Self-Host Hermes Agent on a Hetzner VPS: A Practical Guide
Updated on May 7, 2026
Run Nous Research's open-source Hermes Agent 24/7 on a €5 Hetzner VPS. Step-by-step setup with Telegram integration, systemd persistence, and security hardening.
Hermes Agent (from Nous Research) is one of the more interesting open-source agents out there. It is not a chatbot. It runs a learning loop that builds and refines its own skills, persists memory across sessions, searches past conversations, models the user, runs scheduled jobs, and plugs into messaging apps like Telegram.
If you are still picking between options, I covered Hermes alongside six other open-source agents in the 2026 open-source AI agent frameworks roundup. This guide assumes you have already decided on Hermes and want it running on a server.
You can run it on a laptop. It works. But the moment you close the lid, your "always on" agent stops being always on. A small VPS fixes that. You get 24/7 uptime, scheduled automations that actually fire, remote access from your phone over Telegram, and zero battery drain on your local machine.
A Hetzner CX22 or CPX21 box runs around €5 to €10 a month. No GPU required. The agent itself is a lightweight Python and Node process. Inference goes out to OpenRouter, Anthropic, or the Nous portal, so the VPS only needs to hold the agent, its memory store, and a few skills.
This guide walks through the full setup: provisioning the box, hardening it, installing Hermes, wiring up Telegram, and running it as a systemd service that survives reboots.
Why Hetzner for this
Three reasons.
- Cheap and reliable. A CX22 with 2 vCPU, 4 GB RAM, and 40 GB NVMe is enough. Around €5 a month. The CPX21 doubles cores and is still under €10.
- No GPU needed for the standard setup. LLM calls go out to a hosted provider. You only need a GPU server if you want fully local inference via Ollama or vLLM, which is a different post.
- Full control. SSH access, optional Docker, easy systemd. No managed-platform lock-in.
Minimum I would recommend: 2 vCPU, 4 GB RAM, 20 GB disk. That gives you headroom for the agent process, its skill store, and a few background jobs without thrashing.
Step 1: Provision the box
Sign in at hetzner.com/cloud and create a new server.
- OS: Ubuntu 24.04 LTS (or 22.04 if you have a reason).
- Plan: CPX21 is a good default. CX22 if you want to start cheaper.
- Add your SSH public key during creation. SSH key beats a root password every time.
- Note the public IP after deploy.
First SSH in:
ssh root@YOUR-HETZNER-IP
Patch the system before doing anything else:
apt update && apt upgrade -y
apt install -y curl git ufw
Step 2: Lock the server down
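Running an always-on agent as root is asking for trouble. Make a dedicated user. Keep in mind that the NOPASSWD:ALL sudoers rule below still lets anything running as hermes become root through sudo, so the separation only holds once that file is removed or narrowed.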
adduser hermes --disabled-password --gecos ""
usermod -aG sudo hermes
echo "hermes ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/hermes
chmod 440 /etc/sudoers.d/hermes
mkdir -p /home/hermes/.ssh
cp ~/.ssh/authorized_keys /home/hermes/.ssh/ 2>/dev/null || true
chown -R hermes:hermes /home/hermes/.ssh
chmod 700 /home/hermes/.ssh
chmod 600 /home/hermes/.ssh/authorized_keys
Switch over:
su - hermes
Turn on a basic firewall. Default deny inbound, allow SSH:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
Optional and recommended: install Tailscale and put SSH behind your tailnet. Then the public SSH port can go away entirely. That alone cuts most of the noise from drive-by scanners.
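The firewall posture from this step can be verified after the fact. The function below is an added example (not from the guide or the Hermes project; the function name is made up) that reads the text of ufw status verbose and flags an inactive firewall, an inbound default other than deny, or any inbound allow rule besides SSH.

```shell
#!/bin/sh
# Added example. Reads `ufw status verbose` text on stdin, prints findings,
# and returns the number of findings (0 = matches the Step 2 posture).
# Usage on the server: sudo ufw status verbose | check_ufw_posture
check_ufw_posture() {
    awk '
        /^Status:/  { active = ($2 == "active") }
        # Verbose output: Default: deny (incoming), allow (outgoing), ...
        /^Default:/ { deny_in = ($2 == "deny" && $3 == "(incoming),") }
        # Rule rows look like: 22/tcp   ALLOW IN   Anywhere
        / ALLOW IN / {
            port = $1
            if (port != "22/tcp" && port != "22") {
                printf "RULE unexpected inbound allow: %s\n", port
                n++
            } else if ($0 ~ /Anywhere/) {
                ssh_public = 1
            }
        }
        END {
            if (!active)  { print "STATUS firewall is not active"; n++ }
            if (!deny_in) { print "DEFAULT incoming policy is not deny"; n++ }
            # Informational only: expected until SSH moves behind Tailscale.
            if (ssh_public) print "NOTE SSH is reachable from Anywhere"
            exit n + 0
        }
    '
}
```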
Step 3: Install Hermes Agent
The official installer handles Python 3.11+, Node 22, ripgrep, ffmpeg, and the rest. Run it as the hermes user:
curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash
Reload the shell so the new binaries are on PATH:
source ~/.bashrc
Confirm it is alive:
hermes --version
hermes doctor
hermes doctor is your friend. Run it any time something feels off.
Step 4: Pick a model provider
Hermes does not ship its own model. You point it at a provider.
hermes setup
The wizard asks for a provider, an API key, and a default model. OpenRouter is the most flexible option because one key gets you Claude, DeepSeek, Gemini, and most other models behind a single endpoint. Anthropic direct works too.
After the wizard, you can change models without rerunning it:
hermes model
hermes config set model.provider openrouter
hermes config set model.default anthropic/claude-sonnet-4
Set approval mode to ask while you are still feeling out what the agent does. This makes it pause for confirmation before anything destructive:
hermes config set approval_mode ask
A typical setup runs $5 to $20 a month in API costs depending on how chatty you are with it. The VPS itself is the smaller line item.
Step 5: Wire up Telegram
This is the part that turns Hermes from "interesting project" into "agent in my pocket."
- Message @BotFather on Telegram. Send /newbot, follow the prompts, and copy the bot token.
- Message @userinfobot and copy your numeric Telegram user ID.
- Add both to ~/.hermes/.env:
TELEGRAM_BOT_TOKEN=your_token_here
TELEGRAM_ALLOWED_USERS=your_numeric_user_id
TELEGRAM_ALLOWED_USERS is the access list. Only IDs in there can talk to the bot. Do not skip this. A bot token without an allow-list is a public agent.
Quick smoke test:
hermes gateway
Send a message to the bot. If it replies, you are wired up. Stop the foreground process with Ctrl+C, because the next step puts it under systemd properly.
Step 6: Run it as a systemd service
The built-in gateway tooling generates a user-level systemd unit. Use it:
hermes gateway setup
hermes gateway install
Enable and start:
systemctl --user enable --now hermes-gateway
Check status and tail logs:
systemctl --user status hermes-gateway
journalctl --user -u hermes-gateway -f
If you want the agent to operate on a specific working directory (useful when you give it shell or coding tools), set it explicitly:
echo 'MESSAGING_CWD=/home/hermes/projects' >> ~/.hermes/.env
mkdir -p ~/projects
systemctl --user restart hermes-gateway
That is the whole "always on" setup. Reboot the box and the agent comes back without you logging in.
Step 7: Backups, updates, and a few habits
Treat this like any other small server.
API keys. They live in ~/.hermes/.env. Make sure the file is chmod 600. The installer should already do this, but check.
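The file-mode check here and the allow-list rule from Step 5 can be verified together. The function below is an added example, not part of Hermes or this guide's original commands; its name is made up, and it assumes multiple allowed users are comma-separated and that the last assignment of a key wins.

```shell
#!/bin/sh
# Added example. Audits an env file such as ~/.hermes/.env, prints one finding
# per line and returns the number of findings (0 = clean).
# Usage: audit_hermes_env "$HOME/.hermes/.env"
audit_hermes_env() {
    env_file=$1
    findings=0
    if [ ! -f "$env_file" ]; then
        echo "MISSING $env_file"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # chmod 600 leaves all six as "-".
    perms=$(ls -ld "$env_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS group/other can access the file; run chmod 600"
        findings=$((findings + 1))
    fi

    # Assumption: if a key appears more than once, the last line wins.
    token=$(sed -n 's/^TELEGRAM_BOT_TOKEN=//p' "$env_file" | tail -n 1)
    allow=$(sed -n 's/^TELEGRAM_ALLOWED_USERS=//p' "$env_file" | tail -n 1)

    # A token with no allow-list is the "public agent" case.
    if [ -n "$token" ] && [ -z "$allow" ]; then
        echo "ALLOWLIST bot token set but TELEGRAM_ALLOWED_USERS is empty"
        findings=$((findings + 1))
    fi

    # Every entry must be a numeric Telegram user ID, never an @handle.
    # Assumption: entries are comma-separated.
    if [ -n "$allow" ]; then
        while IFS= read -r id; do
            id=$(printf '%s' "$id" | tr -d ' "')
            case $id in
                ''|*[!0-9]*)
                    echo "ALLOWLIST entry '$id' is not a numeric user ID"
                    findings=$((findings + 1)) ;;
            esac
        done <<EOF
$(printf '%s' "$allow" | tr ',' '\n')
EOF
    fi
    return "$findings"
}
```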
Approval mode. Keep it on ask until you trust a given workflow. Once a skill is well-trodden you can relax it per-skill.
Backups. Hermes has a built-in backup command. Wire it into cron:
hermes backup
# crontab -e, then:
# 0 3 * * * /home/hermes/.local/bin/hermes backup
Updates. Back up first, then update, then run doctor:
hermes backup
hermes update
hermes config migrate
hermes doctor
systemctl --user restart hermes-gateway
Monitoring. When something feels stuck, the journal almost always has the answer:
journalctl --user -u hermes-gateway --since "1 hour ago"
Going further
A few directions worth knowing about once the basics are in place.
- Skills. Hermes auto-creates and refines skills as it works. Point it at an Obsidian vault, a GitHub repo, or a folder of internal docs and it gets sharper over time.
- Pairing with coding agents. A common setup is Hermes plus Claude Code or a similar coding agent on the same box, so the agent in your pocket can hand off long-running coding work.
- Local inference. If you upgrade to a Hetzner GPU instance, Ollama at http://localhost:11434/v1 slots in as a provider and your data stops leaving the box.
- Migrating from OpenClaw. If you were running OpenClaw, hermes claw migrate is the easy path. Memory and config carry over.
What it actually costs
Rough monthly numbers for moderate daily use:
- VPS: €5 to €10
- Provider API: $5 to $20
Call it under $30 a month for an always-on, self-improving agent that you chat with from your phone. Most managed equivalents are 3 to 5x that and you do not own the data.
Troubleshooting
A short list that covers most first-time issues.
- hermes: command not found after install. Run source ~/.bashrc. If still missing, the installer log will say where it put the binary.
- Gateway will not start. hermes doctor first, then journalctl --user -u hermes-gateway -n 100. Almost always a missing env var or a bad token.
- Provider rate limits. Either drop to a cheaper model for routine work or top up credits. Hermes does not silently retry forever.
- Telegram silent. Confirm TELEGRAM_ALLOWED_USERS includes your real numeric ID, not your @handle. The two are different.
If you hit something not on that list, hermes --help and the project README on GitHub usually have it.
You now have a small, cheap, persistent AI teammate living on a server in Falkenstein or Ashburn. Send it a first command and let it start building skills.
Curious how Hermes compares to ZeroClaw, NanoClaw, Agent Zero, and the rest? The open-source AI agent frameworks comparison breaks down where each one fits.
Disclaimer: I have no affiliation with Nous Research, Hetzner, or OpenRouter. This is informational. Test and review anything before deploying it on a server you care about.