Files
truenas-stacks/home/doris-dashboard/docs/hermes-dashboard-trusted-access-apply-2026-05-24.md
Fizzlepoof 6659fd929f
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
ops: record hermes dashboard trusted access slice
2026-05-25 15:40:03 +00:00

3.5 KiB

Hermes dashboard Trusted-only Policy Engine apply — 2026-05-24

Live change summary

Applied the narrow UniFi Policy Engine service slice that makes the Hermes dashboard on Nomad effectively Trusted-only.

Dashboard endpoint:

  • 10.5.30.7:9119

Apply time artifact stamp:

  • 2026-05-24-061715

What changed

Created these two custom firewall policies:

  1. Allow Trusted to Hermes Dashboard
  • id: 6a1297eefb913dd84d4a3fbb
  • action: ALLOW
  • protocol: tcp
  • source: 10.5.1.0/24
  • destination: 10.5.30.7
  • destination port: 9119
  • schedule: ALWAYS
  1. Block Management and Servers to Hermes Dashboard
  • id: 6a1297eefb913dd84d4a3fc0
  • action: BLOCK
  • protocol: tcp
  • source: 10.5.0.0/24, 10.5.30.0/24
  • destination: 10.5.30.7
  • destination port: 9119
  • schedule: ALWAYS

Verification result

  • Pre-apply baseline did not already contain either Hermes-dashboard policy.
  • Post-apply readback shows both rules present as non-predefined custom policies.
  • Apply helper returned no API errors.

Artifacts

Baselines and apply output saved in:

  • home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-pre-hermes-dashboard-slice.json
  • home/doris-dashboard/docs/baselines/unifi-hermes-dashboard-policy-apply-2026-05-24-061715.json
  • home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-post-hermes-dashboard-slice.json

Helper added to repo and copied to PD runtime for repeatable staging/apply:

  • repo: automation/bin/unifi_stage_hermes_dashboard_policy.py
  • PD runtime: /mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_hermes_dashboard_policy.py

Representative lane probe after apply

Follow-up live check from PD showed an important enforcement caveat.

From PD (10.5.30.6) to Nomad (10.5.30.7:9119):

  • direct TCP connect succeeded
  • HTTP GET succeeded with 200 OK
  • route on PD is on-link: 10.5.30.7 dev enp3s0f0 src 10.5.30.6

Interpretation:

  • PD and Nomad are both on the Servers subnet (10.5.30.0/24)
  • this flow stays L2-local and does not traverse the UniFi gateway
  • therefore the gateway Policy Engine block does not stop PD from reaching the dashboard even though the custom rule exists

What the current rule set still likely achieves:

  • Trusted clients on 10.5.1.0/24 can reach the dashboard
  • routed Management-lane access should still be governed by the custom block
  • same-subnet Servers peers are not isolated by this gateway-only approach

Operator validation still worth doing

Because same-subnet east-west traffic bypasses the gateway enforcement point, the right checks are now:

  • from a Trusted client: confirm http://hermes.home.paccoco.com:9119 or the intended dashboard URL still loads
  • from a Management client on a different subnet: confirm 10.5.30.7:9119 is blocked
  • do not treat PD->Nomad reachability as proof the rule failed globally; it specifically proves intra-subnet server peers need host-local enforcement if they must be excluded

If true Trusted-only must exclude PD and other Servers peers

Use one of these instead of relying only on the gateway policy:

  • add a host firewall on Nomad permitting only Trusted-source addresses/subnets to port 9119
  • move the dashboard to a lane where disallowed sources must cross a routed boundary
  • use switch/ACL mechanisms that can enforce same-subnet isolation if available

Rollback

Fastest rollback is to delete the two Hermes-dashboard custom rules by id or rerun a small helper update that disables/removes them:

  • 6a1297eefb913dd84d4a3fbb
  • 6a1297eefb913dd84d4a3fc0