feat: Hermes Dashboard via m3-atlas Traefik (TLS + Netbird-only) #15

Merged
m3tam3re merged 1 commits from feat/hermes-dashboard-traefik into master 2026-05-11 16:09:53 +02:00
Collaborator

Architecture

Browser (Netbird) → dash.m3ta.dev (TLS) → m3-atlas Traefik → Netbird → m3-hermes:9119

Changes

m3-hermes (hermes-dashboard.nix)

  • Add --insecure flag — required to bind 0.0.0.0 (hermes refuses non-localhost without it)
  • Safe because firewall already restricts port 9119 to Netbird mesh (100.64.0.0/16)
  • Updated comments documenting the Traefik proxy flow

m3-atlas (traefik.nix)

  • New service: hermes-dashboard → http://100.81.231.152:9119 (m3-hermes via Netbird)
  • New router: dash.m3ta.dev with GoDaddy ACME TLS certificate
  • New middleware: netbird-only — IP whitelist restricting to 100.64.0.0/16

Access

https://dash.m3ta.dev — only reachable from Netbird mesh peers (IP whitelist + firewall).

Supersedes

  • PR #14 (this replaces the --insecure fix with the full Traefik setup)

DNS

dash.m3ta.dev needs to point to m3-atlas (152.53.85.162). May already be handled or needs a DNS record.

m3ta-chiron added 1 commit 2026-05-11 15:54:08 +02:00
m3-hermes:
- Add --insecure flag (required for 0.0.0.0 bind, safe behind Netbird firewall)
- Update comments to document the Traefik proxy flow

m3-atlas Traefik:
- New service: hermes-dashboard → http://100.81.231.152:9119 (Netbird)
- New router: dash.m3ta.dev with GoDaddy TLS cert
- New middleware: netbird-only (IP whitelist 100.64.0.0/16)

Flow: Browser → dash.m3ta.dev (TLS) → Traefik → Netbird → m3-hermes:9119
m3tam3re merged commit 354791f252 into master 2026-05-11 16:09:53 +02:00
m3tam3re deleted branch feat/hermes-dashboard-traefik 2026-05-11 16:09:53 +02:00
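
A consistency check on the addresses quoted in this PR, as an added example that is not part of the PR or the repository: it tests whether a source address passes the 100.64.0.0/16 allowlist and reports the narrowest widening of that prefix that would admit it. Only the CIDR and the upstream address come from the description; the sample source addresses and all function names are constructed for illustration.

```python
import ipaddress

# Values quoted from the PR description.
ALLOWLIST = "100.64.0.0/16"   # netbird-only middleware and the port 9119 firewall rule
UPSTREAM = "100.81.231.152"   # m3-hermes as addressed by the Traefik service

# Constructed sample sources (not from the page): one inside the /16,
# one elsewhere in the 100.64.0.0/10 shared address space, one public.
SAMPLE_SOURCES = ["100.64.12.7", "100.81.40.2", "203.0.113.10"]


def is_allowed(source, allowlist=ALLOWLIST):
    """True when the source address falls inside the allowlisted network."""
    return ipaddress.ip_address(source) in ipaddress.ip_network(allowlist)


def smallest_cover(allowlist, address):
    """Widen the allowlist one prefix bit at a time until it contains address.

    The result shows how far the configured range is from an address that is
    expected to be inside it. It is a diagnostic, not a suggested setting.
    """
    net = ipaddress.ip_network(allowlist)
    addr = ipaddress.ip_address(address)
    while addr not in net:
        net = net.supernet()  # ends at 0.0.0.0/0, which contains everything
    return net


def audit(allowlist, addresses):
    """Map each address to (allowed, narrowest prefix that would admit it)."""
    return {
        a: (is_allowed(a, allowlist), str(smallest_cover(allowlist, a)))
        for a in addresses
    }


if __name__ == "__main__":
    for addr, (ok, cover) in audit(ALLOWLIST, [UPSTREAM] + SAMPLE_SOURCES).items():
        verdict = "allowed" if ok else "rejected"
        print(f"{addr:<16} {verdict:<9} narrowest admitting prefix: {cover}")
```

With the values above, 100.81.231.152 is outside 100.64.0.0/16, so it is worth confirming which range the mesh actually assigns to its peers before relying on the allowlist and the firewall rule.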
Reference: m3tam3re/nixos-config#15