Nixos Modules - Options Documentation

nixarr.enable

Whether or not to enable the nixarr module. Has the following features:

• Run services through a VPN: You can run any service that this module supports through a VPN, fx nixarr.transmission.vpn.enable = true;
• Automatic Directories, Users and Permissions: The module automatically creates directories and users for your media library. It also sets sane permissions.
• State Management: All services support state management and all state that they manage is located by default in /data/.state/nixarr/*
• Optional Automatic Port Forwarding: This module has a UPNP support that lets services request ports from your router automatically, if you enable it.

Also comes with the nixarr command that helps you manage your library.

It is possible, but not recommended, to run the “*Arrs” behind a VPN, because it can cause rate limiting issues. Generally, you should use VPN on transmission and maybe jellyfin, depending on your setup.

The following services are supported:

• Anchorr
• Audiobookshelf
• Autobrr
• Bazarr
• Jellyfin
• Seerr
• Lidarr
• Plex
• Prowlarr
• qBittorrent
• Radarr
• Shelfmark
• Recyclarr
• SABnzbd
• Sonarr
• Transmission

Remember to read the options!

Type: boolean

  false

  true

nixarr.anchorr.enable

Whether or not to enable the Anchorr service.

Type: boolean

  false

  true

nixarr.anchorr.package

The package used for the Anchorr service.

Type: package

  pkgs.callPackage ./package.nix {}

nixarr.anchorr.configFile

Path to a custom config.json for Anchorr.

Type: null or absolute path

  null

nixarr.anchorr.configuration

Anchorr configuration as a Nix attribute set. Generated as config.json.

Type: JSON value

  { }

  {
    discord = {
      bot_id = "123456789";
      guild_id = "987654321";
    };
  }

nixarr.anchorr.discordTokenFile

Path to a file containing the Discord bot token.

Type: null or absolute path

  null

  "/data/.secret/anchorr/discord-token"

nixarr.anchorr.environmentFiles

List of environment files (e.g., from sops-nix) containing secrets.

Type: list of absolute path

  [ ]

  [ config.sops.secrets.anchorr_env.path ]

nixarr.anchorr.expose.https.enable

Required options:

• nixarr.anchorr.expose.https.acmeMail
• nixarr.anchorr.expose.https.domainName

Conflicting options: nixarr.anchorr.vpn.enable

Expose the Anchorr web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Anchorr authentication through localhost first!

Type: boolean

  false

  true

nixarr.anchorr.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.anchorr.expose.https.domainName

The domain name to host Anchorr on.

Type: null or string

  null

  "anchorr.example.com"

nixarr.anchorr.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.anchorr.jellyseerr.apiKeyFile

Path to a file containing the Jellyseerr API key.

Type: null or absolute path

  null

  "/data/.secret/anchorr/jellyseerr-api-key"

nixarr.anchorr.jellyseerr.url

URL of the Jellyseerr instance.

Type: string

  "http://localhost:5055"

  "http://192.168.1.50:5055"

nixarr.anchorr.openFirewall

Open firewall for Anchorr

Type: boolean

  !nixarr.anchorr.vpn.enable

  true

nixarr.anchorr.port

Anchorr web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8282

  12345

nixarr.anchorr.secretsFile

Environment file containing secrets like DISCORD_TOKEN, TMDB_API_KEY, etc. This is a legacy option, prefer environmentFiles.

Type: null or absolute path

  null

  "/data/.secret/anchorr/env"

nixarr.anchorr.stateDir

The location of the state directory for the Anchorr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/anchorr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/anchorr"

  "/nixarr/.state/anchorr"

nixarr.anchorr.tmdbApiKeyFile

Path to a file containing the TMDB API key.

Type: null or absolute path

  null

  "/data/.secret/anchorr/tmdb-api-key"

nixarr.anchorr.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.anchorr.expose.https.enable

Route Anchorr traffic through the VPN.

Type: boolean

  false

  true

nixarr.audiobookshelf.enable

Whether or not to enable the Audiobookshelf service.

Conflicting options: nixarr.plex.enable

Type: boolean

  false

  true

nixarr.audiobookshelf.package

The audiobookshelf package to use.

Type: package

  pkgs.audiobookshelf

nixarr.audiobookshelf.expose.https.enable

Required options:

• nixarr.audiobookshelf.expose.https.acmeMail
• nixarr.audiobookshelf.expose.https.domainName

Conflicting options: nixarr.audiobookshelf.vpn.enable

Expose the Audiobookshelf web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Audiobookshelf authentication through localhost first!

Type: boolean

  false

  true

nixarr.audiobookshelf.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.audiobookshelf.expose.https.domainName

The domain name to host Audiobookshelf on.

Type: null or string

  null

  "audiobookshelf.example.com"

nixarr.audiobookshelf.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.audiobookshelf.host

The host Audiobookshelf binds to.

Type: string

  "127.0.0.1"

  "0.0.0.0"

nixarr.audiobookshelf.openFirewall

Open firewall for Audiobookshelf

Type: boolean

  false

  true

nixarr.audiobookshelf.port

Default port for Audiobookshelf. The default is 8000 in nixpkgs, but that’s far too common a port to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9292

  8000

nixarr.audiobookshelf.stateDir

The location of the state directory for the Audiobookshelf service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/audiobookshelf

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/audiobookshelf"

  "/nixarr/.state/audiobookshelf"

nixarr.audiobookshelf.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.audiobookshelf.expose.https.enable

Route Audiobookshelf traffic through the VPN.

Type: boolean

  false

  true

nixarr.audiobookshelf.vpn.configureNginx

Required options: [nixarr.audiobookshelf.vpn.enable)(#nixarr.audiobookshelf.vpn.enable)

Configure nginx as a reverse proxy for the Audiobookshelf web ui.

Type: boolean

  nixarr.audiobookshelf.vpn.enable

  false

nixarr.autobrr.enable

Whether or not to enable the Autobrr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.autobrr.package

The autobrr package to use.

Type: package

  pkgs.autobrr

nixarr.autobrr.exporter.enable

Whether to enable the Prometheus metrics exporter for Autobrr. If null, follows the global nixarr.exporters.enable setting.

Type: null or boolean

  null

  true

nixarr.autobrr.exporter.port

Port for the Prometheus metrics exporter.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9712

  9712

nixarr.autobrr.openFirewall

Open firewall for the Autobrr port.

Type: boolean

  false

  true

nixarr.autobrr.settings

Autobrr configuration options.

See https://autobrr.com/configuration/autobrr for more information.

sessionSecret is automatically generated upon first installation and will be overridden. This is done to ensure that the secret is not hard-coded in the configuration file. The actual secret file is generated in the systemd service at /data/.state/nixarr/autobrr/session-secret.

Type: open submodule of (TOML value)

  {
    checkForUpdates = false;
    host = "0.0.0.0";
    port = 7474;
  }

  {
    logLevel = "DEBUG";
  }

nixarr.autobrr.stateDir

The location of the state directory for the Autobrr service.

Type: absolute path

  "${nixarr.stateDir}/autobrr"

  "/nixarr/.state/autobrr"

nixarr.autobrr.vpn.enable

Required options: nixarr.vpn.enable

Route Autobrr traffic through the VPN.

Type: boolean

  false

  true

nixarr.autobrr.vpn.configureNginx

Required options: [nixarr.autobrr.vpn.enable)(#nixarr.autobrr.vpn.enable)

Configure nginx as a reverse proxy for the Autobrr web ui.

