diff --git a/nixarr/bazarr/bazarr-module/default.nix b/nixarr/bazarr/bazarr-module/default.nix
new file mode 100644
index 0000000..2ab8d40
--- /dev/null
+++ b/nixarr/bazarr/bazarr-module/default.nix
@@ -0,0 +1,85 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.util-nixarr.services.bazarr;
+in
+{
+ options = {
+ util-nixarr.services.bazarr = {
+ enable = mkEnableOption ("bazarr, a subtitle manager for Sonarr and Radarr");
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Open ports in the firewall for the bazarr web interface.";
+ };
+
+ listenPort = mkOption {
+ type = types.port;
+ default = 6767;
+ description = "Port on which the bazarr web interface should listen";
+ };
+
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/bazarr";
+ description = "State directory for bazarr";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "bazarr";
+ description = "User account under which bazarr runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "bazarr";
+ description = "Group under which bazarr runs.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dataDir}' 0700 bazarr root - -"
+ ];
+
+ systemd.services.bazarr = {
+ description = "bazarr";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = cfg.user;
+ Group = cfg.group;
+ SyslogIdentifier = "bazarr";
+ ExecStart = pkgs.writeShellScript "start-bazarr" ''
+ ${pkgs.bazarr}/bin/bazarr \
+ --config '${cfg.dataDir}' \
+ --port ${toString cfg.listenPort} \
+ --no-update True
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.listenPort ];
+ };
+
+ users.users = mkIf (cfg.user == "bazarr") {
+ bazarr = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "bazarr") {
+ bazarr = {};
+ };
+ };
+}
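Review bot: The tmpfiles rule hard-codes `bazarr root` as owner and group of `cfg.dataDir`, while the unit runs as `cfg.user`/`cfg.group` and the `bazarr` account is only created when `cfg.user == "bazarr"`. With any other `user` value the 0700 state directory belongs to an account that may not exist and the service cannot write to it; derive the rule from the options instead: `"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"`. The unit is a network listener that `openFirewall` can expose, yet `serviceConfig` carries no sandboxing; low-risk additions would be `NoNewPrivileges = true;` and `PrivateTmp = true;`. The `--config '${cfg.dataDir}'` argument in the start script would also be safer as `--config ${escapeShellArg cfg.dataDir}`, so a path containing a quote cannot break out of the quoting.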
diff --git a/nixarr/bazarr/default.nix b/nixarr/bazarr/default.nix index 49293cb..128a78b 100644 --- a/nixarr/bazarr/default.nix +++ b/nixarr/bazarr/default.nix @@ -7,6 +7,10 @@ with lib; let cfg = config.nixarr.bazarr; nixarr = config.nixarr; in { + imports = [ + ./bazarr-module + ]; + options.nixarr.bazarr = { enable = mkEnableOption "the bazarr service."; @@ -41,11 +45,7 @@ in { } ]; - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 bazarr root - -" - ]; - - services.bazarr = { + util-nixarr.services.bazarr = { enable = cfg.enable; user = "bazarr"; group = "media"; diff --git a/nixarr/ddns/default.nix b/nixarr/ddns/default.nix index bfe70e5..0a6235e 100644 --- a/nixarr/ddns/default.nix +++ b/nixarr/ddns/default.nix @@ -14,7 +14,7 @@ with lib; let # Thanks chatgpt... text = '' # Path to the JSON file - json_file="${cfg.njalla.keysFile}" + json_file="$1" # Convert the JSON object into a series of tab-separated key-value pairs using jq # - `to_entries[]`: Convert the object into an array of key-value pairs. @@ -120,7 +120,7 @@ in { { assertion = cfg.njalla.vpn.enable -> ( cfg.njalla.vpn.keysFile != null && - nixarr.vpn.enable + config.nixarr.vpn.enable ); message = '' The nixarr.ddns.njalla.enable option requires the @@ -166,17 +166,22 @@ in { description = "Sets the Njalla DDNS records"; serviceConfig = { - ExecStart = getExe ddns-njalla; + ExecStart = ''${getExe ddns-njalla} "${cfg.njalla.keysFile}"''; Type = "oneshot"; }; }; }) - (mkIf cfg.njalla.vpn.enable { + (mkIf (cfg.njalla.vpn.enable && config.nixarr.vpn.enable) { ddnsNjallaVpn = { description = "Sets the Njalla DDNS records over VPN"; + vpnconfinement = { + enable = true; + vpnnamespace = "wg"; + }; + serviceConfig = { - ExecStart = getExe ddns-njalla; + ExecStart = ''${getExe ddns-njalla} "${cfg.njalla.vpn.keysFile}"''; Type = "oneshot"; }; }; diff --git a/nixarr/jellyfin/default.nix b/nixarr/jellyfin/default.nix index bb0e4fb..0da0c93 100644 --- a/nixarr/jellyfin/default.nix 
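Review bot: In the `@@ -41,11 +45,7 @@` hunk of `nixarr/bazarr/default.nix`, the removed tmpfiles rule created `cfg.stateDir`, but the replacement module only creates its own `dataDir`, which defaults to `/var/lib/bazarr`. Unless `dataDir = cfg.stateDir;` is set further down in this attribute set (it continues outside the hunk), bazarr would start with a different, empty state directory and the configured one would no longer be created. If that line is missing, add `dataDir = cfg.stateDir;` next to `user`/`group`. Note too that with `group = "media"` the module still creates the directory as `bazarr root`, so the group set here has no effect on the state directory's ownership.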
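Review bot: In the `@@ -166,17 +166,22 @@` hunk of `nixarr/ddns/default.nix`, both new `ExecStart` lines interpolate the keys-file option straight into the unit text. If the option accepts a Nix path value (its type is not visible in this hunk), `"${cfg.njalla.keysFile}"` copies the secret into the world-readable Nix store; `toString cfg.njalla.keysFile` avoids the copy, and the option description should say that the file must live outside the store. systemd also applies its own `%` specifier and `$VAR` expansion inside the quoted argument, so a path containing those characters is altered. If `utils` is available in the module arguments, `ExecStart = utils.escapeSystemdExecArgs [ (getExe ddns-njalla) (toString cfg.njalla.keysFile) ];` handles the quoting, and the same applies to the `vpn.keysFile` line.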
+++ b/nixarr/jellyfin/default.nix @@ -244,10 +244,11 @@ in with lib; { # Port mappings # TODO: openports if expose.vpn vpnnamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [{ From = defaultPort; To = defaultPort; }]; - openVPNPorts = optionalString cfg.expose.vpn.enable [ - { port = cfg.expose.vpn.port; protocol = "tcp"; } - ]; + portMappings = [{ from = defaultPort; to = defaultPort; }]; + openVPNPorts = optional cfg.expose.vpn.enable { + port = cfg.expose.vpn.port; + protocol = "tcp"; + }; }; }; } diff --git a/nixarr/nixarr.nix b/nixarr/nixarr.nix index 14d5372..20f0521 100644 --- a/nixarr/nixarr.nix +++ b/nixarr/nixarr.nix @@ -207,9 +207,10 @@ in { # TODO: wtf to do about openports vpnnamespaces.wg = mkIf cfg.vpn.enable { enable = true; - openVPNPorts = optionalList cfg.vpn.vpnTestService.enable [ - { port = cfg.vpn.vpnTestService.port; protocol = "tcp"; } - ]; + openVPNPorts = optional cfg.vpn.vpnTestService.enable { + port = cfg.vpn.vpnTestService.port; + protocol = "tcp"; + }; accessibleFrom = [ "192.168.1.0/24" "127.0.0.1" diff --git a/nixarr/transmission/default.nix b/nixarr/transmission/default.nix index d318c3d..46bc728 100644 --- a/nixarr/transmission/default.nix +++ b/nixarr/transmission/default.nix 
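Review bot: The `# TODO: openports if expose.vpn` comment above `vpnnamespaces.wg` in the jellyfin hunk is stale now that `openVPNPorts` is populated from `cfg.expose.vpn`. Replace it with a comment stating what is exposed, e.g. `# Opens cfg.expose.vpn.port (TCP) on the VPN interface only when expose.vpn.enable is set`. `portMappings` forwards `defaultPort` while the opened port is `cfg.expose.vpn.port`; if the two can differ, check that traffic arriving on the opened port actually reaches Jellyfin, or add an assertion that they match. The enclosing attribute set starts outside the hunk.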
@@ -224,19 +224,16 @@ in { ]; systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 torrenter root - -" + "d '${cfg.stateDir}' 0750 torrenter torrenter - -" # This is fixes a bug in nixpks (https://github.com/NixOS/nixpkgs/issues/291883) - "d '${cfg.stateDir}/.config/transmission-daemon' 0700 torrenter root - -" - ] ++ ( - if cfg-cross-seed.enable then - [ "d '${cfg-cross-seed.stateDir}' 0700 cross-seed root - -" ] - else [] - ); + "d '${cfg.stateDir}/.config/transmission-daemon' 0750 torrenter torrenter - -" + ] ++ optional cfg-cross-seed.enable + "d '${cfg-cross-seed.stateDir}' 0700 cross-seed root - -"; util-nixarr.services.cross-seed = mkIf cfg-cross-seed.enable { enable = true; dataDir = cfg-cross-seed.stateDir; - #group = "media"; + group = "torrenter"; settings = { torrentDir = "${nixarr.mediaDir}/torrents"; outputDir = "${nixarr.mediaDir}/torrents/.cross-seed"; @@ -336,7 +333,7 @@ in { # Port mappings vpnnamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [{ From = cfg.uiPort; To = cfg.uiPort; }]; + portMappings = [{ from = cfg.uiPort; to = cfg.uiPort; }]; openVPNPorts = [ { port = cfg.peerPort; protocol = "both"; } ];
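Review bot: Changing the two transmission rules from `0700 torrenter root` to `0750 torrenter torrenter` makes the whole state directory readable by every member of group `torrenter`, which now includes the cross-seed service through `group = "torrenter";`. That covers `.config/transmission-daemon`, where Transmission keeps `settings.json`, a file that typically holds the RPC credentials. cross-seed's `torrentDir` in this hunk points at `${nixarr.mediaDir}/torrents`, not the state directory, so the wider mode looks broader than needed. Either keep the config directory at `0700` or record the reason next to the rule, e.g. `# 0750: cross-seed (group torrenter) needs read access to <path>`. The cross-seed rule still uses `cross-seed root`, which is inconsistent with the group the service now runs under.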