Deploying a Kubernetes-Based Media Server

Mar 6, 2024

How to deploy a full ARR stack — Jellyfin, Radarr, Sonarr, Jackett, and qBittorrent — on Kubernetes with NFS storage and Traefik ingress.

Warning

Archived. This setup ran on k3s, which I’ve since replaced with Talos + FluxCD GitOps. Keeping this post up as a reference for the manifest structure and NFS setup on Kubernetes.

Running a media stack in Docker Compose is easy enough, but once you’re already managing a Kubernetes cluster it makes sense to move it there — persistent volumes, health checks, and restarts all handled the same way as everything else. This is the full ARR stack: Jellyfin for streaming, Radarr and Sonarr for media management, Prowlarr for indexers, qBittorrent for downloads, and Gluetun as a VPN sidecar. Config lives on Longhorn; media is stored on a Synology DS223 mounted via NFS 4.1 as a PersistentVolume.

Components

Application	Role
Jellyfin	Media streaming
Radarr	Movie library management
Sonarr	TV show management
Prowlarr	Torrent indexer manager
qBittorrent	Download client
Gluetun	VPN sidecar for qBittorrent

Synology NAS NFS Setup

If you’re using a Synology NAS, this is the NFS share rule I use — applied before mounting on the Kubernetes side.

NFS rule configuration on Synology NAS

PersistentVolumes and PVCs

Media Storage

Create nfs-media-pv-and-pvc.yaml:

1
apiVersion: v1
2
kind: PersistentVolume
3
metadata:
4
  name: jellyfin-videos
5
spec:
6
  capacity:
7
    storage: 400Gi
8
  accessModes:
9
    - ReadWriteOnce
10
  nfs:
11
    path: /volume1/server/k3s/media
12
    server: storage.merox.cloud
13
  persistentVolumeReclaimPolicy: Retain
14
  mountOptions:
15
    - hard
16
    - nfsvers=4.1
17
  storageClassName: ""
18
---
13 collapsed lines
19
apiVersion: v1
20
kind: PersistentVolumeClaim
21
metadata:
22
  name: jellyfin-videos
23
  namespace: media
24
spec:
25
  accessModes:
26
    - ReadWriteOnce
27
  resources:
28
    requests:
29
      storage: 400Gi
30
  volumeName: jellyfin-videos
31
  storageClassName: ""

kubectl apply -f nfs-media-pv-and-pvc.yaml

Download Storage

Create nfs-download-pv-and-pvc.yaml:

1
apiVersion: v1
2
kind: PersistentVolume
3
metadata:
4
  name: qbitt-download
5
spec:
6
  capacity:
7
    storage: 400Gi
8
  accessModes:
9
    - ReadWriteOnce
10
  nfs:
11
    path: /volume1/server/k3s/media/download
12
    server: storage.merox.cloud
13
  persistentVolumeReclaimPolicy: Retain
14
  mountOptions:
15
    - hard
16
    - nfsvers=4.1
17
  storageClassName: ""
18
---
13 collapsed lines
19
apiVersion: v1
20
kind: PersistentVolumeClaim
21
metadata:
22
  name: qbitt-download
23
  namespace: media
24
spec:
25
  accessModes:
26
    - ReadWriteOnce
27
  resources:
28
    requests:
29
      storage: 400Gi
30
  volumeName: qbitt-download
31
  storageClassName: ""

kubectl apply -f nfs-download-pv-and-pvc.yaml

Longhorn PVC for App Configs

Create app-config-pvc.yaml (repeat for each app):

1
apiVersion: v1
2
kind: PersistentVolumeClaim
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
spec:
7
  accessModes:
8
    - ReadWriteOnce
9
  storageClassName: longhorn
10
  resources:
11
    requests:
12
      storage: 5Gi

kubectl apply -f app-config-pvc.yaml

Caution

You need a separate PVC for each application: Jellyfin, Sonarr, Radarr, Prowlarr, and qBittorrent.

