Open source · one agent per droplet · GitHub-backed knowledge base

Your own Hermes agent, in three commands

Take a bare Ubuntu droplet to a running Hermes agent (Nous Research) — hardened, with a GitHub-backed knowledge base and secrets kept in Bitwarden. Your agent is pure data: a persona, a bit of memory, some skills, and a wiki. Edit files, re-run the installer, done.

A simple baseline for students · ~$12/mo droplet · ~10 minutes to first agent


How it works — three steps

Create a droplet, then two scripts do the rest. Each is safe to re-run.

1
DigitalOcean UI

Create the droplet

Spin up an Ubuntu 24.04 droplet, 2 GB RAM (the floor — the image build OOMs on 1 GB), SSH-key auth. Prefer the CLI? create-droplet.sh does the same with doctl.

web UI · ~1 min

2
Droplet · as root

bootstrap.sh

Hardens the box — UFW (SSH only), fail2ban, SSH key-only, an admin user, swap — then installs Docker and brings up the Hermes stack (gateway + dashboard).

harden + Docker · ~5 min

3
Droplet · hermes user

install-agent.sh

Deploys one agent from a directory (persona, memory, skills), wires the GitHub knowledge base, writes only the Bitwarden bootstrap token to disk, and restarts.

deploy your agent · ~1 min

Deploy to DigitalOcean

One agent per droplet, deployed as a Docker Compose stack. Five steps from a bare droplet to "say hello".

Hermes runs one agent per droplet.

A single Docker Compose stack — gateway + dashboard — sharing ~/.hermes. No multi-agent "team": the unit is one reusable agent, which is pure data.

Server + Hermes

bootstrap.sh

Run as root on a fresh Ubuntu 24.04 droplet. Handles hardening through to a running gateway.

  • Creates an admin user with SSH keys
  • UFW firewall (SSH only — dashboard is localhost)
  • fail2ban for brute-force protection
  • Installs Docker + the compose plugin
  • Creates the hermes service user
  • Builds the image and brings up the stack
  • Adds swap (the build is memory-hungry)

Agent Deployer

install-agent.sh

Run as the hermes user. Deploys any agent directory in a single command.

  • Clones the repo (shallow, fast)
  • Refreshes SOUL.md; seeds memory once
  • Merges skills without clobbering
  • Preserves runtime-managed config.yaml
  • Sets up the GitHub knowledge base
  • Writes only the Bitwarden token to disk

1
In the DigitalOcean web console

Create the droplet

Create → Droplets. Choose Ubuntu 24.04 (LTS), size Basic · Regular · 2 GB / 1 CPU (s-1vcpu-2gb, ~$12/mo — 2 GB is the floor, the build OOMs on 1 GB), and SSH Key auth (select your key — not a password, or hardening will lock you out). Create it, then copy the droplet's public IP.

Prefer the CLI? ./create-droplet.sh --name hermes-1 does the same via doctl — add --bootstrap to chain step 2 automatically.

2
On the droplet · as root

Harden + install Hermes

SSH in as root and run bootstrap. It hardens the box (UFW, fail2ban, SSH key-only, an admin user, swap), installs Docker, and builds + starts the Hermes stack. ~5–8 min. The gateway comes up with no model or agent yet — that's steps 3–4.

$ ssh root@<ip>
$ curl -fsSL https://raw.githubusercontent.com/zenithventure/hermes-agent-teams/main/bootstrap.sh | bash

3
In the Bitwarden web app · or skip for now

Set up secrets in Bitwarden

Create a project, add your keys as secrets named after their env vars (ANTHROPIC_API_KEY, …), create a machine account with Read access, and generate an access token (starts with 0.). Only that token reaches the box.

Zero-key first run: skip this and set provider: openai-codex — no API key at all, just a one-time OAuth login the installer prints. Add Bitwarden when you add an API-key provider or a channel.

4
On the droplet · as the hermes user

Install your agent

Seeds the agent, wires the knowledge base, and writes only the bootstrap token to ~/.hermes/.env (0600). Add the printed deploy key to your KB repo (Settings → Deploy keys, allow write), then re-run so it can push the seed.

$ sudo -u hermes -i
$ curl -fsSL https://raw.githubusercontent.com/zenithventure/hermes-agent-teams/main/install-agent.sh \
  | bash -s -- --agent _template \
    --bws-token 0.<token> --bws-project <uuid> \
    --kb-repo git@github.com:<you>/<kb-repo>.git
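
Steps 2 and 4 both pipe a script from the repository's main branch straight into bash, so whatever that branch serves at fetch time is what runs. The following is an added example, not part of the project's scripts: it downloads to a file, compares it to a SHA-256 recorded after reviewing the script, and only then runs it. verify_script, fetch_and_run and the placeholder digests are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not from the hermes-agent-teams repo.
# Both digests are placeholders: record the real values after reviewing each script.
REPO_RAW="https://raw.githubusercontent.com/zenithventure/hermes-agent-teams/main"
BOOTSTRAP_SHA256="<sha256-of-reviewed-bootstrap.sh>"
INSTALL_SHA256="<sha256-of-reviewed-install-agent.sh>"

# verify_script FILE EXPECTED_SHA256
# Returns 0 only if FILE is non-empty and its SHA-256 equals EXPECTED_SHA256.
verify_script() {
  vs_file="$1"; vs_expected="$2"
  [ -s "$vs_file" ] || { echo "missing or empty: $vs_file" >&2; return 1; }
  vs_actual="$(sha256sum "$vs_file" | awk '{print $1}')"
  if [ "$vs_actual" != "$vs_expected" ]; then
    echo "digest mismatch for $vs_file" >&2
    echo "  expected: $vs_expected" >&2
    echo "  actual:   $vs_actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_run URL EXPECTED_SHA256 [ARGS...]
# Downloads URL to a temp file, verifies it, then runs it with ARGS.
fetch_and_run() {
  fr_url="$1"; fr_expected="$2"; shift 2
  fr_tmp="$(mktemp)" || return 1
  if curl -fsSL --proto '=https' --tlsv1.2 -o "$fr_tmp" "$fr_url" \
     && verify_script "$fr_tmp" "$fr_expected"; then
    bash "$fr_tmp" "$@"; fr_rc=$?
  else
    fr_rc=1
  fi
  rm -f "$fr_tmp"
  return "$fr_rc"
}

# Step 2 (as root):
#   fetch_and_run "$REPO_RAW/bootstrap.sh" "$BOOTSTRAP_SHA256"
# Step 4 (as hermes), with the same arguments as the page's command:
#   fetch_and_run "$REPO_RAW/install-agent.sh" "$INSTALL_SHA256" \
#     --agent _template --bws-token 0.<token> --bws-project <uuid> \
#     --kb-repo git@github.com:<you>/<kb-repo>.git
```

A digest mismatch means the script on main has changed since it was reviewed; read the new version before updating the pinned value.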

5
Still on the droplet · in ~/hermes-agent

Say hello

Confirm secrets resolve from Bitwarden, then talk to the agent. The dashboard is localhost-only — reach it over an SSH tunnel (ssh -L 9119:127.0.0.1:9119 <admin>@<ip>).

$ docker compose exec gateway hermes secrets bitwarden status
$ docker compose exec -T gateway hermes -z "say hello"

Pick your model

config.yaml chooses how the model authenticates. Start zero-key, add a key later.

anthropic

claude-opus-4.6

Bring an ANTHROPIC_API_KEY (stored in Bitwarden). The default provider — most capable, billed per token.

API key · from Bitwarden

openai-api

gpt-4o

Bring an OPENAI_API_KEY (stored in Bitwarden). Standard OpenAI API access, billed per token.

API key · from Bitwarden

A knowledge base, natively

Every agent maintains a personal wiki (the Karpathy LLM Wiki pattern): you drop sources into raw/, it compiles cross-linked articles into wiki/, and keeps INDEX.md current — all in a GitHub repo you open in Obsidian.

~/.hermes/workspace/kb/wiki/bitwarden-secrets.md
    # Bitwarden Secrets Manager

    The backend Hermes pulls API keys from at startup. Keys live in a [[project]]; only a scoped [[bootstrap-token]] ever touches the droplet.

    ## How it works

    - Each secret is **named after its env var** (`ANTHROPIC_API_KEY`, …).
    - The [[gateway]] resolves them into memory at boot — nothing on disk.
    - Rotate in the web app; no redeploy needed.

    ## Source Notes

    - Ingested 2026-07-03 from raw/bitwarden-setup.md

    ## See Also

    [[config-yaml]] · [[soul]] · [[deploy]]

The wiki lives at ~/.hermes/workspace/kb/. Create an empty GitHub repo, pass it as --kb-repo, and the installer seeds it. Open the same repo in Obsidian via the obsidian-git plugin — that's your window into everything the agent has learned, and an off-box backup of its most valuable state.

Secrets — start on the right foot

Never paste keys in chat, scripts, or .env. The default backend is Hermes' native Bitwarden Secrets Manager.

Only a scoped token touches disk.

Keys live in a Bitwarden project, each named after its env var, and are pulled into the gateway's memory at startup. The droplet holds only a machine-account bootstrap token — rotate anything with one edit in the web app, no redeploy. Your agent is also told to refuse credentials sent over chat and point you to Bitwarden instead.
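
Both this section and step 4 claim that ~/.hermes/.env holds only the bootstrap token, at mode 0600. The following is an added example, not part of the project, that checks that claim on a deployed droplet without ever printing a secret value. audit_env_file is a hypothetical helper, and the token's variable name (BWS_ACCESS_TOKEN in the usage comment) is an assumption, since the page does not say what the installer calls it.

```shell
#!/bin/sh
# Added example, not from the hermes-agent-teams repo.
# ASSUMPTION: the token's variable name is passed in; the page does not state
# what the installer calls it. Uses GNU stat (present on Ubuntu).

# audit_env_file FILE ALLOWED_VAR
# Returns 0 only if FILE is mode 600, holds no assignment other than ALLOWED_VAR,
# and ALLOWED_VAR's value has the "0." prefix of a Bitwarden access token.
# Prints variable names only, never values.
audit_env_file() {
  ae_file="$1"; ae_allowed="$2"; ae_rc=0
  [ -f "$ae_file" ] || { echo "not found: $ae_file" >&2; return 2; }

  ae_mode="$(stat -c '%a' "$ae_file")"
  if [ "$ae_mode" != "600" ]; then
    echo "FAIL mode $ae_mode (expected 600)"; ae_rc=1
  fi

  # Normalise "  export NAME=value" to "NAME=value" and keep assignments only.
  ae_lines="$(sed -e 's/^[[:space:]]*//' -e 's/^export[[:space:]]\{1,\}//' "$ae_file" \
    | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' || true)"

  # Any variable name other than the allowed one is a secret that should not be on disk.
  ae_extra="$(printf '%s\n' "$ae_lines" | cut -d= -f1 | grep -vxF "$ae_allowed" || true)"
  for ae_name in $ae_extra; do
    echo "FAIL unexpected variable on disk: $ae_name"; ae_rc=1
  done

  # The page says the access token starts with "0."; check the prefix only.
  ae_val="$(printf '%s\n' "$ae_lines" | grep "^$ae_allowed=" | head -n1 \
    | cut -d= -f2- | tr -d "\"'")"
  case "$ae_val" in
    0.*) ;;
    *) echo "FAIL $ae_allowed missing or not a 0.-prefixed token"; ae_rc=1 ;;
  esac
  return "$ae_rc"
}

# Usage on the droplet, as the hermes user (variable name is an assumption):
#   audit_env_file "$HOME/.hermes/.env" BWS_ACCESS_TOKEN
```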

Built as a student baseline

Dead simple, works for everyone, and does the right thing by default.

🧬

An agent is a directory

Persona, memory, skills, and a knowledge base — plain files. Point Claude Code at the repo, describe the agent you want, and it fills in the template.

📓

GitHub-backed wiki

The knowledge base is just a GitHub repo of markdown. No MCP server, no database — the agent reads and writes it with normal file tools and pushes.

🔐

Secrets done right

Bitwarden Secrets Manager by default. Only a scoped bootstrap token on disk; the installer takes no raw keys; the persona refuses credentials over chat.

🔒

Hardened by default

UFW (SSH only), fail2ban, SSH key-only auth, a non-root admin user, and swap — all configured automatically by bootstrap.sh.

🔁

Seed-once & idempotent

Re-run the installer anytime. Memory and the runtime-managed config are never clobbered; the persona refreshes; skills merge. Safe by construction.

🚀

Zero-key first run

Try it with openai-codex — a ChatGPT subscription and a one-time OAuth login, no API key to store. Add Bitwarden when you're ready.

Agent directory structure

Copy _template/ to a new directory and fill it in. See CLAUDE.md for the authoring contract.

my-agent/
  config.yaml # name, model/provider, Bitwarden block
  SOUL.md # persona (first person)
  memories/
    USER.md # who the agent works for
    MEMORY.md # optional long-term seed
  skills/
    knowledge-base/ # the LLM-wiki discipline
      SKILL.md
  kb-seed/ # starter pushed to an empty KB repo