jsbeckr/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fe6ce5249e6c8b9ef3d2874c9b8f0cb1a78013ea
homelab/docs/rrr.md
Jens fe6ce5249e add knecht
2026-04-04 14:34:22 +02:00

4.7 KiB
Raw Blame History

rrr — Media Automation Stack

Purpose: Automated media acquisition pipeline (TV + movies) routed entirely through MullvadVPN.

Service Image Web UI
gluetun qmcgaw/gluetun:latest
Sonarr lscr.io/linuxserver/sonarr:latest https://sonarr.home.jens.pub
Radarr lscr.io/linuxserver/radarr:latest https://radarr.home.jens.pub
Prowlarr `lscr.io/linuxserver/prowlarr:latest> https://prowlarr.home.jens.pub
SABnzbd lscr.io/linuxserver/sabnzbd:latest https://sabnzbd.home.jens.pub
Compose ../services/rrr/docker-compose.yml

Architecture

All traffic from this stack is forced through MullvadVPN via gluetun. Sonarr, Radarr, Prowlarr, and NZBGet all set network_mode: service:gluetun, which means they share gluetun's network namespace. Any outbound connection from these containers exits through the WireGuard tunnel — they have no direct internet access.

Traefik (proxy network)
   │
   └── gluetun (proxy network + WireGuard tunnel to Mullvad)
          │  (shared network namespace via network_mode: service:gluetun)
          ├── sonarr    :8989  — TV show management
          ├── radarr    :7878  — Movie management
          ├── prowlarr  :9696  — Indexer management (feeds Sonarr + Radarr)
          └── sabnzbd   :8080  — Usenet downloader

Since all four containers share one network namespace, they communicate with each other via localhost:<port>. Use these addresses when configuring integrations:

Connection Address
Prowlarr → Sonarr http://localhost:8989
Prowlarr → Radarr http://localhost:7878
Sonarr → SABnzbd http://localhost:8080
Radarr → SABnzbd http://localhost:8080

Traefik labels live on gluetun (not the individual apps) because gluetun is the only container attached to the proxy network. Each router explicitly references its service with the correct backend port.

Sonarr, Radarr, and NZBGet all mount the same DOWNLOADS_PATH so completed downloads are immediately available for import.

Environment Variables

Set these in Portainer's stack environment variables when deploying.

Variable Description
WIREGUARD_PRIVATE_KEY WireGuard private key from Mullvad account
WIREGUARD_ADDRESSES WireGuard IP assigned by Mullvad (e.g. 10.66.109.243/32)
SERVER_CITIES Optional preferred cities (e.g. Gothenburg,Stockholm)
PUID Host user ID for volume file ownership (id -u)
PGID Host group ID for volume file ownership (id -g)
TZ Timezone (e.g. Europe/Berlin)
TV_PATH Host path to TV library
MOVIES_PATH Host path to movies library
DOWNLOADS_PATH Host path to NZBGet downloads directory

To get the WireGuard credentials: log in to mullvad.net → Account → WireGuard configuration → Generate key → download the config file. Copy PrivateKey and Address from that file.

Volumes

Volume Mount Purpose
gluetun_data /gluetun gluetun state and cert cache
sonarr_config /config Sonarr database and settings
radarr_config /config Radarr database and settings
prowlarr_config /config Prowlarr database and settings
sabnzbd_config /config SABnzbd config and scripts
${TV_PATH} /tv TV library (Sonarr)
${MOVIES_PATH} /movies Movies library (Radarr)
${DOWNLOADS_PATH} /downloads Shared download dir (all)

Networks

  • gluetun: proxy (external) — only container Traefik can reach
  • sonarr / radarr / prowlarr / nzbget: network_mode: service:gluetun — no independent network attachment
Reference in New Issue View Git Blame Copy Permalink