Install Hermes AI Agent — Free Step-by-Step Guide for Mac Mini & VPS
By Lee Jie Teh, Founder · BixTech
A free Hermes install tutorial written for users in Malaysia. Pick the path that fits — a Mac mini at home or in the office, or a Linux VPS in the cloud — and follow the exact commands below to get Nous Research's self-improving AI agent running on Telegram, WhatsApp, Slack, Discord, or Signal.
Stuck on a step? Run hermes doctor first — it diagnoses most issues automatically. If the output isn't clear, WhatsApp us with the step number and we'll advise for free.
Before You Start — Pick Your Path
Hermes runs the same way on every machine — the difference is where you host it. Pick Mac mini if you want a quiet home / office box you control. Pick VPS if you want cloud-hosted, accessible from anywhere, with no physical machine to worry about.
Self-hosted at home or office in KL
Best for individuals and SMEs who already own a Mac mini, want data on-prem, and don't mind the box staying plugged in 24/7. Apple Silicon (M1 / M2 / M4) with 16 GB RAM is the sweet spot. Budget ~60 minutes.
Jump to Mac mini steps ↓Cloud-hosted, accessible anywhere
Best for teams, remote-first users, or anyone without spare hardware. Pick a Singapore region (DigitalOcean SGP1, Linode Singapore, AWS ap-southeast-1) for low MY latency. Minimum 2 vCPU / 4 GB RAM. Budget ~90 minutes.
Jump to VPS steps ↓Path A — Install Hermes on Mac Mini
These steps follow the official Hermes setup flow from Nous Research. You'll need the Mac mini powered on, signed in to an admin account, and connected to your home / office Wi-Fi. Hermes requires Python 3.11+ — the install script will set this up if missing.
Authoritative reference: hermes-agent.nousresearch.com · GitHub
Run the Hermes install script
Open Terminal and paste the one-liner — it installs Hermes plus a Python 3.11+ runtime if you don't already have one:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
Verify the binary is on your PATH: hermes --version. If the command isn't found, open a new terminal window (the installer updates your shell rc file).
Run the setup wizard
This walks you through picking an LLM provider (Claude, OpenAI, Nous Portal, OpenRouter, or a custom endpoint) and creating the gateway daemon so Hermes starts on reboot:
hermes setup
Want the one-click flow with Nous Portal as the model backend? Use hermes setup --portal instead — it handles the API key and per-skill model routing for you.
Choose your model + tools
The wizard prompts for these, but you can re-run them anytime if you change your mind:
hermes model hermes tools
For Malaysian SMEs we usually pick Claude (Anthropic) for skill quality, or OpenRouter if you want to A/B between models per skill. For the cheapest pay-as-you-go, point Hermes at a self-hosted Ollama model — Hermes treats it as a custom endpoint.
Connect a messenger
The gateway is what lets you DM Hermes from Telegram / WhatsApp / Slack / Discord / Signal:
hermes gateway setup hermes gateway start
The setup command is interactive — it asks which messenger, then walks you through pairing. For WhatsApp on MY, use a dedicated +60 number, not your primary personal line — WhatsApp may flag a new linked device on your main account.
Pick a sandbox backend for sub-agents
Hermes spawns isolated sub-agents for parallel work. The sandbox backend decides where they run. The hermes setup wizard will ask — Docker is the right default for most SMEs (fast, well-understood, easy to wipe).
The README lists six backends: local (no isolation — only for trusted scripts), docker, ssh (run sub-agents on a separate box), singularity (HPC-style containerisation), modal (serverless, pay-per-execution), and daytona. To change the backend later, re-run hermes setup or check the upstream docs for the current hermes config set key — Nous Research has been iterating on the config schema, so we'd rather you read the canonical reference than copy a stale key from this guide.
Run the doctor and lock down access
Confirm everything is healthy before opening the gateway to your phone number:
hermes doctor
The doctor checks Python version, daemon status, channel connection, sandbox backend, and model auth. Fix anything flagged before continuing. Then add yourself to the messenger's DM allowlist via the gateway config — see the upstream docs for the exact key, since the format may shift between Hermes versions.
