Applications Azure

Bazarr on Ubuntu 24.04 on Azure User Guide

| Product: Bazarr on Ubuntu 24.04 LTS on Azure

Overview

This guide covers the deployment and configuration of Bazarr on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Bazarr is an open source companion to Sonarr and Radarr that manages subtitles for the TV series and movies in your library. It watches for the subtitle languages you want, works out which are missing or could be upgraded, searches your configured subtitle providers, downloads the best matches, and files them alongside the media automatically.

The image installs the official Bazarr 1.6.0 release (recorded in /opt/bazarr/VERSION) into a dedicated Python virtual environment and runs it under systemd as the unprivileged bazarr system user, listening on port 6767. All application state lives under /var/lib/bazarr, with the configuration at /var/lib/bazarr/config/config.yaml and the database at /var/lib/bazarr/db/bazarr.db.

Secure by default. A stock Bazarr starts with authentication switched off, which would leave an unprotected deployment open to anyone who can reach it, including full access to its API key. This image does not ship in that state. Forms authentication is enforced, and a unique administrator password and API key are generated on each virtual machine's first boot. The server stores only a one way digest of the password in its configuration, never the plain text; the plain credentials are placed in a root only file for the administrator to read. The service will not even start until that secured configuration is in place, so there is no window in which a fresh instance serves without a login. Nothing usable is baked into the image, so no two deployments share a credential.

What is included:

  • Bazarr 1.6.0 installed from the official release archive, verified against the checksum published by the project before it is unpacked

  • Run inside a dedicated Python virtual environment under systemd as the unprivileged bazarr system user with a hardened service sandbox (NoNewPrivileges, PrivateTmp, ProtectSystem=full, ProtectHome)

  • Forms authentication enforced with a unique admin password and a unique 32 character API key generated per VM on first boot

  • All state under /var/lib/bazarr, so backup and migration are a single directory

  • An unauthenticated /api/system/ping health endpoint for load balancer probes, so monitoring needs no credential even though the interface and API do

  • Automatic self updates turned off, so a running instance never silently drifts from the published image

  • A built in self test at /usr/local/bin/bazarr-selftest that proves the credential path end to end

  • Ubuntu 24.04 LTS base with the latest security patches applied at build time

  • Azure Linux Agent for seamless cloud integration and SSH key injection

  • 24/7 cloudimg support with a guaranteed 24 hour response SLA

Prerequisites

  • An Azure subscription with permission to deploy virtual machines

  • An SSH key pair for administrative access to the VM as the azureuser account

  • A Network Security Group allowing inbound TCP 6767 from the networks that should reach the service, and 22 (SSH) from your management network only

  • A recommended size of Standard_B2s or larger

Step 1: Deploy from the Azure Portal

  1. Locate the Bazarr on Ubuntu 24.04 LTS image in the Azure Marketplace and select Create.

  2. Choose your subscription, resource group and region.

  3. Select a VM size (Standard_B2s or larger) and provide your SSH public key for the azureuser account.

  4. On the Networking tab, allow inbound 6767 from your users, and restrict 22 to your management network.

  5. Review and create. When the VM is running, browse to http://<your-public-ip>:6767/.

Step 2: Deploy from the Azure CLI

Deploy the image from the command line, restricting SSH to your management network. Replace the placeholder values with your own before running:

az vm create \
  --resource-group my-resource-group \
  --name bazarr \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --public-ip-sku Standard

# Allow the web UI from your users and SSH from your management network only
az vm open-port --resource-group my-resource-group --name bazarr --port 6767 --priority 1001
az network nsg rule create --resource-group my-resource-group --nsg-name bazarrNSG \
  --name allow-ssh --priority 1002 --destination-port-ranges 22 \
  --source-address-prefixes <your-mgmt-cidr> --access Allow --protocol Tcp

When the VM is running, browse to http://<public-ip>:6767/.

Step 3: Retrieve your per instance credentials

Each VM generates its own admin password and API key on first boot, written to a root only file. Read it over SSH:

ssh azureuser@<vm-ip> 'sudo cat /root/bazarr-credentials.txt'

The file contains BAZARR_URL, BAZARR_ADMIN_USER, BAZARR_ADMIN_PASSWORD and BAZARR_API_KEY for this specific VM. Keep it secret. The server only ever stores a one way digest of the password in its configuration, never the plain text.

Step 4: Sign in to Bazarr

Browse to http://<vm-ip>:6767/. Because authentication is enforced, Bazarr presents its sign in page. Enter the username and password from Step 3.

The Bazarr sign in page showing the Bazarr logo above a username field filled with admin, a masked password field with a reveal toggle, and a purple LOGIN button

Step 5: The Series view

After signing in you land in the Bazarr interface. The Series view lists the TV series that Bazarr manages subtitles for, with columns for the series name, its assigned languages profile, and its episodes. A freshly deployed VM starts empty, as shown below, because Bazarr has no media to manage until you connect it to a Sonarr instance under Settings.

The Bazarr Series view showing a table with Name, Languages Profile and Episodes columns, reporting No items found and Show 0 to 0 of 0 entries, with the left navigation offering Settings and System

Step 6: Configure Bazarr

Open Settings to configure Bazarr. The General page sets the host address, port, base URL and instance name; the Languages page defines the subtitle languages and profiles you want; Providers selects the subtitle sources; and Sonarr and Radarr connect Bazarr to your media managers so it can see your library.

