
Kubernetes on Proxmox.
Fully automated.

From bare Proxmox to production-ready Kubernetes — fully automated.

coming soon...
proxkube — Main Menu
  ██████╗  ██████╗   ██████╗  ██╗  ██╗ ██╗  ██╗ ██╗   ██╗ ██████╗  ███████╗
  ██╔══██╗ ██╔══██╗ ██╔═══██╗ ╚██╗██╔╝ ██║ ██╔╝ ██║   ██║ ██╔══██╗ ██╔════╝
  ██████╔╝ ██████╔╝ ██║   ██║  ╚███╔╝  █████╔╝  ██║   ██║ ██████╔╝ █████╗  
  ██╔═══╝  ██╔══██╗ ██║   ██║  ██╔██╗  ██╔═██╗  ██║   ██║ ██╔══██╗ ██╔══╝  
  ██║      ██║  ██║ ╚██████╔╝ ██╔╝ ██╗ ██║  ██╗ ╚██████╔╝ ██████╔╝ ███████╗
                                   ╚═╝  ╚═╝                                  
⎈  proxkube HomeLab  cluster: k8s-hetzner  Phase 1/2
████████████░░░░░░░░░░░░░░░░ 43% (6/14)  › Install Kubernetes
STEPS
🔍 Preflight Check
📦 Template exists
🖥 Clone VMs
Start VMs + SSH
🔌 Wait for SSH
Setup load balancer (HAProxy + keepalived)
Install Kubernetes packages
🏗 Init Control Plane
🔗 Install CNI Plugin
🔄 Join CPs (HA)
👷 Join Workers
🏷 Node labels + taints
🔑 Fetch kubeconfig
⎈  proxkube HomeLab  mode: NodePort
ADDONS
 1  →  traefik         will install        Infrastructure
 2  →  cert-manager    will install        Infrastructure
 3  →  external-dns    will install        Infrastructure
 4  ●  longhorn        already installed   Storage
 5  →  monitoring      will install        Observability
 6  →  argocd          will install        GitOps & Dev
 7  →  authentik       will install        Security
 8  ○  vault           skipped             Security
 9  ○  headlamp        skipped             Security
10  →  gitea           will install        GitOps & Dev
⎈  proxkube HomeLab  cluster: k8s-hetzner  Phase 2/2
████████████████████░░░░░░░░ 71% (5/7)  › authentik
ADDONS
— Infrastructure
traefik        done
cert-manager   done
external-dns   done
— GitOps & Dev
gitea          done
argocd         done
— Security
authentik      installing...
monitoring     waiting
GitOps Status  ·  k8s-hetzner  ·  16 managed  ·  0 unmanaged
ADDON          SYNC     HEALTH    REVISION   AGE
argocd         Synced   Healthy   a1b2c3d4   2d
cert-manager   Synced   Healthy   e5f6g7h8   2d
traefik        Synced   Healthy   b9c0d1e2   1d
authentik      Synced   Healthy   f3g4h5i6   1d
external-dns   Synced   Healthy   j7k8l9m0   1d
longhorn       Synced   Healthy   n1o2p3q4   1d
monitoring     Synced   Healthy   r5s6t7u8   23h
vault          Synced   Healthy   v9w0x1y2   23h
s  sync app    S  sync all    h  history    e  edit values    esc  back
Addon Manager  ·  k8s-hetzner  ·  12 installed  ·  28 available
ADDON          STATUS      VERSION      ACTION
traefik        installed   v32.1.0      upgrade available
cert-manager   installed   v1.16.2      up to date
argocd         installed   v7.7.14      upgrade available
authentik      installed   v2024.12.3   up to date
longhorn       installed   v1.7.2       up to date
vault          installed   v0.29.1      up to date
harbor                     v1.16.0      install
woodpecker                 v2.8.1       install
enter  install/upgrade    d  uninstall    esc  back

Why proxkube

Everything included. Nothing extra.

A single Go binary. No Ansible, no Terraform, no external dependencies.

Fully Automated

Cloud-Init template, network detection, storage detection — everything is automatically discovered and configured.

🔄

Resumption

If setup aborts, resume continues exactly where it left off. No VM is recreated.

🖥️

Interactive TUI

Full-featured Bubbletea TUI with two-level category navigation, live progress, GitOps status, addon manager and config editor — everything in one terminal window.

🔒

Security Hardened

Secrets encryption at rest, audit logging, nftables firewall with source-IP restrictions, Pod Security Standards and proper kubelet TLS — enabled by default, zero configuration required.
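What the Pod Security Standards part of this means in practice, as an added example (these are not proxkube's own manifests; the namespace, image and volume names are assumptions): a namespace that enforces the `restricted` profile, and the minimum pod spec that profile admits.

```yaml
# Added example, not proxkube's shipped manifests. Namespace, image and
# volume names are assumptions; the securityContext fields are what the
# "restricted" Pod Security Standard requires.
---
# Namespace-level PSS labels: "enforce" rejects non-compliant pods, while
# "warn" and "audit" only report violations (useful during a migration).
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Minimal pod the restricted profile admits. Remove any of the settings
# marked REQUIRED and the admission controller rejects the pod.
apiVersion: v1
kind: Pod
metadata:
  name: hardened
  namespace: myapp
spec:
  securityContext:
    runAsNonRoot: true              # REQUIRED (pod level or per container)
    seccompProfile:
      type: RuntimeDefault          # REQUIRED: RuntimeDefault or Localhost
  containers:
    - name: app
      image: registry.example.com/myapp:1.4.2   # assumed image
      securityContext:
        allowPrivilegeEscalation: false          # REQUIRED
        capabilities:
          drop: ["ALL"]                          # REQUIRED; only NET_BIND_SERVICE may be added back
        readOnlyRootFilesystem: true             # not required by PSS, cheap extra hardening
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp                                  # emptyDir is allowed under restricted
      emptyDir: {}
```

Before switching an existing namespace to `enforce`, preview what would be rejected with `kubectl label --dry-run=server --overwrite ns myapp pod-security.kubernetes.io/enforce=restricted`; the warnings it prints name the pods that would fail admission.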

🛡️

Policy Enforcement

Optional Network Policies (default-deny-all + allow-dns/traefik/prometheus) and Kyverno policy engine — block :latest tags, audit resource limits and non-root containers across all namespaces.
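An added example of what such a policy set looks like as manifests (not the policies proxkube ships; the `myapp` namespace, the `app: myapp` label, the container port and the `traefik` namespace name are assumptions): default-deny in both directions, DNS egress limited to CoreDNS, ingress from the Traefik namespace only, and a Kyverno ClusterPolicy that rejects untagged and `:latest` images.

```yaml
# Added example, not proxkube's shipped policies. Namespace "myapp", the
# "traefik" namespace name, the pod labels and port are assumptions.
---
# 1. Default-deny: an empty podSelector with both policyTypes strips all
#    ingress and egress from every pod in the namespace until allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: myapp
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. DNS egress to CoreDNS only. namespaceSelector and podSelector inside
#    one "to" entry are ANDed, so this is not "port 53 anywhere".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: myapp
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. Ingress to the app pods from the Traefik namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik
  namespace: myapp
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
      ports:
        - protocol: TCP
          port: 8080
---
# 4. Kyverno: reject pods whose images have no tag or use ":latest".
#    "Enforce" blocks admission; "Audit" only records a PolicyReport.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Using a mutable image tag such as 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```

Two caveats. NetworkPolicy objects are only enforced by a CNI that implements them (Cilium and Calico do; plain flannel silently ignores them), so verify after applying by attempting a connection from a pod in the namespace rather than trusting the object's presence. And the `*:*` tag check is a plain string match that a registry port (`registry:5000/app`) also satisfies; pair it with an allowed-registries rule if that matters. Roll the Kyverno policy out as `Audit` first and read `kubectl get policyreport -A` before switching to `Enforce`, because enforcement also blocks pods created by existing Deployments.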

🏗️

HA Mode

3 control planes with HAProxy and keepalived (virtual IP). If one control plane fails, the virtual IP moves to another node automatically and the remaining two members keep etcd quorum.

💾

Backup & Restore

etcd backup with auto-rotation, VM snapshots, Velero for Persistent Volumes. Fully automated restore included.

🌐

Hetzner Dedicated

Special mode for Proxmox on Hetzner root servers: private NAT network, port forwarding, iptables-persistent.

📊

Monitoring

Prometheus + Grafana, Loki log aggregation and Falco runtime security — one flag to enable each.

🔐

SSO with Authentik

Protect internal UIs (Traefik, Longhorn) with OAuth2 via Authentik — fully automated, no manual IdP setup.

📱

Nautik iOS & macOS

Native Kubernetes app for iPhone and Mac. Connect via kubeconfig — Prometheus metrics, node stats and workload management on the go.

🗝️

Secret Management

HashiCorp Vault as central secret store — auto-initialized, auto-unsealed, KV v2 enabled. Addon credentials are synced automatically. External Secrets Operator bridges Vault into native Kubernetes Secrets.
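An added example of the Vault-to-Secret bridge described here (not proxkube's own sync configuration; the Vault address, KV mount, auth role, secret path and target namespace are assumptions): a ClusterSecretStore that authenticates to Vault with a Kubernetes ServiceAccount token, and an ExternalSecret that materialises one Vault key as a native Secret.

```yaml
# Added example, not proxkube's own sync configuration. The Vault address,
# the KV mount "secret", the auth role "external-secrets", the secret path
# and the target namespace are assumptions.
---
# Cluster-wide store: ESO logs in to Vault with its own ServiceAccount token
# (Vault Kubernetes auth), so no long-lived Vault token sits in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: "http://vault.vault.svc:8200"   # assumed; use https + caProvider outside a lab
      path: "secret"                           # KV mount name
      version: "v2"                            # KV v2, as the Vault addon enables
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# Namespaced request: copy the "password" field of secret/gitea/admin into
# a native Secret the Gitea pod can mount, re-read from Vault every hour.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin
  namespace: gitea
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    name: gitea-admin
    creationPolicy: Owner       # the Secret is removed with the ExternalSecret
  data:
    - secretKey: password
      remoteRef:
        key: gitea/admin        # path below the "secret" mount
        property: password
```

On the Vault side, the `external-secrets` role must be bound to a policy that grants `read` on `secret/data/gitea/*` (KV v2 inserts `data/` into the API path) and nothing wider; a store that can read every mount turns any ExternalSecret author into a Vault reader. The `v1beta1` API version is the one most operator releases serve; check `kubectl api-resources | grep external-secrets` for yours.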

🔭

Network Observability

Cilium Hubble UI for real-time network flow visibility — see which pod talks to which, inspect DNS queries, and visualize policy drops across all namespaces. One flag to enable.

🚦

Gateway API

Kubernetes Gateway API CRDs installed and Traefik configured as gateway controller. Use modern HTTPRoute and Gateway resources alongside classic Ingress — both work simultaneously.
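An added example of the two models side by side (not proxkube's own manifests; the GatewayClass name `traefik`, the namespaces, hostnames, issuer and Secret names are assumptions): a shared Gateway that terminates TLS for a wildcard, an HTTPRoute in an application namespace attached to it, and a classic Ingress for a second application served by the same Traefik.

```yaml
# Added example, not proxkube's own manifests. The GatewayClass "traefik",
# namespaces, hostnames, the cert-manager issuer and Secret names are assumptions.
---
# Shared Gateway in the ingress namespace, terminating TLS for one wildcard.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: traefik
spec:
  gatewayClassName: traefik
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.lab.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-lab-example-com-tls   # e.g. issued by cert-manager
      allowedRoutes:
        # Not "from: All": that would let any namespace bind a route under
        # the wildcard. Only namespaces carrying this label may attach.
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: "true"
---
# Application route in its own namespace (which must carry gateway-access=true).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp
  namespace: myapp
spec:
  parentRefs:
    - name: shared-gateway
      namespace: traefik
      sectionName: https
  hostnames:
    - "myapp.lab.example.com"     # must fall within the listener hostname
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: myapp
          port: 80
---
# Classic Ingress for a second app, handled by the same Traefik at the same time.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy
  namespace: legacy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt   # assumed issuer name
spec:
  ingressClassName: traefik
  tls:
    - hosts: ["legacy.lab.example.com"]
      secretName: legacy-tls
  rules:
    - host: legacy.lab.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: legacy
                port:
                  number: 80
```

The part worth getting right is `allowedRoutes`. With `from: All` any namespace can bind a route under the wildcard and capture traffic for a hostname it does not own; a label selector keeps attachment opt-in. The HTTPRoute's hostnames must also fall within the listener's hostname, otherwise the route stays unattached and `kubectl describe httproute myapp -n myapp` shows the reason under Parents.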

🔑

Encrypted Config

Encrypt your .env config (with passwords & tokens) using age. The encrypted file is transparently decrypted in-memory — plaintext never touches disk during cluster operations.

🐙

GitOps TUI

Integrated GitOps workflow: bootstrap Gitea + ArgoCD app-of-apps, live sync status per addon, one-key sync trigger, rollback to any history entry, and in-TUI values editor — all without leaving the terminal.

🛠️

Day-2 Operations

Upgrade individual add-ons, get Discord/Slack alerts when a new Kubernetes version drops, and clone a cluster as a template for a new one — all from the interactive TUI.

Ecosystem

Add-ons at the flip of a switch

Just set to true — the rest happens automatically.

Networking & Ingress

Traefik
MetalLB
Gateway API
cert-manager
Cloudflare DNS

Observability

Loki
Falco
Nautik
Grafana
Hubble UI
Prometheus
Uptime Kuma
Alertmanager
metrics-server

Security & Access

Vault
Kyverno
Headlamp
Authentik
Tailscale
Vaultwarden
External Secrets

Storage & Backup

Velero
Harbor
Longhorn
NFS Provisioner

GitOps & CI/CD

Gitea
ArgoCD
Flux CD
Woodpecker CI
Renovate

Cluster Tools

k9s
Helm
Kured