Kubernetes on Proxmox.
Fully automated.

From bare Proxmox to production-ready Kubernetes — fully automated.

coming soon…

proxkube — Main Menu

  ██████╗  ██████╗   ██████╗  ██╗  ██╗ ██╗  ██╗ ██╗   ██╗ ██████╗  ███████╗
  ██╔══██╗ ██╔══██╗ ██╔═══██╗ ╚██╗██╔╝ ██║ ██╔╝ ██║   ██║ ██╔══██╗ ██╔════╝
  ██████╔╝ ██████╔╝ ██║   ██║  ╚███╔╝  █████╔╝  ██║   ██║ ██████╔╝ █████╗  
  ██╔═══╝  ██╔══██╗ ██║   ██║  ██╔██╗  ██╔═██╗  ██║   ██║ ██╔══██╗ ██╔══╝  
  ██║      ██║  ██║ ╚██████╔╝ ██╔╝ ██╗ ██║  ██╗ ╚██████╔╝ ██████╔╝ ███████╗
                                   ╚═╝  ╚═╝

  ██████╗  ██████╗   ██████╗  ██╗  ██╗ ██╗  ██╗ ██╗   ██╗ ██████╗  ███████╗
  ██╔══██╗ ██╔══██╗ ██╔═══██╗ ╚██╗██╔╝ ██║ ██╔╝ ██║   ██║ ██╔══██╗ ██╔════╝
  ██████╔╝ ██████╔╝ ██║   ██║  ╚███╔╝  █████╔╝  ██║   ██║ ██████╔╝ █████╗  
  ██╔═══╝  ██╔══██╗ ██║   ██║  ██╔██╗  ██╔═██╗  ██║   ██║ ██╔══██╗ ██╔══╝  
  ██║      ██║  ██║ ╚██████╔╝ ██╔╝ ██╗ ██║  ██╗ ╚██████╔╝ ██████╔╝ ███████╗
                                   ╚═╝  ╚═╝

⎈ proxkube HomeLab cluster: k8s-hetzner Phase 1/2

████████████░░░░░░░░░░░░░░░░ 43% (6/14) › Install Kubernetes

STEPS

✓🔍Preflight Check

✓📦Template exists

✓🖥Clone VMs

✓▶Start VMs + SSH

✓🔌Wait for SSH

✓⚖Setup load balancer (HAProxy + keepalived)

⟳☸Install Kubernetes packages

○🏗Init Control Plane

○🔗Install CNI Plugin

○🔄Join CPs (HA)

○👷Join Workers

○🏷Node labels + taints

○🔑Fetch kubeconfig

⎈ proxkube HomeLab mode: NodePort

ADDONS

▶1 → traefikwill installInfrastructure

2 → cert-managerwill installInfrastructure

3 → external-dnswill installInfrastructure

4 ● longhornalready installedStorage

5 → monitoringwill installObservability

6 → argocdwill installGitOps & Dev

7 → authentikwill installSecurity

8 ○ vaultskippedSecurity

9 ○ headlampskippedSecurity

10 → giteawill installGitOps & Dev

⎈ proxkube HomeLab cluster: k8s-hetzner Phase 2/2

████████████████████░░░░░░░░ 71% (5/7) › authentik

ADDONS

— Infrastructure

✓traefikdone

✓cert-managerdone

✓external-dnsdone

— GitOps & Dev

✓giteadone

✓argocddone

— Security

⟳authentikinstalling...

○monitoringwaiting

GitOps Status · k8s-hetzner · 16 managed · 0 unmanaged

ADDONSYNCHEALTHREVISIONAGE

▶argocdSyncedHealthya1b2c3d42d

cert-managerSyncedHealthye5f6g7h82d

traefikSyncedHealthyb9c0d1e21d

authentikSyncedHealthyf3g4h5i61d

external-dnsSyncedHealthyj7k8l9m01d

longhornSyncedHealthyn1o2p3q41d

monitoringSyncedHealthyr5s6t7u823h

vaultSyncedHealthyv9w0x1y223h

s sync app S sync all h history e edit values esc back

Addon Manager · k8s-hetzner · 12 installed · 24 available

ADDONSTATUSVERSIONACTION

▶traefikinstalledv32.1.0upgrade available

cert-managerinstalledv1.16.2up to date

argocdinstalledv7.7.14upgrade available

authentikinstalledv2024.12.3up to date

longhorninstalledv1.7.2up to date

vaultinstalledv0.29.1up to date

harbor—v1.16.0install

woodpecker—v2.8.1install

enter install/upgrade d uninstall esc back

Why proxkube

Everything included. Nothing extra.

