diff --git a/services/arr/init.nix b/services/arr/init.nix
index 7f3cf90..0ac1ac4 100644
--- a/services/arr/init.nix
+++ b/services/arr/init.nix
@@ -17,15 +17,17 @@
 BindAddress = "*";
 EnableSsl = false;
 };
- # Synced-app health checks require Sonarr/Radarr to reverse-connect to
- # prowlarrUrl, which is unreachable across the wg namespace boundary.
- healthChecks = false;
+ # Prowlarr runs in the wg netns; Sonarr/Radarr in the host netns.
+ # From host netns, Prowlarr is reachable at the wg namespace address,
+ # not at localhost (which resolves to the host's own netns).
+ # Health checks can now run — the reverse-connect is reachable.
+ healthChecks = true;
 syncedApps = [
 {
 name = "Sonarr";
 implementation = "Sonarr";
 configContract = "SonarrSettings";
- prowlarrUrl = "http://localhost:${builtins.toString service_configs.ports.private.prowlarr.port}";
+ prowlarrUrl = "http://${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.private.prowlarr.port}";
 baseUrl = "http://${config.vpnNamespaces.wg.bridgeAddress}:${builtins.toString service_configs.ports.private.sonarr.port}";
 apiKeyFrom = "${service_configs.sonarr.dataDir}/config.xml";
 serviceName = "sonarr";
@@ -34,7 +36,7 @@
 name = "Radarr";
 implementation = "Radarr";
 configContract = "RadarrSettings";
- prowlarrUrl = "http://localhost:${builtins.toString service_configs.ports.private.prowlarr.port}";
+ prowlarrUrl = "http://${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.private.prowlarr.port}";
 baseUrl = "http://${config.vpnNamespaces.wg.bridgeAddress}:${builtins.toString service_configs.ports.private.radarr.port}";
 apiKeyFrom = "${service_configs.radarr.dataDir}/config.xml";
 serviceName = "radarr";
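Review bot: The new comment above `healthChecks = true;` asserts that the reverse-connect is reachable, but nothing in this hunk shows the Prowlarr port being admitted from the host netns into the wg namespace, so the claim rests on configuration outside the diff; the identical `prowlarrUrl` change in the Radarr hunk depends on it as well. With `BindAddress = "*"` in the context lines (presumably Prowlarr's own server settings), the service would also listen on the tunnel interface inside the namespace, so whatever rule admits the host-side connection should be limited to the bridge and not the VPN side. I would replace the changelog-style last comment line with one that records the dependency, e.g. `# Requires the Prowlarr port to be accepted on the namespace address from the host bridge only.` The attribute set these lines belong to starts and ends outside the hunk.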