feat(m3-hermes): add Hermes Dashboard as systemd service with Netbird-only firewall

- New hermes-dashboard.service: runs 'hermes dashboard' on 0.0.0.0:9119
- Firewall restricts port 9119 to Netbird mesh VPN range (100.64.0.0/16)
- Runs as hermes user with NoNewPrivileges + ProtectSystem hardening
- Depends on hermes-agent.service (starts after gateway)
- Added placeholder hermes-api-server-key.age (needs real encryption on host)

This commit is contained in:

m3ta-chiron

2026-05-11 11:19:21 +02:00

parent e743808d2b

commit 20bd28d567

3 changed files with 64 additions and 0 deletions

									
										hosts/m3-hermes/services/default.nix
									
		+1
		
												View File
												
				@@ -1,6 +1,7 @@

				{

				  imports = [

				    ./hermes-agent.nix

				    ./hermes-dashboard.nix

				    ./netbird.nix

				  ];

				}