---
name: project-mediastack
description: MediaStack VM on PVE1 — Sonarr/Radarr/Prowlarr/qBittorrent behind WireGuard VPN through CT110→DO
metadata:
  node_type: memory
  type: project
  originSessionId: b1e93a6a-f101-4ea4-aafb-9cb7e2958821
---

## VM Details (updated 2026-06-24)

- **VM ID:** 103 | **Name:** MediaStack-35 | **IP:** 10.48.200.35
- **Hypervisor:** PVE1 (10.48.200.90)
- **Disk:** 50GB on **GoFlex** storage (moved off SynologyProx 2026-06-24 due to I/O errors)
- **OS:** Ubuntu 24.04 (noble cloud image)
- **QEMU guest agent:** installed and running (installed 2026-06-24)
- **SSH:** PVE1 key → `ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa root@10.48.200.35`
- **GitHub:** `myronblair/mediastack` cloned at `/opt/mediastack`

## Services, Ports & Credentials

| Service | Port | Login | API Key |
|---------|------|-------|---------|
| qBittorrent | :8080 | admin / Joker1974!!! | — |
| Sonarr | :8989 | — | `b43e04350a594846b4ee95261c29e9e0` |
| Radarr | :7878 | — | `53c4268360444feeae5f98c0cc24e0e3` |
| Prowlarr | :9696 | — | `9d0ce6c5660743b5bf1c7951efc62252` |

All services run as root (NFS ACL requires root for writes).

## VPN Architecture (updated 2026-06-24)

### wg0 — Internet kill-switch (primary VPN)

- **Interface:** `wg0` | **VPN IP:** `10.200.0.4/24`
- **Endpoint:** CT110 at `10.48.200.67:51821` → NordVPN (us9156, 2.56.190.66:51820) → internet
- **Exit IP:** `2.56.190.69` (NordVPN US, verified 2026-06-29)
- **Kill-switch:** iptables rules — REJECT all non-wg0 non-fwmark traffic; LAN 10.48.200.0/24 always allowed
- **Config:** `/etc/wireguard/wg0.conf` — fwmark hardcoded as `51820` (not dynamic, avoids PostDown race)
- **Auto-start:** `systemctl enable wg-quick@wg0` (enabled 2026-06-24)
- **DNS:** `10.48.200.90` (PVE1 dnsmasq)
- **MediaStack pubkey:** `CaG79S1fJeJDlYCMhHz8BrDfizBq+OiGnO5VzFIk3gE=`
- **CT110 pubkey:** `Fqb1KLfHe1r3+Hwhem7YGZB2KikGYy/8pPsOIP4rn18=` (updated 2026-06-29 — old key was RXxD...)
- **NordVPN exit IP:** 2.56.190.69 (us9156.nordvpn.com) — verified 2026-06-29

### wg1 — Jellyfin media access (NOT internet VPN)

- MediaStack is WireGuard server on `wg1` (port 51820, 10.200.0.1/24)
- Jellyfin (10.48.200.33) connects as peer (10.200.0.3)
- Used for NFS media file access only

## Media Storage

- Downloads: `/mnt/nas/video/downloads` (Synology NAS NFS)
- Movies: `/mnt/nas/video/movies` | TV: `/mnt/nas/video/tv`
- Old paths `/media/movies` and `/media/tv` are NFS mounts from NAS (Jellyfin backward compat)
- Jellyfin fstab: `10.48.200.35:/media/movies /mnt/mediastack/movies nfs defaults,_netdev 0 0`

## Indexer — IPTorrents

- Cookie auth in Prowlarr: `uid=2237410; pass=JzLP2niTWxBJAZIU3yvtLbJzD55kdLeB`
- Cookies expire — if indexer fails, log into iptorrents.com in browser, copy uid+pass cookies

## JARVIS Agent

- Agent ID: `MediaStack_2c00b1b8` | Config: `/opt/jarvis-agent/config.json`
- Registration key: `f846a9aaf7ce9a61742c63c87c4186052a71d2a580c65518` | `ssl_verify: false`

## PBS Backup

- Nightly at 21:00 → SynologyProx storage
- Backs up VM regardless of which storage the disk lives on

## Known Issues

- **wg-quick down/up over SSH kills the connection** — PostDown briefly removes LAN ACCEPT before REJECT; SSH reply is dropped. Always use VM console for wg0 cycling, or use `nohup` background.
- **NFS write failures** = services not running as root
- **Radarr "0 active indexers"** = blocked in DB; fix: `sqlite3 /var/lib/radarr/radarr.db "DELETE FROM IndexerStatus WHERE ProviderId=1;"`
- **Stale NFS file handle on Jellyfin** = lazy unmount + remount on Jellyfin VM
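
A check for the wg0 kill-switch invariants and for the SSH drop described under Known Issues, as an added example that is not part of the original note: it parses `iptables -S OUTPUT` output and reports when the LAN ACCEPT is missing or evaluated after the REJECT. The rule shapes and sample outputs are constructed assumptions; only the LAN range, interface name and fwmark come from the note.

```python
import ipaddress
import shlex

LAN = ipaddress.ip_network("10.48.200.0/24")  # LAN range from the note
FWMARK = 51820                                # hardcoded fwmark from the note
TUNNEL = "wg0"

# Constructed `iptables -S OUTPUT` samples (assumed rule shapes, not the VM's real output).
REJECT_RULE = ("-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype "
               "! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable")
LAN_RULE = "-A OUTPUT -d 10.48.200.0/24 -j ACCEPT"
HEALTHY = "\n".join(["-P OUTPUT ACCEPT", LAN_RULE, REJECT_RULE])
MID_CYCLE = "\n".join(["-P OUTPUT ACCEPT", REJECT_RULE])  # LAN ACCEPT already removed

def parse_rule(line):
    """Extract target, destination, negated out-interface and negated mark from one rule."""
    rule = {"target": None, "dst": None, "not_out": None, "not_mark": None}
    tokens, negated = shlex.split(line), False
    for tok, nxt in zip(tokens, tokens[1:] + [None]):
        if tok == "!":
            negated = True
            continue
        if tok == "-j":
            rule["target"] = nxt
        elif tok == "-d" and not negated:
            rule["dst"] = ipaddress.ip_network(nxt, strict=False)
        elif tok == "-o" and negated:
            rule["not_out"] = nxt
        elif tok == "--mark" and negated:
            rule["not_mark"] = int(nxt.split("/")[0], 0)  # iptables prints the mark in hex
        negated = False
    return rule

def check_killswitch(rules_text):
    """Return a list of problems; an empty list means the kill-switch invariants hold."""
    rules = [parse_rule(line) for line in rules_text.splitlines()
             if line.startswith("-A OUTPUT")]
    reject = next((i for i, r in enumerate(rules) if r["target"] == "REJECT"
                   and r["not_out"] == TUNNEL and r["not_mark"] == FWMARK), None)
    lan = next((i for i, r in enumerate(rules) if r["target"] == "ACCEPT"
                and r["dst"] is not None and LAN.subnet_of(r["dst"])), None)
    if reject is None:
        return ["no REJECT for non-wg0, non-fwmark traffic: kill-switch is off"]
    if lan is None:
        return ["REJECT present but no ACCEPT for LAN 10.48.200.0/24"]
    if lan > reject:
        return ["LAN ACCEPT is evaluated after REJECT"]
    return []
```

On the VM, feed it the live rules with `subprocess.run(["iptables", "-S", "OUTPUT"], capture_output=True, text=True).stdout`, run from the console rather than over SSH while wg0 is being cycled.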