diff --git a/.gitignore b/.gitignore index 2fd12e8..169841b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .DS_Store __pycache__ +compose.override.yml # website website/gitea @@ -23,8 +24,8 @@ terraria/worlds terraria/password.txt # nas -nas/mount.json -nas/user.json +nas/*.json +nas/users.sh # backup data.zip diff --git a/README.md b/README.md index edfb91c..8d0d609 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Services deployed on [matthewtran.com](https://matthewtran.com). - minecraft - minecraft bedrock - terraria -- nas (LAN only) +- nas (`/share` on LAN) ## setup @@ -26,12 +26,14 @@ Services deployed on [matthewtran.com](https://matthewtran.com). 5. Configure, build, and start services. - Create `website/sendgrid.key` with a [SendGrid API key](https://app.sendgrid.com/settings/api_keys). - Create `terraria/password.txt` if needed. + - Create `nas/mounts.json` which contains a list of `"":""` for the SMB share. + - Create `nas/users.json` which contains a list of `"":""` for the SMB share. - `scripts/setup_repo.py` - Restore backups if needed. Make sure to set correct ownership. For example, `chown -R 2000:2000 website/gitea`. - `docker compose build` - `docker compose up -d` 6. Optionally, add additional drives. This script formats the drive as LUKS/BTRFS with the key file stored in `/opt/luks` and auto-mounts on boot. Make sure to backup the key file elsewhere. - - `scripts/setup_drive.py ` + - `scripts/setup_drive.py ` 7. Optionally, run `scripts/setup_peer.py ` for each WireGuard client. 8. Optionally, add the following DNS entries at the registrar. | hosts | type | data | diff --git a/nas/Dockerfile b/nas/Dockerfile index 2726056..46ab3da 100644 --- a/nas/Dockerfile +++ b/nas/Dockerfile 
@@ -6,11 +6,15 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone RUN apt-get update && apt-get -y upgrade RUN apt-get install -y samba +# create required files and user RUN groupadd -g 2003 me && useradd -u 2003 -g 2003 -m me USER me WORKDIR /home/me - -# TODO copy config files RUN mkdir share samba samba/log samba/lock samba/state samba/cache samba/pid samba/private samba/ncalrpc -COPY --chown=me:me smb.conf ./ -COPY --chown=me:me entry.sh ./ +COPY --chown=me:me smb.conf entry.sh ./ + +# create additional users +USER root +COPY users.sh ./ +RUN /bin/sh users.sh && rm users.sh +USER me diff --git a/nas/entry.sh b/nas/entry.sh index 47c37ad..35f285c 100644 --- a/nas/entry.sh +++ b/nas/entry.sh @@ -1,4 +1,6 @@ #!/bin/sh -# TODO sigterm? -smbd -s smb.conf -l=/home/me/samba/log --foreground --no-process-group +smbd -s smb.conf -l=/home/me/samba/log +trap 'echo "stopping smbd..."' TERM +tail -f /dev/null & +wait $! diff --git a/nas/smb.conf b/nas/smb.conf index b843d2a..45d5eb7 100644 --- a/nas/smb.conf +++ b/nas/smb.conf @@ -1,7 +1,26 @@ [global] workgroup = WORKGROUP -min protocol = SMB3 smb ports = 8445 +load printers = no +disable spoolss = yes + +server role = standalone +security = user +passdb backend = tdbsam +map to guest = Never + +server min protocol = SMB3 +server smb encrypt = required +server smb3 encryption algorithms = AES-256-GCM +server smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256 +server signing = mandatory + +client min protocol = SMB3 +client smb encrypt = required +client smb3 encryption algorithms = AES-256-GCM +client smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256 +client signing = required +client ipc signing = required lock directory = /home/me/samba/lock state directory = /home/me/samba/state @@ -17,8 +36,5 @@ directory mask = 0770 force user = me force group = me -# TODO auth + encrypt -guest ok = yes - [share] path = /home/me/share 
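Review bot: `COPY users.sh ./` stores the generated script — which carries each SMB user's plaintext password — in its own image layer, so the `rm users.sh` in the following `RUN` only hides it from the final filesystem; the earlier layer is still readable via `docker history`/`docker save`. Running the script from a build-time mount keeps it out of every layer, e.g. `RUN --mount=type=bind,source=users.sh,target=/tmp/users.sh /bin/sh /tmp/users.sh` (BuildKit) in place of the `COPY`/`RUN` pair. The tdbsam that `pdbedit` populates still ends up inside the image with the password hashes, so the built image presumably has to be treated as confidential and not pushed to a shared registry. A comment such as `# users.sh is generated by scripts/setup_repo.py and contains credentials` above the block would make that explicit.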
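Review bot: On `docker stop` the new `trap` only echoes: the shell is PID 1, `wait $!` returns once the TERM trap has run, the script exits, and the runtime then SIGKILLs the detached smbd (the first line no longer passes `--foreground`, so smbd daemonizes), which is no cleaner than before. Replacing the four lines with `exec smbd -s smb.conf -l=/home/me/samba/log --foreground --no-process-group` makes smbd PID 1 so it receives and handles SIGTERM itself, which is what the removed `# TODO sigterm?` was about. If the background form is kept, the trap has to forward the signal to smbd's pid rather than just print a message.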
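Review bot: `server smb3 encryption algorithms = AES-256-GCM` together with `server smb encrypt = required` refuses any client that only implements AES-128-GCM/CCM — presumably older Windows 10 builds and some third-party SMB stacks — at negotiate time rather than downgrading; if that is intended, a comment such as `# AES-256-GCM only: clients without it are refused, not downgraded` would record the decision. The `client ...` block only governs connections made from this host with Samba's own client code (smbclient, winbind), not the clients of this share, so it is harmless but does not tighten the server side.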
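Review bot: `[share]` has no `valid users` line, so with `security = user` and `map to guest = Never` every account in the tdbsam can open it, and the context lines `force user = me` / `force group = me` make every file owned by `me` regardless of who wrote it — the per-user unix accounts created by users.sh give authentication but no isolation between users. If a single shared pool is the intent that is fine; otherwise add `valid users = <users or @group>` under `[share]`. The remainder of the `[share]` section is outside the hunk.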
diff --git a/scripts/setup_repo.py b/scripts/setup_repo.py index 4f8cb2b..55685df 100755 --- a/scripts/setup_repo.py +++ b/scripts/setup_repo.py @@ -1,5 +1,6 @@ #!/usr/bin/env python3 +import json import shutil from pathlib import Path @@ -26,5 +27,23 @@ if __name__ == "__main__": Path(p).mkdir(parents=True, exist_ok=True) shutil.chown(p, group=group) - # TODO generate volumes to mount - # TODO generate users + # add users to nas + users = json.load(open("nas/users.json", "r")) + with open("nas/users.sh", "w") as f: + for id, user in enumerate(users): + id = 3000 + id + f.write(f"groupadd -g {id} {user}\n") + f.write(f"useradd -M -s /bin/false -u {id} -g {id} {user}\n") + f.write(f"su - me -c 'echo \"{users[user]}\\n{users[user]}\\n\" | pdbedit -s smb.conf -a {user}'\n") + + # add volumes to nas + mounts = json.load(open("nas/mounts.json")) + with open("compose.override.yml", "w") as f: + if mounts: + f.writelines(s + "\n" for s in [ + "services:", + " nas:", + " volumes:", + ] + [ + f" - {mounts[m]}:/home/me/share/{m}" for m in mounts + ])
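Review bot: The users.sh generator writes each plaintext password into a shell command without quoting and into a file created with the default umask, so a password containing `'`, `"`, `$` or a backtick breaks (or is executed by) `su - me -c '...'`, and the file is typically world-readable until the Dockerfile deletes it. Quoting every value with `shlex.quote`, creating the file with mode `0o600`, and using `printf` instead of relying on the login shell's `echo` to interpret `\n` fixes all three; `id` also shadows the builtin and is rebound inside the loop, and both `json.load(open(...))` calls leave the file handle to the garbage collector. `open("compose.override.yml", "w")` truncates before the `if mounts:` check, so an empty mounts.json leaves a zero-byte override file, which docker compose may reject — presumably the file should be removed in that case instead. The rewrite below needs `import os` and `import shlex` added to the import block in the first hunk; the enclosing `if __name__ == "__main__":` block starts outside this hunk.
```python
    # add users to nas
    with open("nas/users.json") as f:
        users = json.load(f)
    # the script holds plaintext passwords: create it 0600 and shell-quote every value
    fd = os.open("nas/users.sh", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for uid, user in enumerate(users, start=3000):
            name, password = shlex.quote(user), shlex.quote(users[user])
            f.write(f"groupadd -g {uid} {name}\n")
            f.write(f"useradd -M -s /bin/false -u {uid} -g {uid} {name}\n")
            # same two-line password input as before, but printf does not depend on echo's \n handling
            inner = f"printf '%s\\n%s\\n' {password} {password} | pdbedit -s smb.conf -a {name}"
            f.write(f"su - me -c {shlex.quote(inner)}\n")

    # add volumes to nas
    with open("nas/mounts.json") as f:
        mounts = json.load(f)
    # … unchanged: compose.override.yml generation (guard the open so an empty mounts.json leaves no empty file) …
```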