fix(media): resolve arr stack deployment failures

- prowlarr: remove serviceFilePerms (DynamicUser has no static user)
- sonarr/radarr: move media dir creation to system-level tmpfiles rules
  to avoid unsafe path transition from /torrents (qbittorrent:media)
- jellyseerr: override DynamicUser=false, create static user/group,
  use serviceFilePerms for ZFS-backed configDir permissions

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

services/jellyseerr.nix

@@ -10,6 +10,9 @@
     (lib.serviceMountWithZpool "jellyseerr" service_configs.zpool_ssds [
       service_configs.jellyseerr.configDir
     ])
+    (lib.serviceFilePerms "jellyseerr" [
+      "Z ${service_configs.jellyseerr.configDir} 0700 jellyseerr jellyseerr"
+    ])
   ];
 
   services.jellyseerr = {
@@ -18,10 +21,19 @@
     configDir = service_configs.jellyseerr.configDir;
   };
 
-  # Allow DynamicUser to write to custom configDir on ZFS
-  systemd.services.jellyseerr.serviceConfig.ReadWritePaths = [
-    service_configs.jellyseerr.configDir
-  ];
+  systemd.services.jellyseerr.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "jellyseerr";
+    Group = "jellyseerr";
+  };
+
+  users.users.jellyseerr = {
+    isSystemUser = true;
+    group = "jellyseerr";
+    home = service_configs.jellyseerr.configDir;
+  };
+
+  users.groups.jellyseerr = { };
 
   services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
     import ${config.age.secrets.caddy_auth.path}