This guide explains how the stack fits together and why it's designed this way.
When someone requests a movie or TV show, here's what happens:
┌─────────────┐ ┌──────────────┐ ┌───────────┐ ┌─────────────┐ ┌──────────┐
│ Seerr │────▶│ Sonarr/Radarr│────▶│ Prowlarr │────▶│ qBittorrent │────▶│ Jellyfin │
│ (request) │ │ (manage) │ │ (indexers)│ │ SABnzbd │ │ (watch) │
│ │ │ │ │ │ │ (download) │ │ │
└─────────────┘ └──────────────┘ └───────────┘ └─────────────┘ └──────────┘
│ │ │ │ │
│ │ │ │ │
└────────────────────┴───────────────────┴──────────────────┘ │
Through VPN (Gluetun) Not through VPN
- Seerr - User requests a show or movie
- Sonarr/Radarr - Searches for releases, sends to download client
- Prowlarr - Provides indexers (torrent + Usenet) to Sonarr/Radarr
- qBittorrent - Downloads torrents (through VPN)
- SABnzbd - Downloads from Usenet (through VPN)
- Jellyfin - Streams the completed files
Why both qBittorrent and SABnzbd? Torrents are free but can be slow/unreliable. Usenet costs ~$5/month but is faster, more reliable, and has no ratio requirements. Most users configure both - Sonarr/Radarr will try Usenet first, fall back to torrents.
Why VPN? Your ISP can see BitTorrent traffic. The VPN encrypts this so they only see "encrypted traffic to VPN server".
Why not everything through VPN? Streaming from Jellyfin doesn't need protection (you're watching your own files) and VPN would slow it down.
┌─────────────────────────────────────────┐
│ GLUETUN (VPN) │
│ │
Internet ◄───VPN Tunnel───────│ qBit Sonarr Radarr Prowlarr Flare │
│ ▲ ▲ ▲ ▲ │
│ │ │ │ │ │
│ └─────────┴───────┴────────┘ │
│ All share localhost │
└─────────────────────────────────────────┘
│
─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─
│
┌──────────────────┴──────────────────────┐
Internet ◄──Cloudflare Tunnel─│ Jellyfin Seerr │
(remote) │ (stream) (requests) │
│ │
LAN only ◄────────────────────│ Pi-hole Sonarr Radarr ... │
(local) │ (DNS) (manage) (manage) │
└─────────────────────────────────────────┘
Note: Download services go through VPN to hide torrent traffic from your ISP. Streaming services don't need VPN protection. Remote access uses Cloudflare Tunnel (not VPN) - see Access Levels.
Services inside Gluetun's network use localhost to talk to each other. Services outside must use the gluetun hostname.
Inside Gluetun (same network): Outside Gluetun:
───────────────────────────── ─────────────────
Sonarr → qBittorrent Seerr → Sonarr
└── localhost:8085 └── gluetun:8989
Radarr → qBittorrent Bazarr → Radarr
└── localhost:8085 └── gluetun:7878
Prowlarr → Sonarr
└── localhost:8989
All services run on the arr-stack network with static IPs:
arr-stack network (172.20.0.0/24)
───────────────────────────────────────────────────────────────────────────────────
│ IP │ Service │ Notes │ Required for │
├──────────────┼──────────────┼────────────────────────────────┼──────────────────│
│ 172.20.0.3 │ Gluetun │ VPN gateway + arr services │ Core │
│ 172.20.0.4 │ Jellyfin │ Media server │ Core │
│ 172.20.0.8 │ Seerr │ Request portal │ Core │
│ 172.20.0.9 │ Bazarr │ Subtitles │ Core │
│ 172.20.0.5 │ Pi-hole │ DNS server │ Core │
│ 172.20.0.2 │ Traefik │ Reverse proxy │ + local DNS │
│ 172.20.0.12 │ Cloudflared │ Tunnel to Cloudflare │ + remote access │
│ 172.20.0.13 │ Uptime Kuma │ Monitoring │ Optional │
│ 172.20.0.14 │ duc │ Disk usage │ Optional │
│ 172.20.0.15 │ Beszel │ System monitoring │ Optional │
│ 172.20.0.16 │ DIUN │ Image update notifier │ Optional │
───────────────────────────────────────────────────────────────────────────────────
┌─────────────────────────────────────────────────────────────────────────┐
│ CORE │
│ Access via NAS_IP:port │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ :8096 │ │ :8989 │ │ :7878 │ │ :5055 │ ... │
│ │ Jellyfin │ │ Sonarr │ │ Radarr │ │ Seerr │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
└─────────────────────────────────────────────────────────────────────────┘
│
│ + Pi-hole + Traefik
▼
┌─────────────────────────────────────────────────────────────────────────┐
│ + LOCAL DNS │
│ Access via .lan domains │
│ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ │
│ │ jellyfin.lan │ │ sonarr.lan │ │ radarr.lan │ ... │
│ └───────────────┘ └───────────────┘ └───────────────┘ │
│ │
│ Your device → Pi-hole (DNS) → Traefik → Service │
└─────────────────────────────────────────────────────────────────────────┘
│
│ + Cloudflare Tunnel
▼
┌─────────────────────────────────────────────────────────────────────────┐
│ + REMOTE ACCESS │
│ Access from outside your home │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ jellyfin.domain.com │ │ seerr.domain.com │ ... │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ Phone → Cloudflare → Tunnel → Traefik → Service │
└─────────────────────────────────────────────────────────────────────────┘
All containers run with hardened defaults:
no-new-privileges— Prevents processes from gaining additional privileges viasetuid/setgidbinariescap_drop: ALL— Drops all Linux capabilities by default
Two YAML anchors define security profiles in each compose file:
| Anchor | Used by | Capabilities |
|---|---|---|
x-security |
All non-LSIO services | None by default (services add back only what they need) |
x-security-lsio |
Sonarr, Radarr, Prowlarr, qBittorrent, SABnzbd, Bazarr | CHOWN, SETUID, SETGID, DAC_OVERRIDE (s6-overlay needs these to switch users during init) |
Services that write to Docker volumes as root add back CHOWN + DAC_OVERRIDE (Jellyfin, Seerr, Uptime Kuma, DUC, Beszel, DIUN, Configarr). Services with read-only or no volumes don't need any (FlareSolverr, Cloudflared, Traefik, Deunhealth, Beszel-agent).
Additional requirements:
- Gluetun — adds
NET_ADMIN(required to create VPN tunnel interfaces) - Uptime Kuma — adds
FOWNER(sets ownership on created files) - Pi-hole — adds
NET_ADMIN,NET_RAW,CHOWN,SETUID,SETGID,SETFCAP,SYS_NICE,DAC_OVERRIDE, and disablesno-new-privileges(FTL usessetcapat startup)
Static IPs: Prevents "container not found" errors after restarts. Services always know where to find each other.
Separate compose files: Deploy only what you need. Core users don't need Traefik or Cloudflared.
VPN for downloads only: Protects privacy where it matters, doesn't slow down streaming.
Pi-hole for DNS: Provides internal Docker DNS and ad-blocking. Optionally enables .lan domains (+ local DNS).
Named volumes: Data persists across container updates. Easy to backup with the included script.
No fail2ban: External access goes through Cloudflare Tunnel, which handles rate limiting and bot protection at the edge. LAN services aren't exposed to the internet. Services with auth (qBittorrent, Pi-hole, Traefik dashboard) have their own brute-force protections. fail2ban would add complexity with no practical benefit.