Storage Azure

NZBGet on Ubuntu 24.04 on Azure User Guide

| Product: NZBGet on Ubuntu 24.04 LTS on Azure

Overview

NZBGet is a free, open source binary downloader for Usenet, written in C++ for efficiency so it downloads and processes NZB files quickly while using very little memory and CPU. This cloudimg image runs the NZBGet daemon and exposes its full functionality through a browser based Web UI: add NZB files by upload or URL, organise downloads into categories, control speed and scheduling, watch download and post processing progress in real time, and let NZBGet verify, repair and unpack completed downloads automatically. The daemon runs as a dedicated unprivileged nzbget system user under a hardened systemd unit, with the Web UI and JSON-RPC bound to the loopback address 127.0.0.1:6789 behind an nginx reverse proxy on port 80. NZBGet connects out to your own Usenet provider over NNTP/NNTPS, so there is no inbound download port to open. The download queue and the completed downloads library live on a dedicated Azure data disk mounted at /var/lib/nzbget, and a unique control password is generated on the first boot of every VM so no shared credential ships in the image. Backed by 24/7 cloudimg support.

What is included:

  • NZBGet 21.0 managed by systemd, serving a full Web UI and JSON-RPC
  • nginx on port 80 fronting the Web UI, which is bound to the loopback address 127.0.0.1:6789
  • Authentication required for every request, so the Web UI is never open
  • The well known default NZBGet password is never shipped in the image
  • A unique control password generated on first boot and recorded in a root only file
  • A dedicated Azure data disk at /var/lib/nzbget holding the queue and completed downloads
  • nzbget.service and nginx.service as systemd units, enabled and active
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a comfortable starting point. NSG inbound rules: allow 22/tcp from your management network for SSH and 80/tcp for the Web UI. NZBGet reaches your Usenet provider over an outbound connection, so no inbound download port is required. NZBGet serves the Web UI over plain HTTP on port 80; for production, terminate TLS in front of it with your own domain (see Maintenance). You will also need an account with a Usenet provider (an NNTP news server and login) to download anything.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for NZBGet by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name nzbget \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name nzbget --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active nzbget.service nginx.service

Both report active. NZBGet serves the Web UI and JSON-RPC on the loopback address 127.0.0.1:6789, and nginx fronts it on port 80. The queue and completed downloads live on the dedicated Azure data disk mounted at /var/lib/nzbget.

nzbget.service and nginx.service reporting active, with the Web UI listening on 127.0.0.1:6789 and nginx on port 80

Step 5 - Retrieve your control login

The NZBGet Web UI control password is generated uniquely on the first boot of your VM and written to a root only file:

sudo cat /root/nzbget-credentials.txt

This file contains NZBGET_USERNAME, NZBGET_PASSWORD and the URL to open. The username is nzbget. Store them somewhere safe.

The NZBGet version and the per VM credentials file with the generated control username, password and URL

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/healthz

It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

Step 7 - Verify authentication from the command line

The Web UI and JSON-RPC require authentication for every request, so an unauthenticated call is rejected. Confirm this, then call the API with the per VM control password and read the version back:

# Secure by default: an unauthenticated JSON-RPC request is rejected
curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:6789/jsonrpc/version

# Call the API with the per-VM control password (read from the root-only file)
PW=$(sudo grep '^NZBGET_PASSWORD=' /root/nzbget-credentials.txt | cut -d= -f2-)
curl -s -u "nzbget:$PW" http://127.0.0.1:6789/jsonrpc/version; echo

The unauthenticated request returns 401. The authenticated request returns a JSON response whose result field is the NZBGet version (for example 21.0).

An unauthenticated JSON-RPC request rejected with HTTP 401, then the per VM control password reading the NZBGet version through the authenticated API

Step 8 - Sign in to the Web UI

Browse to http://<vm-public-ip>/. NZBGet shows a sign in page; enter the username nzbget and the password from Step 5.

The NZBGet Web UI sign in page in the browser

Once signed in, the Downloads tab is the main view. A menu across the top switches between Downloads, History and Messages, the toolbar adds NZBs and controls the queue, and the status bar reports the current speed, remaining size and free disk space.

The NZBGet Web UI Downloads view with the top menu, the add and queue controls and the status bar

Step 9 - Add your Usenet provider

Before NZBGet can download anything, point it at your own Usenet provider. Open Settings -> News-Servers, fill in your provider's host, port (usually 563 for SSL), username and password, enable Encryption for an NNTPS connection, then Save all changes and reload. NZBGet will use this server to fetch the articles referenced by every NZB you add.

The NZBGet Settings News-Servers page with the host, port, username, password and encryption fields for a Usenet provider

Step 10 - Add an NZB

Use the Add button on the Downloads tab to upload an NZB file or paste an NZB URL. You can choose a category and a priority before adding. NZBGet downloads the articles, then automatically verifies, repairs (par2) and unpacks the result. Completed downloads are saved to /var/lib/nzbget/completed on the dedicated data disk by default.

The NZBGet Add NZB dialog with the file upload and URL fields, category and priority options

Step 11 - Confirm downloads live on the dedicated disk

The NZBGet queue, intermediate files and completed downloads are stored under /var/lib/nzbget on the dedicated Azure data disk, so they survive OS changes and can be resized independently:

findmnt /var/lib/nzbget

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Control login: the per VM credentials live in /root/nzbget-credentials.txt. To change the password, open Settings -> Security in the Web UI, set a new ControlPassword, then save and reload.
  • Usenet provider: configure your news server under Settings -> News-Servers; NZBGet supports multiple servers with priority levels for redundancy.
  • Storage: all runtime state lives under /var/lib/nzbget on the data disk; back up that volume to protect your configuration and downloads.
  • Service: the unit is nzbget.service; after any change run sudo systemctl restart nzbget.
  • TLS: the Web UI is served over plain HTTP on port 80; front it with TLS (for example certbot with your own domain) before production use.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.