**Course:** Hermes Agent — From Zero to Autonomous Agent
**Module:** 8 of 10
**Reading time:** ~20 minutes
**Difficulty:** Intermediate
TL;DR
| **Why a VPS** | 24/7 uptime, gateway always online, cron jobs always run, you don't need your laptop turned on |
|---|---|
| **Cost** | $4–$6/month — less than a streaming subscription |
| **Specs** | 1 CPU, 1GB RAM, 25GB SSD — plenty for Hermes |
| **Setup** | 30 minutes, follow the exact commands below |
| **Key steps** | SSH in → create user → secure SSH → install Hermes → configure gateway → done |
Why a VPS?
Running Hermes on your laptop works great for development and testing. But for a **production setup** — a bot that your team uses, cron jobs that need to fire at 3 AM, or an agent that monitors your infrastructure — you need something that stays on.
A **Virtual Private Server (VPS)** is a small cloud server that runs 24/7. For the price of a coffee subscription, you get:
- **Always-on gateway** — your Telegram/Discord bot never goes offline
- **Always-on cron** — scheduled tasks fire at 3 AM whether your laptop is open or not
- **No dependency on your machine** — you can shut down, travel, or switch computers
- **Stable internet** — data centers have redundant networking, unlike home connections
- **Room to grow** — add more users, more skills, more cron jobs without slowdown
VPS Providers
These are the most cost-effective providers for running Hermes. All work with the standard install.
| Provider | Cheapest Plan | Notes |
|---|---|---|
| ---------- | :------------: | ------- |
| **Hetzner** | ~$4/month (€3.79) | Best value. 1 CPU, 2GB RAM, 20GB SSD. Excellent network. |
| **DigitalOcean** | ~$6/month | 1 CPU, 1GB RAM, 25GB SSD. Easy to use. Good documentation. |
| **Vultr** | ~$2.50/month | Cheapest option. 1 CPU, 0.5GB RAM, 10GB SSD. Tight on RAM. |
| **Linode (Akamai)** | ~$5/month | 1 CPU, 1GB RAM, 25GB SSD. Solid and reliable. |
**Recommendation:** Start with **Hetzner** ($4/month) or **DigitalOcean** ($6/month). The extra $2 gets you more RAM and a simpler control panel.
Recommended Specs
| Component | Minimum | Recommended |
|---|---|---|
| ----------- | :-------: | :-----------: |
| CPU | 1 core | 1 core |
| RAM | 512 MB | 1 GB |
| Storage | 10 GB SSD | 25 GB SSD |
| OS | Ubuntu 22.04 / 24.04 LTS | Ubuntu 24.04 LTS |
1 GB RAM is the sweet spot. Hermes itself is lightweight — the LLM calls happen on the provider's servers. The RAM mostly goes to caching sessions and running cron job agents.
Initial Server Setup
Let's walk through hardening a fresh Ubuntu VPS. These are standard security practices.
Step 1: SSH into the Server
ssh root@<your-server-ip>
You should see the Ubuntu welcome message. The first time you log in, you may be prompted to change the root password.
Step 2: Update the System
apt update && apt upgrade -y
This installs the latest security patches and package updates.
Step 3: Create a Non-Root User
Operating as `root` full-time is dangerous — a single mistake (or a compromised script) can destroy your system. Create a regular user with sudo privileges:
adduser hermes
You'll be prompted for a password and some optional info (Full Name, etc.). Then add the user to the sudo group:
usermod -aG sudo hermes
Step 4: Copy Your SSH Key
Before logging out of root, copy your public SSH key to the new user so you can log in without a password:
mkdir -p /home/hermes/.ssh
cp ~/.ssh/authorized_keys /home/hermes/.ssh/
chown -R hermes:hermes /home/hermes/.ssh
chmod 700 /home/hermes/.ssh
chmod 600 /home/hermes/.ssh/authorized_keys
Step 5: Test the New User
Open a **new terminal** window (don't close the root session yet) and test:
ssh hermes@<your-server-ip>
If you can log in without a password prompt, everything worked. If not, check the `.ssh` permissions before continuing.
Step 6: Disable Root Login
Now edit the SSH configuration to block direct root access:
sudo nano /etc/ssh/sshd_config
Find these lines and change them:
PermitRootLogin no
PasswordAuthentication no
- `PermitRootLogin no` — blocks direct root SSH access
- `PasswordAuthentication no` — requires SSH key authentication (no password logins)
Then restart SSH:
sudo systemctl restart sshd
**Before closing your current root session**, open a third terminal and verify you can still log in as `hermes`. If SSH breaks, you can fix it via the root session you kept open.
