Support / questions: #clonarr on the TRaSH Guides Discord (under Community Apps). Report bugs: GitHub issues.
A fully visual TRaSH Guides sync tool for Radarr and Sonarr. Browse, customize, and sync Custom Formats, Quality Profiles, Scores, and Quality Sizes — no YAML configs, no CLI, just a browser.
Build profiles from scratch or start from TRaSH templates, compare your Arr profiles against TRaSH to see what's missing or wrong, test how releases score in the Scoring Sandbox, track every change with sync history and rollback, and sync to multiple Radarr and Sonarr instances. Auto-sync keeps your profiles in sync when TRaSH Guides updates, with Discord and Gotify notifications.
Free, open source, and self-hosted.
- Browse all TRaSH Quality Profiles (SQP-1 through SQP-5, HD Bluray, UHD Remux, Anime, language-specific, and more)
- Sync profiles to Radarr/Sonarr — creates quality groups, sets cutoff, applies CF scores
- Create new profiles or Update existing ones with dry-run preview
- Sync behavior rules (Add/Remove/Reset) — control how sync handles missing CFs, score overrides, and removed CFs
- Override system — customize language (Radarr), scores, cutoff, quality items, and upgrades per-instance without modifying the TRaSH profile
- Auto-sync — automatically sync when TRaSH Guides updates, with Discord and Gotify notifications
- Sortable sync rules — sort by TRaSH Profile or Arr Profile name
- Compare your Arr profiles against TRaSH Guides side-by-side
- Table layout for Required CFs and CF Groups — see current vs TRaSH values at a glance
- Profile Settings comparison — Language, Upgrade Allowed, Min/Cutoff scores
- Filter chips — All / Only diffs / Wrong score / Missing / Extra / Matching
- Golden Rule picker — automatically selects the correct HD/UHD variant based on what's in use
- Per-card Sync selected — choose which changes to apply per section (not all-or-nothing)
- Score override badges — shows when a score difference is intentional (from your sync rule overrides)
- Toggle all per card header for quick select/deselect
- History tab — dedicated change log for all synced profiles between TRaSH Sync and Compare
- Ring-buffer storage — last 10 change events per profile (syncs with no changes don't create entries)
- CF set-diff tracking — catches all CF changes including score-0 CFs (group enable/disable)
- Detailed change log — CFs added/removed, scores before/after, quality items toggled, settings changed
- Sortable columns — TRaSH Profile, Arr Profile, Last Changed, Events
- Rollback — restore a profile to a previous state with one click. Auto-disables auto-sync to prevent overwrite
- Browse all TRaSH Custom Formats organized by category (Audio, HDR, Streaming, Unwanted, etc.)
- Create and update CFs with spec-level comparison
- CF Creator — build custom CFs with regex specs, test patterns, and TRaSH-compatible scoring
- Build custom profiles from scratch or start from a TRaSH template
- Init card with tabs — choose between TRaSH template or import from Arr instance
- General + Quality cards — matching the Edit view's visual language with blue/purple stripes
- Import from instance — pulls all CFs including score-0 extras via sync history, resolves custom CFs
- Shared Quality Items editor — drag-and-drop quality ordering and grouping (same editor as Edit view)
- TRaSH group system — formatItems (mandatory CFs) + CF groups (optional, toggleable)
- Three-state CF pills — Req (required in group), Opt (optional in group), Fmt (in formatItems)
- Golden Rule and Miscellaneous variant dropdowns as sub-section in Quality card
- Export — TRaSH JSON (strict official format) + optional group includes snippets. Recyclarr YAML export is currently paused while we verify the output against current Recyclarr docs
- Import — Recyclarr YAML, TRaSH JSON, Clonarr backup, Arr instance profiles.
.ymlfiles and Recyclarr include files are supported in both paste and upload modes
- Test how releases score against any profile — paste release names or search via Prowlarr
- Compact table with matched CFs, quality, group, score, and PASS/FAIL per release
- Custom Prowlarr search categories — configurable per app type for indexers that don't cascade root IDs
- Numeric release group fallback — correctly parses trailing numeric groups (e.g.
-126811) - Per-row selection and filter — check rows and filter to selected subset
- Drag reorder — manually sort the release list
- Copy-box modal — shareable plain-text summary per release with title, CFs, and scores
- Profile comparison — score the same releases against two profiles side-by-side
- Score editor — temporarily modify CF scores and add/remove CFs to test changes
- Language CFs excluded — language-aware CFs stripped from scoring (Parse API can't evaluate without TMDB context)
- Sortable columns (score, quality, group, status)
- General + Quality cards with per-section override toggles (blue/purple stripe design)
- Inline Quality Items editor — expand inside the Quality card with drag-and-drop grouping
- Override summary bar — shows active overrides with per-section reset
- Sonarr language handling — language field hidden for Sonarr (removed in Sonarr v4)
- Sync TRaSH quality size recommendations to your instance
- Per-quality custom overrides with auto-sync option
- Browse and apply TRaSH naming schemes (movies + series)
- Sidebar layout — left navigation with sections: Instances, TRaSH Guides, Prowlarr, Notifications, Display, Advanced
- Settings for Prowlarr connection, search categories, auto-sync, Discord/Gotify notifications, and debug logging
- Instance comparison — see how your instance differs from TRaSH
- Orphaned score cleanup
- Bulk CF deletion with keep-list
- Backup and restore profiles + CFs
- Browser navigation — back/forward buttons work (URL hash routing with History API)
- TRaSH changelog — clickable dropdown in header showing recent guide updates
- Notifications — Discord, Gotify, Pushover, NTFY, Apprise (auto-sync results, TRaSH update summaries, configurable priority per severity)
- Reverse-proxy subpath hosting — host at
https://your-domain.com/clonarrviaURL_BASEenv var - Login brute-force protection — 5 failed attempts/IP/minute → temporary 429 lockout
- Advanced Mode — Profile Builder, Scoring Sandbox, CF Group Builder, and contributor-only TRaSH schema fields when enabled
- Multi-instance — manage multiple Radarr and Sonarr instances
- Dynamic language support — all languages from your Arr instance available in dropdowns
New to Clonarr? See the Getting Started guide for a step-by-step walkthrough with screenshots.
docker run -d \
--name clonarr \
--restart unless-stopped \
-p 6060:6060 \
-v /path/to/config:/config \
-e TZ=Europe/Oslo \
ghcr.io/prophetse7en/clonarr:latestOpen the Web UI at http://your-host:6060.
- Open
http://your-host:6060— you'll be redirected to/setupon first run to create an admin account (see Authentication below) - After login, go to Settings and add your Radarr/Sonarr instance (URL + API key)
- Click Pull in the header to clone the TRaSH Guides repository
- Browse profiles on the Radarr or Sonarr tab and click Sync to deploy
The TRaSH repository is cloned to /config/data/trash-guides/ and updated automatically (default: every 24 hours).
| Variable | Required | Default | Description |
|---|---|---|---|
TZ |
No | UTC |
Container timezone |
PUID |
No | 99 |
User ID for file ownership |
PGID |
No | 100 |
Group ID for file ownership |
PORT |
No | 6060 |
Web UI port (inside container) |
CONFIG_DIR |
No | /config |
Persistent config root. If changed, mount the same path as a volume. |
DATA_DIR |
No | ${CONFIG_DIR}/data |
TRaSH Guides cache/data directory. Usually leave this under CONFIG_DIR. |
URL_BASE |
No | (empty) | URL path prefix for reverse proxy subpath hosting, such as /clonarr. Leave empty for standard root-path access. |
TRUSTED_NETWORKS |
No | (empty — uses Radarr-parity defaults) | Lock Trusted Networks at host level. Comma-separated IPs/CIDRs (192.168.86.0/24, 10.66.0.0/24). When set, the UI field is disabled and cannot be changed via the web interface — only by editing the template and restarting. Useful for defense-in-depth: prevents a UI-takeover attacker from expanding the trust boundary. |
TRUSTED_PROXIES |
No | (empty) | Lock Trusted Proxies at host level. Comma-separated IPs. Same UI-disabled behavior as TRUSTED_NETWORKS. Only needed when Clonarr sits behind a reverse proxy that terminates TLS (SWAG, Authelia, Traefik). |
| Container Path | Purpose |
|---|---|
/config |
Configuration, profiles, sync history, and TRaSH Guides cache |
| Port | Purpose |
|---|---|
6060 |
Web UI |
services:
clonarr:
image: ghcr.io/prophetse7en/clonarr:latest
container_name: clonarr
restart: unless-stopped
ports:
- "6060:6060"
environment:
- TZ=Europe/Oslo
- PUID=99
- PGID=100
volumes:
- ./clonarr-config:/configgit clone https://github.com/prophetse7en/clonarr.git
cd clonarr
docker build -t clonarr .
docker run -d --name clonarr -p 6060:6060 \
-v ./config:/config clonarrThe container includes a built-in healthcheck that verifies the web UI and TRaSH data status. Docker (and platforms like Unraid/Portainer) will show the container as healthy when the API is responsive.