Deployments

Jellyfin

Create jellyfin-deployment.yaml:

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: jellyfin
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: jellyfin
11
  template:
12
    metadata:
13
      labels:
14
        app: jellyfin
18 collapsed lines
15
    spec:
16
      containers:
17
      - name: jellyfin
18
        image: jellyfin/jellyfin
19
        volumeMounts:
20
        - name: config
21
          mountPath: /config
22
        - name: videos
23
          mountPath: /data/videos
24
        ports:
25
        - containerPort: 8096
26
      volumes:
27
      - name: config
28
        persistentVolumeClaim:
29
          claimName: jellyfin-config
30
      - name: videos
31
        persistentVolumeClaim:
32
          claimName: jellyfin-videos

kubectl apply -f jellyfin-deployment.yaml

Sonarr

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: sonarr
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: sonarr
11
  template:
12
    metadata:
13
      labels:
14
        app: sonarr
28 collapsed lines
15
    spec:
16
      containers:
17
      - name: sonarr
18
        image: lscr.io/linuxserver/sonarr
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        - name: videos
28
          mountPath: /tv
29
        - name: downloads
30
          mountPath: /downloads
31
        ports:
32
        - containerPort: 8989
33
      volumes:
34
      - name: config
35
        persistentVolumeClaim:
36
          claimName: sonarr-config
37
      - name: videos
38
        persistentVolumeClaim:
39
          claimName: jellyfin-videos
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

Radarr

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: radarr
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: radarr
11
  template:
12
    metadata:
13
      labels:
14
        app: radarr
28 collapsed lines
15
    spec:
16
      containers:
17
      - name: radarr
18
        image: lscr.io/linuxserver/radarr
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        - name: videos
28
          mountPath: /movies
29
        - name: downloads
30
          mountPath: /downloads
31
        ports:
32
        - containerPort: 7878
33
      volumes:
34
      - name: config
35
        persistentVolumeClaim:
36
          claimName: radarr-config
37
      - name: videos
38
        persistentVolumeClaim:
39
          claimName: jellyfin-videos
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

Prowlarr

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: prowlarr
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: prowlarr
11
  template:
12
    metadata:
13
      labels:
14
        app: prowlarr
18 collapsed lines
15
    spec:
16
      containers:
17
      - name: prowlarr
18
        image: lscr.io/linuxserver/prowlarr
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        ports:
28
        - containerPort: 9696
29
      volumes:
30
      - name: config
31
        persistentVolumeClaim:
32
          claimName: prowlarr-config

qBittorrent (standalone)

Warning

qBittorrent v5 renamed the API endpoints /torrents/pause and /torrents/resume to /torrents/stop and /torrents/start. If you use any scripts or integrations that call the qBittorrent API directly, update them before upgrading from v4.

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: qbittorrent
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: qbittorrent
11
  template:
12
    metadata:
13
      labels:
14
        app: qbittorrent
28 collapsed lines
15
    spec:
16
      containers:
17
      - name: qbittorrent
18
        image: lscr.io/linuxserver/qbittorrent
19
        resources:
20
          limits:
21
            memory: "2Gi"
22
          requests:
23
            memory: "512Mi"
24
        env:
25
        - name: PUID
26
          value: "1057"
27
        - name: PGID
28
          value: "1056"
29
        volumeMounts:
30
        - name: config
31
          mountPath: /config
32
        - name: downloads
33
          mountPath: /downloads
34
        ports:
35
        - containerPort: 8080
36
      volumes:
37
      - name: config
38
        persistentVolumeClaim:
39
          claimName: qbitt-config
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

qBittorrent with Gluetun

If you want to route qBittorrent traffic through a VPN, use this version instead — Gluetun runs as a sidecar and shares the network namespace.