Type: boolean

  nixarr.autobrr.vpn.enable

  false

nixarr.bazarr.enable

Whether or not to enable the Bazarr service.

Type: boolean

  false

  true

nixarr.bazarr.package

The bazarr package to use.

Type: package

  pkgs.bazarr

nixarr.bazarr.openFirewall

Open firewall for Bazarr

Type: boolean

  false

  true

nixarr.bazarr.port

Port for Bazarr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  6767

nixarr.bazarr.settings-sync.radarr.enable

Automatically configure Radarr connection in Bazarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.radarr.config

Configuration for Radarr connection in Bazarr.

Type: submodule

  { }

nixarr.bazarr.settings-sync.radarr.config.apiKeyFile

Path to file containing the API key for Radarr.

Type: absolute path

  "${nixarr.stateDir}/secrets/radarr.api-key"

nixarr.bazarr.settings-sync.radarr.config.base_url

Base URL path for Radarr (without leading/trailing slashes).

Type: string

  ""

nixarr.bazarr.settings-sync.radarr.config.ip

IP address or hostname of the Radarr server.

Type: string

  "127.0.0.1"

nixarr.bazarr.settings-sync.radarr.config.port

Port of the Radarr server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  nixarr.radarr.port

nixarr.bazarr.settings-sync.radarr.config.ssl

Whether to use SSL when connecting to Radarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.radarr.config.sync_only_monitored_movies

Only sync monitored movies from Radarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.sonarr.enable

Automatically configure Sonarr connection in Bazarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.sonarr.config

Configuration for Sonarr connection in Bazarr.

Type: submodule

  { }

nixarr.bazarr.settings-sync.sonarr.config.apiKeyFile

Path to file containing the API key for Sonarr.

Type: absolute path

  "${nixarr.stateDir}/secrets/sonarr.api-key"

nixarr.bazarr.settings-sync.sonarr.config.base_url

Base URL path for Sonarr (without leading/trailing slashes).

Type: string

  ""

nixarr.bazarr.settings-sync.sonarr.config.ip

IP address or hostname of the Sonarr server.

Type: string

  "127.0.0.1"

nixarr.bazarr.settings-sync.sonarr.config.port

Port of the Sonarr server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  nixarr.sonarr.port

nixarr.bazarr.settings-sync.sonarr.config.ssl

Whether to use SSL when connecting to Sonarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.sonarr.config.sync_only_monitored_episodes

Only sync monitored episodes from Sonarr.

Type: boolean

  false

nixarr.bazarr.settings-sync.sonarr.config.sync_only_monitored_series

Only sync monitored series from Sonarr.

Type: boolean

  false

nixarr.bazarr.stateDir

The location of the state directory for the Bazarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/bazarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/bazarr"

  "/nixarr/.state/bazarr"

nixarr.bazarr.vpn.enable

Required options: nixarr.vpn.enable

Route Bazarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.bazarr.vpn.configureNginx

Required options: [nixarr.bazarr.vpn.enable)(#nixarr.bazarr.vpn.enable)

Configure nginx as a reverse proxy for the Bazarr web ui.

Type: boolean

  nixarr.bazarr.vpn.enable

  false

nixarr.ddns.nineteenEightyFour.enable

Required options:

• nixarr.ddns.nineteenEightyFour.keysFile

Whether or not to enable DDNS for a 1984 domain.

Type: boolean

  false

  true

nixarr.ddns.nineteenEightyFour.keysFile

A path to a JSON-file containing key value pairs of domains and keys.

To get the keys, create an A record. Remember to enable DDNS on that record. Then get your key at:

https://1984.hosting/domains/freednsapi/

The JSON-file you pass in this option should contain:

  {
    "jellyfin.example.com": "E9L3eWL81e0IMwUNQrCvnA9KchBgLw9IUZb3Tb7156VdPtkyMjOEvx0KB97r5RgC"
  }

You can, of course, add more key-value pairs than just one. However for this provider, all the API keys should be the same.

Type: null or string

  null

  "/data/.secret/1984/keys-file.json"

nixarr.ddns.njalla.enable

Required options:

• nixarr.ddns.njalla.keysFile

Whether or not to enable DDNS for a Njalla domain.

Type: boolean

  false

  true

nixarr.ddns.njalla.keysFile

A path to a JSON-file containing key value pairs of domains and keys.

To get the keys, create a dynamic njalla record. Upon creation you should see something like the following command suggested:

  curl "https://njal.la/update/?h=jellyfin.example.com&k=zeubesojOLgC2eJC&auto"

Then the JSON-file you pass here should contain:

  {
    "jellyfin.example.com": "zeubesojOLgC2eJC"
  }

You can, of course, add more key-value pairs than just one.

Type: null or string

  null

  "/data/.secret/njalla/keys-file.json"

nixarr.exporters.enable

Whether to enable Enable Prometheus exporters for all supported nixarr services.

Type: boolean

  false

  true

nixarr.jellyfin.enable

Whether or not to enable the Jellyfin service.

Conflicting options: nixarr.plex.enable

Type: boolean

  false

  true

nixarr.jellyfin.package

The jellyfin package to use.

Type: package

  pkgs.jellyfin

nixarr.jellyfin.api.enable

Whether or not to enable the Jellyfin API setup service for use with nixarr-py.

Type: boolean

  false

  true

nixarr.jellyfin.api.adminPasswordFile

Path to a file containing the password of the Jellyfin user used by Nixarr scripts.

Type: absolute path not in the Nix store

  "/data/.state/nixarr/secrets/jellyfin.pw"

nixarr.jellyfin.api.adminUsername

The username of the Jellyfin user used by Nixarr scripts.

Type: string

  "jellyfin"

nixarr.jellyfin.api.apiKeyFile

Path to a file containing the Jellyfin API key used by Nixarr scripts.

Type: absolute path not in the Nix store

  "/data/.state/nixarr/secrets/jellyfin.api-key"

nixarr.jellyfin.api.autoCreateAdminPasswordFile

Whether to automatically create the password file with a random password if it doesn’t exist or is empty.

Type: boolean

  true

nixarr.jellyfin.api.autoCreateAdminUserAndCompleteWizard

Whether to create the configured admin user and complete the Jellyfin initial setup wizard automatically, if the wizard hasn’t been completed.

Type: boolean

  true

nixarr.jellyfin.api.autoCreateApiKeyAndFile

Whether to automatically create the Jellyfin API key for Nixarr if it doesn’t exist, and populate the API key file if it doesn’t exist or is empty.

Type: boolean

  true

nixarr.jellyfin.api.autoCreateDeviceUuidFile

Whether to automatically create the device UUID file with a random UUID if it doesn’t exist or is empty.

Type: boolean

  true

nixarr.jellyfin.api.deviceUuidFile

Path to a file containing the Jellyfin device UUID used by Nixarr scripts.

Type: absolute path not in the Nix store

  "/data/.state/nixarr/secrets/jellyfin.device-uuid"

nixarr.jellyfin.api.nixarr-py-config

The configuration for the Jellyfin section of the nixarr-py config file. Derived from other options.

