Code Monkey home page Code Monkey logo

docker-compose-nas's Introduction

Docker Compose NAS

After searching for the perfect NAS solution, I realized what I wanted could be achieved with some Docker containers on a vanilla Linux box. The result is an opinionated Docker Compose configuration capable of browsing indexers to retrieve media resources and downloading them through a WireGuard VPN with port forwarding. SSL certificates and remote access through Tailscale are supported.

Requirements: Any Docker-capable recent Linux box with Docker Engine and Docker Compose V2. I am running it in Ubuntu Server 22.04; I also tested this setup on a Synology DS220+ with DSM 7.1.

Docker-Compose NAS Homepage

Table of Contents


Application Description Image URL
Sonarr PVR for newsgroup and bittorrent users linuxserver/sonarr /sonarr
Radarr Movie collection manager for Usenet and BitTorrent users linuxserver/radarr /radarr
Bazarr Companion application to Sonarr and Radarr that manages and downloads subtitles linuxserver/bazarr /bazarr
Prowlarr Indexer aggregator for Sonarr and Radarr linuxserver/prowlarr:latest /prowlarr
PIA WireGuard VPN Encapsulate qBittorrent traffic in PIA using WireGuard with port forwarding. thrnz/docker-wireguard-pia
qBittorrent Bittorrent client with a complete web UI
Uses VPN network
Using Libtorrent 1.x
linuxserver/qbittorrent:libtorrentv1 /qbittorrent
Unpackerr Automated Archive Extractions golift/unpackerr
Jellyfin Media server designed to organize, manage, and share digital media files to networked devices linuxserver/jellyfin /jellyfin
Jellyseer Manages requests for your media library fallenbagel/jellyseerr /jellyseer
Homepage Application dashboard gethomepage/homepage /
Traefik Reverse proxy traefik
Watchtower Automated Docker images update containrrr/watchtower
Autoheal Monitor and restart unhealthy Docker containers willfarrell/autoheal
Lidarr Optional - Music collection manager for Usenet and BitTorrent users
Enable with COMPOSE_PROFILES=lidarr
linuxserver/lidarr /lidarr
SABnzbd Optional - Free and easy binary newsreader
Enable with COMPOSE_PROFILES=sabnzbd
linuxserver/sabnzbd /sabnzbd
FlareSolverr Optional - Proxy server to bypass Cloudflare protection in Prowlarr
Enable with COMPOSE_PROFILES=flaresolverr
AdGuard Home Optional - Network-wide software for blocking ads & tracking
Enable with COMPOSE_PROFILES=adguardhome
Tandoor Optional - Smart recipe management
Enable with COMPOSE_PROFILES=tandoor
vabene1111/recipes /recipes
Joplin Optional - Note taking application
Enable with COMPOSE_PROFILES=joplin
joplin/server /joplin
Home Assistant Optional - Open source home automation that puts local control and privacy first
Enable with COMPOSE_PROFILES=homeassistant
Immich Optional - Self-hosted photo and video management solution
Enable with COMPOSE_PROFILES=immich

Optional containers are not enabled by default, they need to be enabled, see Optional Services for more information.

Quick Start

cp .env.example .env, edit to your needs then docker compose up -d.

For the first time, run ./ to update the applications base URLs and set the API keys in .env.

Get your qBittorrent password from docker compose logs qbittorrent and change it in the UI and in .env.

If you want to show Jellyfin information in the homepage, create it in Jellyfin settings and fill JELLYFIN_API_KEY.

Environment Variables

Variable Description Default
COMPOSE_FILE Docker compose files to load
COMPOSE_PROFILES Docker compose profiles to load (flaresolverr, adguardhome, sabnzbd)
USER_ID ID of the user to use in Docker containers 1000
GROUP_ID ID of the user group to use in Docker containers 1000
TIMEZONE TimeZone used by the container. America/New_York
CONFIG_ROOT Host location for configuration files .
DATA_ROOT Host location of the data files /mnt/data
DOWNLOAD_ROOT Host download location for qBittorrent, should be a subfolder of DATA_ROOT /mnt/data/torrents
PIA_LOCATION Servers to use for PIA. see list here ca (Montreal, Canada)
PIA_USER PIA username
PIA_PASS PIA password
HOSTNAME Hostname of the NAS, could be a local IP or a domain name localhost
ADGUARD_HOSTNAME Optional - AdGuard Home hostname used, if enabled
ADGUARD_USERNAME Optional - AdGuard Home username to show details in the homepage, if enabled
ADGUARD_PASSWORD Optional - AdGuard Home password to show details in the homepage, if enabled
QBITTORRENT_USERNAME qBittorrent username to access the web UI admin
QBITTORRENT_PASSWORD qBittorrent password to access the web UI None, please set your password
DNS_CHALLENGE Enable/Disable DNS01 challenge, set to false to disable. true
DNS_CHALLENGE_PROVIDER Provider for DNS01 challenge, see list here. cloudflare
LETS_ENCRYPT_CA_SERVER Let's Encrypt CA Server used to generate certificates, set to production by default.
Set to to test your changes with the staging server.
LETS_ENCRYPT_EMAIL E-mail address used to send expiration notifications
CLOUDFLARE_EMAIL CloudFlare Account email
CLOUDFLARE_DNS_API_TOKEN API token with DNS:Edit permission
CLOUDFLARE_ZONE_API_TOKEN API token with Zone:Read permission
SONARR_API_KEY Sonarr API key to show information in the homepage
RADARR_API_KEY Radarr API key to show information in the homepage
LIDARR_API_KEY Lidarr API key to show information in the homepage
PROWLARR_API_KEY Prowlarr API key to show information in the homepage
BAZARR_API_KEY Bazarr API key to show information in the homepage
JELLYFIN_API_KEY Jellyfin API key to show information in the homepage
JELLYSEERR_API_KEY Jellyseer API key to show information in the homepage
SABNZBD_API_KEY Sabnzbd API key to show information in the homepage
HOMEPAGE_VAR_TITLE Title of the homepage Docker-Compose NAS
HOMEPAGE_VAR_SEARCH_PROVIDER Homepage search provider, see list here google
HOMEPAGE_VAR_HEADER_STYLE Homepage header style, see list here boxed
HOMEPAGE_VAR_WEATHER_CITY Homepage weather city name
HOMEPAGE_VAR_WEATHER_LAT Homepage weather city latitude
HOMEPAGE_VAR_WEATHER_LONG Homepage weather city longitude
HOMEPAGE_VAR_WEATHER_UNIT Homepage weather unit, either metric or imperial metric

PIA WireGuard VPN

I chose PIA since it supports WireGuard and port forwarding, but you could use other providers:

For PIA + WireGuard, fill .env and fill it with your PIA credentials.