Configure for 24/7 headless operation
System Settings → Battery / Energy → uncheck "Put hard disks to sleep when possible" and set "Prevent automatic sleeping when the display is off" to ON. Enable FileVault (System Settings → Privacy & Security) and turn on the macOS firewall. For remote access into the Mac from outside your LAN, install Tailscale and use tailscale serve — don't port-forward Hermes directly on your router.
Send the first test message
Open the messenger you connected and send your Hermes a greeting (e.g. "Hello, what can you do?"). If you get a reply within a few seconds, you're live. To keep the scheduler running across reboots, the setup wizard should have already installed the launchd daemon — confirm with hermes doctor after a reboot.
Path B — Install Hermes on Linux VPS
Written against Ubuntu 22.04 / 24.04 on any provider (DigitalOcean, Linode, Hetzner, AWS Lightsail). For MY latency, a Singapore region is the right call. Minimum spec: 2 vCPU / 4 GB RAM. Hermes wants Python 3.11+.
Authoritative reference: github.com/nousresearch/hermes-agent
Provision the VPS
Minimum: 2 vCPU, 4 GB RAM, 20 GB SSD. Region: Singapore (ap-southeast-1 on AWS, SGP1 on DO). SSH in as a non-root user with sudo, and make sure the box is fully updated:
sudo apt update && sudo apt upgrade -y
Install Python 3.11+ and Docker
Ubuntu 24.04 ships Python 3.12 out of the box — fine. On 22.04 you'll want to add the deadsnakes PPA or use pyenv. Install Docker too, since it's the recommended sandbox backend:
sudo apt install -y python3 python3-venv python3-pip curl -fsSL https://get.docker.com | sudo bash sudo usermod -aG docker $USER newgrp docker
Confirm Python: python3 --version. Docker: docker ps (should run without sudo after the group change).
Run the Hermes install script
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
Open a fresh shell after install so the PATH update takes effect, then verify: hermes --version.
Run the setup wizard
hermes setup
The wizard handles model provider selection, tool toggles, and (on Linux) the systemd user service that keeps the gateway alive across reboots. For Nous Portal as the model backend in one click: hermes setup --portal.
Connect a messenger
hermes gateway setup hermes gateway start
On a headless VPS the QR / pairing code renders in the terminal as ASCII — scan or paste it from your phone. For WhatsApp on MY, use a dedicated +60 number; for Telegram, create a bot via @BotFather and paste the token when prompted.
Pick the Docker sandbox
When the hermes setup wizard asks for a sandbox backend, pick Docker. On a VPS, Docker is almost always the right call — it gives you per-sub-agent filesystem isolation without the cost of a separate machine.
If you need to change it later, re-run hermes setup or check the upstream docs for the current hermes config set key. Alternatives: modal if you want serverless and don't mind metered billing; ssh if you have a separate sandbox host.
Verify with hermes doctor
hermes doctor
Should report green on Python version, daemon, channel, sandbox, and model auth. Anything red? Fix it before sending real traffic. journalctl --user -u hermes-gateway -n 200 --no-pager gives the underlying logs if the doctor isn't specific enough.
Lock down the gateway + send a test message
Keep the Hermes gateway on loopback (127.0.0.1) — don't bind it to the public internet. If you need access from your laptop, reach it via SSH tunnel or Tailscale Serve:
ssh -L 8000:127.0.0.1:8000 user@your-vps-ip
Add yourself to the messenger's DM allowlist (the exact config key is in the upstream docs and may shift between versions; hermes config set is the surface). Then DM "Hello" from the messenger — if you get a reply, you're live.
Security Checklist — Don't Skip
A Hermes gateway can read files, send messages, spawn sub-agents, and call tools on your behalf. A leaked gateway is a leaked agent. Six minimum controls before you hand out your messenger identity:
1. Loopback-only gateway
Keep the Hermes gateway bound to 127.0.0.1. Remote access is done via SSH tunnel or Tailscale Serve — never by exposing the port publicly. The DM happens through your messenger, not through a public HTTP endpoint.
2. Allowlist your DMs
Configure the messenger gateway so only your trusted phone numbers / user IDs can talk to Hermes. Defaults can be more permissive than you'd expect — re-run hermes gateway setup if you're not sure what's exposed.
3. Pick a real sandbox backend
Don't run Hermes with the unsandboxed local backend in production. Sub-agents can shell out, read files, and call tools — Docker (or Modal / SSH for separation) gives you the kill-switch you need when a skill misbehaves.