Type: attribute set of anything (read only)

  {
    admin_password_file = "/data/.state/nixarr/secrets/jellyfin.pw";
    admin_username = "jellyfin";
    api_key_file = "/data/.state/nixarr/secrets/jellyfin.api-key";
    base_url = "http://localhost:8096";
    device_uuid_file = "/data/.state/nixarr/secrets/jellyfin.device-uuid";
  }

nixarr.jellyfin.expose.https.enable

Required options:

• nixarr.jellyfin.expose.https.acmeMail
• nixarr.jellyfin.expose.https.domainName

Conflicting options: nixarr.jellyfin.vpn.enable

Expose the Jellyfin web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Jellyfin authentication through localhost first!

Type: boolean

  false

  true

nixarr.jellyfin.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.jellyfin.expose.https.domainName

The domain name to host Jellyfin on.

Type: null or string

  null

  "jellyfin.example.com"

nixarr.jellyfin.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.jellyfin.openFirewall

Open firewall for Jellyfin

Type: boolean

  false

  true

nixarr.jellyfin.port

Port for Jellyfin to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)

  8096

nixarr.jellyfin.stateDir

The location of the state directory for the Jellyfin service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/jellyfin

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/jellyfin"

  "/nixarr/.state/jellyfin"

nixarr.jellyfin.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.jellyfin.expose.https.enable

Route Jellyfin traffic through the VPN.

Type: boolean

  false

  true

nixarr.jellyfin.vpn.configureNginx

Required options: [nixarr.jellyfin.vpn.enable)(#nixarr.jellyfin.vpn.enable)

Configure nginx as a reverse proxy for the Jellyfin web ui.

Type: boolean

  nixarr.jellyfin.vpn.enable

  false

nixarr.komga.enable

Whether or not to enable the Komga service.

Conflicting options: nixarr.plex.enable

Type: boolean

  false

  true

nixarr.komga.expose.https.enable

Required options:

• nixarr.komga.expose.https.acmeMail
• nixarr.komga.expose.https.domainName

Conflicting options: nixarr.komga.vpn.enable

Expose the Komga web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Komga authentication through localhost first!

Type: boolean

  false

  true

nixarr.komga.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.komga.expose.https.domainName

The domain name to host Komga on.

Type: null or string

  null

  "komga.example.com"

nixarr.komga.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.komga.openFirewall

Open firewall for Komga

Type: boolean

  false

  true

nixarr.komga.stateDir

The location of the state directory for the Komga service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/komga

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/komga"

  "/nixarr/.state/komga"

nixarr.komga.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.komga.expose.https.enable

Route Komga traffic through the VPN.

Type: boolean

  false

  true

nixarr.komga.vpn.configureNginx

Required options: [nixarr.komga.vpn.enable)(#nixarr.komga.vpn.enable)

Configure nginx as a reverse proxy for the Komga web ui.

Type: boolean

  nixarr.komga.vpn.enable

  false

nixarr.lidarr.enable

Whether or not to enable the Lidarr service.

Type: boolean

  false

  true

nixarr.lidarr.package

The lidarr package to use.

Type: package

  pkgs.lidarr

nixarr.lidarr.exporter.enable

Whether to enable the Lidarr Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.lidarr.enable are true.

Type: boolean

  true

nixarr.lidarr.exporter.listenAddr

Address for Lidarr exporter to listen on. Note: This is forced to “0.0.0.0” if the service is VPN-confined.

Type: string

  "0.0.0.0"

nixarr.lidarr.exporter.port

Port for Lidarr metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9709

nixarr.lidarr.openFirewall

Open firewall for Lidarr

Type: boolean

  false

  true

nixarr.lidarr.port

Port for Lidarr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8686

nixarr.lidarr.stateDir

The location of the state directory for the Lidarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/lidarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/lidarr"

  "/nixarr/.state/lidarr"

nixarr.lidarr.vpn.enable

Required options: nixarr.vpn.enable

Route Lidarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.lidarr.vpn.configureNginx

Required options: [nixarr.lidarr.vpn.enable)(#nixarr.lidarr.vpn.enable)

Configure nginx as a reverse proxy for the Lidarr web ui.

Type: boolean

  nixarr.lidarr.vpn.enable

  false

nixarr.mediaDir

The location of the media directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  mediaDir = /home/user/nixarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "/data/media"

  "/nixarr"

nixarr.mediaUsers

Extra users to add to the media group.

Type: list of string

  [ ]

  [
    "user"
  ]

nixarr.nixarr-py.package

The nixarr-py package.

Type: package

  pkgs.callPackage ./. {}

nixarr.openssh.expose.vpn.enable

Required options:

• nixarr.vpn.enable

Run the openssh service through a vpn, exposing it to the internet.

Warning: This lets anyone on the internet connect through SSH, make sure the SSH configuration is secure! Disallowing password authentication and only allowing SSH-keys is considered secure.

Note: This option does not enable the SSHD service you still need to setup sshd in your nixos configuration, fx:

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    # Get this port from your VPN provider
    ports [ 12345 ];
  };

  users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
    ./path/to/public/key/machine.pub
  ];

Then replace username with your username and the keyFiles path to a ssh public key file from the machine that you want to have access. Don’t use password authentication as it is insecure!

Type: boolean

  false

  true

nixarr.plex.enable

Whether or not to enable the Plex service.

Type: boolean

  false

  true

nixarr.plex.package

The plex package to use.

Type: package

  pkgs.plex

nixarr.plex.expose.https.enable

Required options:

• nixarr.plex.expose.https.acmeMail
• nixarr.plex.expose.https.domainName

Conflicting options: nixarr.plex.vpn.enable

Expose the Plex web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Plex authentication through localhost first!

Type: boolean

  false

  true

nixarr.plex.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.plex.expose.https.domainName

The domain name to host Plex on.

Type: null or string

  null

  "plex.example.com"

nixarr.plex.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.plex.openFirewall

Open firewall for Plex

Type: boolean

  false

  true

nixarr.plex.stateDir

The location of the state directory for the Plex service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/plex

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/plex"

  "/nixarr/.state/plex"

nixarr.plex.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.plex.expose.https.enable

Route Plex traffic through the VPN.

Type: boolean

  false

  true

nixarr.plex.vpn.configureNginx

Required options: [nixarr.plex.vpn.enable)(#nixarr.lidarr.vpn.enable)

Configure nginx as a reverse proxy for the Plex web ui.

Type: boolean

  nixarr.plex.vpn.enable

  false

nixarr.prowlarr.enable

Whether or not to enable the Prowlarr service. This has a seperate service since running two instances is the standard way of being able to query both ebooks and audiobooks.

Type: boolean

  false

  true

nixarr.prowlarr.package

The prowlarr package to use.

Type: package

  pkgs.prowlarr

nixarr.prowlarr.exporter.enable

Whether to enable the Prowlarr Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.prowlarr.enable are true.

Type: boolean

  true

nixarr.prowlarr.exporter.listenAddr

Address for Prowlarr exporter to listen on. Note: This is forced to “0.0.0.0” if the service is VPN-confined.

Type: string

  "0.0.0.0"

nixarr.prowlarr.exporter.port

Port for Prowlarr metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9711

nixarr.prowlarr.openFirewall

Open firewall for Prowlarr

Type: boolean

  false

  true

nixarr.prowlarr.port

Port for Prowlarr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9696

nixarr.prowlarr.settings-sync.enable-nixarr-apps

Enable syncing information about Nixarr-managed applications to Prowlarr by default. You can override this per application.

