEKy+Cg +rPUgaR4mLNbPz/zfCOnN7BQ/prNzoYGW5rPrRMOEgvk +-> piv-p256 XTQkUA A1eUqEvO/tkHgPlr7DFqQBdddMMvKJvvZ6bFgl6SqTUE ++J2gi8D9Bg6dEr5OLOmnhy8/kfGQDXQpTCnYTWLp0IM +-> piv-p256 ZFgiIw AoHGWuCfTy0aIy1ZIp+H64wXzuoR9Yd2rsDxJL6Rjr9Y +W+u/mTIo5TwYdZc1nnC6rPa6WU15eXSg86RFdLCTFkg +-> piv-p256 5vmPtQ A6BO2wkSQ8rZnJg1ykx6WhyZpQMMiLYovm2AHa567VdO +XB9NpGBZJU48rSddjmfk3uEMCugR2vktv0NajTpPF4M +-> piv-p256 ZFgiIw AthYefErdON2SVYJaysT8twtGxfM0xrdUf1Qu74MtG/C +nZb7ozfvgf4JipSWKWjdztdxubdwokv1aBtLfn4HxNo +-> PsVq=WN-grease +kFWRaojwHfs1RYduR3IrPISIUXHrwjiJEZtciWI8A+1BFv9H8B/7r+Ews3i2JfhE +LwCsAaK40IdWZbe47+67K8wNo60do+NKW0W6qemkYgziVlP0 +--- o/fKSKsuClle7KXgbq2gXn7t78C2iCvOM2uuU/9Mt8g +S=q* ɾ8UI/#4U + +/b649Gj?!^twVwL \ No newline at end of file diff --git a/users/patrick/smb.nix b/users/patrick/smb.nix index cacd257..9699bba 100644 --- a/users/patrick/smb.nix +++ b/users/patrick/smb.nix @@ -1,6 +1,10 @@ -{nixosConfig, ...}: { +{ + nixosConfig, + nodes, + ... +}: { home.smb = let - address = "192.168.178.12"; + address = nodes.elisabeth-samba.config.wireguard.samba-patrick.ipv4; credentials = nixosConfig.age.secrets.smb-creds.path; in [ {
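Review bot: `address` in users/patrick/smb.nix now resolves to the server's tunnel IP, so the share is reachable only on hosts that also set `wireguard.samba-patrick.client.via`; this commit does that for desktopnix and patricknix only. If this home module is imported on any other host (not visible here), the mount there will fail rather than fall back to the LAN, which is the safe direction but deserves a comment above the binding, e.g. `# SMB is reached only via the samba-patrick WireGuard tunnel; the host must set wireguard.samba-patrick.client.via`. The `home.smb` list continues outside the hunk.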