Open-source server admin panel for single-host Proxmox VE setups
FloppyOps Lite is a lightweight web UI that runs directly on your Proxmox VE host and brings the day-to-day terminal work for a dedicated server into one focused panel: updates, firewalling, reverse proxying, WireGuard, ZFS, Fail2ban, and VM/CT operations.
Designed for one rented server, one admin surface, no cluster overhead.
Current version: v1.3.0
When you rent a dedicated server with Proxmox VE, too many routine tasks still fall back to SSH:
- Updates & repos: keep both the host and the app itself current without hand-rolling shell commands
- WireGuard: create tunnels, add peers, import/export configs, inspect logs, and manage peer workflows from the UI
- Nginx & SSL: run reverse proxies, issue certificates, and check certificate health
- Security: review exposed ports, manage host firewall rules, and keep Fail2ban visible
- ZFS & VM/CT tooling: snapshot, rollback, clone, and adjust guest hardware/network settings
FloppyOps Lite gives you a direct, self-hosted control surface for exactly those jobs, without adding an external SaaS layer or cluster management complexity.
Security-audit follow-up: every finding fixed and re-verified. Read the CHANGELOG for details.
- Command/config injection closed in WireGuard. Live peer changes (`wg set`) no longer go through a shell, and every field written into a tunnel `.conf` is type-validated and CR/LF-rejected, so an authenticated non-root user can no longer smuggle a root `PostUp`.
- nginx reverse-proxy editing is validated. `ip`/`port`/`domain` inputs can no longer inject nginx directives (e.g. `alias /;` for arbitrary file read).
- XSS closed across the UI. All attacker-influenceable server data (log lines, peer/VM names, IPs, cert fields, the `Host` header) is HTML-escaped before rendering.
- sudo allowlist tightened to least privilege. Catch-all rules (`cp *`, `chmod *`, `chown *`, `iptables *`, `pvesh *`, `cat /etc/pve/*`) that allowed a trivial `www-data` → root escape are replaced with rules scoped to the exact commands the panel runs. `setup.sh` generates the hardened ruleset for fresh installs.
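
The nginx validation described above, sketched as an added example; it is not FloppyOps Lite's own code (the panel is PHP). The function names and the minimal vhost layout are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, inner hyphens. Nothing nginx treats as
# syntax (whitespace, ';', '{', '}', quotes) can appear in a match.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}")


def valid_domain(value):
    if not isinstance(value, str) or len(value) > 253:
        raise ValueError("domain: wrong type or too long")
    if not DOMAIN_RE.fullmatch(value):
        raise ValueError("domain: not a plain hostname")
    return value.lower()


def valid_upstream(ip, port):
    if not isinstance(ip, str) or "%" in ip:
        # Python 3.9+ parses an IPv6 zone id after '%' and performs little
        # validation on it, so zone ids are rejected outright.
        raise ValueError("ip: zone ids are not accepted")
    addr = ipaddress.ip_address(ip)  # ValueError unless a literal IP
    if not re.fullmatch(r"[0-9]{1,5}", str(port)) or not 1 <= int(port) <= 65535:
        raise ValueError("port: must be 1-65535")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"{host}:{int(port)}"


def render_site(domain, ip, port):
    """Build a minimal reverse-proxy vhost from validated values only."""
    domain, upstream = valid_domain(domain), valid_upstream(ip, port)
    return (
        "server {\n"
        "    listen 80;\n"
        f"    server_name {domain};\n"
        "    location / {\n"
        f"        proxy_pass http://{upstream};\n"
        "    }\n"
        "}\n"
    )
```

Each value is parsed into its type first and only the re-serialized form reaches the config, so a `;` or a brace never makes it into the file.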
This is a security release with breaking auth changes. Read the CHANGELOG before upgrading.
- Panel access now requires admin-level authorization, not just a valid login. The panel mirrors PVE's own model: after authentication it checks `Sys.Modify` + `Sys.PowerMgmt` on `/`. PAM users must be root or in the `sudo`/`wheel` group. A read-only PVE user no longer gets full panel control.
- WireGuard PostUp/PostDown lines are now allowlist-validated. The wizard's NAT/Forwarding/sysctl patterns still work; arbitrary shell commands (which `wg-quick` would run as root) are rejected on create/edit and stripped with a warning on import.
- Session and login hardening. Session cookie is now HttpOnly + Secure + SameSite=Strict, session id is regenerated on login (no more fixation), login form is CSRF-protected via a double-submit cookie, and the PVE API call verifies TLS against PVE's own root CA.
- nginx security headers refreshed on every update, with a real Content-Security-Policy and `X-Frame-Options: DENY`. Previously the headers were only written on first install.
- Carry-overs from v1.2.21-23: autostart toggle for WireGuard tunnels and a clearer BOOT AN badge in the tunnel card header.
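
The two WireGuard fixes in these notes (CR/LF rejection with type validation for every `.conf` field, and the PostUp/PostDown allowlist), sketched as an added example; it is not FloppyOps Lite's own code (the panel is PHP). All function names, the allowlist regexes and the sample key are assumptions constructed for illustration.

```python
import base64
import ipaddress
import re

# Assumed allowlist: the page only says the wizard's NAT/forwarding/sysctl
# patterns pass. These regexes are illustrative, not the project's own.
IFACE = r"(?:%i|[A-Za-z0-9_.-]{1,15})"
HOOK_ALLOWLIST = [
    re.compile(rf"iptables -t nat -[AD] POSTROUTING -o {IFACE} -j MASQUERADE"),
    re.compile(rf"iptables -[AD] FORWARD -[io] {IFACE} -j ACCEPT"),
    re.compile(r"sysctl -w net\.ipv4\.ip_forward=1"),
]
SAMPLE_KEY = base64.b64encode(bytes(32)).decode()  # constructed, not a real key


class RejectedField(ValueError):
    """Raised when a value must not be written into the tunnel .conf."""


def clean(name, value):
    # A CR or LF would end the current line and start an attacker-chosen one.
    if not isinstance(value, str) or "\r" in value or "\n" in value:
        raise RejectedField(f"{name}: CR/LF or non-string value")
    return value.strip()


def validate_name(value):
    value = clean("Name", value)
    if not re.fullmatch(r"[A-Za-z0-9 _.-]{1,64}", value):
        raise RejectedField("Name: unexpected characters")
    return value


def validate_key(name, value):
    value = clean(name, value)
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        raise RejectedField(f"{name}: not base64") from None
    if len(raw) != 32:
        raise RejectedField(f"{name}: WireGuard keys are 32 bytes")
    return value


def validate_allowed_ips(value):
    try:
        nets = [ipaddress.ip_network(p.strip(), strict=False)
                for p in clean("AllowedIPs", value).split(",")]
    except ValueError:
        raise RejectedField("AllowedIPs: not a CIDR list") from None
    return ", ".join(str(n) for n in nets)


def validate_hook(name, value):
    # wg-quick runs PostUp/PostDown as root, so every command must match.
    cmds = [c.strip() for c in clean(name, value).split(";")]
    if not all(any(p.fullmatch(c) for p in HOOK_ALLOWLIST) for c in cmds):
        raise RejectedField(f"{name}: command not on the allowlist")
    return "; ".join(cmds)


def render_peer(name, public_key, allowed_ips):
    return "\n".join([
        "[Peer]",
        f"# {validate_name(name)}",
        f"PublicKey = {validate_key('PublicKey', public_key)}",
        f"AllowedIPs = {validate_allowed_ips(allowed_ips)}",
    ]) + "\n"
```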
- Server status: Hostname, Uptime, CPU %, RAM, Disk
- Live Charts - CPU, RAM, Network I/O, Disk I/O (4s refresh, Chart.js)
- Fail2ban stats + Nginx site count + Updates count
- Subscription status tile
- Auto-refresh every 4 seconds
- Compact table: Status, VMID, Name, Type, vCPU, RAM + Start/Stop/Restart buttons
- IP Column - Colored dots: yellow = public IP, gray = internal IP
- Template Assignments - Shows which firewall template is assigned to each VM/CT
- Clone with Full/Linked Clone option
- Adjust hardware: CPU, RAM, Swap, Onboot
- Network: Keep, Customize (IPv4/IPv6 Address, Gateway, Bridge, DNS), or Disconnect
- Auto-start after clone
- 18 built-in templates: Mailcow, Webserver, Database, Proxmox, Docker, DNS, WireGuard, Virtualmin Web, Virtualmin Web+Mail, Nginx Proxy, PostgreSQL, Redis, Elasticsearch, Minecraft, TeamSpeak, Nextcloud, Gitea/GitLab, Monitoring
- Custom Templates - Create, save and reuse your own rule sets
- Editable rules - Ports and sources can be customized before applying
- Duplicate detection - Already existing rules are not created twice
- VM/CT Firewall Management - View/toggle firewall per VM/CT, see status, policy, rule count and assigned template
- Two firewall levels: PVE Host Firewall (Security Check) for the host, VM/CT Firewall (Templates) for individual machines
- Compact card layout - icon + name + rule count inline
- All jails with status (banned IPs, failed logins)
- Unban button per IP
- Config editor (jail.local) with save & restart
- Ban log viewer
- All proxy sites with domain, target, SSL status + expiry date
- New site creation (multi-domain, SSL via Certbot)
- Edit site (config editor) and delete
- SSL Renew button per site
- SSL Health Check (new in v1.1.0) - Automated check of all sites:
- DNS A + AAAA record verification
- SSL certificate validity and expiry
- Certificate-domain match check
- IPv4/IPv6 consistency (same certificate on both protocols)
- ipv6only=on detection with 1-click fix
- Cloudflare Proxy Support - Optional during setup:
- Automatic `real_ip` config for correct client IP behind CF Proxy
- IP whitelists, logs and Fail2ban work correctly with proxied domains
- Setup Guide with live system checks:
- IPv4/IPv6 Forwarding (with fix button)
- IPv6 NDP Proxy check (with fix button - needed for IPv6 between bridges)
- NAT/Masquerading (with activate button)
- Safer system changes - forwarding/NDP/NAT fixes now support backup, diff output and dry-run mode before writing persistent config
- Internal bridge detection
- Nginx + Certbot status
- Pools & Datasets - utilization, health, fragmentation
- Snapshots - grouped by CT/VM with name, sortable, filterable
- Rollback - restore to previous state
- Clone - create new CT/VM from snapshot (full hardware: CPU, RAM, Swap, Onboot + IPv4/IPv6 network customization)
- Only 5 most recent shown, rest collapsible
- Auto-Snapshots - zfs-auto-snapshot installation + retention config
- Per-dataset toggle
- Editable retention per interval (frequent, hourly, daily, weekly, monthly)
- Default: 4 frequent, 24 hourly, 31 daily, 8 weekly, 12 monthly (~1 year)
- Tunnel overview with peer info (VPN IP, endpoint, handshake, transfer)
- Tunnel info bar - VPN subnet, gateway, port, public key, peer count
- Live traffic graph (Chart.js, 5s interval)
- Auto-refresh - peer status updates every 10 seconds
- Start / Stop / Restart per tunnel
- New tunnel wizard (3 steps):
- Basics: Interface, Port, IP, Keys (auto-generated)
- Peer: Endpoint, Public Key, Allowed IPs, PSK
- Preview + remote config for copying
- Add Peer Wizard - 2-step wizard for existing tunnels (auto-generated keys, suggested IPs)
- Peer Edit Modal - form-based editing (Name, Endpoint, AllowedIPs, PSK, Keepalive)
- Config Import - import .conf files from other WireGuard servers (upload or paste)
- Setup Script Generator - download .sh scripts for remote peers (installs WG, checks existing configs, starts tunnel)
- Download buttons - .conf and .sh per peer and in wizards
- Interface Settings - form-based editing (Address, Port, PostUp/Down)
- Log Viewer - journalctl + dmesg per tunnel in modal
- Restart banner - persistent notification when config changed since last service start
- Firewall Integration - auto-add UDP port to PVE firewall when creating/importing tunnels
- Firewall rules wizard - NAT, Forwarding, IP-Forward as checkboxes
- Port Scanner - all listening ports with risk classification (critical/high/medium/low)
- External vs. local-only detection
- PVE Firewall - Datacenter + Node status, one-click enable (auto-adds SSH + WebUI safety rules)
- Firewall Rules - view, add (modal), delete existing rules
- One-Click Block - block risky ports (rpcbind, MySQL, Redis, etc.) with a single click
- Default Rules - apply recommended ruleset with selectable checkboxes
- IPv6 NDP Proxy Check - detects if NDP proxy is needed, one-click fix (permanent via sysctl.conf)
- Realm Selection - Dropdown like PVE: Proxmox VE (PVE) or Linux (PAM)
- PVE Auth - Login with Proxmox VE users (root@pam, etc.)
- PAM Auth - Linux system users
- CSRF tokens on all forms
- IP Whitelist - configured during setup (auto-detects SSH client IP)
- Toolbar Button - FloppyOps button in PVE's top toolbar
- SSL Access - Port 8443 with PVE certificate, auto HTTP->HTTPS redirect
- apt Hook - auto-restores integration after PVE updates
- System Updates - check + install (apt dist-upgrade) with one click
- Repository Management - Enterprise / No-Subscription repos with toggle switches
- Auto-detect PVE 8 (bookworm, .list) and PVE 9 (trixie, .sources DEB822)
- Warnings: Enterprise without subscription, both active, no PVE repo
- Subscription status display
- App Self-Update - version check against GitHub, one-click update (git pull or download)
- Auto-Update - system + app auto-update with configurable schedule (day + time)
- Reboot detection - banner when system restart required
- 6 tabs: Dashboard, Security, Network, ZFS, Updates, Help
- Dashboard includes VMs/CTs table + subscription status
- Security groups: Firewall Templates + Security Check + Fail2ban
- Network groups: Nginx Reverse Proxy + WireGuard VPN
- Help page with search and collapsible sections
- Spinners on all loading states
- Deutsch / English - language toggle in topbar
- Responsive layout (mobile-friendly)
- Dark theme with accent color
- Login page uses local system font stacks only (no external font request)
- Tab persists after reload (URL hash)
- Bug report + Feature request links (GitHub Issues)
- Proxmox VE 8+ on a dedicated server (Hetzner, OVH, Netcup, etc.)
- Root access (SSH or console)
- Internet connection (for package installation)
PHP, Nginx and all other dependencies are installed automatically by the setup script.
1. Clone the repository on your PVE host:

```bash
git clone https://github.com/floppy007/floppyops-lite.git
cd floppyops-lite
```

2. Run the setup script:

```bash
bash setup.sh
```

Or with a domain for automatic SSL:

```bash
bash setup.sh --domain admin.example.com
```

3. The setup wizard will guide you through:
| Step | What happens |
|---|---|
| Language | Choose English or Deutsch |
| Modules | Select which modules to install (Fail2ban, Nginx Proxy, ZFS, WireGuard) - or install all |
| Dependencies | Installs PHP-FPM, Nginx, and selected module packages automatically |
| IP Whitelist | Restrict panel access to your IP or subnet (recommended). Your SSH client IP is detected automatically |
| Cloudflare | Optional: Configure real_ip for correct client IPs behind Cloudflare Proxy |
| SSL | If --domain is set: automatic Let's Encrypt certificate via Certbot |
| PVE Integration | Adds a FloppyOps button to the PVE toolbar + SSL access on port 8443 |
4. Open the panel in your browser:
| Access | URL |
|---|---|
| HTTP | http://YOUR-SERVER-IP |
| SSL (PVE cert) | https://YOUR-SERVER-IP:8443 |
| Custom domain | https://admin.example.com (if --domain was used) |
| PVE Toolbar | Click the FloppyOps button in your PVE web interface |
Log in with a PVE user holding the Administrator role (Sys.Modify + Sys.PowerMgmt on /) or a Linux user that is root or in the sudo/wheel group. The panel verifies the authorization rights after login, the same way PVE itself does. A valid ticket alone is not sufficient.
| Option | Description |
|---|---|
| `--domain FQDN` | Domain for the panel - enables nginx vHost + SSL via Certbot |
| `--dir /path` | Install directory (default: /var/www/server-admin) |
| `--no-ssl` | Skip Let's Encrypt SSL certificate |
The panel has a built-in self-update feature (Updates tab). You can also update manually:

```bash
cd /var/www/server-admin
bash update.sh
```

`bash update.sh` is the recommended update path for both Git-based and non-Git installs.
- Git installs: pulls the latest code, validates the release tree, creates a backup, and synchronizes the full app tree
- Non-Git installs: use `bash update.sh --from /path/to/floppyops-lite`
- `config.php` and `data/` are preserved
- For Git-based installs, the worktree must be clean
- The in-app update button uses the same `update.sh` backend
Upgrading from a version before v1.3.1: that first update is still driven by your old `update.sh`, which only appends sudoers rules. To fully apply the hardened ruleset (remove old `cp *`/`chmod *`/`pvesh *` catch-alls, add the new scoped rules), run `bash update.sh` once more afterwards, or run `sudo bash setup.sh` once. From v1.3.1 onward a single `update.sh` regenerates `/etc/sudoers.d/server-admin` completely. Versions before v1.2.1 predate `update.sh`: run `sudo bash setup.sh` once, then `update.sh` works. See RELEASE_NOTES.md.
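
A post-upgrade check for leftover catch-all sudoers rules, as an added example that is not part of the project. The sample rules, binary paths and the function name `wildcard_rules` are constructed assumptions; pass the real drop-in (`/etc/sudoers.d/server-admin`) as the first argument to check a host.

```python
import re
import sys

# Constructed samples. Binary paths and the scoped rules are assumptions,
# not the contents of the project's real /etc/sudoers.d/server-admin.
OLD_RULES = """\
# before hardening (constructed)
www-data ALL=(root) NOPASSWD: /usr/bin/cp *, /usr/bin/chmod *, \\
    /usr/bin/pvesh *
www-data ALL=(root) NOPASSWD: /usr/bin/cat /etc/pve/*
"""
NEW_RULES = """\
# after hardening (constructed)
www-data ALL=(root) NOPASSWD: /usr/bin/wg show all dump
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart fail2ban
"""
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def wildcard_rules(sudoers_text):
    """Return (binary, args) for each command spec that contains '*'."""
    text = re.sub(r"\\\n\s*", " ", sudoers_text)  # join continuation lines
    hits = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        spec = line.split("=", 1)[1]
        spec = re.sub(r"\([^)]*\)", "", spec)   # drop the (runas) part
        spec = re.sub(r"\b[A-Z_]+:", "", spec)  # drop tags such as NOPASSWD:
        for cmd in re.split(r"(?<!\\),", spec):
            # In sudoers, '*' in the arguments also matches across spaces,
            # so "/etc/pve/*" permits extra arguments after the path.
            binary, _, args = cmd.strip().partition(" ")
            if "*" in binary or "*" in args:
                hits.append((binary, args.strip()))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OLD_RULES
    for binary, args in wildcard_rules(text):
        print(f"catch-all rule: {binary} {args}")
    sys.exit(1 if wildcard_rules(text) else 0)
```

A non-zero exit status means the old `update.sh` only appended rules and a second `bash update.sh` (or `sudo bash setup.sh`) is still needed.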
```
index.php              → Auth, Authorization, CSRF, Router, HTML/CSS Layout
api/                   → PHP API modules (one per feature)
  dashboard.php        → System stats (CPU, RAM, Disk, Network)
  fail2ban.php         → Jails, Logs, Config
  nginx.php            → Reverse Proxy, Sites, SSL
  vms.php              → PVE VMs & Containers
  zfs.php              → Pools, Datasets, Snapshots
  wireguard.php        → VPN Tunnel Management
  updates.php          → App + System Updates, Repos
  security.php         → Port Scan, Host Firewall
  firewall.php         → VM/CT Firewall Templates
js/                    → JavaScript modules (one per feature)
  core.js              → Navigation, API helper, Toast, Modals
  dashboard.js         → Live charts + stats
  fail2ban.js          → Jails, Unban
  nginx.js             → Sites, SSL Health
  vms.js               → VM/CT list, Clone, Control
  zfs.js               → Pools, Snapshots, Auto-Snapshot
  wireguard.js         → Tunnels, Wizard, Traffic Graph
  security.js          → Port Scan, Host Firewall
  firewall.js          → Templates, VM/CT Rules
  updates.js           → App/System Updates, Repos
helpers/               → Out-of-tree helpers invoked via sudo
  pam_auth.py          → PAM authentication bridge (installed to /usr/local/libexec)
pve-integration/       → PVE web-UI toolbar button + apt hook
  install.sh           → Drops the button into the PVE UI, survives PVE updates
  floppyops.js         → The button itself
public/                → Static assets served as-is by nginx
  style.css            → Login + reserved styles (most CSS is inlined in index.php)
data/                  → Runtime state (gitignored, 0750 www-data)
config.php             → Credentials + settings (not in Git, 0640 root:www-data)
config.example.php     → Template for config.php
lang.php               → Translations (DE/EN)
setup.sh               → Automated setup script, writes /etc/sudoers.d/server-admin
update.sh              → Update script, also refreshes sudoers + security headers
```
Modular PHP app - no framework, no database, no external dependencies (except Chart.js for the traffic graph).
MIT License - free to use and modify.
Footer attribution must remain (see LICENSE).
When you rent a dedicated server with Proxmox VE, you still end up in the terminal for many everyday tasks:
- Updates & repos: keep host and app current without constantly firing off shell commands by hand
- WireGuard: create tunnels, manage peers, import/export configs and check logs
- Nginx & SSL: run reverse proxies, roll out certificates and keep a clear view of SSL status
- Security: see and operate open ports, host firewall and Fail2ban in one place
- ZFS & VM/CT workflows: snapshots, rollback, clone and hardware/network adjustments directly in the panel
FloppyOps Lite brings exactly these tasks into a direct, self-hosted web interface on your Proxmox host, without an external platform and without cluster overhead.
This is a security release with breaking changes to auth. Please read the CHANGELOG before upgrading.
- Panel access now requires admin rights, not just a valid login. The panel mirrors the PVE model: after authentication it checks `Sys.Modify` + `Sys.PowerMgmt` on `/`. PAM users must be root or in the `sudo`/`wheel` group. A read-only PVE user no longer gets into the panel.
- WireGuard PostUp/PostDown validated against an allowlist. The wizard's NAT/Forwarding/sysctl patterns keep working; arbitrary shell commands (which `wg-quick` would run as root) are rejected on create/edit and removed with a warning on import.
- Session and login hardening. Session cookie is now HttpOnly + Secure + SameSite=Strict, the session ID is regenerated on login (no more fixation), the login form is protected against CSRF via a double-submit cookie, and the PVE API call verifies TLS against PVE's own root CA.
- nginx security headers are refreshed on every update, with a real Content-Security-Policy and `X-Frame-Options: DENY`. Previously the headers were only written on first install.
- Carried over from v1.2.21-23: autostart toggle for WireGuard tunnels and a clearer BOOT AN badge in the tunnel header.
| Area | Features |
|---|---|
| Dashboard | Uptime, CPU, RAM, Disk, live charts, Fail2ban stats, Nginx sites, subscription status, VMs/CTs table |
| VMs/CTs | Status, Start/Stop/Restart, Clone (Full/Linked), adjust hardware, IPv4/IPv6 network |
| Firewall Templates | 18 built-in + custom templates, editable ports/sources, duplicate detection, VM/CT firewall table |
| Fail2ban | Jails, banned IPs, Unban, config editor, ban log |
| Nginx Proxy | Sites, SSL expiry/renew, multi-domain, SSL Health Check, Cloudflare Proxy Support, setup guide |
| ZFS | Dedicated tab - pools, datasets, snapshots, rollback, clone (with IPv6), auto-snapshots |
| WireGuard | Tunnel info, live traffic, Peer Wizard, config import, setup scripts, downloads, log viewer, auto-refresh, firewall integration |
| Security | Port scanner, PVE Firewall, manage rules, One-Click Block, default rules, IPv6 NDP Proxy Check |
| Navigation | 6 tabs (Dashboard, Security, Network, ZFS, Updates, Help), spinners, help with search |
| Auth | Realm dropdown (PVE/PAM), CSRF, IP whitelist (configurable during setup) |
| PVE Integration | Toolbar button, SSL port 8443, apt hook |
| i18n | German + English |
- Proxmox VE 8+ on a dedicated server (Hetzner, OVH, Netcup, etc.)
- Root access (SSH or console)
- Internet connection (for package installation)
PHP, Nginx and all other dependencies are installed automatically by the setup script.
1. Clone the repository on the PVE host:

```bash
git clone https://github.com/floppy007/floppyops-lite.git
cd floppyops-lite
```

2. Start the setup script:

```bash
bash setup.sh
```

Or with a domain for automatic SSL:

```bash
bash setup.sh --domain admin.example.com
```

3. The setup wizard guides you through the configuration:
| Step | What happens |
|---|---|
| Language | Choose Deutsch or English |
| Modules | Which modules should be installed (Fail2ban, Nginx Proxy, ZFS, WireGuard) - or all |
| Dependencies | Installs PHP-FPM, Nginx and selected module packages automatically |
| IP Whitelist | Restrict panel access to your IP or subnet (recommended). Your SSH client IP is detected automatically |
| Cloudflare | Optional: real_ip configuration for correct client IPs behind Cloudflare Proxy |
| SSL | With --domain: automatic Let's Encrypt certificate via Certbot |
| PVE Integration | FloppyOps button in the PVE toolbar + SSL access on port 8443 |
4. Open the panel in the browser:
| Access | URL |
|---|---|
| HTTP | http://DEINE-SERVER-IP |
| SSL (PVE certificate) | https://DEINE-SERVER-IP:8443 |
| Custom domain | https://admin.example.com (if --domain is set) |
| PVE Toolbar | FloppyOps button in the PVE web interface |
Log in with a PVE user with the Administrator role (Sys.Modify + Sys.PowerMgmt on /) or a Linux user that is root or in the sudo/wheel group. The panel checks the authorization after login, just like PVE itself. A valid ticket alone is not enough.
| Option | Description |
|---|---|
| `--domain FQDN` | Domain for the panel - enables nginx vHost + SSL via Certbot |
| `--dir /path` | Installation directory (default: /var/www/server-admin) |
| `--no-ssl` | Skip the Let's Encrypt SSL certificate |
The panel has a built-in self-update function (Updates tab). Updating manually works too:

```bash
cd /var/www/server-admin
bash update.sh
```

`bash update.sh` is the recommended update path for Git and non-Git installations.
- Git installations: fetch the latest code, validate the release file set, create a backup and synchronize the full app tree
- Non-Git installations: `bash update.sh --from /pfad/zu/floppyops-lite`
- `config.php` and `data/` are preserved
- For Git installations, the worktree must be clean
- The in-app update button uses the same `update.sh` backend path
Upgrading from a version BEFORE v1.3.1: the first update is still driven by your old `update.sh`, which only appends sudoers rules. For the hardened ruleset to take full effect (remove old `cp *`/`chmod *`/`pvesh *` catch-alls, add new scoped rules), run `bash update.sh` once more afterwards, or run `sudo bash setup.sh` once. From v1.3.1 onward a single `update.sh` run is enough: `/etc/sudoers.d/server-admin` is regenerated completely. Versions before v1.2.1 do not have `update.sh` yet: run `sudo bash setup.sh` once, after that `update.sh` works. See RELEASE_NOTES.md.
- FloppyOps PVE Manager (Full Version): floppyops.com
- Author: Florian Hesse - Comnic-IT