Type: boolean

  false

nixarr.prowlarr.settings-sync.apps

List of applications to configure in Prowlarr. This is in addition to the Nixarr-managed application sync options.

Type: list of (open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string))

  [ ]

nixarr.prowlarr.settings-sync.apps.*.fields

Additional fields to set on the application configuration. Other configuration options are left unchanged from their defaults (for new applications) or existing values (for overwritten applications).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

  {
    somePassword = {
      secret = "/path/to/secret/file";
    };
    syncCategories = [
      2030
    ];
    syncRejectBlocklistedTorrentHashesWhileGrabbing = true;
  }

nixarr.prowlarr.settings-sync.apps.*.implementation

The implementation name of the application in Prowlarr. This is used to find the default configuration when adding a new application, and must match the existing application’s implementation name when overwriting an existing application.

Type: string

nixarr.prowlarr.settings-sync.apps.*.name

The name Prowlarr uses for this instance of an application. Note that app names must be unique among all apps (not just apps of this type), ignoring case.

Type: string

nixarr.prowlarr.settings-sync.apps.*.tags

List of tag labels to associate with this application. Overwrites any existing tags on the application.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.indexers

List of indexers to configure in Prowlarr.

To see available top-level properties and fields members for each indexer, run nixarr show-prowlarr-schemas indexer | jq '.' as root. You may want to filter by sort_name to find the indexer you want to configure.

Type: list of (open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string))

  [ ]

  [
    {
      fields = {
        apiKey = {
          secret = "/path/to/secret/file";
        };
      };
      name = "My special indexer name";
      priority = 30;
      sort_name = "nzbgeek";
      tags = [
        "tag1"
        "tag2"
      ];
    }
  ]

nixarr.prowlarr.settings-sync.indexers.*.app_profile_name

The app profile to associate with this indexer. Must already exist. We look up this profile by name to set the appProfileId field on the indexer configuration.

Type: string

  "Standard"

nixarr.prowlarr.settings-sync.indexers.*.fields

Fields to set on the configuration for an indexer. Other configuration options are left unchanged from their defaults (for new indexers) or existing values (for overwritten indexers).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

nixarr.prowlarr.settings-sync.indexers.*.name

The name Prowlarr uses for this indexer. If not provided, the default name from the indexer definition is used.

Note that indexer names must be unique among all indexers, ignoring case.

Type: null or string

  null

nixarr.prowlarr.settings-sync.indexers.*.sort_name

The sort name of the indexer definition to base this indexer on. This is used to find the default configuration when adding a new indexer, and must match the existing indexer’s sort name when overwriting an existing indexer.

Type: string

nixarr.prowlarr.settings-sync.indexers.*.tags

List of tag labels to associate with this indexer. Overwrites any existing tags on the indexer.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.lidarr.enable

Whether to sync the config for this Nixarr-managed application to Prowlarr.

Type: boolean

  false

nixarr.prowlarr.settings-sync.lidarr.config

Configuration for this application in Prowlarr.

To see available top-level properties and fields members, run nixarr show-prowlarr-schemas application | jq '.[] | select(.implementation == "Lidarr")' as root.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Lidarr";
    implementation = "Lidarr";
    fields = {
      prowlarrUrl = "http://127.0.0.1:<prowlarr port>/<prowlarr base-url>";
      baseUrl = "http://127.0.0.1:<lidarr port>/<lidarr base-url>";
      apiKey.secret = "${nixarr.stateDir}/secrets/lidarr.api-key";
    };
  }

  {
    fields = {
      syncCategories = [
        2030
      ];
    };
    name = "My special service name";
    tags = [
      "tag1"
      "tag2"
    ];
  }

nixarr.prowlarr.settings-sync.lidarr.config.fields

Additional fields to set on the application configuration. Other configuration options are left unchanged from their defaults (for new applications) or existing values (for overwritten applications).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

  {
    somePassword = {
      secret = "/path/to/secret/file";
    };
    syncCategories = [
      2030
    ];
    syncRejectBlocklistedTorrentHashesWhileGrabbing = true;
  }

nixarr.prowlarr.settings-sync.lidarr.config.implementation

The implementation name of the application in Prowlarr. This is used to find the default configuration when adding a new application, and must match the existing application’s implementation name when overwriting an existing application.

Type: string

nixarr.prowlarr.settings-sync.lidarr.config.name

The name Prowlarr uses for this instance of an application. Note that app names must be unique among all apps (not just apps of this type), ignoring case.

Type: string

nixarr.prowlarr.settings-sync.lidarr.config.tags

List of tag labels to associate with this application. Overwrites any existing tags on the application.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.radarr.enable

Whether to sync the config for this Nixarr-managed application to Prowlarr.

Type: boolean

  false

nixarr.prowlarr.settings-sync.radarr.config

Configuration for this application in Prowlarr.

To see available top-level properties and fields members, run nixarr show-prowlarr-schemas application | jq '.[] | select(.implementation == "Radarr")' as root.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Radarr";
    implementation = "Radarr";
    fields = {
      prowlarrUrl = "http://127.0.0.1:<prowlarr port>/<prowlarr base-url>";
      baseUrl = "http://127.0.0.1:<radarr port>/<radarr base-url>";
      apiKey.secret = "${nixarr.stateDir}/secrets/radarr.api-key";
    };
  }

  {
    fields = {
      syncCategories = [
        2030
      ];
    };
    name = "My special service name";
    tags = [
      "tag1"
      "tag2"
    ];
  }

nixarr.prowlarr.settings-sync.radarr.config.fields

Additional fields to set on the application configuration. Other configuration options are left unchanged from their defaults (for new applications) or existing values (for overwritten applications).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

  {
    somePassword = {
      secret = "/path/to/secret/file";
    };
    syncCategories = [
      2030
    ];
    syncRejectBlocklistedTorrentHashesWhileGrabbing = true;
  }

nixarr.prowlarr.settings-sync.radarr.config.implementation

The implementation name of the application in Prowlarr. This is used to find the default configuration when adding a new application, and must match the existing application’s implementation name when overwriting an existing application.

Type: string

nixarr.prowlarr.settings-sync.radarr.config.name

The name Prowlarr uses for this instance of an application. Note that app names must be unique among all apps (not just apps of this type), ignoring case.

Type: string

nixarr.prowlarr.settings-sync.radarr.config.tags

List of tag labels to associate with this application. Overwrites any existing tags on the application.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.sonarr.enable

Whether to sync the config for this Nixarr-managed application to Prowlarr.

Type: boolean

  false

nixarr.prowlarr.settings-sync.sonarr.config

Configuration for this application in Prowlarr.

To see available top-level properties and fields members, run nixarr show-prowlarr-schemas application | jq '.[] | select(.implementation == "Sonarr")' as root.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Sonarr";
    implementation = "Sonarr";
    fields = {
      prowlarrUrl = "http://127.0.0.1:<prowlarr port>/<prowlarr base-url>";
      baseUrl = "http://127.0.0.1:<sonarr port>/<sonarr base-url>";
      apiKey.secret = "${nixarr.stateDir}/secrets/sonarr.api-key";
    };
  }

  {
    fields = {
      syncCategories = [
        2030
      ];
    };
    name = "My special service name";
    tags = [
      "tag1"
      "tag2"
    ];
  }

nixarr.prowlarr.settings-sync.sonarr.config.fields

Additional fields to set on the application configuration. Other configuration options are left unchanged from their defaults (for new applications) or existing values (for overwritten applications).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

  {
    somePassword = {
      secret = "/path/to/secret/file";
    };
    syncCategories = [
      2030
    ];
    syncRejectBlocklistedTorrentHashesWhileGrabbing = true;
  }

nixarr.prowlarr.settings-sync.sonarr.config.implementation

The implementation name of the application in Prowlarr. This is used to find the default configuration when adding a new application, and must match the existing application’s implementation name when overwriting an existing application.

Type: string

nixarr.prowlarr.settings-sync.sonarr.config.name

The name Prowlarr uses for this instance of an application. Note that app names must be unique among all apps (not just apps of this type), ignoring case.

Type: string

nixarr.prowlarr.settings-sync.sonarr.config.tags

List of tag labels to associate with this application. Overwrites any existing tags on the application.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.tags

List of tag labels to create in Prowlarr. Note that tag labels must be unique ignoring case.

Type: list of string

  [ ]

nixarr.prowlarr.settings-sync.whisparr.enable

Whether to sync the config for this Nixarr-managed application to Prowlarr.

Type: boolean

  false

nixarr.prowlarr.settings-sync.whisparr.config

Configuration for this application in Prowlarr.

To see available top-level properties and fields members, run nixarr show-prowlarr-schemas application | jq '.[] | select(.implementation == "Whisparr")' as root.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Whisparr";
    implementation = "Whisparr";
    fields = {
      prowlarrUrl = "http://127.0.0.1:<prowlarr port>/<prowlarr base-url>";
      baseUrl = "http://127.0.0.1:<whisparr port>/<whisparr base-url>";
      apiKey.secret = "${nixarr.stateDir}/secrets/whisparr.api-key";
    };
  }

  {
    fields = {
      syncCategories = [
        2030
      ];
    };
    name = "My special service name";
    tags = [
      "tag1"
      "tag2"
    ];
  }

nixarr.prowlarr.settings-sync.whisparr.config.fields

Additional fields to set on the application configuration. Other configuration options are left unchanged from their defaults (for new applications) or existing values (for overwritten applications).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrSset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

  {
    somePassword = {
      secret = "/path/to/secret/file";
    };
    syncCategories = [
      2030
    ];
    syncRejectBlocklistedTorrentHashesWhileGrabbing = true;
  }

nixarr.prowlarr.settings-sync.whisparr.config.implementation

The implementation name of the application in Prowlarr. This is used to find the default configuration when adding a new application, and must match the existing application’s implementation name when overwriting an existing application.

Type: string

nixarr.prowlarr.settings-sync.whisparr.config.name

The name Prowlarr uses for this instance of an application. Note that app names must be unique among all apps (not just apps of this type), ignoring case.

Type: string

nixarr.prowlarr.settings-sync.whisparr.config.tags

List of tag labels to associate with this application. Overwrites any existing tags on the application.

Type: list of string

  [ ]

nixarr.prowlarr.stateDir

The location of the state directory for the Prowlarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/prowlarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/prowlarr"

  "/nixarr/.state/prowlarr"

nixarr.prowlarr.vpn.enable

Required options: nixarr.vpn.enable

Route Prowlarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.prowlarr.vpn.configureNginx

Required options: [nixarr.prowlarr.vpn.enable)(#nixarr.prowlarr.vpn.enable)

Configure nginx as a reverse proxy for the Prowlarrweb ui.

Type: boolean

  nixarr.prowlarr.vpn.enable

  false

nixarr.qbittorrent.enable

Whether or not to enable the qBittorrent service.

qBittorrent is a free, open source BitTorrent client with a feature-rich Web UI. This module configures qBittorrent-nox (headless version) with optional alternative WebUI support.

Type: boolean

  false

  true

nixarr.qbittorrent.package

The qbittorrent-nox package to use.

Type: package

  pkgs.qbittorrent-nox

nixarr.qbittorrent.exporter.enable

Whether to enable the qBittorrent Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.qbittorrent.enable are true.

Type: boolean

  true

nixarr.qbittorrent.exporter.listenAddr

Address for qBittorrent exporter to listen on. Note: This is forced to “0.0.0.0” if the service is VPN-confined.

Type: string

  "0.0.0.0"

nixarr.qbittorrent.exporter.port

Port for qBittorrent exporter metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9713

nixarr.qbittorrent.extraAllowedIps

Extra IP addresses allowed to access the qBittorrent WebUI.

Type: list of string

  [ ]

  [
    "10.19.5.10"
  ]

nixarr.qbittorrent.extraConfig

Extra configuration options for qBittorrent. These are merged with the generated qBittorrent.conf settings.

See the qBittorrent wiki for available options.

Type: attribute set

  { }

  {
    Preferences = {
      "Downloads\\PreAllocation" = true;
    };
  }

nixarr.qbittorrent.openFirewall

Open firewall for the WebUI port.

Type: boolean

  false

  true

nixarr.qbittorrent.peerPort

qBittorrent peer traffic port. If VPN is enabled, this port will be opened in the VPN namespace.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  6881

  50000

nixarr.qbittorrent.privateTrackers.disableDhtPex

Disable DHT, PeX, and LSD, which is required by some private trackers.

This also enables anonymous mode in qBittorrent.

Type: boolean

  false

  true

nixarr.qbittorrent.qui.enable

Enable qui as the WebUI for qBittorrent. qui is a modern WebUI by the autobrr team that runs as a separate proxy service.

When enabled, qui will be available on the webuiPort and will proxy requests to qBittorrent’s internal API.

Type: boolean

  true

nixarr.qbittorrent.qui.package

The qui package to use.

Type: package

  pkgs.qui

nixarr.qbittorrent.qui.internalPort

Internal port for qBittorrent’s native WebUI. qui will proxy to this. This port is not exposed externally.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8085

nixarr.qbittorrent.stateDir

The location of the state directory for the qBittorrent service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/qbittorrent

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/qbittorrent"

  "/nixarr/.state/qbittorrent"

nixarr.qbittorrent.vpn.enable

Required options: nixarr.vpn.enable

Route qBittorrent traffic through the VPN.

Type: boolean

  false

  true

nixarr.qbittorrent.webui.package

Alternative static WebUI package to use. Set to null to use the default qBittorrent WebUI.

Available options include:

• pkgs.vuetorrent - VueTorrent WebUI (available in nixos-25.05)
• null - Default qBittorrent WebUI (default)

Note: For qui, use the qui.enable option instead as qui runs as a separate proxy service.

Type: null or package

  null

  pkgs.vuetorrent

nixarr.qbittorrent.webui.path

Relative path within the WebUI package to the WebUI files.

Type: string

  "share/vuetorrent"

nixarr.qbittorrent.webuiPort

qBittorrent WebUI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  5252

  8080

nixarr.radarr.enable

Whether or not to enable the Radarr service.

Type: boolean

  false

  true

nixarr.radarr.package

The radarr package to use.

Type: package

  pkgs.radarr

nixarr.radarr.exporter.enable

Whether to enable the Radarr Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.radarr.enable are true.

Type: boolean

  true

nixarr.radarr.exporter.listenAddr

Address for Radarr exporter to listen on. Note: This is forced to “0.0.0.0” if the service is VPN-confined.

Type: string

  "0.0.0.0"

nixarr.radarr.exporter.port

Port for Radarr metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9708

nixarr.radarr.openFirewall

Open firewall for Radarr

Type: boolean

  false

  true

nixarr.radarr.port

Port for Radarr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  7878

nixarr.radarr.settings-sync.downloadClients

List of download clients to configure in Radarr.

