Configuration Reference
All settings are managed through the web UI at http://YOUR_SERVER_IP:9705 and persisted as JSON files under /config/. No manual file editing is required for normal use.
Per-App Hunt Settings
Each connected app (Sonarr, Radarr, Lidarr, Readarr, Whisparr) has its own settings page. Go to Settings → [App Name] to configure these.
| Setting | Default | Description |
|---|---|---|
| API URL | — | Base URL of the app, e.g. http://10.0.0.5:8989. No trailing slash. |
| API Key | — | Found in the app under Settings → General → Security → API Key. |
| Hunt Missing Items | 1 | Number of missing items to search for per cycle. Increase gradually once you know your indexer can handle the load. |
| Hunt Upgrade Items | 1 | Number of below-cutoff items to search for quality upgrades per cycle. |
| Sleep Duration | 900 | Seconds to wait between cycles. Lower values hunt more frequently but put more load on your indexers. |
| Monitored Only | Enabled | When enabled, only items marked as monitored in the app are processed. |
| Skip Future Items | Enabled | Skips items whose release date is in the future, avoiding unnecessary searches. |
| Skip Series/Movie Refresh | Enabled | Skips metadata refresh before searching, reducing disk I/O and database load significantly. |
| Minimum Download Queue Size | 0 | Pause hunting when the download queue reaches this size. Set to 0 to disable the check. |
| Hourly API Cap | 0 | Maximum number of API search calls per hour. Set to 0 for no cap. Helps avoid indexer rate limits. |
| State Reset Interval | 168 | Hours before processed item state is cleared so items can be re-hunted. Default is 7 days. |
| Random Selection | Enabled | Process items in random order rather than sequentially. Recommended to distribute searches evenly across your library. |
| Debug Mode | Disabled | Logs detailed API responses. Enable temporarily when troubleshooting a connection issue, then disable again. |
General Settings
Found under Settings → General. These apply globally across all apps.
| Setting | Default | Description |
|---|---|---|
| API Timeout | 120 | Seconds before an outbound API call to an Arr app times out. Increase if your apps are slow to respond. |
| Command Wait Delay | 1 | Seconds between polling attempts when waiting for an Arr command to complete. |
| Command Wait Attempts | 600 | Maximum number of poll attempts before declaring a command timed out (600 × 1s = 10 minutes). |
Authentication
Seekarr supports three authentication modes, configured under Settings → Authentication.
| Mode | Use case |
|---|---|
| Standard Login | Username and password required for every session. Recommended default. |
| Local Network Bypass | Requests from private (RFC 1918) IP addresses skip authentication. Use only when Seekarr is directly reachable on a trusted LAN — not behind a reverse proxy. |
| No Login | Authentication is disabled entirely. Suitable only for fully isolated private networks or when Seekarr sits behind a reverse proxy that handles auth itself. |
Two-Factor Authentication (2FA)
TOTP-based 2FA can be enabled from your user profile after logging in. You will need an authenticator app such as Google Authenticator, Authy, or any standard TOTP client.
Password Reset
If you forget your password, delete /config/user/credentials.json and restart the container. You will be prompted to create a new account on next visit.
Reverse Proxy
When running Seekarr behind Nginx, Traefik, Caddy, or another reverse proxy, set the TRUSTED_PROXIES environment variable so that forwarded headers are trusted correctly.
| Value | Meaning |
|---|---|
| * | Trust any upstream. Simplest option for single-proxy LAN setups. |
| 192.168.1.10 | Trust a specific proxy IP only. |
| 10.0.1.5,192.168.1.0/24 | Comma-separated list of IPs and/or CIDR ranges. Use for load-balanced or multi-proxy setups. |
When TRUSTED_PROXIES is set, Seekarr will:
- Trust X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Prefix headers from matching upstream IPs only.
- Strip forwarded headers arriving from untrusted connections to prevent spoofing.
- Set the Secure flag on the session cookie so browsers send it only over HTTPS.
- Honour X-Forwarded-Prefix for subpath deployments (e.g. serving Seekarr at /seekarr).
Do not set TRUSTED_PROXIES when Seekarr is directly internet-facing.
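How a TRUSTED_PROXIES value interacts with Local Network Bypass, modelled as an added example (this is not Seekarr's own code). The function names, the rule of taking the right-most X-Forwarded-For entry, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_trusted_proxies(value):
    """Turn a TRUSTED_PROXIES string into networks; '*' matches every peer."""
    value = (value or "").strip()
    if value == "*":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    # A bare IP becomes a /32 (or /128); strict=False tolerates host bits in a CIDR.
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def in_any(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # a malformed address never matches
        return False
    return any(ip.version == n.version and ip in n for n in networks)

def resolve_client(peer_ip, headers, trusted_proxies):
    """Return (client_ip, headers the app would act on) for one request."""
    if not in_any(peer_ip, parse_trusted_proxies(trusted_proxies)):
        # Untrusted connection: strip forwarded headers, keep the socket peer.
        kept = {k: v for k, v in headers.items()
                if not k.lower().startswith("x-forwarded-")}
        return peer_ip, kept
    # Assumption: a single proxy hop, so the right-most entry is the one it added.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    return (hops[-1] or peer_ip), dict(headers)

def lan_bypass_applies(peer_ip, headers, trusted_proxies):
    """Would Local Network Bypass skip the login for this request?"""
    client, _ = resolve_client(peer_ip, headers, trusted_proxies)
    return in_any(client, RFC1918)

# Constructed sample values: the proxy's Docker address and a remote client.
PROXY, REMOTE = "172.18.0.2", "203.0.113.7"
VIA_PROXY = {"X-Forwarded-For": REMOTE, "X-Forwarded-Proto": "https"}
DIRECT = {"X-Forwarded-For": "192.168.1.50"}  # header on a non-proxy connection

if __name__ == "__main__":
    for label, peer, hdrs, tp in [
        ("via proxy, TRUSTED_PROXIES unset", PROXY, VIA_PROXY, ""),
        ("via proxy, proxy IP trusted", PROXY, VIA_PROXY, PROXY),
        ("direct peer, TRUSTED_PROXIES=*", REMOTE, DIRECT, "*"),
        ("direct peer, proxy IP trusted", REMOTE, DIRECT, PROXY),
    ]:
        print(f"{label:34} bypass={lan_bypass_applies(peer, hdrs, tp)}")
```

In this model the login is skipped in the first and third rows: behind an untrusted proxy every request appears to come from the proxy's private address, and with `*` a header on a direct connection is honoured. Pinning TRUSTED_PROXIES to the proxy's IP and keeping port 9705 reachable only from the proxy avoids both.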
Nginx
```nginx
location /seekarr/ {
    proxy_pass http://seekarr:9705/;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Prefix /seekarr;
    proxy_set_header Host $host;
}
```
And in your docker-compose.yml:
```yaml
environment:
  - TRUSTED_PROXIES=192.168.1.10 # your Nginx container's IP
```
Caddy
Caddy handles TLS automatically. Add a block to your Caddyfile:
```
your.domain.com {
    handle /seekarr/* {
        uri strip_prefix /seekarr
        reverse_proxy seekarr:9705 {
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
            header_up X-Forwarded-Prefix /seekarr
        }
    }
}
```
Set TRUSTED_PROXIES to the Caddy container's IP (or * if Caddy and Seekarr share a Docker network):
```yaml
environment:
  - TRUSTED_PROXIES=*
```
Traefik
Add labels to the Seekarr service in docker-compose.yml. Replace your.domain.com and adjust the entrypoints name (websecure) to match your Traefik config:
```yaml
services:
  seekarr:
    image: ghcr.io/diybits/seekarr:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.seekarr.rule=Host(`your.domain.com`) && PathPrefix(`/seekarr`)"
      - "traefik.http.routers.seekarr.entrypoints=websecure"
      - "traefik.http.routers.seekarr.tls.certresolver=letsencrypt"
      - "traefik.http.middlewares.seekarr-strip.stripprefix.prefixes=/seekarr"
      - "traefik.http.routers.seekarr.middlewares=seekarr-strip"
      - "traefik.http.services.seekarr.loadbalancer.server.port=9705"
    environment:
      - TRUSTED_PROXIES=* # Traefik runs in the same Docker network
```
Traefik forwards X-Forwarded-For and X-Forwarded-Proto automatically. The stripprefix middleware removes /seekarr before the request reaches Seekarr, and X-Forwarded-Prefix is set so Seekarr generates correct redirect URLs.
Nginx Proxy Manager
Nginx Proxy Manager (NPM) is a GUI wrapper around Nginx. No config files are needed — everything is done through the web UI.
- In NPM, go to Proxy Hosts → Add Proxy Host.
- Set Domain Names to your hostname (e.g. seekarr.home.lan).
- Set Scheme to http, Forward Hostname/IP to seekarr (Docker service name or IP), and Forward Port to 9705.
- Enable Websockets Support (Seekarr uses long-polling for live updates).
- On the SSL tab, request a Let's Encrypt certificate and enable Force SSL.
- On the Advanced tab, paste the following custom Nginx snippet to forward the required headers:
```nginx
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
```
Then set TRUSTED_PROXIES to the NPM container's IP (find it with docker inspect npm | grep IPAddress), or use * if NPM and Seekarr are on the same Docker network:
```yaml
environment:
  - TRUSTED_PROXIES=*
```
Note: NPM does not support subpath deployments (/seekarr prefix) through the GUI. If you need Seekarr at a subpath, use Nginx or Caddy directly.
Self-Signed Certificates
If your *Arr applications use self-signed TLS certificates, Seekarr will refuse the connection by default because the certificate cannot be verified against a trusted CA. There are three ways to handle this:
| Option | Where to configure | Trade-off |
|---|---|---|
| Custom CA bundle (recommended) | Settings → General → Custom CA Bundle Path | Full certificate validation against your own CA. Most secure. |
| Disable SSL verify | Settings → General → Enable SSL Verify (toggle off) | Skips all certificate checks. Simple, but leaves connections open to MitM attacks on untrusted networks. |
| Mount cert into container trust store | Docker volume / bind mount | System-level trust — works for all Python SSL calls, not just Seekarr's own HTTP client. |
Option 1 — Custom CA bundle path
Export your CA certificate as a PEM file, place it somewhere inside the /config volume, then enter the path in Settings → General → Custom CA Bundle Path.
Example — if your CA cert is at /your-host-path/seekarr/certs/ca.crt on the host:
```yaml
# docker-compose.yml
services:
  seekarr:
    volumes:
      - /your-host-path/seekarr:/config
```
Inside the container the cert is at /config/certs/ca.crt. Set that as the CA Bundle Path. Seekarr will use it for all *Arr API calls without touching the system trust store.
The path can point to a single PEM file or a directory of PEM files (OpenSSL c_rehash format).
Option 2 — Disable SSL verification
In Settings → General, turn off the Enable SSL Verify toggle. This disables certificate checking for all outbound *Arr API calls. Only use this on fully trusted private networks.
Note: if a Custom CA Bundle Path is set, it takes precedence over this toggle — the toggle only applies when the path field is blank.
Option 3 — Mount cert into the container trust store
This makes the CA trusted system-wide inside the container. Add a bind mount that drops your CA cert into the system CA directory:
```yaml
# docker-compose.yml
services:
  seekarr:
    volumes:
      - /your-host-path/seekarr:/config
      - /path/to/your/ca.crt:/usr/local/share/ca-certificates/my-ca.crt:ro
```
Then rebuild or restart the container with the update-ca-certificates command baked in, or use an entrypoint script that runs it on start. This approach is more involved but makes the cert available to any tool inside the container, not just Seekarr.
Environment Variables
These variables are set at container start time and cannot be changed from the web UI.
| Variable | Default | Description |
|---|---|---|
| TZ | UTC | Timezone for log timestamps, e.g. America/New_York. |
| TRUSTED_PROXIES | — | Comma-separated proxy IPs/CIDRs, or *. Required when running behind a reverse proxy. |
| SECRET_KEY | auto-generated | Flask session signing key. If not set, a random key is generated and stored at /config/secret_key on first start. Supply a fixed value to keep sessions valid across key file deletions. |
| DEBUG | — | Set to true to enable Flask debug mode and verbose logging. Not recommended in production. |
Config File Layout
Settings are stored in the /config volume. You should not need to edit these files directly, but this is useful for troubleshooting.
```
/config/
  sonarr.json          # Sonarr connection and hunt settings
  radarr.json          # Radarr connection and hunt settings
  lidarr.json          # Lidarr connection and hunt settings
  readarr.json         # Readarr connection and hunt settings
  whisparr.json        # Whisparr connection and hunt settings
  general.json         # Global settings (timeouts, debug mode)
  user/
    credentials.json   # Hashed password and 2FA secret
  state/
    sonarr/            # IDs of already-processed Sonarr items
    radarr/
    ...
  stateful/            # Extended stateful item management
  scheduler/
    schedule.json      # Scheduled action definitions
  logs/                # Application log files
  sessions.json        # Active login sessions (persisted across restarts)
  secret_key           # Auto-generated Flask session key
```