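# NixOS module `holocron.ensure_perms`.
#
# When enabled, installs a oneshot systemd service plus a daily timer that
# reset ownership and modes on the archives, media and per-user trees under
# /holocron. The service defines no User=, so the script runs as root.
{ config, pkgs, lib, ... }:
let
  service = "ensure_perms";
  cfg = config.holocron.${service};

  # Trees whose ownership and modes are reset on every run.
  archives_path = "/holocron/archives";
  media_path = "/holocron/media";
  users_path = "/holocron/users";
in
{
  options.holocron.ensure_perms = {
    enable = lib.mkEnableOption "enables perms ensurence script";
  };

  config = lib.mkIf cfg.enable {
    # service to run periodically to reset the perms on all zpools
    # everything works fine without this, just for peace of mind
    # and to clean up the ownership from the arr stack in /holocron/media
    #
    # NOTE(review): this is a root job doing recursive chown/chmod. Consider
    # systemd sandboxing (ProtectSystem/ReadWritePaths, CapabilityBoundingSet)
    # once it has been tested against the actual dataset mounts.
    systemd.services.${service} = {
      description = "ensure file permissions for archives, media and user folders";

      # Also run once at boot, in addition to the timer below.
      wantedBy = [ "multi-user.target" ];

      # The unit type belongs in serviceConfig; there is no top-level `type`
      # option on a NixOS service.
      serviceConfig.Type = "oneshot";

      # ExecStart takes a command line, not inline script text, so the shell
      # code is supplied through `script`. NixOS runs that with `sh -e`; every
      # step therefore records its failure explicitly so that one bad entry
      # does not abort the remaining work, and the unit still ends up failed.
      script = ''
        status=0

        # Shared trees: root-owned, group read/write, setgid so new entries
        # inherit the group.
        # NOTE(review): -R 2770 also marks regular files setgid and
        # executable; split directories and files with find if only
        # directories should carry those bits.
        chown -R root:archives "${archives_path}" || status=1
        chmod -R 2770 "${archives_path}" || status=1

        chown -R root:media "${media_path}" || status=1
        chmod -R 2770 "${media_path}" || status=1

        # Per-user trees: the directory name is used as both owner and group.
        for user_dir in "${users_path}"/*; do
          # Only real directories. A symlink placed here would otherwise be
          # followed by [ -d ] and by chmod -R when passed as its argument,
          # pointing a root-run recursive chmod at the link target.
          if [ -L "$user_dir" ] || [ ! -d "$user_dir" ]; then
            continue
          fi

          user=$(basename -- "$user_dir")

          # The name is taken from the filesystem, so confirm it resolves to
          # an account before handing the tree to it.
          if ! id -u -- "$user" >/dev/null 2>&1; then
            echo "ensure_perms: no account named $user, skipping $user_dir" >&2
            continue
          fi

          # "--" keeps an unusual directory name from being parsed as an option.
          chown -R -- "$user:$user" "$user_dir" || status=1
          chmod -R 700 -- "$user_dir" || status=1
        done

        exit "$status"
      '';
    };

    # timer to run the service periodically (e.g., daily)
    systemd.timers.${service} = {
      description = "run script to ensure_perms daily";

      # Without this the timer unit is installed but never started.
      wantedBy = [ "timers.target" ];

      timerConfig = {
        OnCalendar = "daily"; # Can be adjusted to hourly, weekly, etc.
        # The unit to trigger is a [Timer] setting, not a top-level option.
        Unit = "${service}.service";
      };
    };
  };
}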