saltierpoop
| Field | Value |
|---|---|
| ID | saltierpoop |
| Class | managed_appliance |
| Kind | saltbox |
| Role | media-stack |
| Status | active |
| Primary IP | 192.168.6.243 |
Overview
Saltbox on Proxmox VM 100: ~50 containers via sb install — Plex, arr, Traefik,
Authentik, Prometheus/Grafana/Loki (Saltbox monitoring roles), Gitea, and more.
Homelab Ansible manages the OS layer only
(secrets deploy, Tailscale, node_exporter, coordinated OS patching via
infra-services), not the Saltbox containers.
UFW: disabled on host (Saltbox + Docker); common_manage_firewall: false in
homelab Ansible so pull does not re-enable it. Perimeter is UDM ZBF + Traefik.
VPN download apps (Gluetun)
Container-level Mullvad via Saltbox Gluetun — only apps with
*_docker_network_mode: "container:gluetun" in Saltbox inventory use the VPN.
Plex/Sonarr/etc. do not.
| Config | Path |
|---|---|
| Inventory (Gluetun, JD2 network_mode) | /srv/git/saltbox/inventories/host_vars/localhost.yml — sb edit inventory |
| Global settings (downloads, rclone) | /srv/git/saltbox/settings.yml — homelab SOPS |
| Accounts | /srv/git/saltbox/accounts.yml — homelab SOPS |
| App | Status | Notes |
|---|---|---|
| Gluetun + Mullvad | Deployed | Mullvad WG keys in inventory; sb install gluetun |
| JDownloader2 | Deployed | Gluetun VPN egress; jdownloader2_role_dns_enabled: false (MyJDownloader) |
| qbittorrent (Saltbox) | Deployed | Gluetun VPN egress; qbittorrent_role_dns_enabled: false |
| qbittorrentvpn (binhex/PIA) | Removed | Replaced 2026-06-21 — qbittorrent + Gluetun |
Runbooks: JDownloader2, qBittorrent migration
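
An added example (not part of the original page or of Saltbox): a Python check that the inventory still pins the VPN apps listed above to `container:gluetun` and flags drift in either direction. It assumes the overrides are flat top-level `key: value` lines and that per-app variable names follow the `*_docker_network_mode` / `*_role_dns_enabled` pattern shown on this page; `exampleapp` and the sample inventory are constructed.

```python
import re

# Apps this page lists as using Gluetun VPN egress.
VPN_APPS = ("jdownloader2", "qbittorrent")
GLUETUN_MODE = "container:gluetun"
SUFFIX = "_docker_network_mode"

# Flat top-level "key: value" lines with an optional trailing comment.
_LINE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*?)(?:\s+#.*)?\s*$")

def parse_flat_vars(text):
    """Return {key: value} for top-level scalar lines; nested YAML is ignored."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(2):
            out[m.group(1)] = m.group(2).strip("\"'")
    return out

def audit_vpn_egress(inventory_text, vpn_apps=VPN_APPS):
    """Return a list of findings; an empty list means no drift was found."""
    v = parse_flat_vars(inventory_text)
    findings = []
    for app in vpn_apps:
        mode = v.get(app + SUFFIX)  # a missing key is reported as None
        if mode != GLUETUN_MODE:
            findings.append(f"{app}: network_mode is {mode!r}, expected {GLUETUN_MODE!r}")
        if v.get(f"{app}_role_dns_enabled", "").lower() != "false":
            findings.append(f"{app}: role_dns_enabled is not false")
    # An app routed through Gluetun that is not on the expected list is drift too.
    for key, val in v.items():
        if key.endswith(SUFFIX) and val == GLUETUN_MODE:
            app = key[: -len(SUFFIX)]
            if app not in vpn_apps:
                findings.append(f"{app}: routed via gluetun but not in the expected list")
    return findings

# Constructed sample, not the real localhost.yml.
SAMPLE = """\
jdownloader2_docker_network_mode: "container:gluetun"
jdownloader2_role_dns_enabled: false
qbittorrent_docker_network_mode: "bridge"   # constructed drift
qbittorrent_role_dns_enabled: false
exampleapp_docker_network_mode: "container:gluetun"
"""

if __name__ == "__main__":
    for finding in audit_vpn_egress(SAMPLE):
        print(finding)
```
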
Configuration
- Saltbox git: /srv/git/saltbox/
- Inventory overrides: /srv/git/saltbox/inventories/host_vars/localhost.yml
- SOPS secrets (homelab): secrets/appliances/saltierpoop/*.sops.yaml → /srv/git/saltbox/accounts.yml and settings.yml only
Runbooks
- Coordinated OS patching — wave 0 target
- JDownloader2 + Mullvad (Gluetun)
- SSH keys and infra-services (pattern for agent access)