feat: Hermes Dashboard via m3-atlas Traefik with TLS + Netbird-only access

m3-hermes:
- Add --insecure flag (required for 0.0.0.0 bind, safe behind Netbird firewall)
- Update comments to document the Traefik proxy flow

m3-atlas Traefik:
- New service: hermes-dashboard → http://100.81.231.152:9119 (Netbird)
- New router: dash.m3ta.dev with GoDaddy TLS cert
- New middleware: netbird-only (IP whitelist 100.64.0.0/16)

Flow: Browser → dash.m3ta.dev (TLS) → Traefik → Netbird → m3-hermes:9119

hosts/m3-atlas/services/traefik.nix

@@ -43,6 +43,12 @@
     dynamicConfigOptions = {
       http = {
         services = {
+          # ── Hermes Dashboard (m3-hermes over Netbird) ────────────────
+          hermes-dashboard = {
+            loadBalancer.servers = [
+              {url = "http://100.81.231.152:9119";}
+            ];
+          };
           dummy = {
             loadBalancer.servers = [
               {url = "http://192.168.0.1";} # Diese URL wird nie verwendet
@@ -50,6 +56,12 @@
           };
         };
         middlewares = {
+          # Hermes Dashboard — Netbird mesh only
+          netbird-only = {
+            ipWhiteList = {
+              sourceRange = ["100.64.0.0/16"];
+            };
+          };
           domain-redirect = {
             redirectRegex = {
               regex = "^https://www\\.m3tam3re\\.com(.*)";
@@ -79,6 +91,16 @@
         };
 
         routers = {
+          # ── Hermes Dashboard — Netbird mesh only ─────────────────────
+          hermes-dashboard = {
+            rule = "Host(`dash.m3ta.dev`)";
+            service = "hermes-dashboard";
+            middlewares = ["netbird-only"];
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
           api = {
             rule = "Host(`r.m3tam3re.com`)";
             service = "api@internal";