Install via Community Apps: Search for clonarr in the Apps tab — click Install and configure your settings.
Or install manually: Go to Docker → Add Container, set Repository to ghcr.io/prophetse7en/clonarr:latest, and add the required paths and ports (see above).
The Web UI is available at http://your-unraid-ip:6060. Config is stored in /mnt/user/appdata/clonarr by default.
Updating: Click the Clonarr icon in the Docker tab and select Force Update to pull the latest image.
Clonarr clones the TRaSH Guides repository and parses all Custom Format definitions, quality profiles, CF groups, and scoring data. It then provides a web UI to browse, customize, and sync this data to your Radarr/Sonarr instances via their v3 API.
TRaSH Guides repo (git clone)
→ Go backend parses CF/profile/group JSON
→ REST API (40+ endpoints)
→ Alpine.js SPA assembled from embedded partials
→ Sync: dry-run plan → apply (CF create/update + profile create/update)
By default, config is stored in /config/clonarr.json. Profiles are stored as individual JSON files in /config/profiles/.
Clonarr is built on the work of several projects:
- TRaSH Guides — All Custom Format data, quality profiles, scoring systems, and naming schemes. Clonarr is a frontend for TRaSH's guide data.
- Recyclarr — YAML import compatibility. Recyclarr YAML import works (including v7 configs for migration) and include files are supported. Recyclarr YAML export is currently paused while we verify the output against current Recyclarr docs (v8-only — v7 generation has been dropped).
- Notifiarr — Inspiration for the sync behavior rules (Add/Remove/Reset) and profile sync workflow.
- Radarr / Sonarr — API v3 integration for CF management, profile sync, quality sizes, naming, and the Parse API used by the Scoring Sandbox.
As of v2.0.6, Clonarr requires a login before you can reach the web UI. The model mirrors Radarr/Sonarr's Security panel:
Authentication — how users log in:
- Forms (login page) (default) — standard username/password form + session cookie (30-day TTL).
- Basic — HTTP Basic Auth (browser popup). Use this only when a reverse proxy in front is already handling login.
- None — disables auth entirely. Requires password confirmation to enable because the blast radius is catastrophic: anyone who reaches the port is admin. Only safe on a host not reachable from other devices.
Authentication Required — who must log in:
- Disabled for Trusted Networks (default) — devices on the "trusted" CIDR list skip the login page. Convenient for LAN-only deployments.
- Enabled (all traffic) — every request needs credentials, even from your own LAN.
- Open
http://your-host:6060— you'll be redirected to/setup - Create an admin username and password (min 10 characters, 2+ of upper/lower/digit/symbol)
- You're logged in automatically and land in the main UI
Credentials are bcrypt-hashed (cost 12) and stored in ${CONFIG_DIR}/auth.json (default /config/auth.json). Sessions persist across container restarts via ${CONFIG_DIR}/sessions.json.
By default "trusted" means all private IPv4 + IPv6 ranges (RFC1918, link-local, ULA, loopback — Radarr-parity). Anything in this list gets full admin access without a password — that includes every other container on your Docker host and every device on your home WiFi.
To tighten: go to Settings → Security and list specific IPs/CIDRs:
192.168.86.0/24— whole home VLAN10.66.0.0/24— WireGuard tunnel192.168.86.22/32— a single device
Loopback (127.x) is always trusted so Docker healthchecks work regardless of this list.
Host-level lockdown: set the TRUSTED_NETWORKS env var in your Unraid template or docker-compose.yml. When set, the UI field is disabled — the trust boundary can only be changed by editing the template and restarting the container. Defends against UI-takeover attackers (session hijack, XSS, local-bypass peer). See Environment Variables above.
