feat(m3-hermes): Hermes Dashboard as systemd service with Netbird-only firewall #13

Merged
m3tam3re merged 1 commits from feat/hermes-dashboard-service into master 2026-05-11 11:26:52 +02:00
Collaborator

Summary

Adds the Hermes Agent Web Dashboard as a dedicated systemd service, accessible only from the Netbird mesh VPN.

Changes

New: hosts/m3-hermes/services/hermes-dashboard.nix

  • hermes-dashboard.service — runs hermes dashboard --host 0.0.0.0 --port 9119 --no-open
  • Starts after hermes-agent.service (gateway must be up)
  • Runs as hermes user with security hardening (NoNewPrivileges, ProtectSystem=strict, PrivateTmp)
  • Auto-restarts on failure (5s delay)

Firewall

  • Port 9119/tcp restricted to Netbird mesh range 100.64.0.0/16 via extraCommands
  • Not accessible from the public internet

Other

  • Added placeholder secrets/hermes-api-server-key.age (was missing from PR #12 — needs real encryption on host)
  • Updated services/default.nix to import the new module

Access after deploy

http://100.81.231.152:9119   (Netbird mesh IP)

Post-merge steps

  1. Re-encrypt secrets/hermes-api-server-key.age on host with agenix -e
  2. sudo nixos-rebuild switch --flake .#m3-hermes
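As an added illustration of the configuration shape the description above lays out (this is an example module, not the PR's own `hosts/m3-hermes/services/hermes-dashboard.nix`), the following NixOS module wires a hardened `hermes-dashboard.service` to the iptables-based firewall so that port 9119 is reachable only from the Netbird mesh range. It assumes a `hermes` package in `pkgs`, an existing `hermes` system user and group, and a `hermes-agent.service` defined elsewhere; the `ProtectHome`, `ProtectKernel*` and `RestrictAddressFamilies` directives go beyond the three hardening options the PR names and are suggestions, not part of the merged change.

```nix
# Added example module (not the PR's hermes-dashboard.nix).
# Assumptions: pkgs.hermes exists, the `hermes` user/group exist,
# and hermes-agent.service is defined in another module.
{ config, lib, pkgs, ... }:

let
  dashboardPort = 9119;
  meshRange = "100.64.0.0/16";   # Netbird mesh range, as stated in the PR
in
{
  systemd.services.hermes-dashboard = {
    description = "Hermes Agent Web Dashboard";
    # Gateway must be up first: order after it and pull it in.
    after = [ "network-online.target" "hermes-agent.service" ];
    requires = [ "hermes-agent.service" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.hermes}/bin/hermes dashboard --host 0.0.0.0 --port ${toString dashboardPort} --no-open";
      User = "hermes";
      Group = "hermes";
      Restart = "on-failure";
      RestartSec = "5s";

      # The three hardening directives named in the PR description.
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      PrivateTmp = true;

      # Suggested additions (not in the PR): shrink what a compromised
      # dashboard process could reach.
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      LockPersonality = true;
    };
  };

  # Deliberately NOT in networking.firewall.allowedTCPPorts: that would open
  # 9119 on every interface. Instead, accept only from the mesh range and
  # refuse the rest explicitly, so the rule does not rely on the default
  # policy of the nixos-fw chain. nixos-fw, nixos-fw-accept and
  # nixos-fw-refuse are the chains the iptables-based NixOS firewall creates.
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp --dport ${toString dashboardPort} -s ${meshRange} -j nixos-fw-accept
    iptables -A nixos-fw -p tcp --dport ${toString dashboardPort} -j nixos-fw-refuse
  '';
}
```

Two things a reviewer would check on the real module: `networking.firewall.extraCommands` is honoured only by the iptables backend, so the rules silently do nothing if `networking.nftables.enable = true`; and because the dashboard binds `0.0.0.0`, the firewall rule is the sole access control, so after `nixos-rebuild switch` it is worth confirming from a non-mesh address that port 9119 is refused and from the mesh that it is accepted (for example with `iptables -L nixos-fw -n` on the host and a connection attempt from each side).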
m3ta-chiron added 1 commit 2026-05-11 11:25:35 +02:00
- New hermes-dashboard.service: runs 'hermes dashboard' on 0.0.0.0:9119
- Firewall restricts port 9119 to Netbird mesh VPN range (100.64.0.0/16)
- Runs as hermes user with NoNewPrivileges + ProtectSystem hardening
- Depends on hermes-agent.service (starts after gateway)
- Added placeholder hermes-api-server-key.age (needs real encryption on host)
m3tam3re merged commit 72ef896297 into master 2026-05-11 11:26:52 +02:00
Reference: m3tam3re/nixos-config#13