diff --git a/modules/media.nix b/modules/media.nix
index 1cb753a..d9d22c7 100644
--- a/modules/media.nix
+++ b/modules/media.nix
@@ -108,7 +108,7 @@
 
             spec = {
               containers.deluge = {
-                image = globals.images.deluge;
+                image = utils.mkNixNGImage "deluge";
                 imagePullPolicy = "IfNotPresent";
 
                 env = {
@@ -139,6 +139,12 @@
                 config.persistentVolumeClaim.claimName = "deluge";
                 media.persistentVolumeClaim.claimName = "media";
               };
+
+              securityContext = {
+                fsGroup = 51;
+                # FIXME
+                fsGroupChangePolicy = "Always";
+              };
             };
           };
         };
diff --git a/nixng-configurations/bazarr.nix b/nixng-configurations/bazarr.nix
index 03d7b6a..703ee94 100644
--- a/nixng-configurations/bazarr.nix
+++ b/nixng-configurations/bazarr.nix
@@ -1,9 +1,23 @@
-{...}: {
+{
+  lib,
+  nglib,
+  config,
+  ...
+}: {
   dinit.enable = true;
-  init.services.bazarr.shutdownOnExit = true;
+
+  init.services.bazarr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };
 
   services.bazarr = {
     enable = true;
     configDir = "/config";
   };
+
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["bazarr"];
+  };
 }
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index c42e58e..9fa19e8 100644
--- a/nixng-configurations/default.nix
+++ b/nixng-configurations/default.nix
@@ -22,6 +22,7 @@ flake-utils.lib.eachDefaultSystem (system: let
     bazarr = ./bazarr.nix;
     prowlarr = ./prowlarr.nix;
     blog = ./blog.nix;
+    deluge = ./deluge.nix;
   };
 in {
   nixngConfigurations = builtins.mapAttrs (name: configFile:
@@ -43,6 +44,7 @@ in {
         self.nixngModules.radarr
         self.nixngModules.sonarr
         self.nixngModules.prowlarr
+        self.nixngModules.deluge
         {
           nixpkgs.overlays = [
             (final: _prev: {
diff --git a/nixng-configurations/deluge.nix b/nixng-configurations/deluge.nix
new file mode 100644
index 0000000..3f44f37
--- /dev/null
+++ b/nixng-configurations/deluge.nix
@@ -0,0 +1,30 @@
+{
+  config,
+  nglib,
+  lib,
+  ...
+}: {
+  dinit.enable = true;
+  init.services = {
+    deluged = {
+      shutdownOnExit = true;
+      group = lib.mkForce "media";
+    };
+
+    deluge-web = {
+      shutdownOnExit = true;
+      group = lib.mkForce "media";
+    };
+  };
+
+  services.deluge = {
+    enable = true;
+    configDir = "/config";
+    web.enable = true;
+  };
+
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["deluge"];
+  };
+}
diff --git a/nixng-configurations/jellyseerr.nix b/nixng-configurations/jellyseerr.nix
index b86802e..71d757f 100644
--- a/nixng-configurations/jellyseerr.nix
+++ b/nixng-configurations/jellyseerr.nix
@@ -1,4 +1,8 @@
-{...}: {
+{
+  config,
+  nglib,
+  ...
+}: {
   dinit.enable = true;
   init.services.jellyseerr.shutdownOnExit = true;
 
@@ -6,4 +10,10 @@
     enable = true;
     configDir = "/app/config";
   };
+
+  # TODO: should actually make this the main GID I think
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["jellyseerr"];
+  };
 }
diff --git a/nixng-configurations/prowlarr.nix b/nixng-configurations/prowlarr.nix
index e12e1bb..7214747 100644
--- a/nixng-configurations/prowlarr.nix
+++ b/nixng-configurations/prowlarr.nix
@@ -1,9 +1,22 @@
-{...}: {
+{
+  lib,
+  nglib,
+  config,
+  ...
+}: {
   dinit.enable = true;
-  init.services.prowlarr.shutdownOnExit = true;
+  init.services.prowlarr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };
 
   services.prowlarr = {
     enable = true;
     dataDir = "/config";
   };
+
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["prowlarr"];
+  };
 }
diff --git a/nixng-configurations/radarr.nix b/nixng-configurations/radarr.nix
index c647100..21cd30a 100644
--- a/nixng-configurations/radarr.nix
+++ b/nixng-configurations/radarr.nix
@@ -1,9 +1,22 @@
-{...}: {
+{
+  lib,
+  nglib,
+  config,
+  ...
+}: {
   dinit.enable = true;
-  init.services.radarr.shutdownOnExit = true;
+  init.services.radarr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };
 
   services.radarr = {
     enable = true;
     dataDir = "/config";
   };
+
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["radarr"];
+  };
 }
diff --git a/nixng-configurations/sonarr.nix b/nixng-configurations/sonarr.nix
index b98f9cf..f756fde 100644
--- a/nixng-configurations/sonarr.nix
+++ b/nixng-configurations/sonarr.nix
@@ -1,9 +1,22 @@
-{...}: {
+{
+  lib,
+  config,
+  nglib,
+  ...
+}: {
   dinit.enable = true;
-  init.services.sonarr.shutdownOnExit = true;
+  init.services.sonarr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };
 
   services.sonarr = {
     enable = true;
     dataDir = "/config";
   };
+
+  users.groups.media = nglib.mkDefaultRec {
+    gid = config.ids.gids.media;
+    members = ["sonarr"];
+  };
 }
diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix
index e063d18..94def37 100644
--- a/nixng-modules/bazarr.nix
+++ b/nixng-modules/bazarr.nix
@@ -34,15 +34,15 @@ in {
 
     environment.systemPackages = [cfg.package];
 
