First, I would like to thank this community for being understanding, open-minded and friendly to novices like myself. I have learned a lot in the past few weeks thanks to this community, unlike Reddit’s toxic communities where asking a question is illegal.

I have built most of my NAS; the only missing component (CPU) I will be collecting in the morning. I just wanted to ask general questions or tips. Dos and Don’ts. I will be using Unraid as the OS.

  • @[email protected]
    3
    11 months ago

    Please let me know what you find for jellyfin with arrs and VPN. I have found that the VPN always interferes with jellyfin and other stuff and haven’t been able to figure out gluetun.

    • @[email protected]
      5
      11 months ago
      
      version: "3.4"
      
      volumes:
        sonarr-config:
          name: sonarr-config
          driver_opts:
            type: nfs
            o: addr=192.168.37.25,nolock,soft,rw
            device: :/zfspool1/dockerData/arr-stack/sonarr
        radarr-config:
          name: radarr-config
          driver_opts:
            type: nfs
            o: addr=192.168.37.25,nolock,soft,rw
            device: :/zfspool1/dockerData/arr-stack/radarr
        prowlarr-config:
          name: prowlarr-config
          driver_opts:
            type: nfs
            o: addr=192.168.37.25,nolock,soft,rw
            device: :/zfspool1/dockerData/arr-stack/prowlarr
        sabnzbd-config:
          name: sabnzbd-config
          driver_opts:
            type: nfs
            o: addr=192.168.37.25,nolock,soft,rw
            device: :/zfspool1/dockerData/arr-stack/sabnzbd
        qbittorrent-config:
          name: qbittorrent-config
          driver_opts:
            type: nfs
            o: addr=192.168.37.25,nolock,soft,rw
            device: :/zfspool1/dockerData/arr-stack/qbittorrent
        media-tv:
          name: media-tv
          driver_opts:
            type: nfs
            o: addr=192.168.37.31,nolock,soft,rw
            device: :/mnt/user/media/TV Shows
        media-movies:
          name: media-movies
          driver_opts:
            type: nfs
            o: addr=192.168.37.31,nolock,soft,rw
            device: :/mnt/user/media/Movies
        media-downloads:
          name: media-downloads
          driver_opts:
            type: nfs
            o: addr=192.168.37.31,nolock,soft,rw
            device: :/mnt/user/downloads
      
      networks:
        traefik_proxy:
          name: traefik_proxy
          external: true
      
      
      services:
        arr-stack-gluetun:
          container_name: arr-stack-gluetun
          hostname: arr-stack-gluetun
          image: qmcgaw/gluetun
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          cap_add:
            - NET_ADMIN
          restart: unless-stopped
          env_file:
             - ../stack.env #get mullvad key from here "WIREGUARD_PRIVATE_KEY", "WIREGUARD_ADDRESSES", "SERVER_CITIES"
          networks:
            # only this container needs access to the proxy network. It also doesn't need any ports exposed to access
            # the other services like qbit, etc. Traefik points to this container and because the other services use
            # the service network type they can be accessed through here. 
            traefik_proxy:
              ipv4_address: 172.18.0.6
          environment:
       
            - VPN_SERVICE_PROVIDER=private internet access
            - OPENVPN_USER=xxxxxxxxz
            - SERVER_HOSTNAMES=lu.privacy.network
            - TZ=America/Chicago
          labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik_proxy"
      
            # qbittorrent traefik labels
            - "traefik.http.routers.arr-stack-qbittorrent.entrypoints=websecure"
            - "traefik.http.routers.arr-stack-qbittorrent.rule=Host(`torrent.local.domain.com`)"
            - "traefik.http.routers.arr-stack-qbittorrent.tls=true"
            - "traefik.http.routers.arr-stack-qbittorrent.service=arr-stack-qbittorrent"
            - "traefik.http.services.arr-stack-qbittorrent.loadbalancer.server.port=8085"
            - "traefik.http.routers.arr-stack-qbittorrent.middlewares=authentik"
      
            # prowlarr traefik labels
            - "traefik.http.routers.arr-stack-prowlarr.entrypoints=websecure"
            - "traefik.http.routers.arr-stack-prowlarr.rule=Host(`prowlarr.local.domain.com`)"
            - "traefik.http.routers.arr-stack-prowlarr.tls=true"
            - "traefik.http.routers.arr-stack-prowlarr.service=arr-stack-prowlarr"
            - "traefik.http.services.arr-stack-prowlarr.loadbalancer.server.port=9696"
            - "traefik.http.routers.arr-stack-prowlarr.middlewares=authentik"
      
            # sabnzbd traefik labels
            - "traefik.http.routers.arr-stack-sabnzbd.entrypoints=websecure"
            - "traefik.http.routers.arr-stack-sabnzbd.rule=Host(`sabnzbd.local.domain.com`)"
            - "traefik.http.routers.arr-stack-sabnzbd.tls=true"
            - "traefik.http.routers.arr-stack-sabnzbd.service=arr-stack-sabnzbd"
            - "traefik.http.services.arr-stack-sabnzbd.loadbalancer.server.port=8080"
            - "traefik.http.routers.arr-stack-sabnzbd.middlewares=authentik"
      
            # sonarr traefik labels
            - "traefik.http.routers.arr-stack-sonarr.entrypoints=websecure"
            - "traefik.http.routers.arr-stack-sonarr.rule=Host(`sonarr.local.domain.com`)"
            - "traefik.http.routers.arr-stack-sonarr.tls=true"
            - "traefik.http.routers.arr-stack-sonarr.service=arr-stack-sonarr"
            - "traefik.http.services.arr-stack-sonarr.loadbalancer.server.port=8989"
            - "traefik.http.routers.arr-stack-sonarr.middlewares=authentik"
      
            # radarr traefik labels
            - "traefik.http.routers.arr-stack-radarr.entrypoints=websecure"
            - "traefik.http.routers.arr-stack-radarr.rule=Host(`radarr.local.domain.com`)"
            - "traefik.http.routers.arr-stack-radarr.tls=true"
            - "traefik.http.routers.arr-stack-radarr.service=arr-stack-radarr"
            - "traefik.http.services.arr-stack-radarr.loadbalancer.server.port=7878"
            - "traefik.http.routers.arr-stack-radarr.middlewares=authentik"
          
        # _____________________________Downloaders__________________________
        arr-stack-qbittorrent:
          image: ghcr.io/linuxserver/qbittorrent:4.6.0
          container_name: arr-stack-qbittorrent
          network_mode: service:arr-stack-gluetun
          volumes:
            - qbittorrent-config:/config
            - media-downloads:/downloads:z
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          depends_on:
            - arr-stack-gluetun
          environment:
            - WEBUI_PORT=8085
            - TZ=America/Chicago
            
            #file permissions need to be the same for all apps
            - PUID=1000
            - PGID=1000
            - UMASK_SET=022
          restart: unless-stopped
          labels:
          # Note 1: Default user is admin, pass is adminadmin
          # Note 2: Tools-> options-> web UI -> bypass localhost and whitelist:
          #    172.18.0.0/24, torrent.local.domain.com, arr-stack-gluetun
      
        arr-stack-sabnzbd:
          image: ghcr.io/linuxserver/sabnzbd:4.1.0
          container_name: arr-stack-sabnzbd
          network_mode: service:arr-stack-gluetun
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          volumes:
            - sabnzbd-config:/config
            - media-downloads:/downloads:z
          depends_on:
            - arr-stack-gluetun
          environment:
            - TZ=America/Chicago
            #file permissions need to be the same for all apps
            - PUID=1000
            - PGID=1000
            #- UMASK_SET=022
          restart: unless-stopped
          
        # ______________________________Arrs__________________________________
        arr-stack-prowlarr:
          image: ghcr.io/linuxserver/prowlarr:1.9.4
          container_name: arr-stack-prowlarr
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          environment:
            - PUID=1000
            - PGID=1000
            - UMASK=022
            - TZ=America/Chicago 
          volumes:
            - prowlarr-config:/config
          restart: unless-stopped
          network_mode: service:arr-stack-gluetun
          depends_on:
            - arr-stack-gluetun
           # - arr-stack-qbittorrent
           # - arr-stack-sabnzbd
       
          
        arr-stack-sonarr:
          image: ghcr.io/linuxserver/sonarr:3.0.10
          container_name: arr-stack-sonarr
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          volumes:
            - sonarr-config:/config
            - media-tv:/media/TV Shows
            - media-downloads:/downloads:z # this is only needed if qbittorrent is used. It must be added to remote path in the app (complete folder)
          environment:
            - PUID=1000
            - PGID=1000
            - UMASK=022
            - TZ=America/Chicago 
          restart: unless-stopped
          network_mode: service:arr-stack-gluetun
          depends_on:
            - arr-stack-gluetun
      
        arr-stack-radarr:
          image: ghcr.io/linuxserver/radarr:5.0.3
          container_name: arr-stack-radarr
          deploy:
            resources:
              limits:
                cpus: '4'
                memory: 4G
              reservations:
                cpus: '2'
                memory: 1G
          volumes:
            - radarr-config:/config
            - media-movies:/media/Movies
            - media-downloads:/downloads:z # this is only needed if qbittorrent is used. It must be added to remote path in the app (complete folder)
          environment:
            - PUID=1000
            - PGID=1000
            - UMASK=022
            - TZ=America/Chicago 
          restart: unless-stopped
          network_mode: service:arr-stack-gluetun
          depends_on:
            - arr-stack-gluetun
      
      
      

      Stuff like this is why I moved my docker from unraid to a VM where I can use docker compose. Docker compose is really the only way to get a clean setup with complex stuff like this. That being said, I recommend beginners use unraid. You don’t need a full VPN for torrents; a socks5 proxy will be fine and doesn’t require any special docker settings.

      My setup uses traefik reverse proxy. Internal HTTPS (Let’s Encrypt wildcard) and external HTTPS depending on what I want.

      It uses authentik for single sign on and in this case provides LDAP for jellyfin and also provides web authentication for arr services.

      The gluetun container can be configured with any VPN and all services can only access the internet via the VPN.

      My NAS is unraid, my docker host is a VM on proxmox. Media files are stored on HDDs on unraid and everything else is on the docker SSD. Volumes are connected to where they need to be via NFS shares.

      There are limits for cpu and ram so one container can’t bring everything down.

      The containers themselves all communicate via their own docker network and only the reverse proxy (traefik) allows access to the UI.
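
An added example, not part of the reply above: a small audit for the two properties the reply describes, that every service shares the gluetun container's network namespace and that nothing publishes a port around the reverse proxy. It assumes the stack has been rendered with `docker compose config --format json`; the sample below is constructed, and `arr-stack-extra` is a hypothetical misconfigured service added to show a finding.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`,
# trimmed to the keys the audit reads. "arr-stack-extra" is hypothetical and
# is not in the compose file above.
SAMPLE = json.loads("""
{
  "services": {
    "arr-stack-gluetun": {
      "cap_add": ["NET_ADMIN"],
      "networks": {"traefik_proxy": {"ipv4_address": "172.18.0.6"}}
    },
    "arr-stack-qbittorrent": {"network_mode": "service:arr-stack-gluetun"},
    "arr-stack-sonarr": {"network_mode": "service:arr-stack-gluetun"},
    "arr-stack-extra": {
      "networks": {"traefik_proxy": null},
      "ports": [{"target": 9000, "published": "9000"}]
    }
  }
}
""")


def audit(compose, gateway):
    """Return findings for services that bypass the VPN container or the proxy."""
    services = compose.get("services", {})
    if gateway not in services:
        return [f"{gateway}: VPN container not defined"]
    findings = []
    for name, svc in sorted(services.items()):
        if svc.get("ports"):
            # A published port is reachable directly, skipping the reverse proxy.
            findings.append(f"{name}: publishes ports on the host")
        if name == gateway:
            continue
        mode = svc.get("network_mode", "")
        if mode != f"service:{gateway}":
            # Without the shared namespace the service has its own route out.
            findings.append(
                f"{name}: network_mode is {mode or 'unset'}, not service:{gateway}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE, "arr-stack-gluetun"):
        print(line)
```

An empty result means every service other than the gateway rides on its network namespace and no port is published on the host; it does not test whether the tunnel itself is up.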