sabnzbd: tighten host_whitelist for *arr local calls + group consistency

Two small follow-ups to the SAB module:

- Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's
  local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname
  verification failed" error becomes a real footgun if it ever flips.
- Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent.
  No functional change since group = "media" already.

Also wires SABnzbd into arr-interconnect: extracts api_key from
sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr
category) and Radarr (radarr category). Idempotent like the existing
qBittorrent block; silently skips on first boot before SAB has materialised
its config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-05-04 19:25:07 +01:00
parent 955524f489
commit 1f07b05c12
2 changed files with 97 additions and 4 deletions

View file

@ -1,18 +1,22 @@
{ config, pkgs, lib, ... }:
let
# SAB rejects requests whose Host header isn't in host_whitelist. We need:
# - sabnzbd.nordhammer.it (the nginx-fronted public path)
# - 127.0.0.1 + localhost (so Sonarr/Radarr can hit SAB locally via
# arr-interconnect without hitting "Hostname verification failed")
patchConfig = pkgs.writeShellScript "sabnzbd-patch-config" ''
CONFIG=/var/lib/sabnzbd/sabnzbd.ini
HOSTNAME=sabnzbd.nordhammer.it
WHITELIST="sabnzbd.nordhammer.it,127.0.0.1,localhost"
if [ ! -f "$CONFIG" ]; then
printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$HOSTNAME" > "$CONFIG"
printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$WHITELIST" > "$CONFIG"
exit 0
fi
if ${pkgs.gnugrep}/bin/grep -q "^host_whitelist" "$CONFIG"; then
${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $HOSTNAME/" "$CONFIG"
${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $WHITELIST/" "$CONFIG"
else
${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $HOSTNAME" "$CONFIG"
${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $WHITELIST" "$CONFIG"
fi
'';
in
@ -22,6 +26,7 @@ in
users.users.sabnzbd = {
isSystemUser = true;
group = "media";
extraGroups = [ "media" ];
};
systemd.tmpfiles.rules = [