To see available top-level properties and fields members for each download client, run nixarr show-radarr-schemas download_client | jq '.' as root.

Type: list of (open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string))

  [ ]

nixarr.radarr.settings-sync.downloadClients.*.enable

Whether the download client is enabled. Note that this option is merely copied by Nixarr to Radarr; it doesn’t control any Nixarr behavior.

Type: boolean

  true

nixarr.radarr.settings-sync.downloadClients.*.fields

Fields to set on the configuration for a download client. Other configuration options are left unchanged from their defaults (for new download clients) or existing values (for overwritten download clients).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

nixarr.radarr.settings-sync.downloadClients.*.implementation

The implementation name of the download client in Radarr. This is used to find the default configuration when adding a new download client, and must match the existing download client’s implementation name when overwriting an existing download client.

Type: string

nixarr.radarr.settings-sync.downloadClients.*.name

The name Radarr uses for this download client. Note that names must be unique among all download clients, ignoring case.

Type: string

nixarr.radarr.settings-sync.transmission.enable

Automatically configure Transmission as a download client in Radarr.

Type: boolean

  false

nixarr.radarr.settings-sync.transmission.config

Configuration for Transmission as a download client in Radarr.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Transmission";
      implementation = "Transmission";
      enable = true;
      fields = {
        host = "localhost";
        port = nixarr.transmission.uiPort;
        useSsl = false;
      };
    }

nixarr.radarr.settings-sync.transmission.config.enable

Whether the download client is enabled. Note that this option is merely copied by Nixarr to Radarr; it doesn’t control any Nixarr behavior.

Type: boolean

  true

nixarr.radarr.settings-sync.transmission.config.fields

Fields to set on the configuration for a download client. Other configuration options are left unchanged from their defaults (for new download clients) or existing values (for overwritten download clients).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

nixarr.radarr.settings-sync.transmission.config.implementation

The implementation name of the download client in Radarr. This is used to find the default configuration when adding a new download client, and must match the existing download client’s implementation name when overwriting an existing download client.

Type: string

nixarr.radarr.settings-sync.transmission.config.name

The name Radarr uses for this download client. Note that names must be unique among all download clients, ignoring case.

Type: string

nixarr.radarr.stateDir

The location of the state directory for the Radarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/radarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/radarr"

  "/nixarr/.state/radarr"

nixarr.radarr.vpn.enable

Required options: nixarr.vpn.enable

Route Radarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.radarr.vpn.configureNginx

Required options: [nixarr.radarr.vpn.enable)(#nixarr.radarr.vpn.enable)

Configure nginx as a reverse proxy for the Radarr web ui.

Type: boolean

  nixarr.radarr.vpn.enable

  false

nixarr.recyclarr.enable

Whether or not to enable the Recyclarr service. This service does not need to be run behind a VPN.

Type: boolean

  false

  true

nixarr.recyclarr.package

The recyclarr package to use.

Type: package

  pkgs.recyclarr

nixarr.recyclarr.configFile

Path to the recyclarr YAML configuration file. See Recyclarr’s documentation for more information.

The API keys for Radarr and Sonarr can be referenced in the config file using the RADARR_API_KEY and SONARR_API_KEY environment variables (with macro !env_var).

Note: You cannot set both configFile and configuration options.

Type: null or absolute path

  null

  "./recyclarr.yaml"

nixarr.recyclarr.configuration

Recyclarr YAML configuration as a Nix attribute set. For detailed configuration options and examples, see the official configuration reference.

The API keys for Radarr and Sonarr can be referenced using the RADARR_API_KEY and SONARR_API_KEY environment variables (with the string “!env_var RADARR_API_KEY”).

Note: You cannot set both configFile and configuration options.

Type: null or Yaml value

  null

  {
    sonarr = {
      series = {
        base_url = "http://localhost:8989";
        api_key = "!env_var SONARR_API_KEY";
        quality_definition = {
          type = "series";
        };
        delete_old_custom_formats = true;
        custom_formats = [
          {
            trash_ids = [
              "85c61753df5da1fb2aab6f2a47426b09" # BR-DISK
              "9c11cd3f07101cdba90a2d81cf0e56b4" # LQ
            ];
            assign_scores_to = [
              {
                name = "WEB-DL (1080p)";
                score = -10000;
              }
            ];
          }
        ];
      };
    };
    radarr = {
      movies = {
        base_url = "http://localhost:7878";
        api_key = "!env_var RADARR_API_KEY";
        quality_definition = {
          type = "movie";
        };
        delete_old_custom_formats = true;
        custom_formats = [
          {
            trash_ids = [
              "570bc9ebecd92723d2d21500f4be314c" # Remaster
              "eca37840c13c6ef2dd0262b141a5482f" # 4K Remaster
            ];
            assign_scores_to = [
              {
                name = "HD Bluray + WEB";
                score = 25;
              }
            ];
          }
        ];
      };
    };
  }

nixarr.recyclarr.schedule

When to run recyclarr in systemd calendar format.

Type: string

  "daily"

nixarr.recyclarr.stateDir

The location of the state directory for the Recyclarr service.

Type: absolute path

  "${nixarr.stateDir}/recyclarr"

  "/nixarr/.state/recyclarr"

nixarr.sabnzbd.enable

Whether to enable Enable the SABnzbd service…

Type: boolean

  false

  true

nixarr.sabnzbd.package

The sabnzbd package to use.

Type: package

  pkgs.sabnzbd

nixarr.sabnzbd.guiPort

The port that SABnzbd’s GUI will listen on for incomming connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  6336

  9999

nixarr.sabnzbd.openFirewall

Open firewall for SABnzbd

Type: boolean

  false

  true

nixarr.sabnzbd.stateDir

The location of the state directory for the SABnzbd service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sabnzbd

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/sabnzbd"

  "/nixarr/.state/sabnzbd"

nixarr.sabnzbd.vpn.enable

Required options: nixarr.vpn.enable

Route SABnzbd traffic through the VPN.

Type: boolean

  false

  true

nixarr.sabnzbd.vpn.configureNginx

Required options: [nixarr.sabnzbd.vpn.enable)(#nixarr.sabnzbd.vpn.enable)

Configure nginx as a reverse proxy for the Sabnzbd web ui.

Type: boolean

  nixarr.sabnzbd.vpn.enable

  false

nixarr.sabnzbd.whitelistHostnames

A list that specifies what URLs that are allowed to represent your SABnzbd instance.

Note: If you see an error message like this when trying to connect to SABnzbd from another device:

  Refused connection with hostname "your.hostname.com"

Then you should add your hostname (“hostname.com” above) to this list.

SABnzbd only allows connections matching these URLs in order to prevent DNS hijacking. See https://sabnzbd.org/wiki/extra/hostname-check.html for more info.

Type: list of string

  [ config.networking.hostName ]

  [ "mediaserv" "media.example.com" ]

nixarr.sabnzbd.whitelistRanges

A list of IP ranges that will be allowed to connect to SABnzbd’s web GUI. This only needs to be set if SABnzbd needs to be accessed from another machine besides its host.

Type: list of string

  [ ]

  "[ \"192.168.1.0/24\" \"10.0.0.0/23\" ]"

nixarr.seerr.enable

Whether or not to enable the Seerr service.

