diff --git a/modules/media.nix b/modules/media.nix
index d9d22c7..b70402e 100644
--- a/modules/media.nix
+++ b/modules/media.nix
@@ -142,8 +142,7 @@
 
               securityContext = {
                 fsGroup = 51;
-                # FIXME
-                fsGroupChangePolicy = "Always";
+                fsGroupChangePolicy = "OnRootMismatch";
               };
             };
           };
@@ -193,7 +192,7 @@
 
               securityContext = {
                 # TODO: don't hardcode this
-                fsGroup = 409;
+                fsGroup = 51;
                 fsGroupChangePolicy = "OnRootMismatch";
               };
             };
diff --git a/nixng-configurations/jellyseerr.nix b/nixng-configurations/jellyseerr.nix
index 71d757f..034306c 100644
--- a/nixng-configurations/jellyseerr.nix
+++ b/nixng-configurations/jellyseerr.nix
@@ -1,17 +1,20 @@
 {
   config,
+  lib,
   nglib,
   ...
 }: {
   dinit.enable = true;
-  init.services.jellyseerr.shutdownOnExit = true;
+  init.services.jellyseerr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };
 
   services.jellyseerr = {
     enable = true;
     configDir = "/app/config";
   };
 
-  # TODO: should actually make this the main GID I think
   users.groups.media = nglib.mkDefaultRec {
     gid = config.ids.gids.media;
     members = ["jellyseerr"];
diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix
index 94def37..c5e5ffe 100644
--- a/nixng-modules/bazarr.nix
+++ b/nixng-modules/bazarr.nix
@@ -26,6 +26,7 @@ in {
       group = lib.mkDefault "bazarr";
 
       script = pkgs.writeShellScript "bazarr-run" ''
+        umask 0002
         ${lib.getExe cfg.package} \
           --no-update \
           --config '${cfg.configDir}'
diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix
index cfe64b1..745ba4c 100644
--- a/nixng-modules/jellyseerr.nix
+++ b/nixng-modules/jellyseerr.nix
@@ -34,7 +34,10 @@ in {
   config = lib.mkIf cfg.enable {
     init.services.jellyseerr = {
       enabled = true;
-      script = lib.getExe cfg.package;
+      script = pkgs.writeShellScript "jellyseerr-run" ''
+        umask 0002
+        ${lib.getExe cfg.package}
+      '';
       user = lib.mkDefault "jellyseerr";
       group = lib.mkDefault "jellyseerr";
     };
@@ -48,15 +51,15 @@ in {
       };
     };
 
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "jellyseerr") (nglib.mkDefaultRec {
       description = "jellyseerr";
       group = cfgInit.group;
       createHome = false;
       home = "/var/empty";
       useDefaultShell = true;
       uid = config.ids.uids.jellyseerr;
-    };
+    });
 
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "jellyseerr") (nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;});
   };
 }
diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix
index dfcfa9f..965f387 100644
--- a/nixng-modules/radarr.nix
+++ b/nixng-modules/radarr.nix
@@ -26,6 +26,7 @@ in {
       group = lib.mkDefault "radarr";
 
       script = pkgs.writeShellScript "radarr-run.sh" ''
+        umask 0002
         ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}'
       '';
     };
diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix
index 68ee377..425033f 100644
--- a/nixng-modules/sonarr.nix
+++ b/nixng-modules/sonarr.nix
@@ -26,6 +26,7 @@ in {
       group = lib.mkDefault "sonarr";
 
       script = pkgs.writeShellScript "sonarr-run" ''
+        umask 0002
         ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir}
       '';
     };