Every install gets an API key (visible in Settings → Security, rotatable). Send it on requests as:
X-Api-Key: <your-key>
or as a query parameter (legacy — leaks to access logs and browser history):
?apikey=<your-key>
Use this for Homepage widgets, Uptime Kuma, and scripts. API-key auth bypasses both the login requirement and CSRF protection.
Behind SWAG / Authelia / Traefik / Caddy that terminates TLS:
- Set Trusted Proxies to the proxy's IP (or use
TRUSTED_PROXIESenv var to lock at host level). - Ensure the proxy sends
X-Forwarded-ForandX-Forwarded-Proto: https. - Pick either Forms (Clonarr handles login) or Basic (reverse proxy handles login upstream).
Clonarr will only trust X-Forwarded-* headers when the direct peer IP matches a configured Trusted Proxy — prevents header spoofing from other containers on the same bridge network.
If you want Clonarr at a path prefix instead of a subdomain, set URL_BASE on the container to match the prefix your proxy uses, then point the proxy at port 6060.
environment:
- URL_BASE=/clonarrExample NGINX block:
location /clonarr/ {
proxy_pass http://clonarr-host:6060/clonarr/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}Leading slash required, no trailing slash. Leave URL_BASE empty for root-path access (default).
No email reset flow — by design, ${CONFIG_DIR}/auth.json is authoritative. To recover:
- Stop the container
- Delete
${CONFIG_DIR}/auth.json(default/config/auth.json; credentials only — profiles, sync history, TRaSH data all live elsewhere) - Start the container
- Open the web UI — you'll be redirected to
/setupagain to create new credentials
This is safe on a machine where you have /config access. If someone ELSE can delete that file, they can also take over your Clonarr — which is expected behavior for a local admin tool.
- Login is required by default. Admin password is bcrypt-hashed in
${CONFIG_DIR}/auth.json— never plaintext. - Brute-force protection. 5 failed logins from the same IP within a minute → blocked until a minute has passed since the oldest of those 5 attempts (HTTP 429 +
Retry-After). Same on the setup and change-password endpoints. Failed attempts are logged with the source IP so fail2ban can pick them up if you want firewall-level bans. - Long passwords are welcome. Minimum 10 characters; 16+ skips the upper/lower/digit/symbol class rule, so passphrases like
correct horse battery staplepass. - Custom format names can't collide with TRaSH CFs. Saving a custom CF with a name that matches a TRaSH guides CF (or another custom for the same app) is refused — sharing a name caused syncs to flip-flop the score back and forth. Names are case-sensitive (
PCOKandPcokare distinct), matching Radarr/Sonarr's own rule. - Secrets stay on disk. Arr API keys, Discord/Gotify/Pushover/NTFY/Apprise tokens are stored in plaintext in
${CONFIG_DIR}/clonarr.json(mode 0600). Protect that file the same way you protect Radarr/Sonarr'sconfig.xml. - CSRF protection on every state-changing request. Scripts authenticating with
X-Api-Keybypass CSRF — that's intentional, key-holders are trusted. - Outbound webhooks check destinations. Discord and Pushover (the two where users paste a URL from a third party) go through an HTTP client that refuses internal IPs and re-checks on every request — defeats DNS-rebinding attacks where a malicious webhook hostname secretly resolves to a LAN address. Self-hosted Gotify / ntfy / Apprise use a standard client (you control the destination).
- Security headers set on every response:
X-Frame-Options: DENY(no embedding in iframes),X-Content-Type-Options: nosniff,Referrer-Policy: same-origin.
See SECURITY.md for the full posture, supported-version policy, and how to report a vulnerability.
While Clonarr has been tested extensively, it may contain bugs that could affect your Radarr/Sonarr configuration. Always use Dry Run before applying sync changes, and keep backups of your Arr instances.
The authors are not responsible for any unintended changes to your media automation setup. Use at your own risk.
For questions, help, or bug reports:
- Discord:
#prophetse7en-appson the TRaSH Guides Discord (under Community Apps) - GitHub: prophetse7en/clonarr/issues
Clonarr is developed with active AI assistance (Claude, Anthropic) under human direction. Architectural decisions, code review, testing against real Radarr/Sonarr instances, and releases are done by ProphetSe7en. Issues and PRs go through a human review.
For maintainers working on the modular UI, manifest-driven settings, or Docker-first local testing flow, see Development Notes.
MIT