Type: boolean

  false

  true

nixarr.seerr.package

The jellyseerr package to use.

Type: package

  pkgs.jellyseerr

nixarr.seerr.expose.https.enable

Required options:

• nixarr.seerr.expose.https.acmeMail
• nixarr.seerr.expose.https.domainName

Conflicting options: nixarr.seerr.vpn.enable

Expose the Seerr web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Seerr authentication through localhost first!

Type: boolean

  false

  true

nixarr.seerr.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.seerr.expose.https.domainName

The domain name to host Seerr on.

Type: null or string

  null

  "seerr.example.com"

nixarr.seerr.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.seerr.openFirewall

Open firewall for Seerr

Type: boolean

  false

  true

nixarr.seerr.port

Seerr web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  5055

  12345

nixarr.seerr.stateDir

The location of the state directory for the Seerr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/seerr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/seerr"

  "/nixarr/.state/seerr"

nixarr.seerr.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.seerr.expose.https.enable

Route Seerr traffic through the VPN.

Type: boolean

  false

  true

nixarr.seerr.vpn.configureNginx

Required options: nixarr.seerr.vpn.enable

Configure nginx as a reverse proxy for the Seerr web ui.

Type: boolean

  nixarr.seerr.vpn.enable

  false

nixarr.shelfmark.enable

Whether or not to enable the Shelfmark service.

Type: boolean

  false

  true

nixarr.shelfmark.package

The shelfmark package to use.

Type: package

  pkgs.shelfmark

nixarr.shelfmark.host

The address Shelfmark binds to. Ignored when nixarr.shelfmark.vpn.enable is set, which forces 192.168.15.1.

Type: string

  "127.0.0.1"

  "0.0.0.0"

nixarr.shelfmark.openFirewall

Open firewall for Shelfmark.

Type: boolean

  false

  true

nixarr.shelfmark.port

Port for Shelfmark to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8084

nixarr.shelfmark.stateDir

The location of the state directory for the Shelfmark service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/shelfmark

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/shelfmark"

  "/nixarr/.state/shelfmark"

nixarr.shelfmark.vpn.enable

Required options: nixarr.vpn.enable

Route Shelfmark traffic through the VPN.

Type: boolean

  false

  true

nixarr.shelfmark.vpn.configureNginx

Required options: nixarr.shelfmark.vpn.enable

Configure nginx as a reverse proxy for the Shelfmark web UI.

Type: boolean

  nixarr.shelfmark.vpn.enable

  false

nixarr.sonarr.enable

Whether or not to enable the Sonarr service.

Type: boolean

  false

  true

nixarr.sonarr.package

The sonarr package to use.

Type: package

  pkgs.sonarr

nixarr.sonarr.exporter.enable

Whether to enable the Sonarr Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.sonarr.enable are true.

Type: boolean

  true

nixarr.sonarr.exporter.listenAddr

Address for Sonarr exporter to listen on. Note: This is forced to “0.0.0.0” if the service is VPN-confined.

Type: string

  "0.0.0.0"

nixarr.sonarr.exporter.port

Port for Sonarr metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9707

nixarr.sonarr.openFirewall

Open firewall for Sonarr

Type: boolean

  false

  true

nixarr.sonarr.port

Port for Sonarr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8989

nixarr.sonarr.settings-sync.downloadClients

List of download clients to configure in Sonarr.

To see available top-level properties and fields members for each download client, run nixarr show-sonarr-schemas download_client | jq '.' as root.

Type: list of (open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string))

  [ ]

nixarr.sonarr.settings-sync.downloadClients.*.enable

Whether the download client is enabled. Note that this option is merely copied by Nixarr to Sonarr; it doesn’t control any Nixarr behavior.

Type: boolean

  true

nixarr.sonarr.settings-sync.downloadClients.*.fields

Fields to set on the configuration for a download client. Other configuration options are left unchanged from their defaults (for new download clients) or existing values (for overwritten download clients).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

nixarr.sonarr.settings-sync.downloadClients.*.implementation

The implementation name of the download client in Sonarr. This is used to find the default configuration when adding a new download client, and must match the existing download client’s implementation name when overwriting an existing download client.

Type: string

nixarr.sonarr.settings-sync.downloadClients.*.name

The name Sonarr uses for this download client. Note that names must be unique among all download clients, ignoring case.

Type: string

nixarr.sonarr.settings-sync.transmission.enable

Automatically configure Transmission as a download client in Sonarr.

Type: boolean

  false

nixarr.sonarr.settings-sync.transmission.config

Configuration for Transmission as a download client in Sonarr.

Type: open submodule of attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  {
    name = "Transmission";
      implementation = "Transmission";
      enable = true;
      fields = {
        host = "localhost";
        port = nixarr.transmission.uiPort;
        useSsl = false;
      };
    }

nixarr.sonarr.settings-sync.transmission.config.enable

Whether the download client is enabled. Note that this option is merely copied by Nixarr to Sonarr; it doesn’t control any Nixarr behavior.

Type: boolean

  true

nixarr.sonarr.settings-sync.transmission.config.fields

Fields to set on the configuration for a download client. Other configuration options are left unchanged from their defaults (for new download clients) or existing values (for overwritten download clients).

In the schema, these are represented as an array of objects with .name and .value members. Each attribute in this config attrset will update the .value member of the fields item with a matching .name. For more details on each field, check the schema.

Type: attribute set of (string or boolean or signed integer or (submodule) or list of signed integer or list of string)

  { }

nixarr.sonarr.settings-sync.transmission.config.implementation

The implementation name of the download client in Sonarr. This is used to find the default configuration when adding a new download client, and must match the existing download client’s implementation name when overwriting an existing download client.

Type: string

nixarr.sonarr.settings-sync.transmission.config.name

The name Sonarr uses for this download client. Note that names must be unique among all download clients, ignoring case.

Type: string

nixarr.sonarr.stateDir

The location of the state directory for the Sonarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sonarr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/sonarr"

  "/nixarr/.state/sonarr"

nixarr.sonarr.vpn.enable

Required options: nixarr.vpn.enable

Route Sonarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.sonarr.vpn.configureNginx

Required options: [nixarr.sonarr.vpn.enable)(#nixarr.sonarr.vpn.enable)

Configure nginx as a reverse proxy for the Sonarr web ui.

Type: boolean

  nixarr.sonarr.vpn.enable

  false

nixarr.stateDir

The location of the state directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state

Is not supported, because /home/user is owned by user.

Type: absolute path

  "/data/.state/nixarr"

  "/nixarr/.state"

nixarr.transmission.enable

Whether or not to enable the Transmission service.

Type: boolean

  false

  true

nixarr.transmission.package

The transmission_4 package to use.

Type: package

  pkgs.transmission_4

nixarr.transmission.credentialsFile

Path to a JSON file to be merged with the settings. Useful to merge a file which is better kept out of the Nix store to set secret config parameters like rpc-password.

Type: absolute path

  "/dev/null"

  "/var/lib/secrets/transmission/settings.json"

nixarr.transmission.extraAllowedIps

Extra IP addresses allowed to access the Transmission RPC. By default 192.168.* and 127.0.0.1 (localhost) are allowed, but if your local network has a weird ip for some reason, you can add it here.

Type: list of string

  [ ]

  [
    "10.19.5.10"
  ]

nixarr.transmission.extraSettings

Extra config settings for the Transmission service.

