From cebdd3ea96e36e0cbef560471d6e3b644e8c219f Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Fri, 17 Apr 2026 00:53:24 -0400
Subject: [PATCH] arr: fix prowlarrUrl for cross-netns reachability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prowlarr runs in the wg VPN namespace; Sonarr/Radarr run in the host
namespace. Configuring the Prowlarr sync with prowlarrUrl=localhost:9696
made Sonarr/Radarr try to connect to their own localhost, where
Prowlarr does not exist — the host netns. Every indexer sync emitted
'Prowlarr URL is invalid' with Connection refused (localhost:9696).

Use vpnNamespaces.wg.namespaceAddress (192.168.15.1) so host-netns
clients hit the wg-side veth where Prowlarr is listening.

Also re-enables healthChecks on prowlarr-init: the /applications/testall
endpoint now validates clean (manually verified via API).
---
 services/arr/init.nix | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/services/arr/init.nix b/services/arr/init.nix
index 7f3cf90..0ac1ac4 100644
--- a/services/arr/init.nix
+++ b/services/arr/init.nix
@@ -17,15 +17,17 @@
         BindAddress = "*";
         EnableSsl = false;
       };
-      # Synced-app health checks require Sonarr/Radarr to reverse-connect to
-      # prowlarrUrl, which is unreachable across the wg namespace boundary.
-      healthChecks = false;
+      # Prowlarr runs in the wg netns; Sonarr/Radarr in the host netns.
+      # From host netns, Prowlarr is reachable at the wg namespace address,
+      # not at localhost (which resolves to the host's own netns).
+      # Health checks can now run — the reverse-connect is reachable.
+      healthChecks = true;
       syncedApps = [
         {
           name = "Sonarr";
           implementation = "Sonarr";
           configContract = "SonarrSettings";
-          prowlarrUrl = "http://localhost:${builtins.toString service_configs.ports.private.prowlarr.port}";
+          prowlarrUrl = "http://${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.private.prowlarr.port}";
           baseUrl = "http://${config.vpnNamespaces.wg.bridgeAddress}:${builtins.toString service_configs.ports.private.sonarr.port}";
           apiKeyFrom = "${service_configs.sonarr.dataDir}/config.xml";
           serviceName = "sonarr";
@@ -34,7 +36,7 @@
           name = "Radarr";
           implementation = "Radarr";
           configContract = "RadarrSettings";
-          prowlarrUrl = "http://localhost:${builtins.toString service_configs.ports.private.prowlarr.port}";
+          prowlarrUrl = "http://${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.private.prowlarr.port}";
           baseUrl = "http://${config.vpnNamespaces.wg.bridgeAddress}:${builtins.toString service_configs.ports.private.radarr.port}";
           apiKeyFrom = "${service_configs.radarr.dataDir}/config.xml";
           serviceName = "radarr";