diff --git a/ai/compose.yml b/ai/compose.yml
index 17d6170..8697395 100644
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -39,6 +39,7 @@ services:
 command: gateway run
 environment:
 - OLLAMA_HOST=http://ollama:11434
+ - HERMES_DASHBOARD=1
 - API_SERVER_ENABLED=true
 - API_SERVER_PORT=8642
 - API_SERVER_HOST=0.0.0.0
@@ -76,11 +77,17 @@ services:
 - "traefik.http.routers.hermes-web-http.entrypoints=web"
 - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
- # Router for HTTPS with TLS
+ # Router for HTTPS with TLS — protected by Authelia
 - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
 - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
 - "traefik.http.routers.hermes-web-https.tls=true"
 - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+ - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+ # Authelia forwardAuth
+ - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+ - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+ - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 # Service Loadbalancer (dashboard port 9119)
 - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"
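Review bot: In the second hunk, the `authresponseheaders` list names `X-Forwarded-User,X-Forwarded-Groups`, but Authelia's documented identity headers are `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email`. If that holds for the deployed version, no identity is copied to the backend and a client-sent `Remote-User` is not stripped, because Traefik only touches headers on this list. I would use `...forwardauth.authresponseheaders=Remote-User,Remote-Groups` and confirm which header the dashboard actually reads. Separately, `forwardauth.trustforwardheader=true` is only safe if the `websecure` entrypoint itself discards untrusted `X-Forwarded-*` headers (no `forwardedHeaders.insecure`, a narrow `trustedIPs`), which is configured outside this hunk. The middleware is attached only to `hermes-web-https`, and the first hunk turns the dashboard on with `HERMES_DASHBOARD=1`, so it is worth verifying that no published port or other router reaches 9119 or the API on 8642 without passing through `hermes-auth`.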