From 36b50e174f1f6a987f436b32e5c37aeb7d2f14b9 Mon Sep 17 00:00:00 2001
From: m3ta-chiron <m3ta-chiron@agentmail.to>
Date: Mon, 11 May 2026 11:39:37 +0200
Subject: [PATCH] fix(m3-hermes): add --insecure flag to dashboard for 0.0.0.0
 binding

The dashboard refuses to bind to non-localhost without --insecure.
Safe here because firewall restricts port 9119 to Netbird mesh (100.64.0.0/16).
---
 hosts/m3-hermes/services/hermes-dashboard.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hosts/m3-hermes/services/hermes-dashboard.nix b/hosts/m3-hermes/services/hermes-dashboard.nix
index 20b93de..1480dbd 100644
--- a/hosts/m3-hermes/services/hermes-dashboard.nix
+++ b/hosts/m3-hermes/services/hermes-dashboard.nix
@@ -24,7 +24,9 @@ in {
       User = "hermes";
       Group = "hermes";
 
-      ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open";
+      # --insecure: required to bind 0.0.0.0 (default refuses non-localhost).
+      # Safe because firewall restricts port 9119 to Netbird mesh only.
+      ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
 
       # Environment matching the hermes-agent service
       Environment = [
-- 
2.54.0