diff --git a/lib/constants.nix b/lib/constants.nix
index 2afaf08..d024b7e 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -4,10 +4,12 @@
     uids = {
       matrix-syncv3 = 400;
       gitea-runner = 401;
+      jellyseerr = 402;
     };
     gids = {
       matrix-syncv3 = 400;
       gitea-runner = 401;
+      jellyseerr = 402;
     };
   };
 
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
index 4e198ab..98f816c 100644
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -22,7 +22,7 @@ in
 
     configuration = { lib, pkgs, config, ... }:
     let
-      inherit (lib);
+      inherit (lib) mkForce;
     in
     {
       imports = [ ./networking.nix ];
@@ -37,14 +37,22 @@ in
           };
         };
 
-        users = {
-          groups.media.gid = 2000;
+        users = with lib.my.c.ids; {
           users = {
             "${config.my.user.config.name}".extraGroups = [ "media" ];
 
             transmission.extraGroups = [ "media" ];
             radarr.extraGroups = [ "media" ];
             sonarr.extraGroups = [ "media" ];
+            jellyseerr = {
+              isSystemUser = true;
+              uid = uids.jellyseerr;
+              group = "jellyseerr";
+            };
+          };
+          groups = {
+            media.gid = 2000;
+            jellyseerr.gid = gids.jellyseerr;
           };
         };
 
@@ -55,6 +63,12 @@ in
 
             radarr.serviceConfig.UMask = "0002";
             sonarr.serviceConfig.UMask = "0002";
+            jellyseerr.serviceConfig = {
+              # Needs to be able to read its secrets
+              DynamicUser = mkForce false;
+              User = "jellyseerr";
+              Group = "jellyseerr";
+            };
 
             # https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
             transmission.serviceConfig = {
@@ -96,6 +110,10 @@ in
           jackett.enable = true;
           radarr.enable = true;
           sonarr.enable = true;
+          jellyseerr = {
+            enable = true;
+            openFirewall = true;
+          };
 
           jellyfin.enable = true;
         };
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index 58a2ff9..8d44265 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -288,6 +288,10 @@ in
         }
         (ssoServer "generic")
       ];
+      "gib.${pubDomain}" = {
+        locations."/".proxyPass = "http://jackflix-ctr.${domain}:5055";
+        useACMEHost = pubDomain;
+      };
 
       "jackflix.${pubDomain}" =
       let
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 74f3cba..c94b360 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -335,6 +335,16 @@ in
       (persistSimpleSvc "jackett")
       (persistSimpleSvc "radarr")
       (persistSimpleSvc "sonarr")
+      (mkIf config.services.jellyseerr.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/jellyseerr";
+            mode = "0750";
+            user = "jellyseerr";
+            group = "jellyseerr";
+          }
+        ];
+      })
       (mkIf config.services.minio.enable {
         my.tmproot.persistence.config.directories = [
           {