diff --git a/agenix/hosts/mediaserver/config.nix b/agenix/hosts/mediaserver/config.nix
index 8c841d4..ea608f8 100644
--- a/agenix/hosts/mediaserver/config.nix
+++ b/agenix/hosts/mediaserver/config.nix
@@ -31,5 +31,11 @@
       owner = "media_user";
       group = "media_group";
     };
+
+    unpackerr-config = {
+      file = ./unpackerr/config.age;
+      owner = "media_user";
+      group = "media_group";
+    };
   };
 }
diff --git a/agenix/hosts/mediaserver/unpackerr/config.age b/agenix/hosts/mediaserver/unpackerr/config.age
new file mode 100644
index 0000000..45ec0d9
Binary files /dev/null and b/agenix/hosts/mediaserver/unpackerr/config.age differ
diff --git a/secrets.nix b/secrets.nix
index b29a3a6..44a8592 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -69,4 +69,6 @@ in
   "agenix/hosts/mediaserver/tubearchivist/environmentES.age".publicKeys = mediaserver;
 
   "agenix/hosts/mediaserver/aria2/config.age".publicKeys = mediaserver;
+
+  "agenix/hosts/mediaserver/unpackerr/config.age".publicKeys = mediaserver;
 }
diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index d17e7c5..8d6a7a6 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -26,6 +26,7 @@ in
     (import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
     (import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
     ../nixos/prowlarr.nix
+    ../nixos/unpackerr.nix
     ../nixos/sonarr.nix
     ../nixos/radarr.nix
     ../nixos/sabnzbd.nix
diff --git a/system/nixos/unpackerr.nix b/system/nixos/unpackerr.nix
new file mode 100644
index 0000000..aa41170
--- /dev/null
+++ b/system/nixos/unpackerr.nix
@@ -0,0 +1,27 @@
+{ pkgs, config, ... }:
+
+{
+  systemd.services.unpackerr =
+    let
+      mounts = [ "mnt-downloads.mount" ];
+    in
+    {
+      description = "unpackerr service";
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = [ "wg.service" ] ++ mounts;
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "media_user";
+        Group = "media_group";
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+        ExecStart = "${pkgs.unpackerr}/bin/unpackerr --config ${config.age.secrets.unpackerr-config.path}";
+      };
+    };
+}