diff --git a/hieradata/roles/apps/media/lidarr.eyaml b/hieradata/roles/apps/media/lidarr.eyaml
new file mode 100644
index 0000000..f42cfb5
--- /dev/null
+++ b/hieradata/roles/apps/media/lidarr.eyaml
@@ -0,0 +1,2 @@
+---
+lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
diff --git a/hieradata/roles/apps/media/lidarr.yaml b/hieradata/roles/apps/media/lidarr.yaml
new file mode 100644
index 0000000..b2f60b7
--- /dev/null
+++ b/hieradata/roles/apps/media/lidarr.yaml
@@ -0,0 +1,52 @@
+---
+hiera_include:
+  - lidarr
+  - profiles::nginx::simpleproxy
+
+# manage lidarr
+lidarr::params::user: lidarr
+lidarr::params::group: media
+lidarr::params::manage_group: false
+lidarr::params::archive_version: 2.3.3
+lidarr::params::port: 8000
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - lidarr.main.unkin.net
+  - lidarr.service.consul
+  - lidarr.query.consul
+  - "lidarr.service.%{facts.country}-%{facts.region}.consul"
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - lidarr.main.unkin.net
+  - lidarr.service.consul
+  - lidarr.query.consul
+  - "lidarr.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 8000
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# configure consul service
+nginx::client_max_body_size: 10M
+consul::services:
+  lidarr:
+    service_name: 'lidarr'
+    tags:
+      - 'media'
+      - 'lidarr'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'lidarr_http_check'
+        name: 'Lidarr HTTP Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: lidarr
+    disposition: write
diff --git a/hieradata/roles/apps/media/prowlarr.eyaml b/hieradata/roles/apps/media/prowlarr.eyaml
new file mode 100644
index 0000000..05b8389
--- /dev/null
+++ b/hieradata/roles/apps/media/prowlarr.eyaml
@@ -0,0 +1,2 @@
+---
+prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
diff --git a/hieradata/roles/apps/media/prowlarr.yaml b/hieradata/roles/apps/media/prowlarr.yaml
new file mode 100644
index 0000000..8279455
--- /dev/null
+++ b/hieradata/roles/apps/media/prowlarr.yaml
@@ -0,0 +1,52 @@
+---
+hiera_include:
+  - prowlarr
+  - profiles::nginx::simpleproxy
+
+# manage prowlarr
+prowlarr::params::user: prowlarr
+prowlarr::params::group: media
+prowlarr::params::manage_group: false
+prowlarr::params::archive_version: 1.19.0
+prowlarr::params::port: 8000
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - prowlarr.main.unkin.net
+  - prowlarr.service.consul
+  - prowlarr.query.consul
+  - "prowlarr.service.%{facts.country}-%{facts.region}.consul"
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - prowlarr.main.unkin.net
+  - prowlarr.service.consul
+  - prowlarr.query.consul
+  - "prowlarr.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 8000
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# configure consul service
+nginx::client_max_body_size: 10M
+consul::services:
+  prowlarr:
+    service_name: 'prowlarr'
+    tags:
+      - 'media'
+      - 'prowlarr'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'prowlarr_http_check'
+        name: 'Prowlarr HTTP Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: prowlarr
+    disposition: write
diff --git a/hieradata/roles/apps/media/radarr.yaml b/hieradata/roles/apps/media/radarr.yaml
index 15b37e6..bdb949d 100644
--- a/hieradata/roles/apps/media/radarr.yaml
+++ b/hieradata/roles/apps/media/radarr.yaml
@@ -7,12 +7,7 @@ hiera_include:
 radarr::params::user: radarr
 radarr::params::group: media
 radarr::params::manage_group: false
-radarr::params::base_path: /opt/radarr
-radarr::params::install_path: /opt/radarr/bin
 radarr::params::archive_version: 5.7.0
-radarr::params::archive_name: Radarr.master.linux-core-x64.tar.gz
-radarr::params::service_enable: true
-radarr::params::service_name: radarr
 radarr::params::port: 8000
 
 
diff --git a/hieradata/roles/apps/media/readarr.eyaml b/hieradata/roles/apps/media/readarr.eyaml
new file mode 100644
index 0000000..e63bd85
--- /dev/null
+++ b/hieradata/roles/apps/media/readarr.eyaml
@@ -0,0 +1,2 @@
+---
+readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
diff --git a/hieradata/roles/apps/media/readarr.yaml b/hieradata/roles/apps/media/readarr.yaml
new file mode 100644
index 0000000..d7785c8
--- /dev/null
+++ b/hieradata/roles/apps/media/readarr.yaml
@@ -0,0 +1,52 @@
+---
+hiera_include:
+  - readarr
+  - profiles::nginx::simpleproxy
+
+# manage readarr
+readarr::params::user: readarr
+readarr::params::group: media
+readarr::params::manage_group: false
+readarr::params::archive_version: 0.3.28
+readarr::params::port: 8000
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - readarr.main.unkin.net
