Newer *arr versions added AuthenticationRequired to config.xml and now block access if it's not explicitly set. Patch it to DisabledForLocalAddresses alongside the existing AuthenticationMethod patch, since Authelia handles auth at the reverse proxy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
46 lines
1.7 KiB
Nix
46 lines
1.7 KiB
Nix
# services/radarr.nix
|
|
{ config, pkgs, lib, ... }:
|
|
{
|
|
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
|
|
|
# Radarr
|
|
services.radarr = {
|
|
enable = true;
|
|
openFirewall = true; # Opens port 7878
|
|
dataDir = "/var/lib/radarr";
|
|
user = "radarr";
|
|
group = "media";
|
|
};
|
|
|
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
|
systemd.services.radarr.preStart = lib.mkAfter ''
|
|
config_file="/var/lib/radarr/config.xml"
|
|
if [ -f "$config_file" ]; then
|
|
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
|
if grep -q '<AuthenticationRequired>' "$config_file"; then
|
|
sed -i 's|<AuthenticationRequired>.*</AuthenticationRequired>|<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>|' "$config_file"
|
|
else
|
|
sed -i 's|</Config>| <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>\n</Config>|' "$config_file"
|
|
fi
|
|
fi
|
|
'';
|
|
|
|
# Ensure files created by radarr are group-writable
|
|
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
|
|
|
|
# Media group is already created in qbittorrent-nox.nix
|
|
# Just make sure radarr is in it
|
|
users.users.radarr = {
|
|
isSystemUser = true;
|
|
group = "media";
|
|
extraGroups = [ "media" ];
|
|
};
|
|
|
|
# Set up directory structure with proper permissions
|
|
systemd.tmpfiles.rules = [
|
|
# Media folders - radarr writes here
|
|
"d /mnt/storage/torrents/movies 2775 radarr media -"
|
|
"Z /mnt/storage/torrents/movies 2775 radarr media -"
|
|
];
|
|
};
|
|
}
|