The location of the server it will connect to is set by LOC=ca, defaulting to Montreal - Canada.

You need to fill the credentials in the PIA_* environment variable, otherwise the VPN container will exit and qBittorrent will not start.

Sonarr, Radarr & Lidarr

File Structure

Sonarr, Radarr, and Lidarr must be configured to support hardlinks, to allow instant moves and prevent using twice the storage (Bittorrent downloads and final file). The trick is to use a single volume shared by the Bittorrent client and the *arrs. Subfolders are used to separate the TV shows from the movies.

The configuration is well explained by this guide.

In summary, the final structure of the shared volume will be as follows:

├── torrents = shared folder qBittorrent downloads
│  ├── movies = movies downloads tagged by Radarr
│  └── tv = movies downloads tagged by Sonarr
└── media = shared folder for Sonarr and Radarr files
   ├── movies = Radarr
   └── tv = Sonarr
   └── music = Lidarr

Go to Settings > Management. In Sonarr, set the Root folder to /data/media/tv. In Radarr, set the Root folder to /data/media/movies. In Lidarr, set the Root folder to /data/media/music.

Download Client

Then qBittorrent can be configured at Settings > Download Clients. Because all the networking for qBittorrent takes place in the VPN container, the hostname for qBittorrent is the hostname of the VPN container, ie vpn, and the port is 8080:


The indexers are configured through Prowlarr. They synchronize automatically to Radarr and Sonarr.

Radarr and Sonarr may then be added via Settings > Apps. The Prowlarr server is http://prowlarr:9696/prowlarr, the Radarr server is http://radarr:7878/radarr Sonarr http://sonarr:8989/sonarr, and Lidarr http://lidarr:8686/lidarr.

Their API keys can be found in Settings > Security > API Key.


Since qBittorrent v4.6.2, a temporary password is generated on startup. Get it with docker compose logs qbittorrent:

The WebUI administrator username is: admin
The WebUI administrator password was not set. A temporary password is provided for this session: <some_password>

Use this password to access the UI, then go to Settings > Web UI and set your own password, then set it in .env's QBITTORRENT_PASSWORD variable.

The login page can be disabled on for the local network in by enabling Bypass authentication for clients.

Set the default save path to /data/torrents in Settings, and restrict the network interface to WireGuard (wg0).

To use the VueTorrent WebUI just go to qBittorrent, Options, Web UI, Use Alternative WebUI, and enter /vuetorrent. Special thanks to gabe565 for the easy enablement with (


To enable hardware transcoding, depending on your system, you may need to update the following block:

  - /dev/dri/renderD128:/dev/dri/renderD128
  - /dev/dri/card0:/dev/dri/card0

Generally, running Docker on Linux you will want to use VA-API, but the exact mount paths may differ depending on your hardware.


The homepage comes with sensible defaults; some settings can ben controlled via environment variables in .env.

If you to customize further, you can modify the files in /homepage/*.yaml according to the documentation. Due to how the Docker socket is configured for the Docker integration, files must be edited as root.

The files in /homepage/tpl/*.yaml only serve as a base to set up the homepage configuration on first run.


Jellyseer gives you content recommendations, allows others to make requests to you, and allows logging in with Jellyfin credentials.

To setup, go to https://hostname/jellyseerr/setup, and set the URLs as follows:

  • Jellyfin: http://jellyfin:8096/jellyfin
  • Radarr:
    • Hostname: radarr
    • Port: 7878
    • URL Base: /radarr
  • Sonarr
    • Hostname: sonarr
    • Port: 8989
    • URL Base: /sonarr

Traefik and SSL Certificates

While you can use the private IP to access your NAS, how cool would it be for it to be accessible through a subdomain with a valid SSL certificate?

Traefik makes this trivial by using Let's Encrypt and one of its supported ACME challenge providers.

Let's assume we are using as custom subdomain.

The idea is to create an A record pointing to the private IP of the NAS, for example:	1	IN	A

The record will be publicly exposed but not resolve given this is a private IP.

Given the NAS is not accessible from the internet, we need to do a dnsChallenge. Here we will be using CloudFlare, but the mechanism will be the same for all DNS providers baring environment variable changes, see the Traefik documentation above and Lego's documentation.

Then, fill the CloudFlare .env entries.

If you want to test your configuration first, use the Let's Encrypt staging server by updating LETS_ENCRYPT_CA_SERVER's value in .env:


If it worked, you will see the staging certificate at You may remove the ./letsencrypt/acme.json file and restart the services to issue the real certificate.

You are free to use any DNS01 provider. Simply replace DNS_CHALLENGE_PROVIDER with your own provider, see complete list here. You will also need to inject the environments variables specific to your provider.

Certificate generation can be disabled by setting DNS_CHALLENGE to false.

Accessing from the outside with Tailscale

If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found Tailscale to be a great solution: create a network, run the client on both the NAS and the device you are connecting from, and they will see each other.

In this case, the A record should point to the IP Tailscale assigned to the NAS, eg	1	IN	A

See here for installation instructions.

However, this means you will always need to be connected to Tailscale to access your NAS, even locally. This can be remedied by overriding the DNS entry for the NAS domain like in your local DNS resolver such as Pi-Hole.

This way, when connected to the local network, the NAS is accessible directly from the private IP, and from the outside you need to connect to Tailscale first, then the NAS domain will be accessible.

Optional Services

Optional services are not launched by default and enabled by appending their profile name to the COMPOSE_PROFILES environment variable (see Docker documentation).

Say you want to enable FlareSolverr, you should have COMPOSE_PROFILES=flaresolverr.

Multiple optional services can be enabled separated by commas: COMPOSE_PROFILES=flaresolverr,adguardhome.


In Prowlarr, add the FlareSolverr indexer with the URL http://flaresolverr:8191/


Enable SABnzbd by setting COMPOSE_PROFILES=sabnzbd. It will be accessible at /sabnzbd.

If that is not the case, the url_base parameter in sabnzbd.ini should be set to /sabnzbd.

Additionally, host_whitelist value should be set to your hostname.

AdGuard Home

Enable AdGuard Home by setting COMPOSE_PROFILES=adguardhome.

Set the ADGUARD_HOSTNAME, I chose a different subdomain to use secure DNS without the folder.

On first run, specify the port 3000 and enable listen on all interfaces to make it work with Tailscale.

If after running docker compose up -d, you're getting network docker-compose-nas declared as external, but could not be found, run docker network create docker-compose-nas first.


In Settings > Encryption Settings, set the certificates path to /opt/adguardhome/certs/certs/<YOUR_HOSTNAME>.crt and the private key to /opt/adguardhome/certs/private/<YOUR_HOSTNAME>.key, those files are created by Traefik cert dumper from the ACME certificates Traefik generates in JSON.


If you want to use the AdGuard Home DHCP server, for example because your router does not allow changing its DNS server, you will need to select the eth0 DHCP interface matching, then specify the Gateway IP to match your router address ( for example) and set a range of IP addresses assigned to local devices.

In adguardhome/docker-compose.yml, set the network interface dhcp-relay should listen to. By default, it is set to enp2s0, but you may need to change it to your host's network interface, verify it with ip a.

In the configuration (adguardhome/conf/AdGuardHome.yaml), set the DHCP options 6th key to your NAS internal IP address:

      - 6 ips,

Enable DHCP Relay by setting COMPOSE_PROFILES=adguardhome-dhcp.

Expose DNS Server with Tailscale

Based on Tailscale's documentation, it is easy to use your AdGuard server everywhere. Just make sure that AdGuard Home listens to all interfaces.


See here.


See here.

Home Assistant

See here.


See here.


You can override the configuration of a service or add new services by creating a new docker-compose.override.yml file, then appending it to the COMPOSE_FILE environment variable: COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml

See official documentation.

For example, use a different VPN provider:

      - NET_ADMIN               # Required
      - NET_RAW                 # Required
    environment:                # Review
      - [email protected]     # Required
      - "PASS=pas$word"         # Required
      - CONNECT=United_States
      - TECHNOLOGY=NordLynx
      - NETWORK=  # So it can be accessed within the local network

Optional: Using the VPN for *arr apps

If you want to use the VPN for Prowlarr and other *arr applications, add the following block to all the desired containers:

    network_mode: "service:vpn"
        condition: service_healthy

Change the healthcheck to mark the containers as unhealthy when internet connection is not working by appending a URL to the healthcheck, eg: test: [ "CMD", "curl", "--fail", "", "" ]

Then in Prowlarr, use localhost rather than vpn as the hostname, since they are on the same network.

Synology Quirks

Docker compose NAS can run on DSM 7.1, with a few extra steps.

Free Ports 80 and 443

By default, ports 80 and 443 are used by Nginx but not actually used for anything useful. Free them by creating a new task in the Task Scheduler > Create > Triggered Task > User-defined script. Leave the Event as Boot-up and the root user, go to Task Settings and paste the following in User-defined script:

sed -i -e 's/80/81/' -e 's/443/444/' /usr/syno/share/nginx/server.mustache /usr/syno/share/nginx/DSM.mustache /usr/syno/share/nginx/WWWService.mustache

synosystemctl restart nginx

Install Synology WireGuard

Since WireGuard is not part of DSM's kernel, an external package must be installed for the vpn container to run.

For DSM 7.1, download and install the package corresponding to your NAS CPU architecture from here.

As specified in the project's README, the package must be run as root from the command line: sudo /var/packages/WireGuard/scripts/start

Free Port 1900

Jellyfin will fail to run by default since the port 1900 is not free. You may free it by going to Control Panel > File Services > Advanced > SSTP > Untick Enable Windows network discovery.

User Permissions

By default, the user and groups are set to 1000 as it is the default on Ubuntu and many other Linux distributions. However, that is not the case in Synology; the first user should have an ID of 1026 and a group of 100. You may check yours with id. Update the USER_ID and GROUP_ID in .env with your IDs. Not updating them may result in permission issues.


Synology DHCP Server and Adguard Home Port Conflict

If you are using the Synology DHCP Server package, it will use port 53 even if it does not need it. This is because it uses Dnsmasq to handle DHCP requests, but does not serve DNS queries. The port can be released by editing (as root) /usr/local/lib/systemd/system/pkg-dhcpserver.service and adding -p 0: ExecStart=/var/packages/DhcpServer/target/dnsmasq-2.x/usr/bin/dnsmasq --user=DhcpServer --group=DhcpServer --cache-size=200 --conf-file=/etc/dhcpd/dhcpd.conf --dhcp-lease-max=2147483648 -p 0 Reboot the NAS and the port 53 will be free for Adguard.

Use Separate Paths for Torrents and Storage

If you want to use separate paths for torrents download and long term storage, to use different disks for example, set your docker-compose.override.yml to:

      - ./sonarr:/config
      - ${DATA_ROOT}/media/tv:/data/media/tv
      - ${DOWNLOAD_ROOT}/tv:/data/torrents/tv
      - ./radarr:/config
      - ${DATA_ROOT}/media/movies:/data/media/movies
      - ${DOWNLOAD_ROOT}/movies:/data/torrents/movies

Note you will lose the hard link ability, ie your files will be duplicated.

In Sonarr and Radarr, go to Settings > Importing > Untick Use Hardlinks instead of Copy

NFS Share

This can be useful to share the media folder to a local player like Kodi or computers in the local network, but may not be necessary if Jellyfin is going to be used to access the media.

Install the NFS kernel server: sudo apt install nfs-kernel-server

Then edit /etc/exports to configure your shares:


This will share the media folder to anybody on your local network (192.168.0.x). I purposely left out the sync flag that would slow down file transfer. On some devices you may need to use the insecure option for the share to be available.

Restart the NFS server to apply the changes: sudo /etc/init.d/nfs-kernel-server restart

On other machines, you can see the shared folder by adding the following to your /etc/fstab: /mnt/nas nfs ro,hard,intr,auto,_netdev 0 0

Static IP

Set a static IP, assuming and using Google DNS servers: sudo nano /etc/netplan/00-installer-config.yaml

# This is the network config written by 'subiquity'
      dhcp4: no
          addresses: [,]
  version: 2

Apply the plan: sudo netplan apply. You can check the server uses the right IP with ip a.

Laptop Specific Configuration

If the server is installed on a laptop, you may want to disable the suspension when the lid is closed: sudo nano /etc/systemd/logind.conf


  • #HandleLidSwitch=suspend by HandleLidSwitch=ignore
  • #LidSwitchIgnoreInhibited=yes by LidSwitchIgnoreInhibited=no

Then restart: sudo service systemd-logind restart

docker-compose-nas's People


adrienpoupa avatar andyburke avatar eduardosmaniotto avatar kphilippart avatar timothynfarmer avatar treethought avatar woxwik avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

docker-compose-nas's Issues

traefik container "Unable to obtain ACME certificate for domains"

Hi, seem to be unable to get the docker image to run. The traefik container always fails with this log:

time="2023-05-13T22:04:30Z" level=info msg="Configuration loaded from flags."
time="2023-05-13T22:04:33Z" level=error msg="Unable to obtain ACME certificate for domains "localhost": cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge" routerName=jellyfin@docker rule="(Host(localhost) && PathPrefix(/jellyfin))" providerName=myresolver.acme ACME CA=""
time="2023-05-13T22:04:35Z" level=error msg="Unable to obtain ACME certificate for domains "localhost": cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge" providerName=myresolver.acme rule="(Host(localhost) && PathPrefix(/jellyfin))" routerName=jellyfin@docker ACME CA=""
time="2023-05-13T22:05:01Z" level=error msg="Unable to obtain ACME certificate for domains "localhost": cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge" ACME CA="" routerName=prowlarr@docker rule="(Host(localhost) && PathPrefix(/prowlarr))" providerName=myresolver.acme """

Client-side exception on accessing qBittorrent

I am unable to access the qBittorrent web UI and receive the below error.

Application error: a client-side exception has occurred (see the browser console for more information).

This seems to be the case regardless of whether I access via the VPN or not (tested by commenting out network_mode: "service:vpn" in the docker-compose.yaml). qBittorrent logs return the below.

(N) 2023-10-29T14:00:50 - Using built-in Web UI.
(W) 2023-10-29T14:00:50 - Couldn't load Web UI translation for selected locale (C).

This indicates an error with no locale being set but I am unable to set one without UI access.

qBittorrent connection refused.


I'm having an issue to see qBittorrent. This is the error I can see from the homepage:

API Error: Unknown error
URL: http://vpn:8080/api/v2/torrents/info
Raw Error:
    "errno": -111,
    "code": "ECONNREFUSED",
    "syscall": "connect",
    "address": "",
    "port": 8080

Everything is under a subdomain. I've created an A record pointing to my local IP. Let's encrypt is returning certs and everything seems ok... except qBittorrent.
I also notice the service is restarting after a while (maybe 1 minute or so)

Some logs:


docker logs vpn
Fetching next-gen PIA server list
Verified OK
Verified server list
Registering public key with PIA endpoint; id: spain, cn: madrid403, ip: ***
Generating /etc/wireguard/wg0.conf
Using PIA DNS servers:,
Port forwarding is available at this location
Successfully generated /etc/wireguard/wg0.conf
Fri Nov  3 11:06:04 UTC 2023: Bringing up WireGuard interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n

interface: wg0
  public key: ***
  private key: (hidden)
  listening port: 55182
  fwmark: 0xca6c

peer: ***
  allowed ips:

Fri Nov  3 11:06:04 UTC 2023: WireGuard successfully started
Fri Nov  3 11:06:04 UTC 2023: Allowing network access to on eth0
Fri Nov  3 11:06:04 UTC 2023: Firewall enabled: Blocking non-WireGuard traffic
Fri Nov  3 11:06:04 UTC 2023: Allowing network access to on eth0
Fri Nov  3 11:06:04 UTC 2023: Adding route to
Fri Nov  3 11:06:04 UTC 2023: Starting port forward script
Fri Nov  3 11:06:04 UTC 2023: Verifying API requests. CN: madrid403
Fri Nov  3 11:06:04 UTC 2023: Getting PF token
Fri Nov  3 11:06:04 UTC 2023: Reusing previous PF token
Fri Nov  3 11:06:04 UTC 2023: Obtained PF token. Expires at 2024-01-03T05:26:30.973490606Z
Fri Nov  3 11:06:04 UTC 2023: Server accepted PF bind
Fri Nov  3 11:06:04 UTC 2023: Forwarding on port 38678
Fri Nov  3 11:06:04 UTC 2023: Rebind interval: 900 seconds
Fri Nov  3 11:06:04 UTC 2023: Port dumped to /pia-shared/port.dat
Fri Nov  3 11:06:04 UTC 2023: This script should remain running to keep the forwarded port alive
Fri Nov  3 11:06:04 UTC 2023: Press Ctrl+C to exit
Fri Nov  3 11:06:04 UTC 2023: Running /scripts/
Fri Nov  3 11:06:04 UTC 2023: Allowing incoming traffic on port 38678
Fri Nov  3 11:06:04 UTC 2023: Running user-defined command: /pia-shared/
Setting qBittorrent port settings (38678)...
Ok.qBittorrent port updated successfully (38678)...

And qBittorrent:

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080

The Web UI administrator username is: admin
The Web UI administrator password has not been changed from the default: adminadmin
This is a security risk, please change your password in program preferences.
[migrations] started
[migrations] no migrations found
usermod: no changes

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by

To support LSIO projects visit:


User UID:    1000
User GID:    1000

[custom-init] No custom files found, skipping...
WebUI will be started shortly after internal preparations. Please wait...
[] done.

A hand is more than welcome!

Thank you for this project. You saved me a lot of time! Kudos to you!

Permission denied error when attempting to download a torrent

Hi there.

I am not able to get a torrent to start downloading in qBittorrent .
It fails with a 'permission denied' error when attempting to write to the host file system.

Here is the error from qbittorrent.log:
(W) 2023-08-14T14:49:58 - File error alert. Torrent: "2023-05-03-raspios-bullseye-armhf.img.xz". File: "/mnt/data/torrents/2023-05-03-raspios-bullseye-armhf.img.xz". Reason: "2023-05-03-raspios-bullseye-armhf.img.xz mkdir (/mnt/data/torrents/2023-05-03-raspios-bullseye-armhf.img.xz) error: Permission denied"

I have an external USB drive mounted in /mnt/data with 777 permissions. There is also a directory called torrents inside the data directory.

I am using these settings in the .env file:


The user and group ids are correctly assigned.

I have noticed a couple of discrepancies that I don't understand.
In the qBittorrent section of the Readme it says: Set the default save path to /data/torrents in Settings
I guess this should say /mnt/data/torrents right?

Also I noticed that in the qBittorrent section of the docker-compse.yml, it has:

  - ./qbittorrent:/config
  - ${DOWNLOAD_ROOT}:/data/torrents

Is the DOWNLOAD_ROOT mapping correct here? In the qbittorrent container documentation they use this:

  - /path/to/appdata/config:/config
  - /path/to/downloads:/downloads

You can see that the DOWNLOAD_ROOT should map to /downloads. Is that right?

Thanks in advance

Jellyseerr and Jellyfin stuck at sync

Thanks for the great setup. Everything works fine, but I am running into a problem with Jellyseerr and Jellyfin. When I select to use Jellyfin in Jellyseerr it gets stuck on syncing. I can't click continue because of it. Also, the logs don't seem to be very helpful. Any pointers? Added as Jellyfin URL: http://jellyfin:8096/jellyfin.

docker-compose logs jellyseerr

Attaching to jellyseerr
jellyseerr | yarn run v1.22.19
jellyseerr | $ NODE_ENV=production node dist/index.js
jellyseerr | 2024-03-11T01:04:11.188Z [info]: Commit Tag: $GIT_SHA 
jellyseerr | 2024-03-11T01:04:11.459Z [info]: Starting Overseerr version 1.7.0 
jellyseerr | warn - You have enabled experimental features (scrollRestoration, largePageDataBytes) in next.config.js.
jellyseerr | warn - Experimental features are not covered by semver, and may cause unexpected or broken application behavior. Use at your own risk.
jellyseerr | 
jellyseerr | 2024-03-11T01:04:12.193Z [info][Notifications]: Registered notification agents 
jellyseerr | 2024-03-11T01:04:12.215Z [info][Jobs]: Scheduled jobs loaded 
jellyseerr | 2024-03-11T01:04:12.329Z [info][Server]: Server ready on port 5055 
jellyseerr | 2024-03-11T01:05:00.011Z [debug][Jobs]: Starting scheduled job: Download Sync 
jellyseerr | 2024-03-11T01:05:00.015Z [info][Jobs]: Starting scheduled job: Plex Recently Added Scan 
jellyseerr | 2024-03-11T01:05:00.016Z [info][Plex Scan]: Scan starting {"sessionId":"f55a9d1b-8a28-465a-bdb9-452967fdf1da"}
jellyseerr | 2024-03-11T01:05:00.024Z [error][Plex Scan]: Scan interrupted {"errorMessage":"connect ECONNREFUSED"}
jellyseerr | 2024-03-11T01:06:00.008Z [debug][Jobs]: Starting scheduled job: Download Sync 

docker-compose logs jellyfin

jellyfin | [21:06:40] [INF] [11] Emby.Server.Implementations.Session.SessionManager: Creating new access token for user 3c7f8df2-075e-4cd7-9ee3-2fdbd6f33d87
jellyfin | [21:06:40] [INF] [36] Emby.Server.Implementations.HttpServer.WebSocketManager: WS request
jellyfin | [21:09:28] [INF] [41] Emby.Server.Implementations.Session.SessionWebSocketListener: Sending ForceKeepAlive message to 1 inactive WebSockets.
jellyfin | [21:09:40] [INF] [22] Emby.Server.Implementations.Session.SessionWebSocketListener: Sending ForceKeepAlive message to 1 inactive WebSockets.
jellyfin | [21:09:52] [INF] [22] Emby.Server.Implementations.Session.SessionWebSocketListener: Lost 1 WebSockets.
Screenshot 2024-03-11 at 00 38 31

Jellyfin Bad Gateway

i encounter a "Bad Gateway" error when I try to open the jellyfin page. Is there any step or config that could be related to this error?

Slow Qbit speeds (Doesn't crack 1MBps)

I couldn't figure out for the longest time why my qbit container was getting absolute butt cheeks for speed. I used to get 40-50MBps and then a few months ago I started not being able to get above 1 MBps. Finally last night I found a solution. I'm just posting this here in case anyone struggles with the same problem. I thought it was an issue with my vpn provider not supporting port forwarding but after splurging on another vpn service I was still seeing the same issues.

I won't pretend to understand the internals of the torrent protocol (more specifically libtorrent) but reverting QBIT to be the last version where it used libtorrent 1.x instead of 2.x resulted in me getting my speeds back.

Changing the image line of this config was the secret sauce:


Can't acces jellyfin with the mobile app ?

Hello, I am currently testing your solution and everything is working perfectly.

But I can't access my jellyfin server from the mobile app, yet the app detects the server but still won't connect to it.

However, the server is local and my phone is on the same network.

On the screenshots you can see that when you click on the selected server it tests all possible solutions but still fails.



Different path prefix for heimdall

First of all thank you for this, it works like a charm!
just fyi I raplaced cloudflare part with
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
and it also works like a charm, the only difference is that you initially have to have domain pointing to your public IP and open the ports, once you get the certificate you can point your domain back to local IP and close the ports.

changing path prefix for heimdall to

  • traefik.http.routers.heimdall.rule=(Host(${HOSTNAME}) && PathPrefix(/heimdall) || PathPrefix(/heimdall))
    turns into 404, any idea why or how to fix that?

And if one were to add nextcloud or photoprism or similar, how would that same path be replaced? just like
- traefik.http.routers.heimdall.rule=(Host(${HOSTNAME}) && PathPrefix(/nextcloud) || PathPrefix(/nextcloud))

Since heimdall is not working why would nextcloud and would you have any idea how to fix it and make nextcloud/heimdall stil accessible? My idea is to add a few more services to this and make it one giant media stack.


Autorenew SSL Cert?

The steps to generate the first letsencrypt cert were successful, but I am getting an email saying it will expire. What are the steps to renew, and is there any way to automate this?


LE certificates error "could not find the start of authority"

I did the configuration as suggested in the repository except for the VPN. Everything seems to be working as expected, but I cannot get the SSL certificates to work.

I'm using cloudflare domain and DNS.

I'm getting this error in the traefik container:

level=debug msg="legolog: [INFO] [] AuthURL:"
level=debug msg="legolog: [INFO] [] acme: Could not find solver for: tls-alpn-01"
level=debug msg="legolog: [INFO] [] acme: Could not find solver for: http-01"
level=debug msg="legolog: [INFO] [] acme: use dns-01 solver"
level=debug msg="legolog: [INFO] [] acme: Preparing to solve DNS-01"
level=debug msg="legolog: [INFO] [] acme: Cleaning DNS-01 challenge"
level=debug msg="legolog: [WARN] [] acme: cleaning up failed: cloudflare: could not find the start of authority for NOERROR "
level=debug msg="legolog: [INFO] Deactivating auth:"
level=debug msg="Serving default certificate for request: \"localhost\""
level=error msg="Unable to obtain ACME certificate for domains \"\": unable to generate a certificate for the domains []: error: one or more domains had a problem:\n[] [] acme: error presenting token: cloudflare: could not find the start of authority for NOERROR\n" routerName=sonarr@docker rule="(Host(``) && PathPrefix(`/sonarr`))" providerName=myresolver.acme ACME CA=""

Here's the changes that I've made in the docker compose:

version: "3.9"
      - --log.level=DEBUG
      # network_mode: "service:vpn"
      # depends_on:
      #   vpn:
      #     condition: service_healthy
        - homepage.widget.url=http://qbittorrent:8080
  # vpn:
    # devices:
    #   - /dev/dri/renderD128:/dev/dri/renderD128
    #   - /dev/dri/card0:/dev/dri/card0

Jellyfin does not work through traefik

Hi, Thanks for creating this stack it is very helpful.

I am able to get everything to work except Jellyfin through traefik.

When I try to go to I get Application error: a client-side exception has occurred (see the browser console for more information).

The console doesnt have any useful info and neither does does the traefik and jellyfin logs.

I am able to use all other services just fine.
Also if I expose the 8096 port in docker-compose.yml for Jellyfin I am able to access Jellyfin through

I have tried setting up various options from but have had no luck fixing this issue.

Any ideas?

adguard not resolving

This is probably my own issue but I can't seem to get the adguard hostname/ip to resolve. I have tried looking for dhcp settings I'm missing or something similar, but an numeric or url or ip address I try in the .env doesn't resolve. There are no issues in the container logs for docker. If its something I'm missing, perhaps just giving an example of how to do it correctly would help in the readme! Not sure whats happening exactly, and thank you for the help, and this repo.

qbittorrent healthcheck fails with error 403

The healthcheck for qbittorrent is defined as
test: [ "CMD", "curl", "--fail", "" ]

When I execute that command it fails with error 403.
The healthcheck succeeds if I only check for /

# docker compose exec -it qbittorrent curl --fail ""                         
curl: (22) The requested URL returned error: 403                           
# docker compose exec -it qbittorrent curl --fail ""                                               
<!DOCTYPE html> 

Not very familiar with qbt, maybe it makes sense to use another check.

Why i got API Error in qbittorrent widget?


Here is my docker compose file:

version: "3.9"
    image: traefik:v2.9
    container_name: traefik
    restart: always
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - "8081:80"
      - "443:443"
      - ./letsencrypt:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    container_name: sonarr
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - ./sonarr:/config
      - ${DATA_ROOT}:/data
    restart: always
      - traefik.enable=true
      - traefik.http.routers.sonarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/sonarr`))
      - traefik.http.routers.sonarr.tls=true
      - traefik.http.routers.sonarr.tls.certresolver=myresolver
      - homepage.icon=sonarr.png
      - homepage.href=/sonarr
      - homepage.description=Series management
      - homepage.weight=0
      - homepage.widget.type=sonarr
      - homepage.widget.url=http://sonarr:8989/sonarr
      - homepage.widget.key=${SONARR_API_KEY}
    container_name: radarr
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - ./radarr:/config
      - ${DATA_ROOT}:/data
    restart: always
      - traefik.enable=true
      - traefik.http.routers.radarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/radarr`))
      - traefik.http.routers.radarr.tls=true
      - traefik.http.routers.radarr.tls.certresolver=myresolver
      - homepage.icon=radarr.png
      - homepage.href=/radarr
      - homepage.description=Movies management
      - homepage.weight=1
      - homepage.widget.type=radarr
      - homepage.widget.url=http://radarr:7878/radarr
      - homepage.widget.key=${RADARR_API_KEY}
    container_name: prowlarr
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - ./prowlarr:/config
    restart: always
      - traefik.enable=true
      - traefik.http.routers.prowlarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/prowlarr`))
      - traefik.http.routers.prowlarr.tls=true
      - traefik.http.routers.prowlarr.tls.certresolver=myresolver
      - homepage.icon=prowlarr.png
      - homepage.href=/prowlarr
      - homepage.description=Indexers management
      - homepage.weight=4
      - homepage.widget.type=prowlarr
      - homepage.widget.url=http://prowlarr:9696/prowlarr
      - homepage.widget.key=${PROWLARR_API_KEY}
    container_name: qbittorrent
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - WEBUI_PORT=8080
      - ./qbittorrent:/config
      - ${DOWNLOAD_ROOT}:/data/torrents
    restart: always
      - traefik.enable=true
      - traefik.http.routers.qbittorrent.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/qbittorrent`))
      - traefik.http.routers.qbittorrent.tls=true
      - traefik.http.routers.qbittorrent.tls.certresolver=myresolver
      - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix
      - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
      - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
      - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
      - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.permanent=false
      #- com.centurylinklabs.watchtower.depends-on=/vpn
      - homepage.icon=qbittorrent.png
      - homepage.href=/qbittorrent
      - homepage.description=Bittorrent client
      - homepage.weight=5
      - homepage.widget.type=qbittorrent
      - homepage.widget.url=http://qbittorrent:8080/qbittorrent      
      - homepage.widget.username=admin
      - homepage.widget.password=adminadmin
    container_name: jellyfin
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - JELLYFIN_PublishedServerUrl=${HOSTNAME}/jellyfin
      - ./jellyfin:/config
      - ${DATA_ROOT}:/data
      - "7359:7359/udp"
      - "1900:1900/udp"
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    restart: always
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/jellyfin`))
      - traefik.http.routers.jellyfin.tls=true
      - traefik.http.routers.jellyfin.tls.certresolver=myresolver
      - homepage.icon=jellyfin.png
      - homepage.href=/jellyfin
      - homepage.description=Media server
      - homepage.weight=3
      - homepage.widget.type=jellyfin
      - homepage.widget.url=http://jellyfin:8096/jellyfin
      - homepage.widget.key=${JELLYFIN_API_KEY}
    container_name: homepage
      - ./homepage:/app/config
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DATA_ROOT}:/data
    restart: always
    command: [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
      - traefik.enable=true
      - traefik.http.routers.homepage.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/`))
      - traefik.http.routers.homepage.tls=true
      - traefik.http.routers.homepage.tls.certresolver=myresolver
    image: containrrr/watchtower
    container_name: watchtower
    restart: always
      - /var/run/docker.sock:/var/run/docker.sock

name: docker-compose-nas

Here my .env


Unable to complete application test, cannot connect to Sonarr. Name does not resolve (vpn:8989)

Due to my location I have to put Prowlarr behind the VPN in order to add indexers successfully. This works fine and I have adjusted the widget URL to account for this.

All works well but this then breaks the app in Sonarr and Radarr. Makes sense as the Prowlarr URL has changed from http://prowlarr:9696/prowlarr to http://vpn:9696/prowlarr.

Updating the Prowlarr URL does not fix the issue. Working on the assumption that therefore Sonarr and Radarr should also sit behind the VPN but updating their respective URL's still returns the same error.


I revert everything back pre-VPN and everything seems to then work fine but indexers are broken.

[Synology] Issue with Qbittorrent container

Deploying on Synology DS918+
I disabled the DSM usage of port 80 and 443 to allow using this following these directions.
sed -i -e 's/80/81/' -e 's/443/444/' /usr/syno/share/nginx/server.mustache /usr/syno/share/nginx/DSM.mustache /usr/syno/share/nginx/WWWService.mustache
then running
synosystemctl restart nginx

I then followed your quick start instructions on the readme

what ends up happeing is the vpn fires up , *arrs run and jellyfin runs but the qbittorrent does not seem to work and does not end up in the new docker network

when going to host/qbittorrent on the browser it just times out

add whisparr support / Jdownloader


im quite new to docker and will try out your packge, but didnt have the time yet.

Can you please add whisparr optionally to your package?

You can find it here:

Also is it possible to integrate JDownlaoder into the bunch?
Mind, that I did not try your package or any of the Rrr Apps at all yet, so this may already be possible?
Can you tell me how that would work?

Also is it possible to integrate replacing jellyfin optionally with plex?

I will be running the containers on a Synology NAS.


File structure and hardlinks

Thank you for your great work !

I can't figure out how hardlinks work.
I have the same file structure as you:

├── torrents
│  ├── movies
│  └── tv
└── media
   ├── movies
   └── tv

qBittorent downloads files in /data/torrents. /data/torrents/movies and /data/torrents/tv both stay empty.
My files permissions for all files and directories inside data: drwxrwxr-x xxx xxx

If go inside a container using this cmd: docker exec -ti sonarr bash my files permission has a different user and grp:
drwxrwxr-x abc abc . Is it normal ?

the "create hardlink" in both Radarr and Sonarr configuration are ticked

Even though everything seems correctly configured, files from /data/torrents are not automatically linked to /data/media. What did I miss ?

Thanks in advance for your help.

Add Usenet Capability


Love this repo... wondering how I would go about modifying it such that I have a sabnzbd container that can be resolved via ''

Unsure which parts of the config need to change and how but would appreciate any guidance :)

I can't connect to the home page


I followed all the procedures, my docker is active, however when I type my IP to access the services if I leave http://mon-ip I get the error 404 page not found, if I want to access Sonarr etc, it turns in the void.

My docker runs on Ubuntu server, my client is on w10 with firewall disabled...

Do you have any clues?


/data bind mount works for sonarr but not radarr

So i am able to setup sonarr just fine but with radarr when i follow the steps to set /data as the root directory it is blank. If i bin/bash into the container and cd then ls it all shows up. Do i have an issue with permissions? I have matched the file structure as stated in the readme.

Local use


Would you make a structure to use it in a local way?

I mean, i just want to use it in my lan network, i don't want the parts for cloudflare, let's encrypt, vpn, etc.

Thanks in advance.

can not compose docker on Synology NAS and different VPN provider


sorry, if this is a dumb question, but I have only installed docker containers through the Synology Container Manager so far.

I cloned the github and created a new shared folder on my NAS DS218+.

I read the Synology Quirks and adjusted the settings accordingly like UID and disable SSTP.

Then "cp .env.example .env" and edited the file.

But when running "docker compose up -d" via SSH as root I get:
unknown shorthand flag: 'd' in -d

And with "docker compose up" I get
docker: 'compose' is not a docker command.

Also can you help me set ProtonVPN as the provider for Qbitorrent?

It can be done with this container:

Id like to use OpenVPN instead of wireguard, because I read the Wireguard binary may be deleted with a DSM Update.

I read it can be done by creating a docker-compose.override.yml but im not sure how that would need to look like as i have never written a compose file.

Also how do I disable the DNS / Certificate Setup?

If I connect to my Wireguard VPN Server on my Router will I still be able to use Tailscale to connect directly?
Or do I need a Certificate for that?

I attached my .env file.



Qbit won't seed


Not sure if this is an issue with this config or if it's a setting with my VPN/Router/etc. that I haven't properly configured. However, I am unable to seed anything post download and I don't want to destroy my ratio on my trackers.

Is there any setting I need to change on either QBIT itself or perhaps PIA to enable uploading? Do I need to do anything with proxy settings?

Thanks in advance

replaced jellyfin and wireguard-pia by plex and expressvpn

Hi. Thanks for the great package.
I would like to replace jellyfin and wireguard-pia with plex and expressvpn.

I already have a plex server running on another container (I know how to include it in the same network as this package).
But the expressvpn ... it's a bit more complicated i think.
Here is the compose fille i've use and i's getting an error 404 when accessing the homepage container.
I've removed the jellyfin and replaced the wireguard.
I had to change port for expressvpn from 8080 to 8082. Was getting "Error response from daemon: driver failed programming external connectivity on endpoint traefik (bfceefef6fd5aab2fbf085c9e434ad264edec5b099e0384c38d2cb031d0a73e9): Bind for failed: port is already allocated"
Had to comment . Was getting "cp: can't stat '/app/config/tpl/*.yaml': No such file or directory"

If you know of an easy way to integrate them, let me know (maybe something obvious will jump)