+  - readarr.service.consul
+  - readarr.query.consul
+  - "readarr.service.%{facts.country}-%{facts.region}.consul"
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - readarr.main.unkin.net
+  - readarr.service.consul
+  - readarr.query.consul
+  - "readarr.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 8000
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# configure consul service
+nginx::client_max_body_size: 10M
+consul::services:
+  readarr:
+    service_name: 'readarr'
+    tags:
+      - 'media'
+      - 'readarr'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'readarr_http_check'
+        name: 'Readarr HTTP Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: readarr
+    disposition: write
diff --git a/hieradata/roles/apps/media/sonarr.yaml b/hieradata/roles/apps/media/sonarr.yaml
index 6aac080..09ab30c 100644
--- a/hieradata/roles/apps/media/sonarr.yaml
+++ b/hieradata/roles/apps/media/sonarr.yaml
@@ -7,12 +7,7 @@ hiera_include:
 sonarr::params::user: sonarr
 sonarr::params::group: media
 sonarr::params::manage_group: false
-sonarr::params::base_path: /opt/sonarr
-sonarr::params::install_path: /opt/sonarr/bin
 sonarr::params::archive_version: 4.0.5
-sonarr::params::archive_name: Sonarr.main.linux-x64.tar.gz
-sonarr::params::service_enable: true
-sonarr::params::service_name: sonarr
 sonarr::params::port: 8000
 
 # additional altnames
diff --git a/site/profiles/manifests/media/lidarr.pp b/site/profiles/manifests/media/lidarr.pp
new file mode 100644
index 0000000..953b132
--- /dev/null
+++ b/site/profiles/manifests/media/lidarr.pp
@@ -0,0 +1,16 @@
+# profiles::media::lidarr
+class profiles::media::lidarr (
+  Stdlib::Absolutepath $media_root = '/shared/media',
+) {
+
+  include profiles::ceph::client
+
+  # manage the sharedvol
+  profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
+    mount       => $media_root,
+    keyring     => '/etc/ceph/ceph.client.media.keyring',
+    cephfs_name => 'media',
+    cephfs_fs   => 'mediafs',
+    require     => Profiles::Ceph::Keyring['media'],
+  }
+}
diff --git a/site/profiles/manifests/media/prowlarr.pp b/site/profiles/manifests/media/prowlarr.pp
new file mode 100644
index 0000000..6f80fbe
--- /dev/null
+++ b/site/profiles/manifests/media/prowlarr.pp
@@ -0,0 +1,16 @@
+# profiles::media::prowlarr
+class profiles::media::prowlarr (
+  Stdlib::Absolutepath $media_root = '/shared/media',
+) {
+
+  include profiles::ceph::client
+
+  # manage the sharedvol
+  profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
+    mount       => $media_root,
+    keyring     => '/etc/ceph/ceph.client.media.keyring',
+    cephfs_name => 'media',
+    cephfs_fs   => 'mediafs',
+    require     => Profiles::Ceph::Keyring['media'],
+  }
+}
diff --git a/site/profiles/manifests/media/readarr.pp b/site/profiles/manifests/media/readarr.pp
new file mode 100644
index 0000000..f2bf24f
--- /dev/null
+++ b/site/profiles/manifests/media/readarr.pp
@@ -0,0 +1,16 @@
+# profiles::media::readarr
+class profiles::media::readarr (
+  Stdlib::Absolutepath $media_root = '/shared/media',
+) {
+
+  include profiles::ceph::client
+
+  # manage the sharedvol
+  profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
+    mount       => $media_root,
+    keyring     => '/etc/ceph/ceph.client.media.keyring',
+    cephfs_name => 'media',
+    cephfs_fs   => 'mediafs',
+    require     => Profiles::Ceph::Keyring['media'],
+  }
+}
diff --git a/site/roles/manifests/apps/media/lidarr.pp b/site/roles/manifests/apps/media/lidarr.pp
index 2691cc2..5278575 100644
--- a/site/roles/manifests/apps/media/lidarr.pp
+++ b/site/roles/manifests/apps/media/lidarr.pp
@@ -6,5 +6,6 @@ class roles::apps::media::lidarr {
   }else{
     include profiles::defaults
     include profiles::base
+    include profiles::media::lidarr
   }
 }
diff --git a/site/roles/manifests/apps/media/prowlarr.pp b/site/roles/manifests/apps/media/prowlarr.pp
index 4dd5854..03e0839 100644
--- a/site/roles/manifests/apps/media/prowlarr.pp
+++ b/site/roles/manifests/apps/media/prowlarr.pp
@@ -6,5 +6,6 @@ class roles::apps::media::prowlarr {
   }else{
     include profiles::defaults
     include profiles::base
+    include profiles::media::prowlarr
   }
 }
diff --git a/site/roles/manifests/apps/media/readarr.pp b/site/roles/manifests/apps/media/readarr.pp
index 0dfcf55..adbd553 100644
--- a/site/roles/manifests/apps/media/readarr.pp
+++ b/site/roles/manifests/apps/media/readarr.pp
@@ -6,5 +6,6 @@ class roles::apps::media::readarr {
   }else{
     include profiles::defaults
     include profiles::base
+    include profiles::media::readarr
   }
 }