A single Bash script. No Ansible, no Terraform, no external dependencies.
⚡
Fully Automated
Cloud-Init template, network detection, storage detection — everything is automatically discovered and configured.
🔄
Resumption
If setup aborts, resume continues exactly where it left off. No VM is recreated.
🖥️
Live TUI
Built-in flicker-free TUI with 19 phases, progress bar and live log. No separate monitoring tool needed.
🔒
Security Hardened
Secrets encryption at rest, audit logging, nftables firewall with source-IP restrictions, Pod Security Standards and proper kubelet TLS — enabled by default, zero configuration required.
🛡️
Policy Enforcement
Optional Network Policies (default-deny-all + allow-dns/traefik/prometheus) and Kyverno policy engine — block :latest tags, audit resource limits and non-root containers across all namespaces.
🏗️
HA Mode
3 Control Planes with HAProxy and keepalived (Virtual IP). If one CP fails, another takes over automatically.
💾
Backup & Restore
etcd backup with auto-rotation, VM snapshots, Velero for Persistent Volumes. Fully automated restore included.
🌐
Hetzner Dedicated
Special mode for Proxmox on Hetzner root servers: private NAT network, port forwarding, iptables-persistent.
📊
Monitoring
Prometheus + Grafana, Loki log aggregation and Falco runtime security — one flag to enable each.
🔐
SSO with Authentik
Protect internal UIs (Traefik, Longhorn) with OAuth2 via Authentik — fully automated, no manual IdP setup.
📱
Nautik iOS & macOS
Native Kubernetes app for iPhone and Mac. Connect via kubeconfig — Prometheus metrics, node stats and workload management on the go.
🗝️
Secret Management
HashiCorp Vault as central secret store — auto-initialized, auto-unsealed, KV v2 enabled. Addon credentials are synced automatically. External Secrets Operator bridges Vault into native Kubernetes Secrets.
🔭
Network Observability
Cilium Hubble UI for real-time network flow visibility — see which pod talks to which, inspect DNS queries, and visualize policy drops across all namespaces. One flag to enable.
🚦
Gateway API
Kubernetes Gateway API CRDs installed and Traefik configured as gateway controller. Use modern HTTPRoute and Gateway resources alongside classic Ingress — both work simultaneously.
🔑
Encrypted Config
Encrypt your .env config (with passwords & tokens) using age. The encrypted file is transparently decrypted in-memory — plaintext never touches disk during cluster operations.
🐙
Internal GitOps Stack
Gitea for self-hosted Git and Woodpecker CI for pipelines — GitHub Actions-compatible syntax, lightweight (~300 MB combined), deep ArgoCD integration. No external services required.
🛠️
Day-2 Operations
Upgrade individual add-ons, get Discord/Slack alerts when a new Kubernetes version drops, and clone a cluster as a template for a new one — all with a single command.
Traefik
cert-manager
Cloudflare DNS
Falco
Grafana
Hubble UI
Prometheus
metrics-server
Vault
Authentik
Tailscale
Vaultwarden
Velero
Longhorn
Gitea
ArgoCD
Flux CD
Renovate
Helm