yevi.org/www.yevi.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 27 Activity

Fix headers

Browse Source
This commit is contained in:
yehor
2025-10-07 12:56:39 +03:00
parent a603f5160a
commit 342c025697
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
blog/2025-10-07-proxmox-ve-on-hetzner-dedicated-server/index.md
View File

@@ -11,13 +11,13 @@ I want to warn that this is not a full step-by-step guide. It is rather notes on
<!-- truncate --> <!-- truncate -->
# Installation ## Installation
There is documentation on the installation process at [Hetzner](https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve). There are options, and I chose the first one - installing Proxmox VE on Debian. There is documentation on the installation process at [Hetzner](https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve). There are options, and I chose the first one - installing Proxmox VE on Debian.
So, according to the docs, I booted a [Rescue System](https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/) and installed Debian with the [installimage](https://docs.hetzner.com/robot/dedicated-server/operating-systems/installimage/). So, according to the docs, I booted a [Rescue System](https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/) and installed Debian with the [installimage](https://docs.hetzner.com/robot/dedicated-server/operating-systems/installimage/).
Then I followed the [guide from Proxmox Wiki](https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_13_Trixie) to install Proxmox VE. There is a step where you first install a new kernel and reboot to activate it. I was forced to reboot the server twice to make it appear online again. Have no idea why. Then I followed the [guide from Proxmox Wiki](https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_13_Trixie) to install Proxmox VE. There is a step where you first install a new kernel and reboot to activate it. I was forced to reboot the server twice to make it appear online again. Have no idea why.
# Network ## Network
Now to the hard part. Now to the hard part.
The initial plan was to have all LXCs in a single local network to allow internal communication. Also, the host and some containers should have public IPs for external access. The initial plan was to have all LXCs in a single local network to allow internal communication. Also, the host and some containers should have public IPs for external access.
@@ -105,11 +105,11 @@ post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1 post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
``` ```
# Network security ### Network security
Ports `8006`, `22`, and `8007` are opened on the Proxmox host in the Proxmox firewall, but explicitly closed in the Hetzner firewall. That way, I can use Proxmox VE and PBS web UI only from the Tailscale network, but, in case of an emergency or misconfiguration, I can open critical ports in Hetzner firewall to get access using server's public IP. Ports `8006`, `22`, and `8007` are opened on the Proxmox host in the Proxmox firewall, but explicitly closed in the Hetzner firewall. That way, I can use Proxmox VE and PBS web UI only from the Tailscale network, but, in case of an emergency or misconfiguration, I can open critical ports in Hetzner firewall to get access using server's public IP.
# Public Reverse Proxy ## Public Reverse Proxy
I know it is not the best practice to install anything directly on a Proxmox host, but this looks like a perfect decision, as it already has a public IP address, and I can't unassign it because this is the only way to access the server in case of failure. I know it is not the best practice to install anything directly on a Proxmox host, but this looks like a perfect decision, as it already has a public IP address, and I can't unassign it because this is the only way to access the server in case of failure.
So I decided to install Caddy directly to a Proxmox Host and open ports `80` and `443` to it. Caddy handles requests and then proxies them to the local IPs of LXCs: So I decided to install Caddy directly to a Proxmox Host and open ports `80` and `443` to it. Caddy handles requests and then proxies them to the local IPs of LXCs:
@@ -120,7 +120,7 @@ git.nicelycomposed.codes {
} }
``` ```
# Tailscale and Internal Reverse Proxy ## Tailscale and Internal Reverse Proxy
They call it "bastion host". A single point of connecting to your internal resources that you don't want to expose publicly. I have an LXC for this with Tailscale and another instance of Caddy installed. Let's see how it works on an example. They call it "bastion host". A single point of connecting to your internal resources that you don't want to expose publicly. I have an LXC for this with Tailscale and another instance of Caddy installed. Let's see how it works on an example.
@@ -172,14 +172,14 @@ element-admin.int.example.com {
} }
``` ```
# Proxmox Backup Server ## Proxmox Backup Server
It was the simplest part. I know this is not the most recommended method, but my Proxmox Backup Server is [installed on the Proxmox VE host](https://pbs.proxmox.com/docs/installation.html#install-proxmox-backup-server-on-proxmox-ve). It was the simplest part. I know this is not the most recommended method, but my Proxmox Backup Server is [installed on the Proxmox VE host](https://pbs.proxmox.com/docs/installation.html#install-proxmox-backup-server-on-proxmox-ve).
After installing it and configuring it to use [Backblaze S3 storage](https://pbs.proxmox.com/docs/storage.html#datastores-with-s3-backend), I just added it as a storage to Proxmox VE using the local IP of the host. After installing it and configuring it to use [Backblaze S3 storage](https://pbs.proxmox.com/docs/storage.html#datastores-with-s3-backend), I just added it as a storage to Proxmox VE using the local IP of the host.
![PBS config](pbs.png) ![PBS config](pbs.png)
# Conclusion ## Conclusion
Have no idea why everyone wants to write a conclusion for each post nowadays. It looks like a forced conclusion to a school physics problem in most cases: "Solving this problem of moving trains, we found out that trains can move". Have no idea why everyone wants to write a conclusion for each post nowadays. It looks like a forced conclusion to a school physics problem in most cases: "Solving this problem of moving trains, we found out that trains can move".
Have a nice tinkering. Have a nice tinkering.