diff --git a/hosts/m3-hermes/secrets.nix b/hosts/m3-hermes/secrets.nix
index c6e2b98..a0bc85f 100644
--- a/hosts/m3-hermes/secrets.nix
+++ b/hosts/m3-hermes/secrets.nix
@@ -7,6 +7,9 @@
 hermes-cloud-env = {
 file = ../../secrets/hermes-cloud-env.age;
 };
+ hermes-api-server-key = {
+ file = ../../secrets/hermes-api-server-key.age;
+ };
 };
 };
 }
diff --git a/hosts/m3-hermes/services/default.nix b/hosts/m3-hermes/services/default.nix
index ea6a2d3..975b17e 100644
--- a/hosts/m3-hermes/services/default.nix
+++ b/hosts/m3-hermes/services/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./hermes-agent.nix
+ ./netbird.nix
 ];
 }
diff --git a/hosts/m3-hermes/services/hermes-agent.nix b/hosts/m3-hermes/services/hermes-agent.nix
index f7cfa8d..68fcf26 100644
--- a/hosts/m3-hermes/services/hermes-agent.nix
+++ b/hosts/m3-hermes/services/hermes-agent.nix
@@ -85,6 +85,7 @@ in {
 environmentFiles = [
 config.age.secrets."hermes-env".path
 config.age.secrets."hermes-cloud-env".path
+ config.age.secrets."hermes-api-server-key".path
 ];
 
 # Non-secret environment variables
@@ -94,6 +95,13 @@ in {
 GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";
 GIT_COMMITTER_NAME = "m3ta-chiron";
 GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";
+
+ # ── API Server (OpenAI-compatible, for Hermes Desktop App) ─────────
+ # Accessible via Netbird mesh VPN — not exposed to the public internet.
+ # Bind to 0.0.0.0 so the Netbird interface can reach it.
+ API_SERVER_ENABLED = "true";
+ API_SERVER_HOST = "0.0.0.0";
+ API_SERVER_PORT = "8642";
 };
 
 # ── Container mode (podman) ──────────────────────────────────────────
diff --git a/hosts/m3-hermes/services/netbird.nix b/hosts/m3-hermes/services/netbird.nix
new file mode 100644
index 0000000..16c6f70
--- /dev/null
+++ b/hosts/m3-hermes/services/netbird.nix
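Review bot: The comment above the new API_SERVER_HOST line states the server is "not exposed to the public internet", but nothing in this hunk enforces that — binding to 0.0.0.0 makes it listen on every interface, and whether 8642 is reachable from outside then depends on the NixOS firewall and, in container mode, on how podman publishes the port, both of which are outside the hunk. I would make the intent explicit in configuration rather than in a comment, e.g. `networking.firewall.interfaces.wt0.allowedTCPPorts = [ 8642 ];` (wt0 being the default Netbird interface name) so the port is admitted from the mesh only, and reword the comment to `# Reachable only over Netbird: the firewall admits 8642 on the tunnel interface only.`. The new environmentFiles entry for hermes-api-server-key in the first hunk deserves a one-line comment saying that this key is what authenticates API clients, since a listener on all interfaces should not rely on network position alone. The enclosing attribute set begins and ends outside both hunks.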
@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+ services.netbird.enable = true;
+
+ systemd.services.netbird = {
+ environment = {
+ NB_DISABLE_SSH_CONFIG = "true";
+ };
+ path = [
+ pkgs.shadow
+ pkgs.util-linux
+ ];
+ };
+
+ networking.firewall.checkReversePath = "loose";
+}
diff --git a/secrets.nix b/secrets.nix
index de36853..47fe3e4 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -52,6 +52,7 @@ in {
 "secrets/honcho-key.age".publicKeys = systems ++ users;
 "secrets/hermes-env.age".publicKeys = systems ++ users;
 "secrets/hermes-cloud-env.age".publicKeys = systems ++ users;
+ "secrets/hermes-api-server-key.age".publicKeys = systems ++ users;
 "secrets/hermes-gitea-token.age".publicKeys = systems ++ users;
 "secrets/tuwunel-registration-token.age".publicKeys = systems ++ users;
 }
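Review bot: `networking.firewall.checkReversePath = "loose";` relaxes reverse-path filtering for the whole host, not only the tunnel interface, and the new file gives no reason for it; a short why-comment should record the motivation, e.g. `# Netbird's WireGuard tunnel returns traffic via the tunnel interface; strict rp_filter would drop it.` — assuming that is why it was added. The `path = [ pkgs.shadow pkgs.util-linux ]` addition is likewise unexplained; naming the binaries netbird invokes from those packages would help the next reader. `NB_DISABLE_SSH_CONFIG = "true"` appears to turn off Netbird's SSH-server integration, which is appropriate for a host that should expose only the API server over the mesh, and is worth a one-line comment saying so. Note also that this file opens no firewall port for 8642 on the Netbird interface, so the mesh reachability the hermes-agent.nix comment claims is not established here; it depends on firewall or podman configuration outside this diff.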
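Review bot: The new `secrets/hermes-api-server-key.age` entry is encrypted to `systems ++ users`, i.e. every host key in `systems`, while the hermes-agent.nix hunk shows the key is consumed only by m3-hermes. This matches the neighbouring entries, so it is an existing pattern rather than a regression, but if `systems` covers more than one host, a recipient list limited to the m3-hermes host key (plus `users`) would restrict which machines can decrypt this host-specific secret; how `systems` is defined is not visible in the hunk.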