Newer *arr versions added AuthenticationRequired to config.xml and now block access if it's not explicitly set. Patch it to DisabledForLocalAddresses alongside the existing AuthenticationMethod patch, since Authelia handles auth at the reverse proxy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
45 lines
1.6 KiB
Nix
45 lines
1.6 KiB
Nix
# sonarr.nix
|
|
{ config, pkgs, lib, ... }:
|
|
{
|
|
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
|
|
|
# Sonarr
|
|
services.sonarr = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
dataDir = "/var/lib/sonarr";
|
|
user = "sonarr";
|
|
group = "media";
|
|
};
|
|
|
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
|
systemd.services.sonarr.preStart = lib.mkAfter ''
|
|
config_file="/var/lib/sonarr/config.xml"
|
|
if [ -f "$config_file" ]; then
|
|
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
|
if grep -q '<AuthenticationRequired>' "$config_file"; then
|
|
sed -i 's|<AuthenticationRequired>.*</AuthenticationRequired>|<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>|' "$config_file"
|
|
else
|
|
sed -i 's|</Config>| <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>\n</Config>|' "$config_file"
|
|
fi
|
|
fi
|
|
'';
|
|
|
|
# Ensure files created by sonarr are group-writable
|
|
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";
|
|
|
|
# Media group is already created in qbittorrent-nox.nix
|
|
# Just make sure sonarr is in it
|
|
users.users.sonarr = {
|
|
isSystemUser = true;
|
|
group = "media";
|
|
extraGroups = [ "media" ];
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
# Shows - sonarr organises, bazarr writes subtitles
|
|
"d /mnt/storage/torrents/shows 2775 sonarr media -"
|
|
"Z /mnt/storage/torrents/shows 2775 sonarr media -"
|
|
];
|
|
};
|
|
}
|