sabnzbd: tighten host_whitelist for *arr local calls + group consistency
Two small follow-ups to the SAB module: - Extend host_whitelist to also include 127.0.0.1 + localhost. SAB's local-IP bypass usually handles this, but Sonarr/Radarr's "Hostname verification failed" error becomes a real footgun if it ever flips. - Add extraGroups = [ "media" ] for parity with sonarr/radarr/qbittorrent. No functional change since group = "media" already. Also wires SABnzbd into arr-interconnect: extracts api_key from sabnzbd.ini and POSTs a Sabnzbd download client into Sonarr (tv-sonarr category) and Radarr (radarr category). Idempotent like the existing qBittorrent block; silently skips on first boot before SAB has materialised its config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
955524f489
commit
1f07b05c12
2 changed files with 97 additions and 4 deletions
|
|
@ -22,6 +22,14 @@ let
|
||||||
BAZARR_KEY=$(grep -oP '(?<=apikey = ).*' /var/lib/bazarr/data/config/config.ini || true)
|
BAZARR_KEY=$(grep -oP '(?<=apikey = ).*' /var/lib/bazarr/data/config/config.ini || true)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# SAB writes its api_key into [misc] of sabnzbd.ini on first run; until
|
||||||
|
# the user opens the UI once and the key materialises, the SAB blocks
|
||||||
|
# below silently skip.
|
||||||
|
SABNZBD_KEY=""
|
||||||
|
if [ -f "/var/lib/sabnzbd/sabnzbd.ini" ]; then
|
||||||
|
SABNZBD_KEY=$(grep -oP '^api_key\s*=\s*\K\S+' /var/lib/sabnzbd/sabnzbd.ini | head -n1 || true)
|
||||||
|
fi
|
||||||
|
|
||||||
# --- Helpers ---
|
# --- Helpers ---
|
||||||
wait_for() {
|
wait_for() {
|
||||||
local name="$1" url="$2" key="$3"
|
local name="$1" url="$2" key="$3"
|
||||||
|
|
@ -189,6 +197,84 @@ let
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
##########################################################################
|
||||||
|
# Sonarr → SABnzbd (usenet download client for TV)
|
||||||
|
##########################################################################
|
||||||
|
if [ -n "$SONARR_KEY" ] && [ -n "$SABNZBD_KEY" ]; then
|
||||||
|
if ! exists_by_name "$BASE:8989/api/v3/downloadclient" "$SONARR_KEY" "SABnzbd"; then
|
||||||
|
echo "Adding SABnzbd to Sonarr..."
|
||||||
|
curl -sf -X POST \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-H "X-Api-Key: $SONARR_KEY" \
|
||||||
|
"$BASE:8989/api/v3/downloadclient" \
|
||||||
|
-d "$(jq -n --arg key "$SABNZBD_KEY" '{
|
||||||
|
enable: true,
|
||||||
|
protocol: "usenet",
|
||||||
|
priority: 1,
|
||||||
|
removeCompletedDownloads: true,
|
||||||
|
removeFailedDownloads: true,
|
||||||
|
name: "SABnzbd",
|
||||||
|
implementation: "Sabnzbd",
|
||||||
|
configContract: "SabnzbdSettings",
|
||||||
|
implementationName: "SABnzbd",
|
||||||
|
fields: [
|
||||||
|
{name: "host", value: "localhost"},
|
||||||
|
{name: "port", value: 8085},
|
||||||
|
{name: "useSsl", value: false},
|
||||||
|
{name: "urlBase", value: ""},
|
||||||
|
{name: "apiKey", value: $key},
|
||||||
|
{name: "username", value: ""},
|
||||||
|
{name: "password", value: ""},
|
||||||
|
{name: "tvCategory", value: "tv-sonarr"},
|
||||||
|
{name: "recentTvPriority", value: -100},
|
||||||
|
{name: "olderTvPriority", value: -100}
|
||||||
|
],
|
||||||
|
tags: []
|
||||||
|
}')" > /dev/null && echo " done" || echo " failed"
|
||||||
|
else
|
||||||
|
echo "Sonarr → SABnzbd already configured"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
##########################################################################
|
||||||
|
# Radarr → SABnzbd (usenet download client for movies)
|
||||||
|
##########################################################################
|
||||||
|
if [ -n "$RADARR_KEY" ] && [ -n "$SABNZBD_KEY" ]; then
|
||||||
|
if ! exists_by_name "$BASE:7878/api/v3/downloadclient" "$RADARR_KEY" "SABnzbd"; then
|
||||||
|
echo "Adding SABnzbd to Radarr..."
|
||||||
|
curl -sf -X POST \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-H "X-Api-Key: $RADARR_KEY" \
|
||||||
|
"$BASE:7878/api/v3/downloadclient" \
|
||||||
|
-d "$(jq -n --arg key "$SABNZBD_KEY" '{
|
||||||
|
enable: true,
|
||||||
|
protocol: "usenet",
|
||||||
|
priority: 1,
|
||||||
|
removeCompletedDownloads: true,
|
||||||
|
removeFailedDownloads: true,
|
||||||
|
name: "SABnzbd",
|
||||||
|
implementation: "Sabnzbd",
|
||||||
|
configContract: "SabnzbdSettings",
|
||||||
|
implementationName: "SABnzbd",
|
||||||
|
fields: [
|
||||||
|
{name: "host", value: "localhost"},
|
||||||
|
{name: "port", value: 8085},
|
||||||
|
{name: "useSsl", value: false},
|
||||||
|
{name: "urlBase", value: ""},
|
||||||
|
{name: "apiKey", value: $key},
|
||||||
|
{name: "username", value: ""},
|
||||||
|
{name: "password", value: ""},
|
||||||
|
{name: "movieCategory", value: "radarr"},
|
||||||
|
{name: "recentMoviePriority", value: -100},
|
||||||
|
{name: "olderMoviePriority", value: -100}
|
||||||
|
],
|
||||||
|
tags: []
|
||||||
|
}')" > /dev/null && echo " done" || echo " failed"
|
||||||
|
else
|
||||||
|
echo "Radarr → SABnzbd already configured"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
##########################################################################
|
##########################################################################
|
||||||
# Bazarr → Sonarr (subtitle management for TV)
|
# Bazarr → Sonarr (subtitle management for TV)
|
||||||
##########################################################################
|
##########################################################################
|
||||||
|
|
@ -284,6 +370,7 @@ in
|
||||||
"prowlarr.service"
|
"prowlarr.service"
|
||||||
"bazarr.service"
|
"bazarr.service"
|
||||||
"qbittorrent-nox.service"
|
"qbittorrent-nox.service"
|
||||||
|
"sabnzbd.service"
|
||||||
];
|
];
|
||||||
wants = [
|
wants = [
|
||||||
"sonarr.service"
|
"sonarr.service"
|
||||||
|
|
@ -291,6 +378,7 @@ in
|
||||||
"prowlarr.service"
|
"prowlarr.service"
|
||||||
"bazarr.service"
|
"bazarr.service"
|
||||||
"qbittorrent-nox.service"
|
"qbittorrent-nox.service"
|
||||||
|
"sabnzbd.service"
|
||||||
];
|
];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
|
|
||||||
|
|
@ -1,18 +1,22 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
|
# SAB rejects requests whose Host header isn't in host_whitelist. We need:
|
||||||
|
# - sabnzbd.nordhammer.it (the nginx-fronted public path)
|
||||||
|
# - 127.0.0.1 + localhost (so Sonarr/Radarr can hit SAB locally via
|
||||||
|
# arr-interconnect without hitting "Hostname verification failed")
|
||||||
patchConfig = pkgs.writeShellScript "sabnzbd-patch-config" ''
|
patchConfig = pkgs.writeShellScript "sabnzbd-patch-config" ''
|
||||||
CONFIG=/var/lib/sabnzbd/sabnzbd.ini
|
CONFIG=/var/lib/sabnzbd/sabnzbd.ini
|
||||||
HOSTNAME=sabnzbd.nordhammer.it
|
WHITELIST="sabnzbd.nordhammer.it,127.0.0.1,localhost"
|
||||||
|
|
||||||
if [ ! -f "$CONFIG" ]; then
|
if [ ! -f "$CONFIG" ]; then
|
||||||
printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$HOSTNAME" > "$CONFIG"
|
printf '[misc]\nhost_whitelist = %s\nport = 8085\n' "$WHITELIST" > "$CONFIG"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ${pkgs.gnugrep}/bin/grep -q "^host_whitelist" "$CONFIG"; then
|
if ${pkgs.gnugrep}/bin/grep -q "^host_whitelist" "$CONFIG"; then
|
||||||
${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $HOSTNAME/" "$CONFIG"
|
${pkgs.gnused}/bin/sed -i "s/^host_whitelist =.*/host_whitelist = $WHITELIST/" "$CONFIG"
|
||||||
else
|
else
|
||||||
${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $HOSTNAME" "$CONFIG"
|
${pkgs.gnused}/bin/sed -i "/^\[misc\]/a host_whitelist = $WHITELIST" "$CONFIG"
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
|
|
@ -22,6 +26,7 @@ in
|
||||||
users.users.sabnzbd = {
|
users.users.sabnzbd = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "media";
|
group = "media";
|
||||||
|
extraGroups = [ "media" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue