Lidarr on Ubuntu 24.04 on Azure User Guide
Overview
Lidarr is the open source music collection manager of the arr family (GPL 3.0). It monitors your favourite artists, automatically fetches and organises new releases from your own indexers and download clients, tags and renames tracks, and keeps a tidy library, all through a modern web interface and a full REST API. The cloudimg image installs the self contained Lidarr release, runs it as a systemd service bound to loopback behind an nginx reverse proxy on port 80, protects that interface with HTTP Basic authentication whose password is unique to every VM, keeps all Lidarr state on a dedicated Azure data disk, and regenerates the Basic auth password and the Lidarr API key on the first boot of each VM. Backed by 24/7 cloudimg support.
What is included:
- Lidarr 3.1.0.4875 installed from the official self contained linux core release, running as
lidarr.service - nginx on
:80as an authenticating reverse proxy to the loopback Lidarr backend (127.0.0.1:8686) - HTTP Basic authentication on the web interface, with a per VM password generated on first boot (user
admin) - A fresh per VM Lidarr API key generated on first boot, so no shared secret ships in the image
- A dedicated 30 GiB Azure data disk at
/var/lib/lidarrholding config, the SQLite databases, artwork cache and backups lidarr.service+nginx.serviceas systemd units, enabled and active- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network and 80/tcp. Lidarr serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Lidarr by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name lidarr \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name lidarr --port 80 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active lidarr.service nginx.service
Both report active. Lidarr listens on the loopback interface 127.0.0.1:8686 only, and nginx fronts it on port 80. You can confirm the listeners:
sudo ss -tlnp | grep -E ':80 |:8686 '
Port 8686 is bound to 127.0.0.1 (never exposed on the network); only port 80, protected by Basic authentication, is reachable.

Step 5 - Retrieve your sign in password
The admin Basic auth password is generated uniquely on the first boot of your VM and written to a root only file:
sudo cat /root/lidarr-credentials.txt
This file contains LIDARR_URL, LIDARR_ADMIN_USER (admin) and LIDARR_ADMIN_PASSWORD. Store the password somewhere safe.

Step 6 - Verify the authentication gate (optional)
The web interface is never open. nginx rejects a request with HTTP 401 when no credentials or a wrong password are supplied. Both of these return 401:
curl -s -o /dev/null -w '%{http_code}\n' http://localhost/
curl -s -o /dev/null -w '%{http_code}\n' -u admin:wrong-password http://localhost/
nginx accepts HTTP 200 only with the per VM password. Using the LIDARR_ADMIN_PASSWORD from Step 5 (substitute your own password for <LIDARR_ADMIN_PASSWORD>), this returns 200:
curl -s -o /dev/null -w '%{http_code}\n' -u admin:<LIDARR_ADMIN_PASSWORD> http://localhost/
An unauthenticated health endpoint is proxied at /ping for load balancers and probes:
curl -s http://localhost/ping; echo
It returns {"status":"OK"}.

Step 7 - Sign in to the web interface
Browse to http://<vm-public-ip>/. Your browser prompts for the Basic auth credentials: sign in as user admin with the password from Step 5. You land on the Library view, which on a fresh VM shows the empty state, ready for you to add a root folder and your first artist.

Step 8 - Add artists to your library
Choose Add New from the sidebar (or Add New Artist on the Library view) and search for an artist by name. Lidarr looks the artist up, and once you pick a root folder and quality profile it begins monitoring for releases.

Step 9 - Review media management settings
Open Settings then Media Management to control how Lidarr renames and organises tracks, and to add the root folder where your music library lives.

Step 10 - Check the system status
Open System then Status to see the running version, the bundled .NET runtime, the SQLite database version, disk space and any health messages. On a fresh VM the health panel notes that no indexer or download client is configured yet, which you add under Settings.

Step 11 - Confirm data lives on the dedicated disk
All Lidarr state, configuration, the SQLite databases, artwork cache and backups, is stored on the dedicated Azure data disk so it survives OS changes and can be resized independently:
findmnt -no SOURCE,TARGET,FSTYPE /var/lib/lidarr
The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance
- Sign in password: the Basic auth password is unique per VM in
/root/lidarr-credentials.txt. To change it, runsudo htpasswd -B /etc/nginx/.lidarr-htpasswd adminand reload nginx. - Indexers and download clients: add them under Settings then Indexers and Settings then Download Clients so Lidarr can find and fetch releases.
- Root folders: point Lidarr at the folder where your music library lives under Settings then Media Management.
- Data: configuration, the SQLite databases, artwork and backups all live under
/var/lib/lidarron the dedicated data disk; snapshot it to back Lidarr up. - TLS: Lidarr is served over plain HTTP on port 80; front it with TLS (e.g. certbot) and your own domain before production use.
- Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.