diff --git a/nix/machines/hopper/default.nix b/nix/machines/hopper/default.nix
index 1b6a8d5..0a323ad 100644
--- a/nix/machines/hopper/default.nix
+++ b/nix/machines/hopper/default.nix
@@ -4,7 +4,7 @@ inputs.vpn-confinement.nixosModules.default ./hardware.nix - ./newlab.nix + ./lab ../../systemProfiles/secrets/default.nix ../../systemProfiles/secrets/hopper/default.nix
diff --git a/nix/machines/hopper/newlab.nix b/nix/machines/hopper/lab/default.nix
similarity index 89%
rename from nix/machines/hopper/newlab.nix
rename to nix/machines/hopper/lab/default.nix
index 4378efb..113a236 100644
--- a/nix/machines/hopper/newlab.nix
+++ b/nix/machines/hopper/lab/default.nix
@@ -15,6 +15,10 @@ ncPort = 46523; kanidmPort = 8300; in { + imports = [ + ./samba.nix + ]; + ## TODO use kanidm ## TODO use impermanence ## TODO setup fail2ban mayb
@@ -117,14 +121,11 @@ in { config.services.transmission.settings.rpc-port 80 # homepage ]; - in - (l.map (x: { - from = x; - to = x; - }) - passthrough) - ++ [ - ]; + in (l.map (x: { + from = x; + to = x; + }) + passthrough); }; networking.firewall = {
@@ -436,70 +437,6 @@ in { credentialsFile = config.sops.secrets.transmission.path; }; - # only used for samba - users.groups.xun = {}; - users.users.xun = { - isSystemUser = true; - group = "xun"; - extraGroups = ["transmission" "vault" "media"]; - }; - - users.groups.vault = {}; - systemd.tmpfiles.rules = [ - "d /srv/vault 0770 root vault -" - ]; - services.samba = { - enable = true; - openFirewall = true; - settings = { - global = { - "log level" = 6; - "log file" = "/var/log/samba/samba.log"; - "server string" = config.networking.hostName; - "hosts allow" = "192.168.50.0/24"; - "map to guest" = "bad user"; - }; - transmission = { - path = "/var/lib/transmission"; - browseable = "yes"; - "read only" = "yes"; - "guest ok" = "no"; - "create mask" = "0664"; - "directory mask" = "0775"; - }; - vault = { - path = "/srv/vault"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0660"; - "directory mask" = "0770"; - "force user" = "xun"; - "force group" = "xun"; - }; - slskd = { - path = "/var/lib/slskd"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0660"; - "directory mask" = "0770"; - "force user" = "slskd"; - "force group" = "slskd"; - }; - library = { - path = "media/library"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0666"; - "directory mask" = "0777"; - "force user" = "media"; - "force group" = "media"; - }; - }; - }; - # TODO use this for sso with some things maybe # services.tailscaleAuth = { # enable = true;
diff --git a/nix/machines/hopper/lab/samba.nix b/nix/machines/hopper/lab/samba.nix
new file mode 100644
index 0000000..fac3f70
--- /dev/null
+++ b/nix/machines/hopper/lab/samba.nix
@@ -0,0 +1,65 @@
+{config, ...}: {
+ # only used for samba
+ users.groups.xun = {};
+ users.users.xun = {
+ isSystemUser = true;
+ group = "xun";
+ extraGroups = ["transmission" "vault" "media"];
+ };
+
+ users.groups.vault = {};
+ systemd.tmpfiles.rules = [
+ "d /srv/vault 0770 root vault -"
+ ];
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ "log level" = 6;
+ "log file" = "/var/log/samba/samba.log";
+ "server string" = config.networking.hostName;
+ "hosts allow" = "192.168.50.0/24";
+ "map to guest" = "bad user";
+ };
+ transmission = {
+ path = "/var/lib/transmission";
+ browseable = "yes";
+ "read only" = "yes";
+ "guest ok" = "no";
+ "create mask" = "0664";
+ "directory mask" = "0775";
+ };
+ vault = {
+ path = "/srv/vault";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0660";
+ "directory mask" = "0770";
+ "force user" = "xun";
+ "force group" = "xun";
+ };
+ slskd = {
+ path = "/var/lib/slskd";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0660";
+ "directory mask" = "0770";
+ "force user" = "slskd";
+ "force group" = "slskd";
+ };
+ library = {
+ path = "media/library";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0666";
+ "directory mask" = "0777";
+ "force user" = "media";
+ "force group" = "media";
+ };
+ };
+ };
+}
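Review bot: In the new samba.nix the `library` share is looser than its siblings and its path looks mistyped: `path = "media/library"` is relative where every other share is absolute, and `"create mask" = "0666"` with `"directory mask" = "0777"` allows files and directories written over SMB to end up writable by every local account. If the leading slash was dropped, restore the absolute path (not shown on this page) and bring the masks in line with `vault` and `slskd`: `"create mask" = "0660";` and `"directory mask" = "0770";`. In `global`, `"map to guest" = "bad user"` turns a login with an unknown username into a guest session even though every share sets `"guest ok" = "no"`; `"map to guest" = "never"` rejects such logins instead. The block is moved unchanged from newlab.nix, so these settings predate the commit, and `openFirewall = true` leaves `"hosts allow" = "192.168.50.0/24"` as the only network restriction visible here.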