diff --git a/blog/2025-10-07-proxmox-ve-on-hetzner-dedicated-server/index.md b/blog/2025-10-07-proxmox-ve-on-hetzner-dedicated-server/index.md index b86b7e8..d03be20 100644 --- a/blog/2025-10-07-proxmox-ve-on-hetzner-dedicated-server/index.md +++ b/blog/2025-10-07-proxmox-ve-on-hetzner-dedicated-server/index.md @@ -11,13 +11,13 @@ I want to warn that this is not a full step-by-step guide. It is rather notes on -# Installation +## Installation There is documentation on the installation process at [Hetzner](https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve). There are options, and I chose the first one - installing Proxmox VE on Debian. So, according to the docs, I booted a [Rescue System](https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/) and installed Debian with the [installimage](https://docs.hetzner.com/robot/dedicated-server/operating-systems/installimage/). Then I followed the [guide from Proxmox Wiki](https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_13_Trixie) to install Proxmox VE. There is a step where you first install a new kernel and reboot to activate it. I was forced to reboot the server twice to make it appear online again. Have no idea why. -# Network +## Network Now to the hard part. The initial plan was to have all LXCs in a single local network to allow internal communication. Also, the host and some containers should have public IPs for external access. 
@@ -105,11 +105,11 @@ post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1 ``` -# Network security +### Network security Ports `8006`, `22`, and `8007` are opened on the Proxmox host in the Proxmox firewall, but explicitly closed in the Hetzner firewall. That way, I can use Proxmox VE and PBS web UI only from the Tailscale network, but, in case of an emergency or misconfiguration, I can open critical ports in Hetzner firewall to get access using server's public IP. -# Public Reverse Proxy +## Public Reverse Proxy I know it is not the best practice to install anything directly on a Proxmox host, but this looks like a perfect decision, as it already has a public IP address, and I can't unassign it because this is the only way to access the server in case of failure. So I decided to install Caddy directly to a Proxmox Host and open ports `80` and `443` to it. Caddy handles requests and then proxies them to the local IPs of LXCs: @@ -120,7 +120,7 @@ git.nicelycomposed.codes { } ``` -# Tailscale and Internal Reverse Proxy +## Tailscale and Internal Reverse Proxy They call it "bastion host". A single point of connecting to your internal resources that you don't want to expose publicly. I have an LXC for this with Tailscale and another instance of Caddy installed. Let's see how it works on an example. 
@@ -172,14 +172,14 @@ element-admin.int.example.com { } ``` -# Proxmox Backup Server +## Proxmox Backup Server It was the simplest part. I know this is not the most recommended method, but my Proxmox Backup Server is [installed on the Proxmox VE host](https://pbs.proxmox.com/docs/installation.html#install-proxmox-backup-server-on-proxmox-ve). After installing it and configuring it to use [Backblaze S3 storage](https://pbs.proxmox.com/docs/storage.html#datastores-with-s3-backend), I just added it as a storage to Proxmox VE using the local IP of the host. ![PBS config](pbs.png) -# Conclusion +## Conclusion Have no idea why everyone wants to write a conclusion for each post nowadays. It looks like a forced conclusion to a school physics problem in most cases: "Solving this problem of moving trains, we found out that trains can move". Have a nice tinkering. \ No newline at end of file
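Review bot: in the second hunk (`@@ -105,11 +105,11 @@`), the `+### Network security` line demotes that heading two levels while every other heading in this change goes from `#` to `##`, so "Network security" becomes a subsection of `## Network` rather than a sibling of `## Public Reverse Proxy` and `## Tailscale and Internal Reverse Proxy`. If the intent is to file the layered-firewall notes (ports `8006`, `22`, `8007` open in the Proxmox firewall, closed in the Hetzner firewall, reached via Tailscale) under Network, that nesting reads fine; otherwise make it `## Network security` for consistency with the rest of the commit.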
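Review bot: the last hunk (`@@ -172,14 +172,14 @@`) still ends with `\ No newline at end of file` after `Have a nice tinkering.`; since this change already edits the tail of the document, adding the trailing newline here would keep that marker out of future diffs. The `## Proxmox Backup Server` and `## Conclusion` demotions are consistent with the other headings in the change.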