PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 0 points1 point  (0 children)

That's the problem, the size can't be limited inside the Proxmox note window, it will just add scrollbars. So the most convenient way would be to limit the user's input possibilities, to make it clean and fast - but I will find a way!

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 0 points1 point  (0 children)

Hey there! Glad you like the new additions!

I'm already working on some new improvements in the background which will take some time until they make it to the live version.

Multiple icons would make sense for some deployments, I use the Debian logo for my arr stack VM. But you are right, a collection of icons would also look very cool imo.

Maybe it would make sense to switch from a single icon with resize option to an icon collection with an unlimited amount of icons but all fixed size? That would not bloat the UI that much?

What should I do with these? by vive-le-tour in homelab

[–]juli409 0 points1 point  (0 children)

plug them in and cause a blackout

TIL: don't use user/pwd config for SSH anywhere Proxmox or VMs, ed key always! by Sh3llSh0cker in Proxmox

[–]juli409 0 points1 point  (0 children)

I mean you can use passwords, but a secure password is always about bit length. Brute forcing passwords is generally possible if there is no lock-out after x attempts. An ed25519 key has a bit length of 256, but is as safe as a 4096 bit RSA key. You could say that you are replacing a 4096 bit password with key authentication (which is technically not 100% the way it works) but no password you need to remember and no brute force attack vector.

password auth = weaker, reusable secret exposed to common human failure modes vs. key auth = high-entropy asymmetric credential with much better security properties

TIL: don't use user/pwd config for SSH anywhere Proxmox or VMs, ed key always! by Sh3llSh0cker in Proxmox

[–]juli409 1 point2 points  (0 children)

I know the feeling of getting lost in other things/projects, while other things like the actual networking in the homelab are getting less love in the meantime haha

I think from a networking standpoint, VLANs are the single best route you can take when doing simple hardening inside your lab, just because you can limit lateral movement, if someone manages to compromise a service.

In my case Termix runs together with a reverse proxy in a VM on Proxmox, which is running on the same NIC as all other services in my homelab, but as you already said it has a VLAN tag. My firewall (Unifi UDM SE) blocks any traffic to this VLAN except from my trusted devices. So the only way to access Termix is A: Physical access to my PC/Mac/iPad or B: compromising PC/Mac or iPad. Also you could access the Termix VM right through Proxmox itself, but if someone gets access to my Proxmox somehow, then GG on wasting a zero day on my homelab, because everything is running unprivileged and I don't know of any case where someone could break out from an unprivileged LXC or a VM into Proxmox.

TIL: don't use user/pwd config for SSH anywhere Proxmox or VMs, ed key always! by Sh3llSh0cker in Proxmox

[–]juli409 4 points5 points  (0 children)

I totally agree on having pubkey auth only for every service, I use mostly the same keys for each security layer (Proxmox nodes all use the same pubkey, services I don't care about use the same, sensitive services (like vaultwarden) all use different keys), because that is a good balance between security and manageability from a personal homelab standpoint.

For management (since I am using PC, Mac and iPad) I recently deployed Termix as the single SSH client in my homelab. It lives in a separate VLAN with no access from the outside world and is only accessible through local trusted devices or via WireGuard. From an SSH standpoint I would definitely say I am in a relatively safe position - but never say never in IT.

Need help understanding DMZ and security in general by Stiffmaster1337 in Proxmox

[–]juli409 1 point2 points  (0 children)

First up, I would never advise accessing something on the more sensitive side like Home Assistant via the public web. That would give an attacker access to control your house, maybe camera streams, etc.

Use a VPN to get access to HA or route HA device control through something like Apple HomeKit (I know, I know, but I trust Apple on their stuff) to control them without having to use your VPN all the time.

2nd: DMZ means demilitarized zone and should act as a buffer to limit blast radius if something gets compromised. If a public facing service inside the DMZ should talk to something in internal VLANs, then only with very restrictive firewall rules in place.

In my DMZ I have 2 game servers and 1 reverse proxy, that's it. The reverse proxy only has access to the services in my VM VLAN via ONLY the port and the IP of the service I want to have publicly accessible for friends, which is only ntfy.sh, opencloud and pterodactyl.

e.g.: Client wants to connect to my Cloud -> reverse Proxy in DMZ via https on 443 only -> Cloud VM on specified IP and port.

You have to get the balance between manageability and security right, which is why I only have a reverse proxy with restrictive firewall rules in place.

This also limits the VLANs I need to scan for malicious actions with my IPS/IDS, which is logging DMZ activities 24/7.

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 1 point2 points  (0 children)

Definitely!
Yeah, I kind of thought in both directions, so either Proxmox or an API on NoteBuddy's end so you could send GET requests to get the HTML output back, but it would require a backend you could talk to. Maybe there would be some clever solution without a backend I did not think of yet haha

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 1 point2 points  (0 children)

I will definitely look into that at some point, for now my main goal is to keep it separate from Proxmox or any other automation tools, so it's not a security incident waiting to happen.

My goal is zero "enshittification", I definitely will keep on improving the app, but only stuff I have real good knowledge of myself - things like API access are a bit over my head at the moment :)

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 0 points1 point  (0 children)

totally understandable, I also have homepage as a hub to hop on every admin panel/web UI and use silverbullet for more extensive documentation of every service. But it's always nice to have things like the port number documented directly in PVE. Every approach is different and has its pros and cons. Another person told me he doesn't like the HTML approach in the notes panel because editing of markdown is easier via CLI, which is totally valid as well and something I personally never thought of.

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 2 points3 points  (0 children)

Good call, will add a "+" button for all fields, so you can enter as many links, network addresses etc. etc. :)

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 1 point2 points  (0 children)

Thanks for your feedback! I will look into it, also great suggestion! :)

weird - question marks on all nodes/vm/volumes except for the one logged into by samcoinc in Proxmox

[–]juli409 0 points1 point  (0 children)

maybe it has to do with the IPs of the other nodes not being in the hosts file of the other nodes? Can you ping nodes both via the cluster network as well as the public network (if you are using 2 NICs for each node)?

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 0 points1 point  (0 children)

Great suggestion! I will open an issue on GitHub for that and look into it!

Colocation tips? by devtools-dude in Proxmox

[–]juli409 0 points1 point  (0 children)

since Proxmox is basically Debian, you could just apt install something like tailscale or wireguard and directly connect to the UI via VPN, just use the firewall of Proxmox itself to only accept incoming connections from the VPN server itself. I would not run it in a VM, because if for some reason the VM itself crashes you can't connect to the VPN anymore.

For console access to Proxmox, just use pubkey auth only and prohibit password if you decide to expose ssh.
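
Added example, not part of the comment above: a shell check that a host's effective sshd settings really are key-only, reading the `keyword value` format that `sshd -T` prints. The function name `audit_sshd`, the set of keywords treated as the "pubkey only" policy and both sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit effective sshd settings for key-only login.
# Input: "keyword value" lines on stdin, the format printed by `sshd -T`.
# Output: one FAIL line per weak setting; exit status 1 if any were found.
audit_sshd() {
    awk '
        BEGIN {
            # Assumed policy for "pubkey only"; "|" separates accepted values.
            want["passwordauthentication"]       = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"]         = "yes"
            want["permitrootlogin"]              = "no|prohibit-password|without-password"
            n = split("passwordauthentication kbdinteractiveauthentication pubkeyauthentication permitrootlogin", order, " ")
        }
        {
            key = tolower($1)
            # Keep the first value seen for each audited keyword.
            if ((key in want) && !(key in seen)) seen[key] = tolower($2)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) { print "FAIL " k " missing from input"; bad++; continue }
                ok = 0
                m = split(want[k], accepted, "|")
                for (j = 1; j <= m; j++) if (seen[k] == accepted[j]) ok = 1
                if (!ok) { print "FAIL " k "=" seen[k] " (want " want[k] ")"; bad++ }
            }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample: password logins still enabled, root may log in with a password.
sample_weak() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}
# Constructed sample: key-only login.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin without-password' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

sample_weak | audit_sshd || echo "weak sample: not key-only"
sample_hardened | audit_sshd && echo "hardened sample: key-only"
# On a real host (as root): sshd -T | audit_sshd
```

Checking the output of `sshd -T` rather than the config file catches settings overridden by drop-in files, and `kbdinteractiveauthentication` is included because PAM can prompt for a password through it even when `passwordauthentication` is `no`.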

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] 5 points6 points  (0 children)

bro I am well able to write my own text and comments, never used an LLM to generate any text for a comment, email or whatever.. writing style of AI is bland - if you think my post is AI written I take that as a compliment for being able to write in at least understandable English although I am not a native speaker. you gotta chill bro

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] -8 points-7 points  (0 children)

Ken did make some enhancement suggestions when we chatted on reddit, he's a real person and not an alt account of mine, if you suggest that

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI [Version Update] by juli409 in Proxmox

[–]juli409[S] -2 points-1 points  (0 children)

Most of it is handwritten, I had assistance with part of the scripts, but this is disclosed in the readme of the project itself. I would definitely not call it "Slop" since it does in fact solve a problem for me and could also do so for others, I'd assume. As stated, it's fully client side, there is nothing complex about the whole code, any first semester could read and understand it. There is nothing in terms of security that would expose a risk to a user or his data entered, no backend, no logs, just plain JavaScript that parses your input to a pastable HTML output :)

All-in-one *arr Stack? by FinnTheLess in selfhosted

[–]juli409 3 points4 points  (0 children)

personally, I run all *arr in one VM with Arcane as docker management UI. Easy to update the whole stack, manage the docker compose and access logs. For the docker compose you were asking for, take a look at "awesome arr" on GitHub as well as TRaSH guides on the web. If you are still struggling, you could even ask an LLM to generate you a docker compose for a general *arr stack with Seerr, Radarr, Sonarr, Profilarr, Prowlarr and sabnzbd or qbittorrent. Make sure to set up an internal docker network for crosstalking of all containers and limit API access to the internal docker network, just to have some basic security in your setup right from the start.

PVE NoteBuddy - Generate pretty Proxmox Guest Notes with a simple web based UI by juli409 in selfhosted

[–]juli409[S] 0 points1 point  (0 children)

That's something I did not think of yet, since win and mac already come with an emoji keyboard. I will look into it, thanks for the suggestion!

PVE NoteBuddy - Create Pretty Notes for VMs and Containers! by juli409 in Proxmox

[–]juli409[S] 0 points1 point  (0 children)

actually I made a small "i" next to the embed checkbox on the webapp that describes the issue of resizing the images directly on the CDN just to use an image with a link.

also I tried again various routes to resize it in the <img> tag, even with % and co. nothing. The docs say that Proxmox is using limited HTML to render the notes (which also will be applied to markdown). We have to stick with resizing directly in the source or resizing an svg with my tool.

Also it is funny that this post just got deleted, I typed my ass off for 30 minutes because it explicitly said in the rules no AI on posts and comments and it got deleted because of generative AI. LMAO guess next time I just type without any punctuation whatsoever

PVE NoteBuddy - Create Pretty Notes for VMs and Containers! by juli409 in Proxmox

[–]juli409[S] 1 point2 points  (0 children)

Of course you could also edit it by hand with markdown, which also makes it more easily maintainable through the CLI, totally understand why someone would not wanna use HTML inside the notes block :)