From ebad994d6096a720eadfe9b967b21c62644d4b16 Mon Sep 17 00:00:00 2001
From: Hermes <hermes@lazyworkhorse.net>
Date: Wed, 20 May 2026 14:06:23 -0400
Subject: [PATCH] feat(hermes): enable dashboard (HERMES_DASHBOARD=1) +
 Authelia auth

---
 ai/compose.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ai/compose.yml b/ai/compose.yml
index 17d6170..8697395 100644
--- a/ai/compose.yml
+++ b/ai/compose.yml
@@ -39,6 +39,7 @@ services:
     command: gateway run
     environment:
       - OLLAMA_HOST=http://ollama:11434
+      - HERMES_DASHBOARD=1
       - API_SERVER_ENABLED=true
       - API_SERVER_PORT=8642
       - API_SERVER_HOST=0.0.0.0
@@ -76,11 +77,17 @@ services:
       - "traefik.http.routers.hermes-web-http.entrypoints=web"
       - "traefik.http.routers.hermes-web-http.middlewares=redirect-to-https"
 
-      # Router for HTTPS with TLS
+      # Router for HTTPS with TLS — protected by Authelia
       - "traefik.http.routers.hermes-web-https.rule=Host(`hermes.lazyworkhorse.net`)"
       - "traefik.http.routers.hermes-web-https.entrypoints=websecure"
       - "traefik.http.routers.hermes-web-https.tls=true"
       - "traefik.http.routers.hermes-web-https.tls.certresolver=njalla"
+      - "traefik.http.routers.hermes-web-https.middlewares=hermes-auth"
+
+      # Authelia forwardAuth
+      - "traefik.http.middlewares.hermes-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lazyworkhorse.net/"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.trustforwardheader=true"
+      - "traefik.http.middlewares.hermes-auth.forwardauth.authresponseheaders=X-Forwarded-User,X-Forwarded-Groups"
 
       # Service Loadbalancer (dashboard port 9119)
       - "traefik.http.services.hermes-web.loadbalancer.server.port=9119"