diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix index 2445646..be90d8d 100644 --- a/hosts/snowbelle/configuration.nix +++ b/hosts/snowbelle/configuration.nix @@ -88,40 +88,37 @@ # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ - 80 # http - 111 # portmapper for nfs - 139 # smb - 443 # https - 445 # cifs - 1883 - 2049 # nfs - 2222 # syncthing - 3030 # jellyfin - 3131 # audiobookshelf - 3232 # - 3333 # qbittorrent - 3434 # yacreader - 3535 # prowlarr - 3636 # sonarr - 3737 # radarr - 3838 # bazarr - 3939 # flaresolverr - 3923 # copyparty - 4141 # hass - 4142 # mqtt - 4242 # immich - 4444 # gitea - 5050 # kiwix - 5656 # archivebox - 7070 # vaultwarden - 7567 # gitea ssh - 7777 # glance - 8080 # nginx webui - 8181 # uptime kuma - 25777 # minecraft - 25565 - 25566 - 25567 + 80 # set - http + 111 # set - portmapper for nfs + 139 # set - smb + 443 # set - https + 445 # set - cifs + 1883 # set - mqtt + 2049 # set - nfs + 2222 # srv - syncthing + 7100 # srv - jellyfin + 7101 # srv - audiobookshelf + 7102 # srv - yacreader + 7103 # srv - qbittorrent + 7104 # srv - prowlarr + 7105 # srv - sonarr + 7106 # srv - radarr + 7107 # srv - bazarr + 7108 # srv - flaresolverr + 5701 # srv - archivebox + 7502 # srv - kiwix + 7567 # srv - gitea ssh + 7700 # srv - glance + 7701 # srv - vaultwarden + 7702 # srv - immich + 7703 # srv - gitea + 7704 # srv - hass + 7705 # srv - zigbee2mqtt + 7901 # srv - uptime kuma + 25777 # srv - minecraft + 25565 # ^ ^ ^ + 25566 # | | | + 25567 # | | | ]; networking.firewall.allowedUDPPorts = [ 51820 ]; diff --git a/modules/homelab/services/.template.nix b/modules/homelab/services/.template.nix deleted file mode 100644 index 49423f5..0000000 --- a/modules/homelab/services/.template.nix +++ /dev/null 
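Review bot: The `srv` entries added to `networking.firewall.allowedTCPPorts` (7100–7108, 7502, 7700–7705, 7901 and the rest) open every backend service port on all interfaces. If these services are meant to be reached through the nginx virtual hosts on 443, as the `proxyPass = "http://127.0.0.1:8096"` pattern elsewhere in this commit suggests, the backend ports do not need to be in this list and could be dropped so that only the TLS front end is exposed. The file-sharing and broker ports (111, 139, 445, 2049, 1883) would be better scoped to the trusted interface, e.g. `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ 111 139 445 1883 2049 ];`, instead of the global list. Separately, `5701 # srv - archivebox` sits next to `7502 # srv - kiwix` and breaks the 7xxx numbering, so it looks like a typo for 7501; if it is, the firewall opens an unused port while the real one stays closed.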
@@ -1,21 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
- cfg = config.modules.services.;
-in
-{
- options.modules.system.docker = {
- enable = lib.mkEnableOption "enables ";
-# extra options
-# mode = lib.mkOption {
-# type = lib.types.enum [ "server" "client" ];
-# default = "client";
-# description = "whether syncthing should run as a client (user) or server (system-wide).";
-# };
-
- };
-
- config = lib.mkIf cfg.enable {
-
- };
-}
diff --git a/modules/homelab/services/default.nix.template b/modules/homelab/services/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/default.nix.template
@@ -0,0 +1,61 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.services.; + ids = ; +in +{ + options.modules.services. = { + enable = lib.mkEnableOption "enables "; +# extra options +# mode = lib.mkOption { +# type = lib.types.enum [ "server" "client" ]; +# default = "client"; +# description = "whether syncthing should run as a client (user) or server (system-wide)."; +# }; + + }; + + config = lib.mkIf cfg.enable { + + # declare group + users.groups. = { gid = ids; }; + + # declare user + users.users. = { + description = " media server user"; + uid = ids; + isSystemUser = true; + home = "/var/lib/"; + createHome = true; + group = ""; + extraGroups = [ "media" "video" "render" ]; + }; + + # enable the service + services. = { + enable = true; + openFirewall = true; # Opens 8096/8920 automatically + user = ""; # Default: + group = ""; # Default: + dataDir = "/var/lib/"; # Config + metadata storage + }; + + # override umask to make permissions work out + systemd.services..serviceConfig = { UMask = lib.mkForce "0007"; }; + + # open firewall + #networking.firewall.allowedTCPPorts = [ 8096 ]; + + # reverse proxy entryo + services.nginx.virtualHosts."media.blakedheld.xyz" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:8096"; + }; + }; + }; +} diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix index c61f589..be6583d 100644 --- a/modules/homelab/services/jellyfin/default.nix +++ b/modules/homelab/services/jellyfin/default.nix @@ -2,6 +2,7 @@ let cfg = config.modules.services.jellyfin; + ids = 701; in { options.modules.services.jellyfin = { 
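Review bot: `openFirewall = true;` in the `services.` block of default.nix.template exposes each service's plaintext backend port directly, which sidesteps the `forceSSL` nginx virtual host that proxies to `127.0.0.1:8096` a few lines further down. Every new service module will presumably be copied from this file, so the safer scaffold default is `openFirewall = false;`, leaving only the proxy reachable. Likewise `extraGroups = [ "media" "video" "render" ];` gives every templated service user access to the GPU device groups; I would leave the list empty in the template with a comment such as `# add "video" "render" only for services that need hardware transcoding`. The jellyfin-specific leftovers (`# Opens 8096/8920 automatically`, `"media.blakedheld.xyz"`, port 8096) would be better as obvious placeholders so that a copied module cannot silently reuse jellyfin's vhost and port.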
@@ -18,12 +19,12 @@ in config = lib.mkIf cfg.enable { # declare jellyfin group - users.groups.jellyfin = { gid = 701; }; + users.groups.jellyfin = { gid = ids; }; # declare jellyfin user users.users.jellyfin = { description = "jellyfin media server user"; - uid = 701; + uid = ids; isSystemUser = true; home = "/var/lib/jellyfin"; createHome = true;