On pod start the nzbget container raced gluetun: /etc/resolv.conf points at
10.128.0.1 (reachable only via the WireGuard tunnel), so for the ~20s gluetun
needs to establish the tunnel every DNS lookup from nzbget returned EAI_AGAIN.
Any in-queue download that had articles fetched during that window dropped
below the HealthCheck threshold (~97.9%) and was auto-cancelled — even items
that would otherwise complete (saw 97.6-97.8% health = "very nearly fine").
Override the nzbget container's entrypoint to poll DNS resolution and only
exec /init once it succeeds. That's the direct test of "tunnel is up + DNS
works", which is what nzbget needs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
nzbget's usenet downloads (NNTP/563) were egressing DIRECT: the HTTP_PROXY env
pointed at a standalone gluetun that isn't even running, and NNTP ignores HTTP
proxies anyway. Adopt the qbittorrent pattern instead: run gluetun as a sidecar
in the nzbget pod so the shared netns + kill-switch force ALL traffic through
the tunnel, regardless of protocol.
- Add gluetun sidecar (own AirVPN device via gluetun-wireguard-nzbget secret,
FIREWALL_INPUT_PORTS=6789 to keep the WebUI reachable, DOT=off + DNS_ADDRESS
per the AirVPN-blocks-DoT gotcha).
- Remove the useless HTTP_PROXY/NO_PROXY envs from nzbget.
- Delete the standalone gluetun chart/values/application (was not running; only
nzbget referenced it).
Trade-off: if the tunnel drops, downloads stop (no leak) rather than falling
back to direct — same behaviour as qbittorrent.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
nzbget does not expand OS env vars in nzbget.conf (its ${...} only
references other nzbget options), so the previous secretKeyRef-as-env
approach left the literal ${NEWSHOSTING_USER} in the config and auth
failed with 400 DENIED.
Add initContainers support to the chart and an init step that seds the
Server1 (newshosting) block into nzbget.conf on every start: non-secret
settings in git, username/password from the usenet-creds Secret. Rotating
the secret + restarting re-renders the creds; no password lands in git.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prowlarr was pinned to a stale digest (v2.0.5.5160) via
.argocd-source-prowlarr.yaml; remove the file so the live app's
helm.parameters (which already has the current :latest digest =
v2.3.5.5327) takes effect.
qbittorrent: bump 5.1.0 -> 5.2.0.
gilgamezh