4. Disk encryption at rest
On Mac mini, turn on FileVault. On VPS, enable full-disk encryption if your provider offers it. Hermes's state directory contains your model API keys, message history, and the learning-loop memory — encrypt it.
5. Firewall + SSH hardening (VPS)
ufw default-deny inbound except port 22, disable password SSH (PasswordAuthentication no), use keys only. Install fail2ban. Docker daemon should not be exposed to the network either.
6. Rotate model API keys quarterly
Your Claude / OpenAI / Nous Portal / OpenRouter key is stored in Hermes's config. Treat it like a password — rotate on a schedule, and monitor the provider's usage dashboard for anomalies (especially if you've enabled the scheduler).
Common Install Questions
Yes. The tutorial is free to follow, and Hermes itself is free and open source (MIT). If you get stuck on any step, WhatsApp us and we'll advise at no cost. We only charge (RM 2,000, one-time) if you want us to do the whole install and configuration for you — see the done-for-you Hermes setup package.
Not really. The install script handles the Python 3.11+ runtime for you, and the hermes setup wizard is interactive — no Python code to write. You only need Python literacy if you want to write custom tools or skills beyond what the wizard generates. For a standard messenger-connected agent, the install is a single curl command followed by hermes setup.
Yes. Hermes supports Anthropic (Claude / Claude Max), OpenAI, Nous Portal, OpenRouter (200+ models), NVIDIA NIM, Hugging Face, and custom endpoints. Run hermes setup --portal for the one-click Nous Portal flow, or hermes setup and pick your provider during the wizard. Billing continues to come from your model provider — Hermes is the gateway.
Yes. Hermes ships hermes claw migrate which imports your existing OpenClaw skills, channel connections, and history into the fresh install. Run it after hermes setup completes. If you want a side-by-side decision before committing, read our Hermes vs OpenClaw comparison.
Three to watch. (1) Latency: Claude, OpenAI, and most frontier-model endpoints are US or EU hosted — expect 180–250 ms extra round-trip from MY. For a VPS, pick Singapore (DigitalOcean SGP1, Linode Singapore, AWS ap-southeast-1). (2) Messenger identity: Use a Malaysian +60 number for WhatsApp or a dedicated Telegram bot — not your primary personal account. (3) Language: Configure BM / Mandarin / mixed-language system prompts during hermes setup or via hermes config set — the defaults assume English only.
Run hermes doctor first — it surfaces the most common issues (Python below 3.11, missing Docker, daemon not running, model auth failed, port collision). On Linux check the user-scope service: journalctl --user -u hermes-gateway -n 200 --no-pager. Ninety percent of fresh-install failures are Python version, Docker permissions (you forgot to newgrp docker), or a stale shell PATH (open a new terminal window). If the doctor output means nothing to you, WhatsApp it to us — we'll translate.
Singapore-region VPS with 2 vCPU / 4 GB RAM runs USD 12–24 / month (roughly RM 55–110). Add the model cost: Claude and OpenAI pay-as-you-go typically lands at RM 30–80 / month for light SME use; Nous Portal flat rate is higher but uncapped. If you want zero ongoing model cost, point Hermes at a self-hosted Ollama model via a custom endpoint — RAM-heavy but free after install.
Yes — BixTech offers a done-for-you Hermes install service for RM 2,000 one-time. It covers the discovery call, full install on your Mac mini or VPS, model + messenger configuration, sandbox hardening, 3–5 custom workflows (including scheduled and sub-agent skills) for your role, a one-hour training session, and 14 days of WhatsApp support after handover. See the full Hermes setup package.
Hit a Wall? Two Ways Forward.
Both paths start on WhatsApp. The free-advice one stays free. The done-for-you one takes RM 2,000 off your weekend.
Free — Install advice
Tell us the step number and paste any error output (or your hermes doctor result). We respond with the fix. No sales pitch, no obligation.
RM 2,000 — Done-for-you install
Skip the weekend. We install on your Mac mini or VPS, configure model + messenger, harden the sandbox, build 3–5 workflows (including scheduled skills), and train your team. 14-day support included.
Comparing options? Read the Hermes vs OpenClaw comparison before you commit either way.
Or email contact@bixtech.co · Call +60 11-1300 4052