diff --git a/services/arr/prowlarr.nix b/services/arr/prowlarr.nix
index fc2001f..543eb1b 100644
--- a/services/arr/prowlarr.nix
+++ b/services/arr/prowlarr.nix
@@ -32,6 +32,17 @@
   };
   users.groups.prowlarr = { };
 
+  # The upstream prowlarr module hardcodes root:root in tmpfiles for custom dataDirs
+  # (systemd.tmpfiles.settings."10-prowlarr"), which gets applied by
+  # systemd-tmpfiles-setup.service on every boot/deploy, resetting the directory
+  # ownership and making Prowlarr unable to access its SQLite databases.
+  # Override to use the correct user as we disable DynamicUser
+  systemd.tmpfiles.settings."10-prowlarr".${service_configs.prowlarr.dataDir}.d = lib.mkForce {
+    user = "prowlarr";
+    group = "prowlarr";
+    mode = "0700";
+  };
+
   systemd.services.prowlarr.serviceConfig = {
     DynamicUser = lib.mkForce false;
     User = "prowlarr";