The Bazarr Settings General page showing Host configuration with Address set to an asterisk for all interfaces, Port 6767, an empty Base URL, the Instance Name Bazarr, and the left navigation listing General, Languages, Providers, Subtitles, Sonarr, Radarr, Plex, Jellyfin, Notifications, Scheduler and UI

To start fetching subtitles, add at least one languages profile under Settings, Languages, enable one or more providers under Settings, Providers, and connect your Sonarr or Radarr instance under the matching settings page. Bazarr then watches your library and downloads the subtitle languages you asked for.

Step 7: Check the system status

The System, Status page reports the running Bazarr version and the environment it runs in. This is a quick way to confirm the deployment is healthy and matches the published image.

The Bazarr System Status page reporting a Health note to create a languages profile, and an About section showing Bazarr Version 1.6.0, Operating System Linux 6.17.0-1020-azure, Python Version 3.12.3, Database Engine Sqlite 3.45.1, Bazarr Directory /opt/bazarr, Bazarr Config Directory /var/lib/bazarr and the uptime and time zone

Step 8: Verify the deployment

SSH to the VM as azureuser and confirm the service is running and listening on port 6767:

systemctl is-active bazarr bazarr-firstboot
sudo ss -tlnp | grep 6767
cat /opt/bazarr/VERSION

The service reports active, Bazarr is listening on 6767, and the baked version matches the running build.

systemctl reporting bazarr and bazarr-firstboot as active, ss showing the python process listening on port 6767, and the VERSION file reporting 1.6.0

Run the built in self test. It reads this VM's credentials and proves the whole authentication path: an unauthenticated API call is refused, a wrong API key is refused, the per VM API key returns real system status, a wrong password is rejected, and the correct password opens an authenticated session:

sudo /usr/local/bin/bazarr-selftest
curl -s http://127.0.0.1:6767/api/system/ping

The bazarr-selftest output reporting OK, and the unauthenticated ping endpoint returning a JSON document with status OK

Step 9: Confirm authentication is enforced

Bazarr's REST API requires the per VM API key. Confirm that an unauthenticated call is refused and an authenticated one succeeds:

curl -s -o /dev/null -w 'no key -> HTTP %{http_code}\n' http://127.0.0.1:6767/api/system/status
KEY=$(sudo grep '^BAZARR_API_KEY=' /root/bazarr-credentials.txt | cut -d= -f2-)
curl -s -H "X-API-KEY: $KEY" http://127.0.0.1:6767/api/system/status | jq '.data|{bazarr_version,python_version,operating_system}'

The unauthenticated request returns 401. The authenticated request returns the system status, confirming the gate is active.

curl showing an unauthenticated request to the system status API returning HTTP 401, and an authenticated request with the per VM API key returning bazarr_version 1.6.0, python_version 3.12.3 and the operating system string

The /api/system/ping endpoint is deliberately unauthenticated so a load balancer or monitoring probe can check health without holding a credential.

Step 10: Per instance credentials and settings at rest

The credentials file is readable only by root, and the authentication settings are recorded in Bazarr's configuration. The secret values are masked in the screenshot below; read the real ones as shown in Step 3:

sudo ls -l /root/bazarr-credentials.txt
sudo sed -n '/^auth:/,/^[a-z]/p' /var/lib/bazarr/config/config.yaml

The file is mode 600 and owned by root, and the auth section reports type: form with the admin username. Note that no plain password is stored: it exists only as a one way digest in the configuration.

ls showing bazarr-credentials.txt as mode 600 owned by root, the credentials file with the password and API key redacted, and the config auth section reporting type form, the admin username, and a redacted apikey and password digest

Step 11: Where your data lives

All Bazarr state is under a single directory, which makes backup and migration straightforward:

sudo ls -l /var/lib/bazarr/

config/config.yaml holds the settings, the API key and the password digest, db/bazarr.db holds your series, movies, history and subtitle records, and log holds the application logs. Back up /var/lib/bazarr to preserve everything.

Security notes

  • No default login. Forms authentication is enforced and a unique administrator password and API key are generated on each VM's first boot. Only a one way digest is stored in the configuration; the plain values live in the root only /root/bazarr-credentials.txt.

  • Protect the API key. The key grants full API access. Treat it exactly as you would the password, and rotate it from Settings if it is ever exposed.

  • Restrict access. Bazarr serves plain HTTP on 6767. Allow that port only from the networks that need it, and keep 22 restricted to your management network. For internet facing use, put a TLS terminating reverse proxy or an Azure Application Gateway in front so credentials are never sent in clear text.

  • Rotate the password from Settings, General, Security at any time; the new value is stored as a fresh one way digest.

  • Providers, Sonarr and Radarr are yours to configure. The image ships none connected, so a new deployment cannot reach out anywhere until you deliberately add them. Make sure your use of any subtitle provider complies with its terms and with the law in your jurisdiction.

Support

This image is backed by 24/7 cloudimg support with a guaranteed 24 hour response SLA. Contact support@cloudimg.co.uk for assistance. Bazarr is open source software distributed under the GNU General Public License version 3 and is free; the cloudimg charge covers packaging, hardening, security patching, image maintenance and support.