feat(m3-hermes): add Hermes Dashboard as systemd service with Netbird-only firewall

- New hermes-dashboard.service: runs 'hermes dashboard' on 0.0.0.0:9119
- Firewall restricts port 9119 to Netbird mesh VPN range (100.64.0.0/16)
- Runs as hermes user with NoNewPrivileges + ProtectSystem hardening
- Depends on hermes-agent.service (starts after gateway)
- Added placeholder hermes-api-server-key.age (needs real encryption on host)

secrets/hermes-api-server-key.age

@@ -0,0 +1 @@
+placeholder