From 88c1b8b2fee6821ea4ad5f53c3daf620c11fd3f3 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 24 Apr 2026 14:39:53 +0100
Subject: [PATCH] arr-interconnect: enforce Prowlarr local-auth bypass

Sonarr/Radarr/Bazarr default to DisabledForLocalAddresses so that requests coming via the nginx reverse proxy (from 127.0.0.1) skip the app's own login, leaving Authelia as the single gate. Prowlarr defaults to Enabled, which produces a 401 behind Authelia. Idempotent: only rewrites config.xml + restarts prowlarr when it finds the "Enabled" value; logs a no-op otherwise. Added pkgs.systemd to PATH so the restart call works.

Co-Authored-By: Claude Opus 4.7
---
 services/arr-interconnect.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/services/arr-interconnect.nix b/services/arr-interconnect.nix
index d6f5c82..7f3ae9c 100644
--- a/services/arr-interconnect.nix
+++ b/services/arr-interconnect.nix
@@ -2,7 +2,7 @@ let
 interconnectScript = pkgs.writeShellScript "arr-interconnect" ''
 set -euo pipefail
- PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.gawk pkgs.coreutils ]}:$PATH"
+ PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.gawk pkgs.coreutils pkgs.systemd ]}:$PATH"
 BASE="http://127.0.0.1"
@@ -303,6 +303,21 @@ let
 done
 fi
+ ##########################################################################
+ # Prowlarr auth — trust localhost so Authelia is the only gate. Other
+ # *arr apps default to this; Prowlarr does not.
+ ##########################################################################
+ PROWLARR_CONFIG=/var/lib/prowlarr/config.xml
+ if [ -f "$PROWLARR_CONFIG" ]; then
+ if grep -q "Enabled" "$PROWLARR_CONFIG"; then
+ echo "Prowlarr auth: switching to DisabledForLocalAddresses..."
+ sed -i 's|Enabled|DisabledForLocalAddresses|' "$PROWLARR_CONFIG"
+ systemctl restart prowlarr
+ else
+ echo "Prowlarr auth: already DisabledForLocalAddresses"
+ fi
+ fi
+ echo "Interconnect setup complete."
 '';
 in
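Review bot: The switch to DisabledForLocalAddresses is made without checking that Prowlarr is reachable only through nginx, so the "Authelia is the only gate" comment holds only if the service listens on loopback or its port is firewalled. The setting exempts requests by source address, which covers every local process on the host and, if the listener is on all interfaces, presumably clients in private ranges that never pass through Authelia. Before the `sed`, read the bind address from the same file and skip with a warning unless it is loopback (e.g. require `<BindAddress>127.0.0.1</BindAddress>`), and state that precondition in the comment block. Separately, as the hunk is shown here, `grep -q "Enabled"` and `s|Enabled|DisabledForLocalAddresses|` match the bare word on any line of config.xml, and the `else` branch prints "already DisabledForLocalAddresses" for every other state, including a missing setting; unless the element tags were only lost in rendering, anchor both patterns on `<AuthenticationRequired>Enabled</AuthenticationRequired>`. The script body starts well above this hunk, so any earlier guard is not visible from here.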