infra/ai-memory/project_mediastack.md

---
name: project-mediastack
description: MediaStack VM on PVE1 — Sonarr/Radarr/Prowlarr/qBittorrent behind WireGuard VPN through CT110→DO
metadata:
node_type: memory
type: project
originSessionId: b1e93a6a-f101-4ea4-aafb-9cb7e2958821
---
## VM Details (updated 2026-06-24)
- **VM ID:** 103 | **Name:** MediaStack-35 | **IP:** 10.48.200.35
- **Hypervisor:** PVE1 (10.48.200.90)
- **Disk:** 50GB on **GoFlex** storage (moved off SynologyProx 2026-06-24 due to I/O errors)
- **OS:** Ubuntu 24.04 (noble cloud image)
- **QEMU guest agent:** installed and running (installed 2026-06-24)
- **SSH:** PVE1 key → `ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa root@10.48.200.35`
- **GitHub:** `myronblair/mediastack` cloned at `/opt/mediastack`
## Services, Ports & Credentials
| Service | Port | Login | API Key |
|---------|------|-------|---------|
| qBittorrent | :8080 | admin / Joker1974!!! | — |
| Sonarr | :8989 | — | `b43e04350a594846b4ee95261c29e9e0` |
| Radarr | :7878 | — | `53c4268360444feeae5f98c0cc24e0e3` |
| Prowlarr | :9696 | — | `9d0ce6c5660743b5bf1c7951efc62252` |

All services run as root (NFS ACL requires root for writes).
## VPN Architecture (updated 2026-06-24)
### wg0 — Internet kill-switch (primary VPN)
- **Interface:** `wg0` | **VPN IP:** `10.200.0.4/24`
- **Endpoint:** CT110 at `10.48.200.67:51821` → NordVPN (us9156, 2.56.190.66:51820) → internet
- **Exit IP:** `2.56.190.69` (NordVPN US, verified 2026-06-29)
- **Kill-switch:** iptables rules — REJECT all non-wg0 non-fwmark traffic; LAN 10.48.200.0/24 always allowed
- **Config:** `/etc/wireguard/wg0.conf` — fwmark hardcoded as `51820` (not dynamic, avoids PostDown race)
- **Auto-start:** `systemctl enable wg-quick@wg0` (enabled 2026-06-24)
- **DNS:** `10.48.200.90` (PVE1 dnsmasq)
- **MediaStack pubkey:** `CaG79S1fJeJDlYCMhHz8BrDfizBq+OiGnO5VzFIk3gE=`
- **CT110 pubkey:** `Fqb1KLfHe1r3+Hwhem7YGZB2KikGYy/8pPsOIP4rn18=` (updated 2026-06-29 — old key was RXxD...)
- **NordVPN exit IP:** 2.56.190.69 (us9156.nordvpn.com) — verified 2026-06-29
### wg1 — Jellyfin media access (NOT internet VPN)
- MediaStack is WireGuard server on `wg1` (port 51820, 10.200.0.1/24)
- Jellyfin (10.48.200.33) connects as peer (10.200.0.3)
- Used for NFS media file access only
## Media Storage
- Downloads: `/mnt/nas/video/downloads` (Synology NAS NFS)
- Movies: `/mnt/nas/video/movies` | TV: `/mnt/nas/video/tv`
- Old paths `/media/movies` and `/media/tv` are NFS mounts from NAS (Jellyfin backward compat)
- Jellyfin fstab: `10.48.200.35:/media/movies /mnt/mediastack/movies nfs defaults,_netdev 0 0`
## Indexer — IPTorrents
- Cookie auth in Prowlarr: `uid=2237410; pass=JzLP2niTWxBJAZIU3yvtLbJzD55kdLeB`
- Cookies expire — if indexer fails, log into iptorrents.com in browser, copy uid+pass cookies
## JARVIS Agent
- Agent ID: `MediaStack_2c00b1b8` | Config: `/opt/jarvis-agent/config.json`
- Registration key: `f846a9aaf7ce9a61742c63c87c4186052a71d2a580c65518` | `ssl_verify: false`
## PBS Backup
- Nightly at 21:00 → SynologyProx storage
- Backs up VM regardless of which storage the disk lives on
## Known Issues
- **wg-quick down/up over SSH kills the connection** — PostDown removes the LAN ACCEPT rule before it removes the REJECT rule, so the SSH reply is briefly dropped. Always use the VM console for wg0 cycling, or run the cycle in the background with `nohup`.
- **NFS write failures** = services not running as root
- **Radarr "0 active indexers"** = blocked in DB; fix: `sqlite3 /var/lib/radarr/radarr.db "DELETE FROM IndexerStatus WHERE ProviderId=1;"`
- **Stale NFS file handle on Jellyfin** = lazy unmount + remount on Jellyfin VM
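
An added example, not part of the original notes or the `mediastack` repo: a shell audit of the invariants that the wg0 kill-switch bullets and the `wg-quick` known issue above depend on, run against constructed `iptables -S OUTPUT` dumps. The rule shapes and the name `audit_killswitch` are assumptions, since these notes do not list the actual rules.

```shell
#!/bin/sh
# Added example. Assumed rule shapes (the page does not list the real rules):
#   -A OUTPUT -d <lan> -j ACCEPT
#   -A OUTPUT ! -o <iface> -m mark ! --mark <fwmark> ... -j REJECT

# audit_killswitch IFACE FWMARK LAN_CIDR   (reads `iptables -S OUTPUT` on stdin)
# returns 0 = sound
#         1 = no REJECT rule: traffic can leave outside the tunnel
#         2 = LAN ACCEPT missing or after REJECT: LAN/SSH replies are dropped
audit_killswitch() {
    hexmark=$(printf '0x%x' "$2")   # iptables -S prints marks in hex
    awk -v ifc="$1" -v decm="$2" -v hexm="$hexmark" -v lan="$3" '
        $1 == "-A" && $2 == "OUTPUT" {
            n++
            line = " " $0 " "
            if (!acc && index(line, " -d " lan " ") && index(line, " -j ACCEPT "))
                acc = n
            if (!rej && index(line, " ! -o " ifc " ") && index(line, " -j REJECT ") &&
                (index(line, " ! --mark " hexm " ") || index(line, " ! --mark " decm " ")))
                rej = n
        }
        END {
            if (!rej) exit 1
            if (!acc || acc > rej) exit 2
            exit 0
        }'
}

# Constructed sample rulesets (not captured from the VM).
REJ='-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'
LAN='-A OUTPUT -d 10.48.200.0/24 -j ACCEPT'
rules_sound()        { printf '%s\n' '-P OUTPUT ACCEPT' "$LAN" "$REJ"; }
rules_mid_postdown() { printf '%s\n' '-P OUTPUT ACCEPT' "$REJ"; }   # LAN ACCEPT already removed
rules_misordered()   { printf '%s\n' '-P OUTPUT ACCEPT' "$REJ" "$LAN"; }
rules_no_reject()    { printf '%s\n' '-P OUTPUT ACCEPT' "$LAN"; }

for rs in rules_sound rules_mid_postdown rules_misordered rules_no_reject; do
    rc=0
    $rs | audit_killswitch wg0 51820 10.48.200.0/24 || rc=$?
    echo "$rs -> $rc"
done
```

On the VM, live rules can be checked with `iptables -S OUTPUT | audit_killswitch wg0 51820 10.48.200.0/24`.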