Step 7: Set Up the Firewall (UFW)
Ubuntu's Uncomplicated Firewall is simple and effective:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 22/tcp
If you plan to use Telegram webhook mode (inbound from Telegram), also allow that port:
sudo ufw allow 8443/tcp
Enable the firewall:
sudo ufw --force enable
sudo ufw status
You should see:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
Step 8: Install Fail2Ban
Fail2Ban protects against brute-force SSH attacks by temporarily banning IPs that fail too many login attempts:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
That's it — it works out of the box with Ubuntu's default configuration.
Installing Hermes on the VPS
Now that the server is secure, install Hermes.
The One-Liner Install
Log in as `hermes` and run:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
The installer detects your OS, installs dependencies, and sets up Hermes. It will ask if you want to run the setup wizard — say yes.
Setup Wizard
hermes setup
The wizard asks for:
1. **LLM Provider** — Choose your provider (OpenAI, Anthropic, OpenRouter, etc.)
2. **API Key** — Paste your API key
3. **Model** — Choose a default model
4. **Gateway setup** — Configure Telegram/Discord/etc. (optional now, can do later)
Setting Up .env
If you skip the wizard or need to edit later, the `.env` file lives at `~/.hermes/.env`:
nano ~/.hermes/.env
Your `.env` should contain at minimum:
# LLM Provider (pick one)
OPENAI_API_KEY=sk-...
# or
ANTHROPIC_API_KEY=sk-ant-...
# or
OPENROUTER_API_KEY=sk-or-...
# Telegram (if using)
TELEGRAM_BOT_TOKEN=123456789:ABCdef...
TELEGRAM_ALLOWED_USERS=123456789
# Discord (if using)
DISCORD_BOT_TOKEN=your-discord-token
DISCORD_ALLOWED_USERS=284102345871466496
Verifying the Install
hermes --version
hermes doctor
`hermes doctor` runs a comprehensive health check — provider connectivity, configuration validity, system resources.
Gateway as a Systemd Service
For a production VPS, install the gateway as a **system service** that starts at boot.
Install as System Service
sudo hermes gateway install --system
This creates:
- A systemd service file at `/etc/systemd/system/hermes-gateway.service`
- Service runs as your `hermes` user
- Starts automatically at boot
- Auto-restarts on failure
Enable Lingering
sudo loginctl enable-linger hermes
This ensures user services keep running after you log out.
Start the Gateway
sudo hermes gateway start --system
Check Status
sudo hermes gateway status --system
Expected output shows `active (running)` and the service uptime.
View Logs
sudo journalctl -u hermes-gateway -f
Stop and Restart
sudo hermes gateway stop --system
sudo hermes gateway restart --system
SSH Key Management
Generating a Key Pair
If you don't already have an SSH key on your local machine:
# On your local machine
ssh-keygen -t ed25519 -C "hermes-vps"
Copying the Key to the VPS
ssh-copy-id hermes@<your-server-ip>
Or manually:
cat ~/.ssh/id_ed25519.pub | ssh hermes@<your-server-ip> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Using an SSH Config Entry
Create `~/.ssh/config` on your local machine:
Host hermes-vps
HostName <your-server-ip>
User hermes
IdentityFile ~/.ssh/id_ed25519
Then connect with:
ssh hermes-vps
Monitoring
`hermes doctor`
Run a health check anytime:
hermes doctor
This checks:
- Provider connectivity (can it reach your LLM API?)
- Gateway status (is the daemon running?)
- Memory usage
- Disk space
- Network connectivity
Health Check Cron Job
Set up a cron job that checks the server's health and reports to your Telegram:
/check_server_health
Hermes will inspect CPU, RAM, disk, and gateway status, then optionally set up a recurring monitor.
Or manually:
hermes cron create "0 * * * *" "Check the server's CPU, RAM, and disk usage. Check if the gateway is running. If anything is abnormal, include a warning. Send to telegram."
System Monitoring
Standard Linux tools:
# Real-time resource usage
htop
# Disk usage
df -h
# Memory
free -h
# Process list
ps aux | grep hermes
# Gateway logs
sudo journalctl -u hermes-gateway -n 50 --no-pager
Backups
Your Hermes data is located in `~/.hermes/`. Back this up regularly.