See the services.transmission.settings nixos options in the relevant section of the configuration.nix manual or on search.nixos.org.

Type: attribute set

  { }

  {
    trash-original-torrent-files = true;
  }

nixarr.transmission.flood.enable

Whether to enable the flood web-UI for the transmission web-UI…

Type: boolean

  false

  true

nixarr.transmission.messageLevel

Sets the message level of transmission.

Type: one of “none”, “critical”, “error”, “warn”, “info”, “debug”, “trace”

  "warn"

  "debug"

nixarr.transmission.openFirewall

Open firewall for rpc-port.

Type: boolean

  false

  true

nixarr.transmission.peerPort

Transmission peer traffic port. Also opens the firewall for listed port if not set to null (default).

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  null

  50000

nixarr.transmission.privateTrackers.cross-seed.enable

Required options: nixarr.prowlarr.enable

Whether or not to enable the cross-seed service.

Type: boolean

  false

  true

nixarr.transmission.privateTrackers.cross-seed.extraSettings

Extra settings for the cross-seed service, see the cross-seed options documentation

Type: attribute set

  { }

  {
    delay = 20;
    port = 3000;
  }

nixarr.transmission.privateTrackers.cross-seed.indexIds

List of indexer-ids, from prowlarr. These are from the RSS links for the indexers, located by the “radio” or “RSS” logo on the right of the indexer, you’ll see the links have the form:

http://localhost:9696/1/api?apikey=aaaaaaaaaaaaa

Then the id needed here is the 1.

Type: list of signed integer

  [ ]

  [
    1
    3
    7
  ]

nixarr.transmission.privateTrackers.cross-seed.stateDir

The location of the state directory for the cross-seed service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/cross-seed

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/cross-seed"

  "/nixarr/.state/cross-seed"

nixarr.transmission.privateTrackers.disableDhtPex

Disable pex and dht, which is required for some private trackers.

You don’t want to enable this unless a private tracker requires you to, and some don’t. All torrents from private trackers are set as “private”, and this automatically disables dht and pex for that torrent, so it shouldn’t even be a necessary rule to have, but I don’t make their rules ¯\(ツ)/¯.

Type: boolean

  false

  true

nixarr.transmission.stateDir

The location of the state directory for the Transmission service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/transmission

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/transmission"

  "/nixarr/.state/transmission"

nixarr.transmission.uiPort

Transmission web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9091

  12345

nixarr.transmission.vpn.enable

Required options: nixarr.vpn.enable

Route Transmission traffic through the VPN.

Type: boolean

  false

  true

nixarr.transmission.vpn.configureNginx

Required options: [nixarr.transmission.vpn.enable)(#nixarr.transmission.vpn.enable)

Configure nginx as a reverse proxy for the transmission web ui.

Type: boolean

  nixarr.transmission.vpn.enable

  false

nixarr.vpn.enable

Required options: nixarr.vpn.wgConf

Whether or not to enable VPN support for the services that nixarr supports.

Type: boolean

  false

  true

nixarr.vpn.accessibleFrom

What IP’s the VPN submodule should be accessible from. By default the following are included:

• “192.168.1.0/24”
• “192.168.0.0/24”
• “127.0.0.1”

Otherwise, you would not be able to services over your local network. You might have to use this option to extend your list with your local IP range by passing it with this option.

Type: list of string

  [ ]

  [
    "192.168.2.0/24"
  ]

nixarr.vpn.exposeOnLAN

Whether to allow direct LAN access to VPN-confined services. When enabled (default), services are accessible from the local network (192.168.0.0/24 and 192.168.1.0/24). When disabled, services are only accessible from localhost (127.0.0.1), which is useful when using a reverse proxy like Caddy for all external access.

This is controlled by the VPN namespace firewall rules via the accessibleFrom configuration.

Type: boolean

  true

  false

nixarr.vpn.openTcpPorts

What TCP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

nixarr.vpn.openUdpPorts

What UDP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

nixarr.vpn.proxyListenAddr

The address that the nginx proxy should listen on when proxying VPN-confined services. By default, it listens on all interfaces (0.0.0.0), but you can set this to “127.0.0.1” if you want to only expose services locally and then use another reverse proxy (like Caddy) for external access.

Type: string

  "0.0.0.0"

  "127.0.0.1"

nixarr.vpn.vpnTestService.enable

Whether to enable the vpn test service. Useful for testing DNS leaks or if the VPN port forwarding works correctly. .

Type: boolean

  false

  true

nixarr.vpn.vpnTestService.port

The port that netcat listens to on the vpn test service. If set to null, then netcat will not be started.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  null

  58403

nixarr.vpn.wgConf

The path to the wireguard configuration file.

Type: null or absolute path

  null

  "/data/.secret/vpn/wg.conf"

nixarr.whisparr.enable

Whether or not to enable the whisparr service.

Type: boolean

  false

  true

nixarr.whisparr.package

The whisparr package to use.

Type: package

  pkgs.whisparr

nixarr.whisparr.openFirewall

Open firewall for whisparr

Type: boolean

  false

  true

nixarr.whisparr.port

Port for Whisparr to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  6969

nixarr.whisparr.stateDir

The location of the state directory for the whisparr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/whisparr

Is not supported, because /home/user is owned by user.

Type: absolute path

  "${nixarr.stateDir}/whisparr"

  "/nixarr/.state/whisparr"

nixarr.whisparr.vpn.enable

Required options: nixarr.vpn.enable

Route whisparr traffic through the VPN.

Type: boolean

  false

  true

nixarr.whisparr.vpn.configureNginx

Required options: [nixarr.whisparr.vpn.enable)(#nixarr.whisparr.vpn.enable)

Configure nginx as a reverse proxy for the Whisparr web ui.

Type: boolean

  nixarr.whisparr.vpn.enable

  false

nixarr.wireguard.exporter.enable

Whether to enable the Wireguard Prometheus exporter. Only has an effect if nixarr.exporters.enable and nixarr.vpn.enable are true.

Type: boolean

  true

nixarr.wireguard.exporter.listenAddr

Address for Wireguard exporter to listen on

Type: string

  "0.0.0.0"

nixarr.wireguard.exporter.port

Port for Wireguard metrics

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9586

util-nixarr.globals

Global values to be used by Nixarr, change at your own risk.

Type: attribute set

  { }

util-nixarr.services.cross-seed.enable

Whether to enable cross-seed.

Type: boolean

  false

  true

util-nixarr.services.cross-seed.credentialsFile

Secret options to be merged into the cross-seed config

Type: absolute path

  "/run/secrets/cross-seed/credentialsFile.json"

util-nixarr.services.cross-seed.dataDir

The cross-seed dataDir

Type: absolute path

  "/var/lib/cross-seed"

util-nixarr.services.cross-seed.group

Group under which cross-seed runs.

Type: null or string

  null

util-nixarr.services.cross-seed.settings

Settings for cross-seed

Type: attribute set

  { }

  ''
    {
      delay = 10;
    }
  ''

util-nixarr.services.cross-seed.user

User account under which cross-seed runs.

Type: null or string

  null

util-nixarr.upnp.enable

Whether to enable Enable port forwarding using UPNP…

Type: boolean

  false

  true

util-nixarr.upnp.openTcpPorts

What TCP ports to open using UPNP.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

util-nixarr.upnp.openUdpPorts

What UDP ports to open using UPNP.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]