Always-On VPN with Custom systemd Scripts
This post documents how I believe you should be securing your indexers; primarily Prowlarr, Sonarr and Radarr, along with the automation services that depend on it behind an always-on VPN using custom systemd scripts.
These services do not download torrents themselves, but they make constant outbound requests to indexers and third-party APIs. I don’t want that traffic coming directly from my home IP.
The goal is simple and strict: if the VPN isn’t up, the indexers should not be running.