The upstream module sets ProtectSystem=strict which makes the entire
filesystem read-only. ReadWritePaths is needed to allow the static
jellyseerr user to write to the ZFS-backed configDir.
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
- prowlarr: remove serviceFilePerms (DynamicUser has no static user)
- sonarr/radarr: move media dir creation to system-level tmpfiles rules
to avoid unsafe path transition from /torrents (qbittorrent:media)
- jellyseerr: override DynamicUser=false, create static user/group,
use serviceFilePerms for ZFS-backed configDir permissions
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