What to Back Up
| Item | Path | Why |
|---|---|---|
| **Config** | `~/.hermes/.env` | API keys and platform tokens |
| **Config** | `~/.hermes/config.yaml` | Settings and preferences |
| **Skills** | `~/.hermes/skills/` | Your custom skills |
| **Session data** | `~/.hermes/session_store/` | Conversation history (optional) |
| **Memory** | `~/.hermes/memory/` | Persistent memory |
| **Cron state** | `~/.hermes/cron/` | Cron job definitions |
| **Gateway config** | `~/.hermes/gateway.json` | Platform-specific gateway settings |
Simple Backup Script
Save this as `~/backup-hermes.sh` on the VPS:
#!/bin/bash
BACKUP_DIR="/home/hermes/backups"
DATE=$(date +%Y-%m-%d)
mkdir -p "$BACKUP_DIR"
tar -czf "$BACKUP_DIR/hermes-config-$DATE.tar.gz" \
-C /home/hermes .hermes/.env \
-C /home/hermes .hermes/config.yaml \
-C /home/hermes .hermes/skills \
-C /home/hermes .hermes/gateway.json
# Optional: include session data
tar -czf "$BACKUP_DIR/hermes-full-$DATE.tar.gz" \
-C /home/hermes .hermes
# Keep only last 30 days
find "$BACKUP_DIR" -name "hermes-*.tar.gz" -mtime +30 -delete
echo "Backup complete: $BACKUP_DIR/hermes-config-$DATE.tar.gz"
Make it executable and run it:
chmod +x ~/backup-hermes.sh
~/backup-hermes.sh
Download Backups to Your Local Machine
scp hermes-vps:~/backups/hermes-config-2025-01-01.tar.gz .
Automate with a Cron Job
crontab -e
Add:
0 3 * * * /home/hermes/backup-hermes.sh
This runs the backup daily at 3 AM.
Updating Hermes
Standard Update
hermes update
This pulls the latest version, applies any migrations, and asks if you want to restart the gateway.
Update with Gateway Restart
hermes update
sudo hermes gateway restart --system
Checking the Current Version
hermes --version
Cost Breakdown
Here's a realistic monthly cost for running Hermes on a VPS:
| Item | Cost | Notes |
|---|---|---|
| ------ | :----: | ------- |
| **VPS** (Hetzner CX22) | ~$4.00 | 1 CPU, 2GB RAM, 20GB SSD |
| **LLM API** (OpenAI GPT-4o mini) | ~$5–20 | Depends on usage. Cheap for light use. |
| **LLM API** (OpenAI GPT-4o) | ~$20–100 | Heavy use with large contexts. |
| **Telegram** | Free | No cost for bots |
| **Discord** | Free | No cost for bots |
| **Domain** (optional) | ~$1/month | For webhook mode. Annual billing. |
| **Total (light use)** | **~$9–25/month** | VPS + cheap model |
| **Total (heavy use)** | **~$25–105/month** | VPS + premium model |
**Ways to reduce LLM costs:**
- Use **OpenRouter** to dynamically route to cheaper models
- Use **local models** via Ollama if you have GPU access
- Set session reset policies to prevent context bloat
- Use smaller models for routine cron jobs
Complete Setup Cheat Sheet
Run these commands in order on a fresh Ubuntu VPS:
# === Initial server setup ===
ssh root@<server-ip>
apt update && apt upgrade -y
adduser hermes
usermod -aG sudo hermes
# Copy SSH key
mkdir -p /home/hermes/.ssh
cp ~/.ssh/authorized_keys /home/hermes/.ssh/
chown -R hermes:hermes /home/hermes/.ssh
chmod 700 /home/hermes/.ssh
chmod 600 /home/hermes/.ssh/authorized_keys
# Disable root login (exit root session first, verify hermes user works)
sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw --force enable
# Fail2Ban
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# === Install Hermes ===
# Log out and log back in as hermes
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
hermes setup
# === Gateway setup ===
sudo hermes gateway install --system
sudo loginctl enable-linger hermes
sudo hermes gateway start --system
sudo hermes gateway status --system
Summary
- A **VPS** is essential for 24/7 operation — $4–6/month gets you plenty
- **Harden the server** first: non-root user, SSH key only, firewall, Fail2Ban
- **Install Hermes** with the standard one-liner — it works the same on a VPS
- **Install the gateway as a system service** for boot-time start and auto-restart
- **Monitor** with `hermes doctor` and a health check cron job
- **Back up** `~/.hermes/` regularly — especially `.env` and `config.yaml`
- **Update** with `hermes update` when new versions are available
The total cost is typically **$5–10/month** for the VPS itself — less than a streaming subscription, and you get a personal AI agent that works for you around the clock.
In the next module, we'll explore monetization strategies — how to turn your Hermes setup into a source of income.