---
title: How I Deploy a Hermes Agent on a Blank VPS in 2 Minutes
summary: >-
  A walkthrough of hermes-bootstrap — an open-source CLI + Web UI that takes a
  fresh, unconfigured VPS from zero to a hardened, production-ready Hermes Agent
  in one guided deploy: swap, Docker, SSH hardening, UFW, Fail2Ban, Telegram
  alerts, and the agent itself, with automatic rollback on failure.
author: koocha_mala
authorUrl: 'https://x.com/koocha_mala'
category: Automation
difficulty: Intermediate
readingTime: 7
date: '2026-06-29'
tags:
  - vps
  - deployment
  - provisioning
  - ssh-hardening
  - ufw
  - fail2ban
  - docker
  - telegram
integrations:
  - Hermes Agent
  - Docker
  - UFW
  - Fail2Ban
  - Telegram
  - OpenRouter
---

I just rented a fresh VPS — a blank Debian server. No Docker. No firewall. No agent. I needed Hermes running on it fast, and I did not want to SSH in and type 50 commands by hand. So I built a tool that does it for me.

**hermes-bootstrap** is an open-source CLI + Web UI that provisions a Hermes Agent VPS from zero to production in one go. It handles everything: swap, packages, Docker, SSH hardening, UFW, Fail2Ban, Telegram alerts, and the agent itself. Open source, MIT licensed — [github.com/swingkiddo/hermes_bootstrap](https://github.com/swingkiddo/hermes_bootstrap).

```bash
pip install git+https://github.com/swingkiddo/hermes_bootstrap.git
```

## Step 1 — Start the dashboard

One command opens a web UI at `localhost:8080`. No messing with config files.

```bash
hermes-bootstrap serve
```

## Step 2 — Fill the form

The UI has a clean, step-by-step sidebar. Here is what I filled in:

- **Connection** — VPS IP + root password. The server was fresh out of the box, no SSH keys yet.
- **LLM Provider** — OpenRouter + API key.
- **Telegram** — bot token to send commands to the agent and get replies.
- **Security** — SSH hardening (port `2091`, root login disabled), Firewall (UFW deny-by-default), and Fail2Ban for brute-force protection.
- **Notifications** — a Telegram hook that alerts me every time someone SSHs into the server.

> **Important — do not lock yourself out.** If you do not check "Permit Root Login", root access is gone after deployment, and port `22` stops working too — the tool moves SSH to your configured port (default `2091`). Remember both your new port and your `hermes` user password. Locking yourself out is surprisingly easy to do.

On the bright side: after a successful deployment, the tool automatically writes a `~/.ssh/config` entry on your local machine. So you do not have to remember the new port or username — just `ssh <server-name>` and you are in.

## Step 3 — Click Deploy

I hit **Deploy** and watched the live log stream. The tool SSHs into the server and runs 8 steps in order:

```text
System → User → SSHD → Firewall → Fail2Ban → Hermes → Notify → Verify
```

If any step fails, it **rolls back automatically** — no orphaned configs left behind.

## Step 4 — Done

Two minutes later the server is fully hardened:

- SSH on port `2091` (non-default)
- UFW firewall active, deny-by-default
- Fail2Ban protecting against brute force
- Hermes Agent running in a hardened Docker container (all Linux capabilities dropped, `no-new-privileges` set)
- A Telegram message every time someone SSHs into the box
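
To confirm the first, second and fourth items above on the server rather than trusting the deploy log, here is an added example (not code from hermes-bootstrap). The function names are made up for this sketch, `<container>` is a placeholder for whatever the agent container is called, and port `2091` with root login disabled is assumed as configured in Step 2.

```shell
#!/bin/sh
# Added example, not part of hermes-bootstrap. Function names are made up here.
# Every check reads command output on stdin, so it also runs on saved output.
# On the server (as root), with <container> standing in for the agent's name:
#   sshd -T | check_sshd 2091
#   ufw status verbose | check_ufw
#   docker inspect -f '{{json .HostConfig.CapDrop}} {{json .HostConfig.SecurityOpt}}' <container> | check_container

fail() { echo "FAIL: $1"; return 1; }

# `sshd -T` prints the effective config as lowercase "keyword value" lines.
check_sshd() {
  cfg=$(cat)
  # Collect every listening port; a leftover "port 22" must fail the check.
  ports=$(printf '%s\n' "$cfg" | awk '$1 == "port" { print $2 }')
  [ "$ports" = "$1" ] || fail "sshd ports: '$ports', expected only $1" || return 1
  printf '%s\n' "$cfg" | grep -qx 'permitrootlogin no' ||
    fail "root login is still permitted" || return 1
  echo "OK: sshd"
}

# `ufw status verbose` prints "Status:" and a "Default:" policy line.
check_ufw() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^Status: active' ||
    fail "ufw is not active" || return 1
  printf '%s\n' "$out" | grep -q '^Default: deny (incoming)' ||
    fail "incoming policy is not deny" || return 1
  echo "OK: ufw"
}

# Input: two compact JSON arrays, CapDrop then SecurityOpt, on one line.
check_container() {
  read -r capdrop secopt
  case "$capdrop" in
    *'"ALL"'* | *'"all"'*) ;;
    *) fail "capabilities not all dropped: $capdrop" || return 1 ;;
  esac
  case "$secopt" in
    *'"no-new-privileges"'* | *'"no-new-privileges:true"'*) ;;
    *) fail "no-new-privileges not set: $secopt" || return 1 ;;
  esac
  echo "OK: container"
}

# Constructed sample output, to show the checks without a server:
printf 'port 2091\npermitrootlogin no\n' | check_sshd 2091
printf '%s\n' '["ALL"] ["no-new-privileges"]' | check_container
```

Each function returns non-zero on the first failed check, so the three can be chained with `&&` in a cron job or a post-deploy hook.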

## Bonus: multi-server dashboard

You can manage multiple VPSes from one dashboard. Each server has its own config, SSH keys, and deploy history — useful when you run agents across different providers.

## Try it

The tool is open source and MIT licensed. Install it in one line and point it at your VPS:

```bash
pip install git+https://github.com/swingkiddo/hermes_bootstrap.git
hermes-bootstrap serve
```

> Source: write-up by [koocha_mala](https://x.com/koocha_mala). Tool: [swingkiddo/hermes_bootstrap](https://github.com/swingkiddo/hermes_bootstrap).
