media-acquisition/compose/traefik/arr.yml

# Traefik file-provider snippet for the media-acquisition stack.
#
# Symlink (or cp) this file into /opt/docker/traefik/config/arr.yml on
# nullstone. Traefik picks up file-provider configs without restart.
#
# All routes are LAN+Tailscale-only (trusted-only@file middleware) AND
# require Authentik forward-auth. Add the arr-stack Authentik group as
# needed.
#
# Backends are 127.0.0.1:<port> because gluetun publishes the qbt/prowlarr/
# sonarr/radarr ports on host loopback (network_mode: service:gluetun).

http:
  routers:
    qbt:
      rule: "Host(`qbt.s8n.ru`)"
      entryPoints: [websecure]
      service: qbt
      tls:
        certResolver: gandi
      middlewares:
        - trusted-only@file
        - authentik-forwardauth@file

    prowlarr:
      rule: "Host(`prowlarr.s8n.ru`)"
      entryPoints: [websecure]
      service: prowlarr
      tls:
        certResolver: gandi
      middlewares:
        - trusted-only@file
        - authentik-forwardauth@file

    sonarr:
      rule: "Host(`sonarr.s8n.ru`)"
      entryPoints: [websecure]
      service: sonarr
      tls:
        certResolver: gandi
      middlewares:
        - trusted-only@file
        - authentik-forwardauth@file

    radarr:
      rule: "Host(`radarr.s8n.ru`)"
      entryPoints: [websecure]
      service: radarr
      tls:
        certResolver: gandi
      middlewares:
        - trusted-only@file
        - authentik-forwardauth@file

    # Catalog service has no public route — Sonarr/Radarr hit it via
    # host.docker.internal:5055 from inside their gluetun netns.

  services:
    qbt:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"

    prowlarr:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9696"

    sonarr:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8989"

    radarr:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:7878"