# NixOS module: enables Sonarr and keeps its state in the media stack's
# data directory.
#
# Arguments:
#   lib             - nixpkgs lib; only `mkAfter` is used here.
#   mediaStackPaths - attribute set supplied by the caller; only its
#                     `sonarrDataDir` attribute is read in this module.
{ lib, mediaStackPaths, ... }:

let
  # Single source for the state directory so the service option and the
  # systemd write allowance cannot drift apart.
  sonarrState = mediaStackPaths.sonarrDataDir;
in
{
  services.sonarr = {
    enable = true;
    dataDir = sonarrState;
  };

  users = {
    groups.sonarr = { };

    users.sonarr = {
      isSystemUser = true;
      group = "sonarr";
      # "media" is not declared in this module; presumably a shared group
      # defined elsewhere in the stack (verify). Membership gives the
      # service whatever that group can reach, so the group's write access
      # is part of this service's privilege boundary.
      extraGroups = [ "media" ];
    };
  };

  # mkAfter orders this entry after ReadWritePaths values contributed by
  # other modules instead of replacing them. Only the data directory is
  # added; this matters only if the unit restricts filesystem writes
  # (not visible from here).
  systemd.services.sonarr.serviceConfig.ReadWritePaths = lib.mkAfter [ sonarrState ];

  # NOTE(review): allowedTCPPorts opens the port on every interface the
  # NixOS firewall manages. 8989 is presumably the Sonarr web UI/API port
  # (its default). If only LAN or reverse-proxy access is intended, scope
  # it with networking.firewall.interfaces.<name>.allowedTCPPorts and
  # confirm that authentication is enabled in Sonarr.
  networking.firewall.allowedTCPPorts = [ 8989 ];
}