version: "3.9"
image: traefik:v2.9
container_name: traefik
restart: always
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entrypoints.web.address=:80
- --entrypoints.web-secure.address=:443
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --certificatesresolvers.myresolver.acme.dnschallenge=${DNS_CHALLENGE:-true}
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
- --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=,
- --certificatesresolvers.myresolver.acme.caserver=${LETS_ENCRYPT_CA_SERVER:-}
- "80:80"
- "443:443"
- ./letsencrypt:/letsencrypt
- "/var/run/docker.sock:/var/run/docker.sock:ro"
container_name: sonarr
- ./sonarr:/config
- ${DATA_ROOT}:/data
restart: always
- traefik.enable=true
- traefik.http.routers.sonarr.rule=(Host(${HOSTNAME}) && PathPrefix(/sonarr))
- traefik.http.routers.sonarr.tls=true
- traefik.http.routers.sonarr.tls.certresolver=myresolver
- homepage.icon=sonarr.png
- homepage.href=/sonarr
- homepage.description=Series management
- homepage.weight=0
- homepage.widget.type=sonarr
- homepage.widget.url=http://sonarr:8989/sonarr
- homepage.widget.key=${SONARR_API_KEY}
container_name: radarr
- ./radarr:/config
- ${DATA_ROOT}:/data
restart: always
- traefik.enable=true
- traefik.http.routers.radarr.rule=(Host(${HOSTNAME}) && PathPrefix(/radarr))
- traefik.http.routers.radarr.tls=true
- traefik.http.routers.radarr.tls.certresolver=myresolver
- homepage.icon=radarr.png
- homepage.href=/radarr
- homepage.description=Movies management
- homepage.weight=1
- homepage.widget.type=radarr
- homepage.widget.url=http://radarr:7878/radarr
- homepage.widget.key=${RADARR_API_KEY}
container_name: prowlarr
- ./prowlarr:/config
restart: always
- traefik.enable=true
- traefik.http.routers.prowlarr.rule=(Host(${HOSTNAME}) && PathPrefix(/prowlarr))
- traefik.http.routers.prowlarr.tls=true
- traefik.http.routers.prowlarr.tls.certresolver=myresolver
- homepage.icon=prowlarr.png
- homepage.href=/prowlarr
- homepage.description=Indexers management
- homepage.weight=4
- homepage.widget.type=prowlarr
- homepage.widget.url=http://prowlarr:9696/prowlarr
- homepage.widget.key=${PROWLARR_API_KEY}
container_name: qbittorrent
- ./qbittorrent:/config
- ${DOWNLOAD_ROOT}:/data/torrents
restart: always
network_mode: "service:vpn"
condition: service_healthy
- traefik.enable=true
- traefik.http.routers.qbittorrent.rule=(Host(${HOSTNAME}) && PathPrefix(/qbittorrent))
- traefik.http.routers.qbittorrent.tls=true
- traefik.http.routers.qbittorrent.tls.certresolver=myresolver
- traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix
# qbittorrent/qBittorrent#5693 (comment)
- traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*/qbittorrent$$)
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.permanent=false
#- com.centurylinklabs.watchtower.depends-on=/vpn
- homepage.icon=qbittorrent.png
- homepage.href=/qbittorrent
- homepage.description=Bittorrent client
- homepage.weight=5
- homepage.widget.type=qbittorrent
- homepage.widget.url=http://vpn:8080
- homepage.widget.username=admin
- homepage.widget.password=adminadmin
image: misioslav/expressvpn:latest
container_name: vpn

restart: unless-stopped

ports: # ports from which container that uses vpn connection will be available in local network
  - 8082:80 # example
  - WHITELIST_DNS=,  # Comma seperated list of dns servers you wish to use and whitelist via iptables
  - CODE=My_activation_code # Activation Code from vpn
  - SERVER=smart # By default container will connect to smart location, list of available locations you can find below

- DDNS=yourDdnsDomain # optional

- IP=yourStaticIp # optional - won't work if DDNS is setup

- BEAERER=ipInfoAccessToken # optional can be taken from

  - HEALTHCHECK=healthchecks.ioId # optional can be taken from
  - NETWORK=on #optional and set to on by default
  - PROTOCOL=lightway_udp \ #optional set default to lightway_udp see protocol and cipher section for more information
  - CIPHER=chacha20 \ #optional set default to chacha20 see protocol and cipher section for more information
  - /dev/net/tun
stdin_open: true
tty: true
command: /bin/bash
privileged: true
  - ./pia:/pia
  - ./pia-shared:/pia-shared

  test: ping -c 1 || exit 1
  interval: 30s
  timeout: 10s
  retries: 3
restart: always
  # network mode is not supported:
  - com.centurylinklabs.watchtower.enable=false

container_name: homepage
- ./homepage:/app/config
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${DATA_ROOT}:/data
restart: always

command: [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]

  - traefik.enable=true
  - traefik.http.routers.homepage.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/`))
  - traefik.http.routers.homepage.tls=true
  - traefik.http.routers.homepage.tls.certresolver=myresolver

image: containrrr/watchtower
container_name: watchtower
restart: always
- /var/run/docker.sock:/var/run/docker.sock

name: docker-compose-nas

Add Bazarr support


Is it possible to add a Bazarr support to handle subtitles ?

I have tried it myself but I can't make it work.

container_name: bazarr
- ./bazarr:/config
- ${DATA_ROOT}:/data
restart: always
test: [ "CMD", "curl", "--fail", "" ]
interval: 5s
retries: 10
- traefik.enable=true
- traefik.http.routers.bazarr.rule=(Host(${HOSTNAME}) && PathPrefix(/bazarr))
- traefik.http.routers.bazarr.tls=true
- traefik.http.routers.bazarr.tls.certresolver=myresolver
- homepage.icon=sonarr.png
- homepage.href=/bazarr
- homepage.description=Subtitles management
- homepage.weight=0
- homepage.widget.type=bazarr
- homepage.widget.url=http://bazarr:6767/bazarr

Bazarr seems up and running but I'm not able to access the web interface. I guess it's a reverse proxy misconfiguration.

bazarr | 2024-01-20 20:06:18,448 - root (7f94d516ab48) : INFO (server:67) - BAZARR is started and waiting for request on

Thanks in advance

Plex Support

Hey, let me start by saying how great this is!

I wanted to ask if there are plans on adding Plex support. Couldn't find any issue around it so here we are 😅.


ELI5: How do we ensure traffic does not bypass VPN?

I’m looking to understand how we ensure containers configured to use the VPN container do not leak traffic if the VPN is down. Does a kill switch prevent any traffic if PIA has issues? Is there anything I can do to confirm no leaks?

Guide for adding other docker services with traefik


Love the script and the documentation makes it pretty straightforward to set up.

I'm trying to add other containers such as syncthing, pigallery. I got syncthing working easily enough but not sure how to get it to have the same URL structure ( pigallery requires nginx and those ports (80,443) are taken so again, I'm not sure how to configure that.

Would be awesome if there was documentation for adding other generic docker containers to the existing set up.

step by step guide

Is there a step by step guide or video for this build? Maybe using Nord VPN. Please?

vpn container unhealthy

I am having an error vpn container is unhealthy when doing sudo docker compose up -d.

I did not edit the .env (Actually I do not know what to modify).

Is it mandatory to use PIA ?

P.D. I am unfamiliar with Docker

Traefik and SSL Certificates Setup Steps

So to use the nas with jellyfin clients other than a pc/phone browser i have to setup this SSL certificate i think since the apps reject self signed certificates. I am a little lost on what i need to sign up for and to put in the environment file so that your scripts can do their magic. Could you expand the readme section or point to an instruction. If using a synology can i use these steps? []

Add backup service

The *arrs configurations and databases should be backed up externally in case of failure. Using rclone would probably be the most flexible option.

Continously pinging

My pihole is showing that my nas is pinging every few seconds. It is running tailscale and traefik (also syncthing)

Any idea why it would be doing this so frequently? Not sure which logs to look at.


Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.