m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Optimize Hermes Nix service configuration

Browse Source
This commit is contained in:
m3ta-chiron
2026-05-23 08:55:05 +02:00
parent 1bd78b5de8
commit b49d5c4f72
3 changed files with 33 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/m3-hermes/services/hermes-dashboard.nix
+11 -7
View File
@@ -7,6 +7,8 @@
# Netbird mesh VPN range — dashboard only accessible from mesh peers.
# m3-atlas Traefik proxies to this port over Netbird.
netbirdRange = "100.64.0.0/16";
apiPort = config.m3ta.ports.get "hermes-api";
dashboardPort = config.m3ta.ports.get "hermes-dashboard";
# Reference the hermes-agent package from the running service config
hermesPkg = config.services.hermes-agent.package or (inputs.hermes-agent.packages.${pkgs.stdenv.hostPlatform.system}.default or pkgs.hermes-agent);
@@ -14,10 +16,10 @@ in {
# ── Hermes Dashboard systemd service ───────────────────────────────────
# Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc.
#
# Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :9119
# Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :${toString dashboardPort}
#
# --insecure is required to bind 0.0.0.0 (hermes refuses non-localhost otherwise).
# Safe because firewall restricts port 9119 to Netbird mesh only.
# Safe because firewall restricts the dashboard/API ports to Netbird mesh only.
systemd.services.hermes-dashboard = {
description = "Hermes Agent Web Dashboard";
after = ["network.target" "hermes-agent.service"];
@@ -29,7 +31,7 @@ in {
User = "hermes";
Group = "hermes";
ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port ${toString dashboardPort} --no-open --insecure";
# Environment matching the hermes-agent service
Environment = [
@@ -51,15 +53,17 @@ in {
};
};
# ── Firewall: Dashboard only from Netbird mesh ─────────────────────────
# ── Firewall: Hermes network endpoints only from Netbird mesh ──────────
networking.firewall = {
extraCommands = ''
# Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN
ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept
# Allow Hermes Dashboard and OpenAI-compatible API only from Netbird mesh VPN
ip46tables -A nixos-fw -p tcp --dport ${toString dashboardPort} -s ${netbirdRange} -j nixos-fw-accept
ip46tables -A nixos-fw -p tcp --dport ${toString apiPort} -s ${netbirdRange} -j nixos-fw-accept
'';
extraStopCommands = ''
ip46tables -D nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
ip46tables -D nixos-fw -p tcp --dport ${toString dashboardPort} -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
ip46tables -D nixos-fw -p tcp --dport ${toString apiPort} -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
'';
};
}