A single Go binary. No Ansible, no Terraform, no external dependencies.

⚡

Fully Automated

Cloud-Init template, network detection, storage detection — everything is automatically discovered and configured.

🔄

Resumption

If setup aborts, resume continues exactly where it left off. No VM is recreated.

🖥️

Interactive TUI

Full-featured Bubbletea TUI with two-level category navigation, live progress, GitOps status, addon manager and config editor — everything in one terminal window.

🔒

Security Hardened

Secrets encryption at rest, audit logging, nftables firewall with source-IP restrictions, Pod Security Standards and proper kubelet TLS — enabled by default, zero configuration required.

🛡️

Policy Enforcement

Optional Network Policies (default-deny-all + allow-dns/traefik/prometheus) and Kyverno policy engine — block :latest tags, audit resource limits and non-root containers across all namespaces.

🏗️

HA Mode

3 Control Planes with HAProxy and keepalived (Virtual IP). If one CP fails, another takes over automatically.

💾

Backup & Restore

Scheduled etcd + VM snapshots via cron with configurable retention, Velero for Persistent Volumes, and one-shot etcd restore that rolls the cluster back from any snapshot.

🌐

Hetzner Dedicated

Special mode for Proxmox on Hetzner root servers: private NAT network, port forwarding, iptables-persistent.

📊

Monitoring

Prometheus + Grafana, Loki log aggregation and Falco runtime security — one flag to enable each.

🔐

SSO with Authentik

One Authentik login covers everything: kubectl, Vault, Headlamp, Grafana, ArgoCD, Gitea, Woodpecker and Harbor — OIDC apps, role mappings and admin-group bindings configured automatically. Longhorn and Hubble UI are gated by Authentik ForwardAuth via Traefik.

📱

Nautik QR Import

One-tap cluster import into Nautik on iPhone / iPad / Mac. A QR pairing page over your Tailnet rewrites the kubeconfig to a MagicDNS endpoint — reachable from cellular, not just imported.

🛡️

Tailnet-only Admin UIs

Toggle any UI (Grafana, Longhorn, Headlamp, ArgoCD, Vault) between public and tailnet-only — same <addon>.<domain> URL, resolved via Tailscale MagicDNS. Switch live with proxkube addon expose grafana tailnet or pick a preset in the installer.

🗝️

Secret Management

HashiCorp Vault as central secret store — auto-initialized, auto-unsealed, KV v2 enabled. Addon credentials are synced automatically. External Secrets Operator bridges Vault into native Kubernetes Secrets.

🔭

Network Observability

Cilium Hubble UI for real-time network flow visibility — see which pod talks to which, inspect DNS queries, and visualize policy drops across all namespaces. One flag to enable.

⚙️

eBPF Dataplane

Opt into Cilium's kubeProxyReplacement or Calico's eBPF dataplane — kube-proxy is removed, pod-to-service traffic bypasses iptables, latency drops. Off by default; one env flag to enable on kernels ≥ 5.3.

🚦

Gateway API

Kubernetes Gateway API CRDs installed and Traefik configured as gateway controller. Use modern HTTPRoute and Gateway resources alongside classic Ingress — both work simultaneously.

🔑

Encrypted Config

Encrypt your .env config (with passwords & tokens) using age. The encrypted file is transparently decrypted in-memory — plaintext never touches disk during cluster operations.

🐙

GitOps TUI

Integrated GitOps workflow: bootstrap Gitea + ArgoCD app-of-apps, live sync status per addon, one-key sync trigger, rollback to any history entry, and in-TUI values editor — all without leaving the terminal.

🔎

Safe Upgrades

Upgrade preflight scans for removed APIs, node readiness and kubelet version skew before each kubeadm bump. Cert rotation renews kubeadm certs on all control planes with a zero-downtime static-pod bounce and a /healthz wait.

🩺

Cluster Diagnostics

Pre-flight doctor validates Proxmox, template, storage, VMID/IP collisions and DNS before install. Cluster diagram renders a live topology of nodes, namespaces, ingresses and PVCs — straight in the terminal.