Seedbox – Setup
Two qBittorrent instances on LXC 110 (dlbox), each forced through its own ProtonVPN WireGuard tunnel via Gluetun's
network_mode. Downloads stored on a dedicated 2TB Crucial MX500 SSD.
Infrastructure
| Instance | LXC | Internal | URL |
|---|---|---|---|
| Seedbox | 110 (dlbox) | 192.168.1.110:8080 | https://seedbox.eva-00.network |
| Normal | 110 (dlbox) | 192.168.1.110:8081 | https://normal.eva-00.network |
Architecture
LXC 110 runs four Docker containers:
- gluetun — ProtonVPN WireGuard tunnel (seedbox traffic)
- gluetun-normal — ProtonVPN WireGuard tunnel (normal traffic)
- seedbox (qBittorrent) —
network_mode: "service:gluetun"forces all traffic through VPN - normal (qBittorrent) —
network_mode: "service:gluetun-normal"forces all traffic through VPN
No proxy configuration needed — network_mode ensures zero possibility of traffic leaking outside the VPN tunnel.
Port forwarding is handled automatically via VPN_PORT_FORWARDING=on in Gluetun, which updates qBittorrent's listening port via VPN_PORT_FORWARDING_UP_COMMAND.
Observability
Logs
qBittorrent logs are collected via Grafana Alloy Docker discovery and shipped to Loki.
| Query | Purpose |
|---|---|
{container="qbittorrent"} |
Seedbox container output |
{container="qbittorrent-normal"} |
Normal container output |
{container=~"qbittorrent.*"} \|= "error" |
Errors across both instances |
Access: Grafana → Explore → Loki → Enter query
IaC
| Artifact | Path |
|---|---|
| Playbook | ansible/playbooks/gluetun.yml |
| Workflow | .forgejo/workflows/gluetun.yml |
| Compose | services/gluetun/docker-compose.yml |
Storage
| Detail | Value |
|---|---|
| Disk | Crucial MX500 2TB (sdb) |
| Disk ID | ata-CT2000MX500SSD1_2138E5D50162-part1 |
| Proxmox mount | /mnt/seedbox |
| LXC bind mount | /data |
| Seedbox downloads | /data/seedbox |
| Normal downloads | /data/normal |
The 2TB disk is mounted on the Proxmox host at /mnt/seedbox and bind-mounted into LXC 110 at /data.
Authentication
Both WebUIs are protected by PocketID SSO via oauth2-proxy (running on LXC 119). qBittorrent's own auth is disabled — access is controlled entirely by oauth2-proxy.
| Proxy | Port | Upstream |
|---|---|---|
| oauth2-proxy-seedbox | 8584 | 192.168.1.110:8080 |
| oauth2-proxy-normal | 8585 | 192.168.1.110:8081 |
Samba Share
The /data directory is shared over SMB for LAN access.
Connect from macOS Finder:
- Finder → Go → Connect to Server (
⌘K) - Enter
smb://192.168.1.110 - Connect as Guest
- Select the seedbox share
The share is guest-accessible (LAN only) and maps directly to /data (the 2TB disk).