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: qbittorrent
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: qbittorrent
11
  template:
12
    metadata:
13
      labels:
14
        app: qbittorrent
64 collapsed lines
15
    spec:
16
      containers:
17
        - name: qbittorrent
18
          image: lscr.io/linuxserver/qbittorrent
19
          resources:
20
            limits:
21
              memory: "2Gi"
22
            requests:
23
              memory: "512Mi"
24
          env:
25
           - name: PUID
26
             value: "1057"
27
           - name: PGID
28
             value: "1056"
29
          volumeMounts:
30
            - name: config
31
              mountPath: /config
32
            - name: downloads
33
              mountPath: /downloads
34
          ports:
35
            - containerPort: 8080
36

37
        - name: gluetun
38
          image: ghcr.io/qdm12/gluetun:v3.40.0
39
          env:
40
            - name: VPN_SERVICE_PROVIDER
41
              value: "surfshark"
42
            - name: VPN_TYPE
43
              value: "wireguard"
44
            - name: SERVER_COUNTRIES
45
              value: "Netherlands"
46
            - name: WIREGUARD_ADDRESSES
47
              value: "10.14.0.2/16"  # from SurfShark WireGuard config — Address field
48
            - name: FIREWALL_INPUT_PORTS
49
              value: "50413,8080"  # torrent port + web UI port
50
            - name: FIREWALL_OUTBOUND_SUBNETS
51
              value: "10.0.0.0/8"
52
            - name: DNS_KEEP_NAMESERVER
53
              value: "on"
54
            - name: DOT
55
              value: "off"
56
            - name: WIREGUARD_PRIVATE_KEY
57
              valueFrom:
58
                secretKeyRef:
59
                  name: surfshark-secret
60
                  key: WIREGUARD_PRIVATE_KEY
61
          securityContext:
62
            capabilities:
63
              add:
64
                - NET_ADMIN
65
          volumeMounts:
66
            - name: tun
67
              mountPath: /dev/net/tun
68

69
      volumes:
70
        - name: config
71
          persistentVolumeClaim:
72
            claimName: qbitt-config
73
        - name: downloads
74
          persistentVolumeClaim:
75
            claimName: qbitt-download
76
        - name: tun
77
          hostPath:
78
            path: /dev/net/tun

Note

I use SurfShark with WireGuard — faster than OpenVPN and natively supported by Gluetun. Generate your WireGuard key from the SurfShark dashboard under VPN → Manual Setup → WireGuard. Note: SurfShark does not support port forwarding, so peers cannot initiate inbound connections — downloads still work fine but may be slower without seeding peers.

ClusterIP Services

Each app needs a ClusterIP service so Traefik can route to it internally. Create app-service.yaml per application:

1
apiVersion: v1
2
kind: Service
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
spec:
7
  type: ClusterIP
8
  ports:
9
    - port: 80
10
      targetPort: 7878
11
  selector:
12
    app: app # radarr for example

kubectl apply -f app-service.yaml

Traefik Middleware

Create default-headers-media.yaml:

1
apiVersion: traefik.io/v1alpha1
2
kind: Middleware
3
metadata:
4
  name: default-headers-media
5
  namespace: media
6
spec:
7
  headers:
8
    browserXssFilter: true
9
    contentTypeNosniff: true
10
    forceSTSHeader: true
11
    stsIncludeSubdomains: true
12
    stsPreload: true
13
    stsSeconds: 15552000
14
    customFrameOptionsValue: SAMEORIGIN
15
    customRequestHeaders:
16
      X-Forwarded-Proto: https

kubectl apply -f default-headers-media.yaml

IngressRoutes

Create app-ingress-route.yaml per application:

1
apiVersion: traefik.io/v1alpha1
2
kind: IngressRoute
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
  annotations:
7
    kubernetes.io/ingress.class: traefik-external
8
spec:
9
  entryPoints:
10
    - websecure
11
  routes:
12
    - match: Host(`movies.merox.cloud`) # change to your domain
13
      kind: Rule
14
      services:
15
        - name: app # radarr for example
16
          port: 80
17
    - match: Host(`movies.merox.cloud`) # change to your domain
18
      kind: Rule
19
      services:
20
        - name: app # radarr for example
21
          port: 80
22
      middlewares:
23
        - name: default-headers-media
24
  tls:
25
    secretName: mycert-tls # change to your cert name

kubectl apply -f app-ingress-route.yaml

Caution

Add the hostname declared in your IngressRoute to your DNS server before applying.

Manifest Files

All manifests are available here — copy and deploy what you need:

All manifest files 🔗