diff --git a/services/gitea.nix b/services/gitea.nix
index 69647a9..0bd615d 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -31,7 +31,7 @@
   };
 
   systemd.tmpfiles.rules = [
-    "d ${config.services.gitea.stateDir} 0755 ${config.services.gitea.user} ${config.services.gitea.group}"
+    "d ${config.services.gitea.stateDir} 0750 ${config.services.gitea.user} ${config.services.gitea.group}"
   ];
 
   services.postgresql = {
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 485f900..30bffb1 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -14,6 +14,7 @@
 
   services.jellyfin = rec {
     enable = true;
+
     # used for local streaming
     openFirewall = true;
 
@@ -21,6 +22,11 @@
     cacheDir = dataDir + "_cache";
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${config.services.jellyfin.dataDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+    "d ${config.services.jellyfin.cacheDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+  ];
+
   users.users.${config.services.jellyfin.user}.extraGroups = [
     "video"
     "render"
diff --git a/services/minecraft.nix b/services/minecraft.nix
index 7040e27..06adeb3 100644
--- a/services/minecraft.nix
+++ b/services/minecraft.nix
@@ -114,7 +114,7 @@ in
   };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0755 minecraft minecraft"
+    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 minecraft minecraft"
   ];
 
   users.users.${username}.extraGroups = [
diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix
index a22d5b3..7723729 100644
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -26,22 +26,26 @@
     enable = true;
     package = pkgs.qbittorrent-nox;
     webuiPort = service_configs.ports.torrent;
+
     serverConfig.LegalNotice.Accepted = true;
-    serverConfig.Preferences.WebUI = {
-      AlternativeUIEnabled = true;
-      RootFolder = "${pkgs.fetchzip {
-        url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.18.0/vuetorrent.zip";
-        sha256 = "Z+N1RgcF67R6hWEfmfBls1+YLWkhEJQuOVqXXJCyptE=";
-      }}";
 
-      # disable auth because we use caddy for auth
-      AuthSubnetWhitelist = "0.0.0.0/0";
-      AuthSubnetWhitelistEnabled = true;
-    };
+    serverConfig.Preferences = {
+      WebUI = {
+        AlternativeUIEnabled = true;
+        RootFolder = "${pkgs.fetchzip {
+          url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.18.0/vuetorrent.zip";
+          sha256 = "Z+N1RgcF67R6hWEfmfBls1+YLWkhEJQuOVqXXJCyptE=";
+        }}";
 
-    serverConfig.Preferences.Downloads = {
-      SavePath = service_configs.torrent.SavePath;
-      TempPath = service_configs.torrent.TempPath;
+        # disable auth because we use caddy for auth
+        AuthSubnetWhitelist = "0.0.0.0/0";
+        AuthSubnetWhitelistEnabled = true;
+      };
+
+      Downloads = {
+        SavePath = service_configs.torrent.SavePath;
+        TempPath = service_configs.torrent.TempPath;
+      };
     };
 
     serverConfig.BitTorrent.Session = {