nixos/services/radarr.nix
rope 12253c23dd arr: patch AuthenticationRequired to suppress auth enforcement
Newer *arr versions added AuthenticationRequired to config.xml and now
block access if it's not explicitly set. Patch it to
DisabledForLocalAddresses alongside the existing AuthenticationMethod
patch, since Authelia handles auth at the reverse proxy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:01:11 +01:00

46 lines
1.7 KiB
Nix

# services/radarr.nix
{ config, pkgs, lib, ... }:
{
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
# Radarr
services.radarr = {
enable = true;
openFirewall = true; # Opens port 7878
dataDir = "/var/lib/radarr";
user = "radarr";
group = "media";
};
# Disable built-in auth — Authelia handles it at the reverse proxy
systemd.services.radarr.preStart = lib.mkAfter ''
config_file="/var/lib/radarr/config.xml"
if [ -f "$config_file" ]; then
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
if grep -q '<AuthenticationRequired>' "$config_file"; then
sed -i 's|<AuthenticationRequired>.*</AuthenticationRequired>|<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>|' "$config_file"
else
sed -i 's|</Config>| <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>\n</Config>|' "$config_file"
fi
fi
'';
# Ensure files created by radarr are group-writable
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
# Media group is already created in qbittorrent-nox.nix
# Just make sure radarr is in it
users.users.radarr = {
isSystemUser = true;
group = "media";
extraGroups = [ "media" ];
};
# Set up directory structure with proper permissions
systemd.tmpfiles.rules = [
# Media folders - radarr writes here
"d /mnt/storage/torrents/movies 2775 radarr media -"
"Z /mnt/storage/torrents/movies 2775 radarr media -"
];
};
}