2 minute read

My short journey into Proxmox land. These are just notes for my self reference should I ever need them.


These are very destructive procedures. I bare no responsibility for any damages done to your system.


  • Install proxmox.
  • Have it use letsencrypt for the webui HTTPS.
  • Familiarize with the product to better understand the current virtualization landscape

KVM/libvirt Preparation

I will be using libvirt’s virt-manager to spin up Proxmox.


This time around I will be going with the default storage pool - meaning qcow2 backing image files.

sudo virsh vol-create-as --pool default --name proxmox-os --capacity 20G
sudo virsh vol-create-as --pool default --name proxmox-data-1 --capacity 200G
sudo virsh vol-create-as --pool default --name proxmox-data-2 --capacity 200G
sudo virsh vol-create-as --pool default --name proxmox-data-3 --capacity 200G


Bridge networking is fine here.

My home DNS will forward anything headed for the *.pm.dood.ie towards

First boot

  • Graphical Install
  • Accept license
  • Select the 20GB disk for OS
  • Country/Timezone/Keyboard Layout
  • Password/Email
  • Network
    • Management interface: default
    • Hostname: proxmox.pm.dood.ie
    • IP CIDR:
    • Gateway:
    • DNS:
  • Install

Admin user

Proxmox has a concept of “Realms”, which roughly correspond to authentication mechanisms. The preferred realm is “pve” which is the proxmox propriatery auth system.

There is also the “pam” Realm which corresponds to the system-local auth, but is not provisioned top-down. You can also add more auth mechanisms (realms), but that’s outside of the scope of this document.

What do I mean by “not provisioned top-down”? When we create a user, say

pveum user add testuser@pam --email youremail@something.invalid 

… and try to change it’s password

pveum passwd testuser@pam

We will get an error saying:

change password failed: user 'testuser' does not exist

This is because proxmox requires you to handle PAM authenticated users yourself.

This would work:

pveum user add testuser@pam --email youremail@something.invalid 
useradd -m testuser
pveum passwd testuser@pam

I did not want to proceed researching this and will be using the builtin root user in this guide.

letsencrypt powered HTTPS for the Promoxmox Webui

You will need your CloudFlare Account ID and API token to proceed. Here is a video guide on how to get them.

Permissions for the API token need to be:

  • Zone / Zone / Read
  • Zone / DNS / Edit
  • Include / Specific Zone / yourdomain.com
cat > acme.txt <<EOF

pvenode acme account register account-name youremail@something.invalid

After the last command you will be asked for a few choices regarding letsencrypt - whether you want to use the poduction or staging server as well as to accept the terms of service. I would recommend staging certs at this point, just be aware that they will produce invalid certs. You can inspect your browser “padlock” icon to check whether it’s actually letsencrypt.

But first, we need to finish the process:

pvenode acme plugin add dns cloudflare --api cf --data acme.txt
pvenode config set -acmedomain0 proxmox.pm.dood.ie,plugin=cloudflare
pvenode acme cert order

When we refresh the proxmox UI, the certificate should be updated.


I don’t really have one of much value. Speaking completely subjectively, it didn’t sit right with me, and I will probably be moving on to a DIY virtualization host powered by gitops.

Regardless of my subjective feel, Proxmox seems like a great tool, especially if you need advanced features like clustering.


sudo virsh vol-delete --pool default proxmox-os    
sudo virsh vol-delete --pool default proxmox-data-1
sudo virsh vol-delete --pool default proxmox-data-2
sudo virsh vol-delete --pool default proxmox-data-3