feat(m3-hermes): add Netbird mesh VPN + enable API server for Hermes Desktop

2026-05-10 11:46:21 +02:00
parent 1544764f37
commit c6df5d3836
5 changed files with 28 additions and 0 deletions
@@ -7,6 +7,9 @@
      hermes-cloud-env = {
        file = ../../secrets/hermes-cloud-env.age;
      };
+      hermes-api-server-key = {
+        file = ../../secrets/hermes-api-server-key.age;
+      };
    };
  };
 }
@@ -1,5 +1,6 @@
 {
  imports = [
    ./hermes-agent.nix
+    ./netbird.nix
  ];
 }
@@ -85,6 +85,7 @@ in {
    environmentFiles = [
      config.age.secrets."hermes-env".path
      config.age.secrets."hermes-cloud-env".path
+      config.age.secrets."hermes-api-server-key".path
    ];

    # Non-secret environment variables
@@ -94,6 +95,13 @@ in {
      GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";
      GIT_COMMITTER_NAME = "m3ta-chiron";
      GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";
+
+      # ── API Server (OpenAI-compatible, for Hermes Desktop App) ─────────
+      # Accessible via Netbird mesh VPN — not exposed to the public internet.
+      # Bind to 0.0.0.0 so the Netbird interface can reach it.
+      API_SERVER_ENABLED = "true";
+      API_SERVER_HOST = "0.0.0.0";
+      API_SERVER_PORT = "8642";
    };

    # ── Container mode (podman) ──────────────────────────────────────────
@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+  services.netbird.enable = true;
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+    };
+    path = [
+      pkgs.shadow
+      pkgs.util-linux
+    ];
+  };
+
+  networking.firewall.checkReversePath = "loose";
+}