diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index 19ad78ec..e0b5d635 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml @@ -31,6 +31,13 @@ releases: autoDirectNodeRoutes: true routingMode: native +- name: cozy-proxy + releaseName: cozystack + chart: cozy-cozy-proxy + namespace: cozy-system + optional: true + dependsOn: [cilium] + - name: cert-manager-crds releaseName: cert-manager-crds chart: cozy-cert-manager-crds diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 328d0bbb..30733b4a 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -50,6 +50,12 @@ releases: SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}" JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}" +- name: cozy-proxy + releaseName: cozystack + chart: cozy-cozy-proxy + namespace: cozy-system + dependsOn: [cilium,kubeovn] + - name: cert-manager-crds releaseName: cert-manager-crds chart: cozy-cert-manager-crds diff --git a/packages/system/cozy-proxy/Chart.yaml b/packages/system/cozy-proxy/Chart.yaml new file mode 100644 index 00000000..5dd1730b --- /dev/null +++ b/packages/system/cozy-proxy/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-cozystack-api +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/cozy-proxy/Makefile b/packages/system/cozy-proxy/Makefile new file mode 100644 index 00000000..0b679c2a --- /dev/null +++ b/packages/system/cozy-proxy/Makefile 
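Review bot: The new `cozy-proxy` entry sets `releaseName: cozystack`, which does not match the component and looks copied from another entry. If another release in `cozy-system` already uses that name, the two Helm releases would overwrite each other's state; `releaseName: cozy-proxy` would match the `fullnameOverride: cozy-proxy` set in the package values. The same line appears in the paas-full.yaml hunk, where the entry also lacks the `optional: true` it carries here; if that difference is intended, a comment saying why would help. The `releases:` list continues outside both hunks, so whether the name actually collides cannot be confirmed from this page.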
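Review bot: `name: cozy-cozystack-api` in the new packages/system/cozy-proxy/Chart.yaml does not match the package. Both bundle files reference it as `chart: cozy-cozy-proxy`, so the line should read `name: cozy-cozy-proxy`. If the platform resolves charts by this name, the release would presumably either fail to resolve or pick up a different package's chart.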
@@ -0,0 +1,11 @@ +NAME=cozy-proxy +NAMESPACE=cozy-system + +include ../../../scripts/common-envs.mk +include ../../../scripts/package.mk + +update: + rm -rf charts + tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/aenix-io/cozy-proxy | awk -F'[/^]' 'END{print $$3}') && \ + curl -sSL https://github.com/aenix-io/cozy-proxy/archive/refs/tags/$${tag}.tar.gz | \ + tar xzvf - --strip 1 cozy-proxy-$${tag#*v}/charts diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml new file mode 100644 index 00000000..72cbe4e1 --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: cozy-proxy +description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend +type: application +version: 0.1.0 +appVersion: 0.1.0 diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl b/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl new file mode 100644 index 00000000..9da6b02e --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl 
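Review bot: The `update` target unpacks whatever the newest upstream tag is when it runs, straight from `curl | tar`, with no pinned version and no integrity check, and the vendored result is a chart that deploys a privileged DaemonSet. Pinning the tag in the Makefile and checking the archive against a recorded digest before extraction (for example `sha256sum -c` against a checked-in value) would make the vendored content reproducible and reviewable. At minimum use `curl -fsSL` so an HTTP error fails the recipe instead of feeding an error page to tar. Because `awk ... 'END{print $$3}'` takes the last ref that `git ls-remote` lists, a pre-release tag may also be selected if upstream publishes one.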
@@ -0,0 +1,24 @@ +{{- define "cozy-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "cozy-proxy.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- if eq .Release.Name $name }} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "cozy-proxy.labels" -}} +helm.sh/chart: {{ include "cozy-proxy.name" . }}-{{ .Chart.Version | replace "+" "_" }} +app.kubernetes.io/name: {{ include "cozy-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml new file mode 100644 index 00000000..5816a8f9 --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "cozy-proxy.fullname" . }} + labels: + {{- include "cozy-proxy.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ include "cozy-proxy.name" . }} + template: + metadata: + labels: + app: {{ include "cozy-proxy.name" . }} + annotations: + {{- toYaml .Values.daemonset.podAnnotations | nindent 8 }} + spec: + serviceAccountName: {{ include "cozy-proxy.fullname" . }} + hostNetwork: {{ .Values.daemonset.hostNetwork }} + containers: + - name: cozy-proxy + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + privileged: true + capabilities: + add: ["NET_ADMIN"] 
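Review bot: In daemonset.yaml the container's `securityContext` sets `privileged: true` and then adds `NET_ADMIN`, but a privileged container already holds every capability and has host device access, so the `capabilities` entry has no effect. The pod therefore runs on every node, on the host network, with far more access than programming nftables should need. If NET_ADMIN is enough for the NFT backend (to be confirmed by testing; NET_RAW may also be required), replace the flag with `privileged: false` and `allowPrivilegeEscalation: false`, and put `drop: ["ALL"]` next to the existing `add: ["NET_ADMIN"]`. The template also sets no resource requests or limits and never reads `daemonset.podLabels` from values.yaml. This chart appears to be vendored by the Makefile's `update` target, so the change belongs upstream or behind a value the wrapper package can override.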
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml new file mode 100644 index 00000000..5e80fe1e --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml @@ -0,0 +1,12 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cozy-proxy.fullname" . }} + labels: + {{- include "cozy-proxy.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["services", "endpoints"] + verbs: ["get", "list", "watch"] +{{- end }} diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml new file mode 100644 index 00000000..b295e83a --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cozy-proxy.fullname" . }} + labels: + {{- include "cozy-proxy.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "cozy-proxy.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "cozy-proxy.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml new file mode 100644 index 00000000..18b1a256 --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "cozy-proxy.fullname" . }} + labels: + {{- include "cozy-proxy.labels" . | nindent 4 }} +{{- end }} 
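Review bot: serviceaccount.yaml creates the ServiceAccount only when `rbac.create` is true, but daemonset.yaml sets `serviceAccountName: {{ include "cozy-proxy.fullname" . }}` unconditionally. Installing with `rbac.create: false` therefore leaves the DaemonSet pointing at an account this chart does not create, and its pods cannot be created unless one is supplied out of band. Either gate the account on its own values (the usual `serviceAccount.create` / `serviceAccount.name` pair) or add a comment on `rbac.create` stating that the operator must pre-create the account and binding. The ClusterRole in role.yaml is read-only on `services` and `endpoints`, which is an appropriately narrow grant for the API side.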
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml new file mode 100644 index 00000000..57d246b5 --- /dev/null +++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml @@ -0,0 +1,12 @@ +image: + repository: ghcr.io/aenix-io/cozystack/cozy-proxy + tag: v0.1.0 + pullPolicy: IfNotPresent + +daemonset: + hostNetwork: true + podAnnotations: {} + podLabels: {} + +rbac: + create: true diff --git a/packages/system/cozy-proxy/values.yaml b/packages/system/cozy-proxy/values.yaml new file mode 100644 index 00000000..33b034fc --- /dev/null +++ b/packages/system/cozy-proxy/values.yaml @@ -0,0 +1,2 @@ +cozy-proxy: + fullnameOverride: cozy-proxy
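Review bot: `tag: v0.1.0` with `pullPolicy: IfNotPresent` in the chart's values.yaml identifies the image by a mutable tag. The image runs privileged on the host network of every node, so a re-pushed tag would run with node-level access on any node that has not cached the old one. Since the template renders `repository:tag`, a digest can be carried in the tag value, e.g. `tag: v0.1.0@sha256:<digest>` (placeholder; take the real digest from the registry). It can be set either here or as an override under `cozy-proxy.image` in packages/system/cozy-proxy/values.yaml. Separately, `podLabels: {}` is declared but no template on this page reads it.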