# rrr — Media Automation Stack **Purpose:** Automated media acquisition pipeline (TV + movies) routed entirely through MullvadVPN. | Service | Image | Web UI | | --------- | -------------------------------------- | ---------------------------------------- | | gluetun | `qmcgaw/gluetun:latest` | — | | Sonarr | `lscr.io/linuxserver/sonarr:latest` | | | Radarr | `lscr.io/linuxserver/radarr:latest` | | | Prowlarr | `lscr.io/linuxserver/prowlarr:latest> | | | SABnzbd | `lscr.io/linuxserver/sabnzbd:latest` | | | Compose | [`../services/rrr/docker-compose.yml`](../services/rrr/docker-compose.yml) | | --- ## Architecture All traffic from this stack is forced through MullvadVPN via **gluetun**. Sonarr, Radarr, Prowlarr, and NZBGet all set `network_mode: service:gluetun`, which means they share gluetun's network namespace. Any outbound connection from these containers exits through the WireGuard tunnel — they have no direct internet access. ``` Traefik (proxy network) │ └── gluetun (proxy network + WireGuard tunnel to Mullvad) │ (shared network namespace via network_mode: service:gluetun) ├── sonarr :8989 — TV show management ├── radarr :7878 — Movie management ├── prowlarr :9696 — Indexer management (feeds Sonarr + Radarr) └── sabnzbd :8080 — Usenet downloader ``` Since all four containers share one network namespace, they communicate with each other via `localhost:`. Use these addresses when configuring integrations: | Connection | Address | | ------------------- | ------------------------- | | Prowlarr → Sonarr | `http://localhost:8989` | | Prowlarr → Radarr | `http://localhost:7878` | | Sonarr → SABnzbd | `http://localhost:8080` | | Radarr → SABnzbd | `http://localhost:8080` | Traefik labels live on gluetun (not the individual apps) because gluetun is the only container attached to the `proxy` network. Each router explicitly references its service with the correct backend port. Sonarr, Radarr, and NZBGet all mount the same `DOWNLOADS_PATH` so completed downloads are immediately available for import. --- ## Environment Variables Set these in Portainer's stack environment variables when deploying. | Variable | Description | | ---------------------- | ------------------------------------------------------------- | | `WIREGUARD_PRIVATE_KEY` | WireGuard private key from Mullvad account | | `WIREGUARD_ADDRESSES` | WireGuard IP assigned by Mullvad (e.g. `10.66.109.243/32`) | | `SERVER_CITIES` | Optional preferred cities (e.g. `Gothenburg,Stockholm`) | | `PUID` | Host user ID for volume file ownership (`id -u`) | | `PGID` | Host group ID for volume file ownership (`id -g`) | | `TZ` | Timezone (e.g. `Europe/Berlin`) | | `TV_PATH` | Host path to TV library | | `MOVIES_PATH` | Host path to movies library | | `DOWNLOADS_PATH` | Host path to NZBGet downloads directory | To get the WireGuard credentials: log in to mullvad.net → Account → WireGuard configuration → Generate key → download the config file. Copy `PrivateKey` and `Address` from that file. --- ## Volumes | Volume | Mount | Purpose | | ---------------- | -------------------- | ------------------------------ | | `gluetun_data` | `/gluetun` | gluetun state and cert cache | | `sonarr_config` | `/config` | Sonarr database and settings | | `radarr_config` | `/config` | Radarr database and settings | | `prowlarr_config`| `/config` | Prowlarr database and settings | | `sabnzbd_config` | `/config` | SABnzbd config and scripts | | `${TV_PATH}` | `/tv` | TV library (Sonarr) | | `${MOVIES_PATH}` | `/movies` | Movies library (Radarr) | | `${DOWNLOADS_PATH}` | `/downloads` | Shared download dir (all) | --- ## Networks - **gluetun**: `proxy` (external) — only container Traefik can reach - **sonarr / radarr / prowlarr / nzbget**: `network_mode: service:gluetun` — no independent network attachment