diff --git a/modules/homelab/services/arr/bazarr/default.nix.template b/modules/homelab/services/arr/bazarr/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/arr/bazarr/default.nix.template
@@ -0,0 +1,61 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "<service_name>";          # Default: <service_name>
+      group = "<service_name>";         # Default: <service_name>
+      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 8096 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+      };
+    };
+  };
+}
diff --git a/modules/homelab/services/arr/flaresolverr/default.nix.template b/modules/homelab/services/arr/flaresolverr/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/arr/flaresolverr/default.nix.template
@@ -0,0 +1,61 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "<service_name>";          # Default: <service_name>
+      group = "<service_name>";         # Default: <service_name>
+      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 8096 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+      };
+    };
+  };
+}
diff --git a/modules/homelab/services/arr/prowlarr/default.nix.template b/modules/homelab/services/arr/prowlarr/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/arr/prowlarr/default.nix.template
@@ -0,0 +1,61 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "<service_name>";          # Default: <service_name>
+      group = "<service_name>";         # Default: <service_name>
+      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 8096 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+      };
+    };
+  };
+}
diff --git a/modules/homelab/services/arr/radarr/default.nix.template b/modules/homelab/services/arr/radarr/default.nix.template
new file mode 100644
index 0000000..36e7d24
--- /dev/null
+++ b/modules/homelab/services/arr/radarr/default.nix.template
@@ -0,0 +1,61 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.<service_name>;
+  ids = <gid_and_uid_number>;
+in
+{
+  options.modules.services.<service_name> = {
+    enable = lib.mkEnableOption "enables <service_name>";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare <service_name> group
+    users.groups.<service_name> = { gid = ids; };
+
+    # declare <service_name> user
+    users.users.<service_name> = {
+      description = "<service_name> media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/<service_name>";
+      createHome = true;
+      group = "<service_name>";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the <service_name> service
+    services.<service_name> = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "<service_name>";          # Default: <service_name>
+      group = "<service_name>";         # Default: <service_name>
+      dataDir = "/var/lib/<service_name>"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.<service_name>.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 8096 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+      };
+    };
+  };
+}
diff --git a/modules/homelab/services/arr/sonarr/default.nix b/modules/homelab/services/arr/sonarr/default.nix
new file mode 100644
index 0000000..935673e
--- /dev/null
+++ b/modules/homelab/services/arr/sonarr/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.sonarr;
+  ids = 2005;
+in
+{
+  options.modules.services.sonarr = {
+    enable = lib.mkEnableOption "enables sonarr";
+#    extra options
+#    mode = lib.mkOption {
+#      type = lib.types.enum [ "server" "client" ];
+#      default = "client";
+#      description = "whether syncthing should run as a client (user) or server (system-wide).";
+#    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare sonarr group
+    users.groups.sonarr = { gid = ids; };
+
+    # declare sonarr user
+    users.users.sonarr = {
+      description = "sonarr media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/sonarr";
+      createHome = true;
+      group = "sonarr";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the sonarr service
+    services.sonarr = {
+      enable = true;
+      openFirewall = true;          
+      user = "sonarr";              
+      group = "sonarr";             
+      dataDir = "/var/lib/sonarr";  
+      settings = {
+        server.port = 7105;    # default: 8989
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.sonarr.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    #networking.firewall.allowedTCPPorts = [ 7105 ];
+
+    # reverse proxy entryo
+    services.nginx.virtualHosts."sonarr.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:7105";
+      };
+    };
+  };
+}