diff --git a/hosts/elisabeth/secrets/samba/netbird-env.age b/hosts/elisabeth/secrets/samba/netbird-env.age index f000c26..0a96152 100644 --- a/hosts/elisabeth/secrets/samba/netbird-env.age +++ b/hosts/elisabeth/secrets/samba/netbird-env.age @@ -1,15 +1,16 @@ age-encryption.org/v1 --> X25519 FTk4whtXQ4QKgotU+0iBZxrUcUVQReiHyhGwv/3pC2w -PGSxFJqC21n737Jyc4pQgv/7tsblQBB47dZlfNynOC0 --> piv-p256 XTQkUA A1mVNcwBxkH0rysZRt1irvyi0k0ME5sccJox/xS1FRC4 -Sy6Zz0a+Y5Z7J6F9M/b1OEKOau5JQm5JAUFsl4Ewk6k --> piv-p256 ZFgiIw AsVavBKMJ+/39us+c0k7niiJab3Ev4Dj+SOo8SH73g3S -ZoUlA/qcdfJ6ctaCeQ/OQYu2wFrIqJ5aR0/aPXCjl4o --> piv-p256 5vmPtQ AnX/v0upSdNStu6uCpC3nVdqWsxX/iUjTpDvKwsdJfNs -lUR+WRlyxqqRuO0hBai6hdYk4ytpEL8SbQHxmR7sK94 --> piv-p256 ZFgiIw Ax5SdGlJs1Gqusw6Lag/9bOuib7Ts3bksfdVN/FGRB4D -Euvy40vrJVrC+W27xYHb0muLuK5SIPmY0zv3+SJgAy4 --> z:&o*}s-grease 4eL2m -xIA4Vo9Z8niU+0+FsD8P6RsdLC/duMh4XtoLu3jYwuh3vA ---- TKHpQOtXIUtjoH4HNwcW5gKI8g9Ou6pXbNtt5ba0qQY -q{+pl>]v7Kl݅B"Pм)3oK[(3> XU "=^jTUwu \ No newline at end of file +-> X25519 8KelKlNhyqDN8pddQTPpmaoXCsR7uft/cB2C1T79WwU +d5/gmNM0BA7WVS4Ln+6e1IBysWjTwZXDMS9t+TQMdBA +-> piv-p256 XTQkUA AwfejTufQTCGTbBRgZASantr/GBbw4Mnp1IvAECk8YxH +noyk11Kk6dkvN/6wB6I+yREBeesc/KH6OJWvvvXZvvY +-> piv-p256 ZFgiIw AhntWFLj+OSpO8uJLeEmiWWPH4KzeZcJv29++AA9gPC6 +TvfAw/aL0Urtrl0QTwbHm+U92igPgjizw5JVu9Xr27M +-> piv-p256 5vmPtQ AgBlp4aFbmUE9fVASSuXWIL60Ryz7Vt4vDmR2lNu5ob5 +NYfzjIwTshjDJgV/Ijkzw7qEUC9kx9SyDcr9M3wCzLM +-> piv-p256 ZFgiIw AtXr3k6gmYxEupwpS7pSOdnF2720SCJj7V0Ci5lijrJS +z2klub/HC+YWunOR/NzMh9KPrdVD/UUm17VX/mXP31U +-> hen,g-grease Qg6] a X\b M[r_v^iK +neSxR7VWYbpUF4T0xYBS8T3PcnJWEK++hBJTrdv2u6h52c1v3MF0GTQvy9aoKKca +SLQDw7QpxA +--- 2dt1yCMXFxH1V1xXFG6NXW1NzlhcLX+8Ft1tFz5/k5Y +ǃ G팮v~u!<"c< z/QPSu3~l)Ay'H-fןOa \ No newline at end of file diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix index 4345c0a..e64090f 100644 --- a/modules/netbird-client.nix +++ b/modules/netbird-client.nix @@ -28,6 +28,7 @@ port str submodule + bool path ; 
@@ -63,10 +64,17 @@ in {
 '';
 };
- autoStart = mkEnableOption '' automatically starting this tunnel on startup.
- Need a setup key to work.
+ autoStart = mkEnableOption ''
+ automatically starting this tunnel on startup.
+ Needs a setup key to work.
 '';
+ userAccess = mkOption {
+ type = bool;
+ description = "Allow unprivileged users access to the control socket";
+ default = false;
+ };
+
 environmentFile = mkOption {
 type = path;
 description = "An additional environment file for this service.";
@@ -143,6 +151,19 @@ in {
 cfg.tunnels
 );
+ systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
+ _: {
+ stateDir,
+ userAccess,
+ ...
+ }: (nameValuePair "/run/${stateDir}" {
+ d.mode =
+ if userAccess
+ then "0755"
+ else "0750";
+ })
+ );
+
 systemd.services = mapAttrs' (
@@ -195,20 +216,20 @@ in {
 RestrictSUIDSGID = true;
 # Hardening
- CapabilityBoundingSet = "";
- PrivateUsers = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- ];
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@pkey"
- ];
+ #CapabilityBoundingSet = "";
+ #PrivateUsers = true;
+ #ProtectProc = "invisible";
+ #ProcSubset = "pid";
+ #RestrictAddressFamilies = [
+ # "AF_INET"
+ # "AF_INET6"
+ # "AF_NETLINK"
+ #];
+ #SystemCallArchitectures = "native";
+ #SystemCallFilter = [
+ # "@system-service"
+ # "@pkey"
+ #];
 UMask = "0077";
 };
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index a33788b..80a2ace 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
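Review bot: The description of the new `userAccess` option understates what it does: per the tmpfiles rule added at @@ -143 in this same file, enabling it changes this tunnel's `/run/${stateDir}` from 0750 to 0755, so every local user, not a particular group, gains traversal of the runtime directory. Suggest spelling that out so an operator knows what they are relaxing, e.g. `description = "Make this tunnel's runtime directory under /run world-traversable (0755 instead of 0750) so that unprivileged local users can reach the control socket.";`. Whether that alone is enough to reach the socket depends on the socket's own mode, which this option does not set.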
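Review bot: The `d.mode` toggle in the `10-netbird-access` rule only changes the directory bits, and the unit in the hunk at @@ -195 below still runs with `UMask = "0077"`, so a socket the client creates under `/run/${stateDir}` will come out with owner-only permissions unless netbird adjusts it itself; with `userAccess = true` the directory opens up but the socket may still be unreadable, which is worth verifying end to end rather than assuming. The rule also sets no `user`/`group`, so tmpfiles will create the directory root-owned; if the tunnel's unit runs as a dedicated user or declares `RuntimeDirectory` for the same path (neither is visible in this hunk), confirm which mechanism ends up owning the directory and deciding its mode. A short comment on the rule would make this reviewable later, e.g. `# Directory perms only; the socket's own mode is governed by the unit's UMask.`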
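Review bot: Every sandboxing directive in the `# Hardening` block (`CapabilityBoundingSet`, `PrivateUsers`, `ProtectProc`, `ProcSubset`, `RestrictAddressFamilies`, `SystemCallArchitectures`, `SystemCallFilter`) is commented out at once with no note on which one broke the service, and the identical change is made in modules/netbird-server.nix at @@ -222. If the trigger on the client side was capability related — a client that brings up a tunnel interface presumably needs CAP_NET_ADMIN, which both `CapabilityBoundingSet = ""` and `PrivateUsers = true` take away — then `ProtectProc`, `ProcSubset`, `SystemCallArchitectures` and the address-family/syscall filters are independent of that and could stay, or be re-enabled one at a time. For the server module the reason presumably differs, so each module should carry its own explanation rather than the same silent block. At minimum the block should say why it is off and that it is meant to come back, e.g. `# Hardening temporarily disabled: <directive> breaks <symptom>; re-enable the rest individually.`. The attrset these directives live in starts before this hunk.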
@@ -222,20 +222,20 @@ in {
 RestrictSUIDSGID = true;
 # Hardening
- CapabilityBoundingSet = "";
- PrivateUsers = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- ];
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@pkey"
- ];
+ #CapabilityBoundingSet = "";
+ #PrivateUsers = true;
+ #ProtectProc = "invisible";
+ #ProcSubset = "pid";
+ #RestrictAddressFamilies = [
+ # "AF_INET"
+ # "AF_INET6"
+ # "AF_NETLINK"
+ #];
+ #SystemCallArchitectures = "native";
+ #SystemCallFilter = [
+ # "@system-service"
+ # "@pkey"
+ #];
 UMask = "0077";
 };
 unitConfig = {
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 69befe1..2a81340 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -17,7 +17,7 @@
 imports = [../netbird-client.nix];
 services.netbird.tunnels = {
- samba = {
+ netbird-samba = {
 environment.NB_MANAGEMENT_URL = "https://netbird.${config.secrets.secrets.global.domains.web}";
 autoStart = true;
 port = 56789;
@@ -63,6 +63,8 @@
 openFirewall = true;
 };
+ networking.nftables.firewall.zones.untrusted.interfaces = ["samba-patrick" "netbird-samba"];
+
 services.samba = {
 enable = true;
 securityType = "user";
@@ -84,10 +86,8 @@
 # Disable netbios support. We don't need to support browsing since all
 # clients hardcode the host and share names.
 "disable netbios = yes"
- # Deny access to all hosts by default.
- "hosts deny = 0.0.0.0/0"
 # Allow access to local network
- "hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost"
+ "hosts allow = 192.168.178. 10. localhost"
 "guest account = nobody"
 "map to guest = bad user"
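Review bot: The new `"hosts allow = 192.168.178. 10. localhost"` admits all of 10.0.0.0/8 where the old line only admitted `10.43.0.`; if the intent is to let peers on the NetBird overlay in, that overlay's real prefix is far narrower than a whole /8 and should be listed explicitly, e.g. `"hosts allow = 192.168.178. <netbird-overlay-prefix>. localhost"` (the prefix is not visible in this diff). Dropping `hosts deny = 0.0.0.0/0` is safe on its own, since Samba rejects any host outside a non-empty `hosts allow` even without a deny list, but the surviving comment `# Allow access to local network` now describes only half the list; suggest `# Allow access from the LAN and from the NetBird overlay network`. As far as I recall Samba's access check, loopback is admitted unless it is explicitly denied and not allowed, so removing `127.0.0.1` together with the deny-all line should keep local clients working, whereas removing only one of the two would not have been safe; worth a quick local connection test after deploy.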
@@ -322,15 +322,27 @@
 mode = "0660";
 };
 }));
- environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
- lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
- ${v."#persistRoot"}.directories = [
- {
- directory = "${v.path}";
- user = "${v."force user"}";
- group = "${v."force group"}";
- mode = "0770";
- }
- ];
- }));
+ environment.persistence = lib.mkMerge (lib.flatten [
+ (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
+ lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
+ ${v."#persistRoot"}.directories = [
+ {
+ directory = "${v.path}";
+ user = "${v."force user"}";
+ group = "${v."force group"}";
+ mode = "0770";
+ }
+ ];
+ }))
+ (lib.flip lib.mapAttrsToList config.services.netbird.tunnels (
+ _: v: {
+ "/state".directories = [
+ {
+ directory = "/var/lib/${v.stateDir}";
+ mode = "0770";
+ }
+ ];
+ }
+ ))
+ ]);
 }
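Review bot: The new NetBird persistence entry sets `mode = "0770"` but no `user`/`group`, unlike the Samba-share entry directly above it which sets both, so `/var/lib/${v.stateDir}` will get the persistence module's default owner (presumably root) and the group-write bit grants nothing the service can use. That directory holds the tunnel's state, which for a VPN client presumably includes its private key and configuration, so it deserves the tight end of the spectrum: set `user`/`group` to the account the tunnel's unit runs as (not visible in this diff) and use `mode = "0700";`, which matches the `UMask = "0077"` the unit keeps. The persist root is also hard-coded to `"/state"` whereas the share entries take it from `v."#persistRoot"`; if that asymmetry is intended, a one-line comment saying why tunnels always persist under `/state` would help. The `environment.persistence` assignment sits inside a module body whose start and end lie outside this hunk.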