diff --git a/services/jellyseerr.nix b/services/jellyseerr.nix
index 95eabc9..e9bea70 100644
--- a/services/jellyseerr.nix
+++ b/services/jellyseerr.nix
@@ -10,6 +10,9 @@
 (lib.serviceMountWithZpool "jellyseerr" service_configs.zpool_ssds [
 service_configs.jellyseerr.configDir
 ])
+ (lib.serviceFilePerms "jellyseerr" [
+ "Z ${service_configs.jellyseerr.configDir} 0700 jellyseerr jellyseerr"
+ ])
 ];
 
 services.jellyseerr = {
@@ -18,10 +21,19 @@
 configDir = service_configs.jellyseerr.configDir;
 };
 
- # Allow DynamicUser to write to custom configDir on ZFS
- systemd.services.jellyseerr.serviceConfig.ReadWritePaths = [
- service_configs.jellyseerr.configDir
- ];
+ systemd.services.jellyseerr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "jellyseerr";
+ Group = "jellyseerr";
+ };
+
+ users.users.jellyseerr = {
+ isSystemUser = true;
+ group = "jellyseerr";
+ home = service_configs.jellyseerr.configDir;
+ };
+
+ users.groups.jellyseerr = { };
 
 services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
 import ${config.age.secrets.caddy_auth.path}
diff --git a/services/prowlarr.nix b/services/prowlarr.nix
index cd0e021..c5e9c69 100644
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -10,9 +10,6 @@
 (lib.serviceMountWithZpool "prowlarr" service_configs.zpool_ssds [
 service_configs.prowlarr.dataDir
 ])
- (lib.serviceFilePerms "prowlarr" [
- "Z ${service_configs.prowlarr.dataDir} 0700 prowlarr prowlarr"
- ])
 (lib.vpnNamespaceOpenPort service_configs.ports.prowlarr "prowlarr")
 ];
 
diff --git a/services/radarr.nix b/services/radarr.nix
index 5d29e00..fbd20e6 100644
--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -15,7 +15,6 @@
 ])
 (lib.serviceFilePerms "radarr" [
 "Z ${service_configs.radarr.dataDir} 0700 ${config.services.radarr.user} ${config.services.radarr.group}"
- "d ${service_configs.media.moviesDir} 0775 ${config.services.radarr.user} ${service_configs.media_group}"
 ])
 ];
 
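Review bot: The added `Z ... 0700 jellyseerr jellyseerr` rule in the first jellyseerr.nix hunk applies mode 0700 recursively, assuming `lib.serviceFilePerms` hands the string to systemd-tmpfiles unchanged (the helper is not shown here). That would make every regular file under the config directory, such as settings and database files, owner-executable on each run. tmpfiles.d accepts a `~` prefix that masks the new mode by the bits an existing entry already has, so `"Z ${service_configs.jellyseerr.configDir} ~0700 jellyseerr jellyseerr"` keeps directories traversable without adding the execute bit to data files. The rule also relies on the `jellyseerr` user and group that are declared only in the next hunk of this file, which deserves a short comment beside it.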
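Review bot: Forcing `DynamicUser` off in the new `serviceConfig` block also drops the sandboxing systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), and nothing in this hunk restates it. The upstream jellyseerr unit is not visible here, so it may already set some of these; if it sets `ProtectSystem=strict`, the `ReadWritePaths` entry this hunk deletes is still needed for a config directory outside the unit's state directory. I would restate the settings with `lib.mkDefault` so they cannot clash with upstream definitions, keep `ReadWritePaths`, and add a comment saying why a static user is required, since the old comment was removed without a replacement. The enclosing module attribute set starts and ends outside the hunk.

```nix
systemd.services.jellyseerr.serviceConfig = {
  # TODO(author): state why a static user is needed instead of DynamicUser.
  DynamicUser = lib.mkForce false;
  User = "jellyseerr";
  Group = "jellyseerr";

  # DynamicUser=yes implied these; restate them for the static user.
  ProtectSystem = lib.mkDefault "strict";
  ProtectHome = lib.mkDefault "read-only";
  PrivateTmp = lib.mkDefault true;
  RemoveIPC = lib.mkDefault true;
  NoNewPrivileges = lib.mkDefault true;
  RestrictSUIDSGID = lib.mkDefault true;

  # The only writable path outside the unit's own state directory.
  ReadWritePaths = [ service_configs.jellyseerr.configDir ];
};
# … unchanged: users.users.jellyseerr, users.groups.jellyseerr …
```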
diff --git a/services/sonarr.nix b/services/sonarr.nix
index 2e1d0d4..ac3da89 100644
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -15,10 +15,15 @@
 ])
 (lib.serviceFilePerms "sonarr" [
 "Z ${service_configs.sonarr.dataDir} 0700 ${config.services.sonarr.user} ${config.services.sonarr.group}"
- "d ${service_configs.media.tvDir} 0775 ${config.services.sonarr.user} ${service_configs.media_group}"
 ])
 ];
 
+ systemd.tmpfiles.rules = [
+ "d /torrents/media 2775 root ${service_configs.media_group} -"
+ "d ${service_configs.media.tvDir} 2775 root ${service_configs.media_group} -"
+ "d ${service_configs.media.moviesDir} 2775 root ${service_configs.media_group} -"
+ ];
+
 services.sonarr = {
 enable = true;
 dataDir = service_configs.sonarr.dataDir;
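Review bot: The first new `systemd.tmpfiles.rules` entry hard-codes `/torrents/media` while the two after it take their paths from `service_configs`, and all three shared-media rules now sit in sonarr.nix even though `moviesDir` is the directory radarr.nix stops managing in this same commit. With owner root and mode 2775, Sonarr and Radarr can write only through membership in `${service_configs.media_group}`, which this diff does not show. `d` adjusts only the directory itself, so existing content keeps its previous per-service owner and group. I would move the rules into a module that does not depend on sonarr.nix being imported, and add a comment such as `# Shared media tree: root-owned and setgid so new entries inherit media_group; services write via group membership`.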