feat: Hermes Dashboard via m3-atlas Traefik with TLS + Netbird-only access

m3-hermes:
- Add --insecure flag (required for 0.0.0.0 bind, safe behind Netbird firewall)
- Update comments to document the Traefik proxy flow

m3-atlas Traefik:
- New service: hermes-dashboard → http://100.81.231.152:9119 (Netbird)
- New router: dash.m3ta.dev with GoDaddy TLS cert
- New middleware: netbird-only (IP whitelist 100.64.0.0/16)

Flow: Browser → dash.m3ta.dev (TLS) → Traefik → Netbird → m3-hermes:9119
2026-05-11 15:53:04 +02:00
parent e6f184f24a
commit fc39e05beb
2 changed files with 30 additions and 5 deletions
@@ -4,7 +4,8 @@
inputs,
...
}: let
# Netbird mesh VPN range — dashboard only accessible from mesh peers
# Netbird mesh VPN range — dashboard only accessible from mesh peers.
# m3-atlas Traefik proxies to this port over Netbird.
netbirdRange = "100.64.0.0/16";
# Reference the hermes-agent package from the running service config
@@ -12,7 +13,11 @@
in {
# ── Hermes Dashboard systemd service ───────────────────────────────────
# Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc.
# Binds to 0.0.0.0:9119 but firewall restricts to Netbird mesh only.
#
# Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :9119
#
# --insecure is required to bind 0.0.0.0 (hermes refuses non-localhost otherwise).
# Safe because firewall restricts port 9119 to Netbird mesh only.
systemd.services.hermes-dashboard = {
description = "Hermes Agent Web Dashboard";
after = ["network.target" "hermes-agent.service"];
@@ -24,7 +29,7 @@ in {
User = "hermes";
Group = "hermes";
ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open";
ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
# Environment matching the hermes-agent service
Environment = [
@@ -48,8 +53,6 @@ in {
# ── Firewall: Dashboard only from Netbird mesh ─────────────────────────
networking.firewall = {
# Use extraCommands for source-IP-restricted port (NixOS firewall
# allowedTCPPorts is all-or-nothing per port).
extraCommands = ''
# Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN
ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept