From 1f07b05c126714b86151e13d596544c94f150f0c Mon Sep 17 00:00:00 2001 From: ediblerope Date: Mon, 4 May 2026 19:25:07 +0100 Subject: [PATCH] sabnzbd: tighten host_whitelist for *arr local calls + group consistency Two small follow-ups to the SAB module: - Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname verification failed" error becomes a real footgun if it ever flips. - Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent. No functional change since group = "media" already. Also wires SABnzbd into arr-interconnect: extracts api_key from sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr category) and Radarr (radarr category). Idempotent like the existing qBittorrent block; silently skips on first boot before SAB has materialised its config. Co-Authored-By: Claude Opus 4.7 --- services/arr-interconnect.nix | 88 +++++++++++++++++++++++++++++++++++ services/sabnzbd.nix | 13 ++++-- 2 files changed, 97 insertions(+), 4 deletions(-) diff --git a/services/arr-interconnect.nix b/services/arr-interconnect.nix index 63aba45..654a05c 100644 --- a/services/arr-interconnect.nix +++ b/services/arr-interconnect.nix @@ -22,6 +22,14 @@ let BAZARR_KEY=$(grep -oP '(?<=apikey = ).*' /var/lib/bazarr/data/config/config.ini || true) fi + # SAB writes its api_key into [misc] of sabnzbd.ini on first run; until + # the user opens the UI once and the key materialises, the SAB blocks + # below silently skip. + SABNZBD_KEY="" + if [ -f "/var/lib/sabnzbd/sabnzbd.ini" ]; then + SABNZBD_KEY=$(grep -oP '^api_key\s*=\s*\K\S+' /var/lib/sabnzbd/sabnzbd.ini | head -n1 || true) + fi + # --- Helpers --- wait_for() { local name="$1" url="$2" key="$3" @@ -189,6 +197,84 @@ let fi fi + ########################################################################## + # Sonarr → SABnzbd (usenet download client for TV) + ########################################################################## + if [ -n "$SONARR_KEY" ] && [ -n "$SABNZBD_KEY" ]; then + if ! exists_by_name "$BASE:8989/api/v3/downloadclient" "$SONARR_KEY" "SABnzbd"; then + echo "Adding SABnzbd to Sonarr..." + curl -sf -X POST \ + -H "Content-Type: application/json" \ + -H "X-Api-Key: $SONARR_KEY" \ + "$BASE:8989/api/v3/downloadclient" \ + -d "$(jq -n --arg key "$SABNZBD_KEY" '{ + enable: true, + protocol: "usenet", + priority: 1, + removeCompletedDownloads: true, + removeFailedDownloads: true, + name: "SABnzbd", + implementation: "Sabnzbd", + configContract: "SabnzbdSettings", + implementationName: "SABnzbd", + fields: [ + {name: "host", value: "localhost"}, + {name: "port", value: 8085}, + {name: "useSsl", value: false}, + {name: "urlBase", value: ""}, + {name: "apiKey", value: $key}, + {name: "username", value: ""}, + {name: "password", value: ""}, + {name: "tvCategory", value: "tv-sonarr"}, + {name: "recentTvPriority", value: -100}, + {name: "olderTvPriority", value: -100} + ], + tags: [] + }')" > /dev/null && echo " done" || echo " failed" + else + echo "Sonarr → SABnzbd already configured" + fi + fi + + ########################################################################## + # Radarr → SABnzbd (usenet download client for movies) + ########################################################################## + if [ -n "$RADARR_KEY" ] && [ -n "$SABNZBD_KEY" ]; then + if ! exists_by_name "$BASE:7878/api/v3/downloadclient" "$RADARR_KEY" "SABnzbd"; then + echo "Adding SABnzbd to Radarr..." + curl -sf -X POST \ + -H "Content-Type: application/json" \ + -H "X-Api-Key: $RADARR_KEY" \ + "$BASE:7878/api/v3/downloadclient" \ + -d "$(jq -n --arg key "$SABNZBD_KEY" '{ + enable: true, + protocol: "usenet", + priority: 1, + removeCompletedDownloads: true, + removeFailedDownloads: true, + name: "SABnzbd", + implementation: "Sabnzbd", + configContract: "SabnzbdSettings", + implementationName: "SABnzbd", + fields: [ + {name: "host", value: "localhost"}, + {name: "port", value: 8085}, + {name: "useSsl", value: false}, + {name: "urlBase", value: ""}, + {name: "apiKey", value: $key}, + {name: "username", value: ""}, + {name: "password", value: ""}, + {name: "movieCategory", value: "radarr"}, + {name: "recentMoviePriority", value: -100}, + {name: "olderMoviePriority", value: -100} + ], + tags: [] + }')" > /dev/null && echo " done" || echo " failed" + else + echo "Radarr → SABnzbd already configured" + fi + fi + ########################################################################## # Bazarr → Sonarr (subtitle management for TV) ########################################################################## @@ -284,6 +370,7 @@ in "prowlarr.service" "bazarr.service" "qbittorrent-nox.service" + "sabnzbd.service" ]; wants = [ "sonarr.service" @@ -291,6 +378,7 @@ in "prowlarr.service" "bazarr.service" "qbittorrent-nox.service" + "sabnzbd.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/services/sabnzbd.nix b/services/sabnzbd.nix index cb173a3..ef9ab89 100644 --- a/services/sabnzbd.nix +++ b/services/sabnzbd.nix @@ -1,18 +1,22 @@ { config, pkgs, lib, ... }: let + # SAB rejects requests whose Host header isn't in host_whitelist. We need: + # - sabnzbd.nordhammer.it (the nginx-fronted public path) + # - 127.0.0.1 + localhost (so Sonarr/Radarr can hit SAB locally via + # arr-interconnect without hitting "Hostname verification failed") patchConfig = pkgs.writeShellScript "sabnzbd-patch-config" '' CONFIG=/var/lib/sabnzbd/sabnzbd.ini - HOSTNAME=sabnzbd.nordhammer.it + WHITELIST="sabnzbd.nordhammer.it,127.0.0.1,localhost" if [ ! -f "$CONFIG" ]; then - printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$HOSTNAME" > "$CONFIG" + printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$WHITELIST" > "$CONFIG" exit 0 fi if ${pkgs.gnugrep}/bin/grep -q "^host_whitelist" "$CONFIG"; then - ${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $HOSTNAME/" "$CONFIG" + ${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $WHITELIST/" "$CONFIG" else - ${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $HOSTNAME" "$CONFIG" + ${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $WHITELIST" "$CONFIG" fi ''; in @@ -22,6 +26,7 @@ in users.users.sabnzbd = { isSystemUser = true; group = "media"; + extraGroups = [ "media" ]; }; systemd.tmpfiles.rules = [