qBit Tracker Safety — Daily Operation

Daily Operation

Adding a New Private Tracker

This is the main day-to-day workflow and it's zero-config on the script side:

1. Add the indexer in Prowlarr as normal (privacy = private)
2. Next time the script runs (AutoRun hook on new torrents, or 4 AM cron), the blocklist auto-syncs from Prowlarr's API

No file edits, no restarts. Existing torrents from that tracker get correctly reclassified (and any leaked public trackers get stripped) on the next full sweep.

Want immediate reclassification

Run the sweep manually: /srv/storage/docker/scripts/system/trackerslist-inject.py. Completes in ~10 seconds for ~100 torrents.

Handling Manual Overrides

Edit $DOCKERDIR/scripts/system/trackerslist-private-hosts.txt:

# Add this host to the blocklist (plain line)
tleechreload.org

# Remove from blocklist (leading dash)
-bitmagnet

When to add vs. remove:

• Add when a private tracker's announce host differs from its indexer URL (most common for trackers using CDN hostnames or passkey-prefixed domains)
• Remove when Prowlarr's metadata is wrong for your use case (Bitmagnet is the canonical example — it's a local torznab that serves public DHT)

Verifying Classification

In the qBittorrent WebUI: click the Tags section in the sidebar → filter by private or public. Every torrent should be tagged one way or the other. Untagged torrents indicate the hook didn't fire or the sweep hasn't run yet.

Full dry-run with reasoning:

/srv/storage/docker/scripts/system/trackerslist-inject.py --dry-run

Each sample line is prefixed with [bep27] or [hostname] showing which gate classified it.

Every unique tracker host in your library:

/srv/storage/docker/scripts/system/trackerslist-inject.py --dry-run --list-hosts

Hosts matched by the private blocklist are marked <PRIVATE>. This is the best tool for curating manual overrides — if you see a private tracker's announce host with 20 torrents attached and no <PRIVATE> marker, add it to the overrides file.

Watching the hook live:

docker exec qbittorrent tail -f /config/trackerslist-hook.log

Or on the host:

tail -f /srv/storage/docker/appdata/qbittorrent/qBittorrent/../trackerslist-hook.log

Troubleshooting

A newly added torrent has no tags.

The hook didn't fire. Check:

1. docker exec qbittorrent tail /config/trackerslist-hook.log — is there a recent entry?
2. Both AutoRun preferences are enabled (on-added AND on-finished). The UI labels are independent toggles.
3. Container volume mounts are present: docker exec qbittorrent ls -la /custom-scripts/ /run/custom-scripts.env
4. Manually trigger for that hash: docker exec qbittorrent /custom-scripts/trackerslist-inject-hook.sh "<full-hash>" — any errors go to the log

A private torrent is tagged public.

Rare with BEP 27 as the primary gate, but possible for amateur trackers that don't set the flag:

1. Run --dry-run --list-hosts and find the torrent's announce host
2. If the host is a recognizable private tracker, add it to the overrides file
3. Re-run the script — the torrent will reclassify and any injected public trackers will be stripped automatically

A public torrent is tagged private.

Usually a Prowlarr false-positive. Example: Bitmagnet is flagged private in Prowlarr but serves public DHT content. Add an exclusion line to the overrides file:

-bitmagnet

Script exits with [fatal] blocklist build failed.

Prowlarr is unreachable. Expected behavior — the script refuses to run rather than proceed with a stale blocklist. Fix Prowlarr connectivity; next scheduled run will pick up automatically.

Classification is right but no trackers get injected.

Check that the trackerslist URL is reachable from inside the container:

docker exec qbittorrent curl -sI https://raw.githubusercontent.com/ngosang/trackerslist/master/trackers_best.txt

If blocked, the container network is restricted (possible with gluetun-routed qBit configurations). The script will print [warn] could not fetch trackerslist and skip injection cleanly.

What to Audit Periodically

Every month or so:

• Run --list-hosts and spot-check unknown announce hosts — any private tracker announce URLs that aren't getting caught?
• Verify all your Prowlarr private indexers are flagged privacy=private in Prowlarr's API
• Check the classification split matches expectations (a major drift suggests a misconfigured indexer)

Healthy steady state (real example)

[info] blocklist: 13 private hosts (Prowlarr-synced + overrides)
[info] 98 torrents to process
[result] private: 70 (bep27=70 hostname=0)   public: 28
[done] injected into 28/28 public torrents

All 70 private torrents classified by BEP 27 — the hostname gate caught zero, meaning it's serving as pure safety net. That's the expected pattern for a mature setup.

TL;DR

Adding a private tracker in Prowlarr is zero-config — the blocklist auto-syncs. Use --dry-run --list-hosts to audit unknown hosts. Hook not firing? Check that BOTH AutoRun preferences are enabled. Misclassification? Edit the overrides file (add plain hostname, or prefix with - to exclude).

---

Previous: ← Setup