# MediaStack

Automated media server VM running on PVE1 Proxmox (VM 113).  
All traffic routes through WireGuard VPN → DO server — bypasses home ISP entirely.

## VM Info
| Item | Value |
|------|-------|
| VM ID | 113 |
| Name | MediaStack-35 |
| IP | 10.48.200.35 |
| Hypervisor | PVE1 (10.48.200.90) |
| OS | Ubuntu 24.04 |
| SSH | root via PVE1 key (`ssh -i /root/.ssh/id_rsa root@10.48.200.35` from PVE1) |

## Services
| Service | Port | Binary | Data |
|---------|------|--------|------|
| qBittorrent | 8080 | `/usr/bin/qbittorrent-nox` | `/home/qbittorrent/.config/qBittorrent/` |
| Sonarr | 8989 | `/opt/Sonarr/Sonarr` | `/var/lib/sonarr` |
| Radarr | 7878 | `/opt/Radarr/Radarr` | `/var/lib/radarr` |
| Prowlarr | 9696 | `/opt/Prowlarr/Prowlarr` | `/var/lib/prowlarr` |
| NFS server | 2049 | nfs-kernel-server | `/etc/exports` |
| JARVIS agent | — | `/opt/jarvis-agent/agent.py` | `/opt/jarvis-agent/` |
| qemu-guest-agent | — | system | — |

## API Keys
| Service | Key |
|---------|-----|
| Sonarr | `b43e04350a594846b4ee95261c29e9e0` |
| Radarr | `53c4268360444feeae5f98c0cc24e0e3` |
| Prowlarr | `9d0ce6c5660743b5bf1c7951efc62252` |
| qBittorrent | admin / Joker1974!!! |

## Media Paths
| Purpose | Path |
|---------|------|
| Downloads | `/media/downloads/complete` |
| Movies | `/media/movies` (NFS → Jellyfin) |
| TV Shows | `/media/tv` (NFS → Jellyfin) |
| Music | `/media/music` |

## Jellyfin NFS Mounts (VM 112, 10.48.200.33)
| Remote | Local mount |
|--------|-------------|
| `10.48.200.35:/media/movies` | `/mnt/mediastack/movies` |
| `10.48.200.35:/media/tv` | `/mnt/mediastack/tv` |

## WireGuard VPN
- Interface: `wg0`, VM IP: `10.200.0.4/24`
- Routes through **CT110** (WireGuard-19, `10.48.200.19:51821`) → **DO server** (165.22.1.228)
- All internet traffic exits via DO — ISP never sees download activity
- **Kill-switch:** external traffic blocked if VPN drops; LAN `10.48.200.0/24` always allowed
- CT110 public key: `RXxDgIAaie4n0BxBA48rlmt9BJyp2GEktENeQDlc4hA=`
- MediaStack public key: `SjVwsfPvNFDeLxS6vYesiLVrA8BhdYkquSlMCxpeI2Q=`

## DNS
FortiGate blocks outbound port 53 to external DNS servers.  
Fix: dnsmasq installed on PVE1 (10.48.200.90), forwards to Tailscale DNS (100.100.100.100).  
MediaStack resolv config: `/etc/systemd/resolved.conf.d/dns.conf` → `DNS=10.48.200.90`

## Indexer
- IPTorrents configured in Prowlarr via cookie auth
- Prowlarr auto-syncs all indexers to Sonarr and Radarr

## Known Issues & Fixes
| Issue | Fix |
|-------|-----|
| musl vs glibc binary crash | Use `linux-core-x64` releases (glibc), NOT `linux-musl-x64` |
| WireGuard kill-switch blocks SSH | ACCEPT LAN rule must use `-A` (append), not `-I` (insert), so it runs before the REJECT rule |
| DNS fails on first boot | PVE1 dnsmasq forwards DNS; set `DNS=10.48.200.90` in systemd-resolved |
| qBittorrent random temp password | Permanent password set; login is admin / Joker1974!!! |
| JARVIS agent config keys | Needs `jarvis_url`, `registration_key`, `ssl_verify: false` — see `config/jarvis-agent/config.json.example` |

## Repository Layout
```
config/
  wireguard/    wg0.conf (private key redacted)
  systemd/      service unit files for all services
  nfs/          /etc/exports
  dns/          systemd-resolved DNS override
  jarvis-agent/ config.json.example
```