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "bazarr") (nglib.mkDefaultRec {
       description = "bazarr";
       group = cfgInit.group;
       createHome = false;
       home = "/var/empty";
       useDefaultShell = true;
       uid = config.ids.uids.bazarr;
-    };
+    });
 
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.bazarr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "bazarr") (nglib.mkDefaultRec {gid = config.ids.gids.bazarr;});
   };
 }
diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix
index c2dcd85..63903ab 100644
--- a/nixng-modules/default.nix
+++ b/nixng-modules/default.nix
@@ -7,5 +7,6 @@
     sonarr = import ./sonarr.nix;
     prowlarr = import ./prowlarr.nix;
     ids = import ./ids.nix;
+    deluge = import ./deluge.nix;
   };
 }
diff --git a/nixng-modules/deluge.nix b/nixng-modules/deluge.nix
new file mode 100644
index 0000000..db5917e
--- /dev/null
+++ b/nixng-modules/deluge.nix
@@ -0,0 +1,85 @@
+{
+  lib,
+  nglib,
+  config,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.deluge;
+  cfgInit = config.init.services.deluged;
+in {
+  options.services.deluge = {
+    enable = lib.mkEnableOption "deluge";
+    package = lib.mkPackageOption pkgs "deluge-2_x" {};
+
+    configDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/deluge";
+
+      description = ''
+        Directory for Deluge's run-time configuration
+      '';
+    };
+
+    web = {
+      enable = lib.mkEnableOption "Deluge web daemon";
+
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 8112;
+        description = ''
+          Deluge web UI port
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    init.services = {
+      deluged = {
+        enabled = true;
+        user = lib.mkDefault "deluge";
+        group = lib.mkDefault "deluge";
+        tmpfiles = with nglib.nottmpfiles.dsl; [(d cfg.configDir "-" cfgInit.user cfgInit.group _ _)];
+
+        script = pkgs.writeShellScript "deluged-run" ''
+          # TODO: make init-level option?
+          umask 0002
+          ${cfg.package}/bin/deluged \
+            --do-not-daemonize \
+            --config ${cfg.configDir}
+        '';
+      };
+
+      deluge-web = {
+        enabled = cfg.web.enable;
+        dependencies = ["deluged"];
+        user = lib.mkDefault "deluge";
+        group = lib.mkDefault "deluge";
+
+        script = pkgs.writeShellScript "deluge-web-run" ''
+          ${cfg.package}/bin/deluge-web \
+            --do-not-daemonize \
+            --port ${toString cfg.web.port} \
+            --config ${cfg.configDir}
+        '';
+      };
+    };
+
+    environment = {
+      systemPackages = [cfg.package];
+      variables.PYTHON_EGG_CACHE = "${config.users.users.${cfgInit.user}.home}/.cache";
+    };
+
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "deluge") (nglib.mkDefaultRec {
+      description = "deluge";
+      group = cfgInit.group;
+      createHome = true;
+      home = "/home/deluge";
+      useDefaultShell = true;
+      uid = config.ids.uids.deluge;
+    });
+
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "deluge") (nglib.mkDefaultRec {gid = config.ids.gids.deluge;});
+  };
+}
diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix
index fa4e1fe..fce4278 100644
--- a/nixng-modules/ids.nix
+++ b/nixng-modules/ids.nix
@@ -7,15 +7,18 @@
       sonarr = 411;
       bazarr = 412;
       prowlarr = 413;
+      deluge = 414;
     };
 
     gids = {
+      media = 51;
       radicale = 408;
       jellyseerr = 409;
       radarr = 410;
       sonarr = 411;
       bazarr = 412;
       prowlarr = 413;
+      deluge = 414;
     };
   };
 }
diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix
index 4a8fc29..cf79cea 100644
--- a/nixng-modules/prowlarr.nix
+++ b/nixng-modules/prowlarr.nix
@@ -34,15 +34,15 @@ in {
 
     environment.systemPackages = [cfg.package];
 
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "prowlarr") (nglib.mkDefaultRec {
       description = "prowlarr";
       group = cfgInit.group;
       createHome = false;
       home = "/var/empty";
       useDefaultShell = true;
       uid = config.ids.uids.prowlarr;
-    };
+    });
 
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "prowlarr") (nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;});
   };
 }
diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix
index 4b9fe56..dfcfa9f 100644
--- a/nixng-modules/radarr.nix
+++ b/nixng-modules/radarr.nix
@@ -32,15 +32,15 @@ in {
 
     environment.systemPackages = [cfg.package];
 
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "radarr") (nglib.mkDefaultRec {
       description = "radarr";
       group = cfgInit.group;
       createHome = false;
       home = "/var/empty";
       useDefaultShell = true;
       uid = config.ids.uids.radarr;
-    };
+    });
 
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radarr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "radarr") (nglib.mkDefaultRec {gid = config.ids.gids.radarr;});
   };
 }
diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix
index 47dc581..68ee377 100644
--- a/nixng-modules/sonarr.nix
+++ b/nixng-modules/sonarr.nix
@@ -32,15 +32,15 @@ in {
 
     environment.systemPackages = [cfg.package];
 
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "sonarr") (nglib.mkDefaultRec {
       description = "sonarr";
       group = cfgInit.group;
       createHome = false;
       home = "/var/empty";
       useDefaultShell = true;
       uid = config.ids.uids.sonarr;
-    };
+    });
 
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.sonarr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "sonarr") (nglib.mkDefaultRec {gid = config.ids.gids.sonarr;});
   };
 }