How to Deploy Hermes Agent: A UK Business Complete Guide (2026)
Ampliflow
Advanced AI frontier lab and business growth agency. Helping UK businesses deploy agentic AI systems.
Hermes Agent runs as a long-lived Linux service that connects to a model, a messaging gateway, and your tools. A serious deployment for a UK business needs four things: a stable server (Oracle Cloud Free Tier works perfectly for pilots), a hardened install with systemd auto-restart, a properly scoped toolset, and a recovery plan for the inevitable model-provider outage. We have run Hermes in production since March 2026 — this is what we wish we had known on day one.
Last updated: May 2026 · Covers Hermes Agent v0.13 · Includes the 30 April outage post-mortem · Based on 90 days of live production data
TL;DR:
- Pilot on Oracle Cloud Free Tier (1 OCPU Ampere A1, 6 GB RAM) for £0/month — adequate for one founder-led business
- Use systemd with `Restart=always` and exponential backoff — anything else means the agent dies silently after the first transient error
- Attach Hermes to WhatsApp via the Baileys bridge for founder-friendly notifications
- Lock down the toolset before the first real task — never run with broad shell access
- Build the recovery playbook before you need it (we will publish ours below)
Contents
- Where to deploy Hermes Agent
- What you need before installing Hermes Agent
- Installing Hermes Agent on a Linux server
- Setting up systemd auto-restart (the most important step)
- Connecting WhatsApp (the founder-friendly channel)
- Locking down the toolset before the first real task
- Monitoring and the recovery playbook
- Auto-updates without breaking things
- How Ampliflow deploys Hermes for UK clients
Where to deploy Hermes Agent
Choose stability over compute. Hermes does not need GPU. It needs uptime.
Most UK businesses considering Hermes are choosing between four hosting options. The trade-offs:
| Option | Monthly cost | Uptime ceiling | Best for |
|---|---|---|---|
| Oracle Cloud Free Tier (Ampere A1, 1 OCPU, 6GB) | £0 | 99.5%+ measured over 90 days | Pilots, founder-led businesses, anything pre-revenue |
| Hetzner CX22 / DigitalOcean / Linode (small VPS, ~£4-8/mo) | £4-8 | 99.9% | When the free tier limits feel restrictive (rare in practice) |
| AWS / GCP / Azure managed compute | £20-100 | 99.95% | When your business is already inside one of these clouds and policy requires staying there |
| Your office / on-premise server | Hardware cost | Whatever your ISP gives you (often <99%) | Strictly regulated UK sectors where data cannot leave specific premises |
We deploy on Oracle Cloud Free Tier for pilots and have done for 90 days now. Real measured uptime: 96.5% across the period, with the 3.5% downtime concentrated in a single 62-hour incident in late April that taught us the recovery patterns documented further down. Without that incident, uptime would have been 99.7%.
For a founder-led UK business with one to ten staff, Oracle Free Tier is adequate. We do not see a credible reason to spend £20-100 a month on managed compute for a Hermes pilot when £0 of capacity has handled real production traffic for three months.
The deeper guide on Hermes Agent on Oracle Cloud Free Tier covers the specific Oracle setup steps, region choice for UK latency, and the network rules you will need to open. This pillar covers the cross-host deployment patterns.
What you need before installing Hermes Agent
Five prerequisites, in order of how often they catch people out.
1. A Linux server you can SSH into
Any Ubuntu 22.04+ or Debian 12+ server works. Fedora and Arch work too with minor package-manager adjustments. Hermes does not run natively on Windows; if you must use Windows, install through WSL2 with Ubuntu — but for production, deploy on a real Linux server, not on a developer's WSL.
You need root access (or sudo) for the systemd configuration. SSH access is mandatory; "I'll just edit through the web console" works for thirty seconds and breaks every recovery procedure.
2. A model provider with appropriate capacity
Hermes is model-agnostic. You need an API key for whichever provider you choose. The currently common choices for UK businesses:
- Anthropic Claude (Sonnet 4.6 or Opus 4.7) — best reasoning, highest cost
- OpenAI Codex 5.4 / GPT-5 — competitive on agentic tool use
- Z.AI GLM-5 series — most cost-effective, weaker on long-form reasoning
- Local Ollama (Llama 4, Qwen 3) — for businesses that legally cannot send data to a US-based provider
Pick one for the pilot. Switching is a config change, not a rewrite — you can change later.
For a UK SME pilot, Anthropic Claude on Pro or Sonnet API tier is the right starting point. The reasoning quality removes a class of failure modes that cheaper providers introduce.
3. A domain name (optional but useful)
If you want a dashboard, scheduled webhooks, or external API access to your Hermes instance, you will want a domain pointed at your server. Cloudflare Tunnel is the easiest way to expose a service running on Oracle Free Tier without configuring inbound firewall rules — set up time is about five minutes.
4. A WhatsApp account (highly recommended)
The most useful Hermes integration for founder-led UK businesses is WhatsApp. The Baileys-based bridge connects to a personal WhatsApp account, lets the agent reply to your messages, and lets the agent send proactive notifications (cron jobs, alerts, daily summaries). Other channels work — Telegram, Slack, Discord — but for UK SME owners, WhatsApp is the channel they actually check.
You will need a phone number that can be linked to WhatsApp Business or personal WhatsApp. We use a dedicated number for the agent rather than the founder's primary number — the audit trail is cleaner.
5. A .env template ready before you start
Hermes reads configuration from `~/.hermes/config.yaml` and environment variables. Have your model API keys, WhatsApp credentials (added during first run), and any tool-specific tokens ready before you run `hermes init`. Stopping mid-install to find an API key is how you end up with half a configuration committed to disk.
Installing Hermes Agent on a Linux server
The install itself is one line. The hardening around it is the rest of this guide.
SSH to your server. Then:
```bash
curl -sSL https://install.hermes-agent.nousresearch.com | bash
```
This installs Hermes into ~/.hermes/ for the current user. Do not run as root. The agent should run as a non-root user with sudo access only for the systemd configuration step.
If you prefer not to pipe an internet script into bash (a reasonable position), the official documentation walks through the manual install: clone the repo, install Python dependencies into a virtualenv, copy the configuration template, set up the systemd unit. Manual install takes about ten minutes versus the script's one minute.
After install, run:
```bash
hermes init
```
This launches the interactive configuration wizard. Pick your model provider, paste your API key, choose which channels to enable, and confirm the data directory location. The wizard writes ~/.hermes/config.yaml with your selections.
Verify the install:
```bash
hermes --version
hermes status
```

You should see version 0.13.x or higher. `hermes status` shows the gateway state, configured channels, and any active sessions. If both commands succeed, the agent is installed but not yet running as a service.
Setting up systemd auto-restart (the most important step)
The single difference between a Hermes deployment that survives and one that dies on day three is the systemd unit configuration.
Naive systemd units use `Restart=on-failure`. The Hermes gateway can exit cleanly (status 0) after a fatal error, which `on-failure` does not catch. Your agent appears stopped for hours before anyone notices.
Create the user-level systemd service at ~/.config/systemd/user/hermes-gateway.service:
```ini
[Unit]
Description=Hermes Agent Gateway
After=network-online.target
Wants=network-online.target
# Start-rate limiting is a [Unit] setting; systemd ignores it under [Service].
StartLimitIntervalSec=0

[Service]
Type=simple
ExecStart=%h/.hermes/venv/bin/hermes gateway --foreground
Restart=always
RestartSec=60
# RestartSteps= and RestartMaxDelaySec= need systemd 254 or newer.
RestartSteps=5
RestartMaxDelaySec=300
RestartForceExitStatus=75
TimeoutStartSec=300
TimeoutStopSec=60

[Install]
WantedBy=default.target
```
The non-obvious settings:
- `Restart=always` — restart on any exit, clean or not. This is the entire point.
- `RestartSec=60` with `RestartSteps=5` and `RestartMaxDelaySec=300` — exponential backoff. First restart at 60s, then 120s, then 180s, then 240s, then 300s. Prevents tight restart loops when the model provider is down.
- `RestartForceExitStatus=75` — exit status 75 means "temporary failure" by Unix convention. Always retry.
- `StartLimitIntervalSec=0` — disable systemd's start-rate limiting. We want to retry forever, not give up after a few attempts.
- `TimeoutStartSec=300` — Hermes can take up to a few minutes on first start if it needs to download model context.
Enable the service and lingering (so it runs even when nobody is logged in):
```bash
systemctl --user daemon-reload
systemctl --user enable hermes-gateway.service
sudo loginctl enable-linger "$USER"
systemctl --user start hermes-gateway.service
systemctl --user status hermes-gateway.service
```

The `loginctl enable-linger` step is critical. Without it, your user-level systemd services stop when you log out. With it, they survive reboots and SSH disconnections.
You should see the service in `active (running)` state. If it is not, `journalctl --user -u hermes-gateway.service -n 50` will show why.
Connecting WhatsApp (the founder-friendly channel)
For UK SME owners, WhatsApp is the channel that gets read. Email gets ignored. Slack is for the team.
After the gateway is running, link WhatsApp:
```bash
hermes whatsapp link
```
This prints a QR code in your terminal. Open WhatsApp on your phone, go to Settings → Linked Devices → Link a Device, and scan the code. The bridge connects within thirty seconds.
We use a dedicated phone number for the agent rather than a founder's primary number. Reasons:
- Cleaner audit trail (every message in the agent's WhatsApp history was either to or from the agent)
- The founder's primary WhatsApp does not get linked to a server they may forget about
- If the agent needs to be paused or rolled back, the founder's normal WhatsApp keeps working
- Compliance is easier — the agent's WhatsApp is a business asset with documented access
Once linked, you can ask Hermes anything in a WhatsApp message:
```
You: Daily ops summary please
Hermes: [returns the summary you configured in your skills]
```
For the in-depth use cases beyond simple replies — scheduled summaries, lead capture from voice notes, escalation patterns — see the companion piece on WhatsApp AI Agent with Hermes.
Locking down the toolset before the first real task
A Hermes agent with broad shell access is not a deployment — it is an incident waiting to happen. Lock the toolset down before the agent runs anything in production.
Hermes ships with a permissive default toolset for development: file system access, shell execution, web fetch, browser automation, model invocation. For production:
Disable tools you do not need
Edit ~/.hermes/config.yaml:
```yaml
tools:
  enabled:
    - web_fetch
    - file_read
    - whatsapp_send
    - cron
    - skills
  disabled:
    - shell_exec          # Disable until you need it
    - file_write          # Re-enable explicitly per scoped path
    - browser_automation
    - sudo
```
Scope file_write to specific directories
If the agent needs to write files (for outputs, reports, logs), scope the write access to specific directories rather than allowing global write:
```yaml
tools:
  file_write:
    enabled: true
    allowed_paths:
      - /home/ubuntu/hermes-outputs/
      - /tmp/hermes-scratch/
    forbidden_paths:
      - ~/.ssh/
      - ~/.hermes/config.yaml
      - /etc/
```
Use skills to constrain shell access
If the agent needs shell execution for specific tasks (running a deploy script, querying a database), wrap them in skills rather than enabling raw `shell_exec`. A skill is a named, scoped operation with a clear interface. The agent calls `run_daily_report` rather than executing arbitrary shell commands.
The dedicated piece on Hermes Agent custom skills covers the skill-writing patterns we use in production.
Network egress restrictions
For UK businesses with sensitive data, restrict the agent's outbound network access. The agent needs to reach:
- Your model provider (Anthropic API, OpenAI API, etc.)
- Configured third-party APIs (the ones you explicitly allow)
- WhatsApp servers (`web.whatsapp.com`, `*.whatsapp.net`)
Everything else can be blocked at the firewall level. We use Oracle's network security lists (or ufw on a non-cloud server) to maintain an explicit allowlist. This eliminates an entire class of compromise — even if the agent is tricked into trying to exfiltrate data, it has nowhere to send it.
The Hermes Agent security and GDPR piece covers the deeper compliance posture for FCA-regulated firms, NHS suppliers, and GDPR-sensitive UK businesses.
Monitoring and the recovery playbook
The most important piece of operational documentation we have for Hermes is the recovery playbook. It exists because of the 30 April 2026 outage.
What happened on 30 April 2026
Our Hermes deployment went down at approximately 02:14 UTC and stayed down for 62 hours. The root cause: the gateway received an unhandled exception from a model provider rate-limit response, exited with status 0, and Restart=on-failure (which we were using at the time) did not retry. The agent was offline through the bank holiday weekend before anyone noticed.
The fix was a series of changes that became the recovery patterns documented in this section. We publish them because most Hermes guides skip this part.
What to monitor
For a single-instance deployment, the minimum viable monitoring:
- Service uptime check every 60 seconds. Either `systemctl --user is-active hermes-gateway.service` from a cron, or a Healthchecks.io / UptimeRobot pinger if you want offsite alerting. We use Healthchecks.io free tier (£0/mo) — the agent itself sends a heartbeat every two minutes; if the heartbeat is missed for 10 minutes, Healthchecks notifies us via WhatsApp through a separate channel.
- Log monitoring for fatal errors. `journalctl --user -u hermes-gateway.service -p err --since "5 minutes ago"` run on a cron. Pipe any output to your alert channel.
- Disk space check. Hermes logs grow. Configure logrotate at `/etc/logrotate.d/hermes`:

```
~/.hermes/logs/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}
```

- Memory usage. Hermes occasionally leaks memory under specific load patterns. We check RSS every 5 minutes and restart the service if it exceeds 4 GB on a 6 GB machine. The leak fix is in v0.14, but the watchdog stays as a belt-and-braces measure.
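The liveness, error-log and memory checks from the list above can share one cron-driven script. This is an added example, not code from Hermes or from our production stack: the variable names, the `send_alert` hook and the `run` argument are assumptions, and it measures only the main process RSS from `/proc`.

```bash
#!/bin/sh
# Added example: liveness, memory and error-log checks for the gateway unit.
# Assumed names: SYSTEMCTL, JOURNALCTL, PROC_ROOT, RSS_LIMIT_KB, send_alert.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
JOURNALCTL="${JOURNALCTL:-journalctl}"
UNIT="${UNIT:-hermes-gateway.service}"
PROC_ROOT="${PROC_ROOT:-/proc}"
RSS_LIMIT_KB="${RSS_LIMIT_KB:-4194304}"   # 4 GB expressed in kB

# Placeholder alert hook: swap in whatever reaches you out of band.
send_alert() { printf 'ALERT: %s\n' "$1" >&2; }

# Print the resident set size in kB from a /proc/<pid>/status file, or 0 if unreadable.
rss_kb() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '/^VmRSS:/ { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# Classify the gateway as: down, over-limit or ok.
check_gateway() {
    if ! "$SYSTEMCTL" --user is-active --quiet "$UNIT"; then
        echo down; return 0
    fi
    pid=$("$SYSTEMCTL" --user show -p MainPID --value "$UNIT")
    rss=$(rss_kb "$PROC_ROOT/$pid/status")
    if [ "$rss" -gt "$RSS_LIMIT_KB" ]; then echo over-limit; else echo ok; fi
}

# Act on the classification, then forward any error-priority journal lines.
watchdog() {
    state=$(check_gateway)
    case "$state" in
        down)
            # Restart=always should already be retrying; still down means a human should look.
            send_alert "$UNIT is not active" ;;
        over-limit)
            send_alert "$UNIT exceeded ${RSS_LIMIT_KB} kB RSS, restarting"
            "$SYSTEMCTL" --user restart "$UNIT" ;;
    esac
    errors=$("$JOURNALCTL" --user -u "$UNIT" -p err --since "5 minutes ago" --no-pager -q 2>/dev/null)
    if [ -n "$errors" ]; then send_alert "recent errors from $UNIT: $errors"; fi
    echo "$state"
}

# Only act when invoked as: watchdog.sh run
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Schedule it every five minutes from the same user account that owns the service, so `systemctl --user` and `journalctl --user` resolve to the right manager.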
The Hermes Agent monitoring and uptime guide covers the full monitoring stack we run in production, including the auto-update v2 script that survived a 98-commit upgrade in early May.
The recovery playbook
If Hermes goes down, the playbook is:
- First, check it is actually down — `systemctl --user status hermes-gateway.service`. If it is `failed` or `inactive`, proceed.
- Restart the service — `systemctl --user restart hermes-gateway.service`. Wait 30 seconds. Re-check status. If it comes up cleanly, look at recent logs for the cause but proceed with normal operations.
- If the restart fails repeatedly, check the model provider — most "Hermes is broken" incidents are actually "Anthropic is down" or "rate limit exceeded." Check status.anthropic.com or your provider's equivalent.
- If the provider is healthy and Hermes still will not start, roll back — Hermes auto-update keeps backups in `~/.hermes/backups/pre-update-*.zip`. Restore the most recent: `~/.hermes/hermes-agent/venv/bin/hermes import --force ~/.hermes/backups/pre-update-YYYY-MM-DD-*.zip` then restart the service.
- If rollback also fails, file an issue — at github.com/NousResearch/hermes-agent. The Nous team responds fast; we have had hour-turnaround on critical issues.
The whole playbook fits on one A4 page. Print it. Tape it next to the laptop you SSH from. The five minutes you spend now save you 62 hours later.
Auto-updates without breaking things
Hermes ships updates roughly weekly. Auto-updating without a verification step has burned us. Auto-updating with a verification step is fine.
Our auto-update setup runs at 03:00 London time daily:
- Snapshot current state (`hermes export ~/.hermes/backups/pre-update-$(date -I).zip`)
- Capture pre-update Git SHA (`git rev-parse HEAD` in the Hermes source dir)
- Run `hermes update --yes` (the `--yes` flag avoids hanging on interactive prompts)
- Re-run any local patches (we have two custom patches for WhatsApp voice replies — these get reapplied after every upgrade)
- Verify the gateway starts (`systemctl --user restart hermes-gateway.service && sleep 30 && systemctl --user is-active hermes-gateway.service`)
- If verification fails: roll back via `hermes import --force` of the snapshot, restart, send WhatsApp alert
- Write status to `~/.hermes/.auto-update-status.json` for the dashboard
The full script is roughly 100 lines of bash and lives in ~/.hermes/bin/auto-update.sh. We trigger it from a systemd timer:
```ini
[Unit]
Description=Daily Hermes auto-update

[Timer]
OnCalendar=*-*-* 03:00:00 Europe/London
Persistent=true

[Install]
WantedBy=timers.target
```
The Persistent=true line ensures that if the server was offline at 03:00, the update runs as soon as it comes back online. Without it, an overnight reboot means an entire day of skipped updates.
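The snapshot, update, verify and roll-back steps listed above, written out as an added example (not our production `auto-update.sh` and not code shipped with Hermes). It uses only the `hermes export`, `hermes update --yes` and `hermes import --force` commands named on this page and leaves out the Git SHA capture and local-patch steps; the variable names, the `send_alert` hook and the `run` argument are assumptions.

```bash
#!/bin/sh
# Added example: snapshot, update, verify, roll back.
# Assumed names: HERMES_BIN, SYSTEMCTL, UNIT, BACKUP_DIR, STATUS_FILE, SETTLE_SECONDS, send_alert.
umask 077   # snapshots and status files may hold credentials; keep them owner-only

HERMES_BIN="${HERMES_BIN:-hermes}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
UNIT="${UNIT:-hermes-gateway.service}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/.hermes/backups}"
STATUS_FILE="${STATUS_FILE:-$HOME/.hermes/.auto-update-status.json}"
SETTLE_SECONDS="${SETTLE_SECONDS:-30}"

# Placeholder alert hook: swap in whatever reaches you out of band.
send_alert() { printf 'ALERT: %s\n' "$1" >&2; }

# Record the outcome for the dashboard. $1 = result, $2 = snapshot path.
write_status() {
    printf '{"result":"%s","snapshot":"%s","time":"%s"}\n' \
        "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$STATUS_FILE"
}

# Restart the gateway, let it settle, then ask systemd whether it stayed up.
gateway_healthy() {
    "$SYSTEMCTL" --user restart "$UNIT" || return 1
    sleep "$SETTLE_SECONDS"
    "$SYSTEMCTL" --user is-active --quiet "$UNIT"
}

# Return codes: 0 updated, 1 rolled back, 2 nothing changed, 3 manual recovery needed.
auto_update() {
    snapshot="$BACKUP_DIR/pre-update-$(date -I).zip"
    mkdir -p "$BACKUP_DIR" || return 2

    # Snapshot first: without one there is nothing to roll back to, so stop here.
    if ! "$HERMES_BIN" export "$snapshot"; then
        write_status "snapshot-failed" "$snapshot"
        send_alert "snapshot failed, update skipped"
        return 2
    fi

    # The update counts as successful only if the gateway is active afterwards.
    if "$HERMES_BIN" update --yes && gateway_healthy; then
        write_status "updated" "$snapshot"
        return 0
    fi

    # Verification failed: restore the snapshot and verify again.
    send_alert "update failed verification, rolling back to $snapshot"
    if "$HERMES_BIN" import --force "$snapshot" && gateway_healthy; then
        write_status "rolled-back" "$snapshot"
        return 1
    fi
    write_status "rollback-failed" "$snapshot"
    send_alert "rollback failed, manual recovery needed"
    return 3
}

# Only act when invoked as: auto-update.sh run
if [ "${1:-}" = "run" ]; then
    auto_update
fi
```

The distinct exit codes let the systemd service that the timer triggers show a failed state when a rollback happened, rather than hiding it behind a successful run.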
How Ampliflow deploys Hermes for UK clients
A four-stage rollout, every time. We do not skip stages.
Stage 1 — Foundation pilot (week 1)
Single Oracle Free Tier instance, single skill (a daily ops summary that reads three data sources and sends a WhatsApp summary at 08:00). The founder uses Hermes for a week. Every issue the founder hits becomes a config change or a CLAUDE.md-equivalent rule.
By Friday, the agent's daily summary is reliable enough that the founder reads it before opening their laptop.
Stage 2 — Skill expansion (weeks 2-3)
We add three to five more skills based on the founder's most repeated weekly tasks. Common patterns: lead summary from CRM exports, content moderation of overnight messages, weekly P&L reconciliation, scheduled invoice chasing.
Each skill is scoped, audit-logged, and reviewed before deployment. The agent does nothing without explicit human approval for the first two weeks of each new skill.
Stage 3 — Channel expansion (week 4)
If the WhatsApp loop is working, we add additional channels: Telegram for the founder's family/personal time separation, Discord for community-management businesses, Slack for businesses with internal teams. Each channel gets its own permissions and skills.
Stage 4 — Specialist harnesses (week 5+)
For businesses where Hermes is doing real operational work, we move from a single agent to specialist harnesses — separate Hermes instances each scoped to a specific function. A "sales harness" handles lead routing. An "ops harness" handles internal tooling. A "support harness" handles WhatsApp customer queries. Isolation reduces blast radius and clarifies audit logs.
This is the same pattern we use for Claude Code rollouts — the specialist-harness model works across both tools.
Frequently asked questions
Do I need a powerful server to run Hermes Agent?
No. Hermes is not GPU-bound. Reasoning happens at the model provider's side; your server runs the orchestrator, the gateway, the messaging bridges, and the tool calls. Oracle Cloud Free Tier (1 OCPU Ampere A1, 6 GB RAM) handles a founder-led business comfortably. We have measured this in production for 90 days.
Can I run Hermes Agent on Windows?
Not natively. Hermes is Linux-first. You can install via WSL2 with Ubuntu for development, but production deployments should target a real Linux server (Oracle, Hetzner, DigitalOcean, AWS Lightsail, Linode). The systemd configuration this guide describes does not work in WSL.
Is Hermes Agent free?
The Hermes Agent software is open-source and free. You pay for the model provider (Anthropic API, OpenAI API, Z.AI, or you self-host an open model on your own GPU). For UK SME pilots, we typically see model costs of £20-100 per month per agent depending on usage. Server hosting on Oracle Free Tier is £0.
Is Hermes Agent GDPR-compliant for UK businesses?
Hermes itself does not handle data classification — that is the deployer's responsibility. With a properly scoped toolset (no broad shell access, scoped file paths, network egress allowlist) and your choice of UK-compliant model provider (Anthropic and OpenAI both offer EU data residency), Hermes can be deployed in a GDPR-compliant manner. The Hermes Agent security and GDPR piece covers the specific hardening for regulated UK sectors.
What happens if my model provider goes down?
The gateway logs the failure and the systemd unit's exponential backoff prevents tight restart loops. Once the provider recovers, Hermes resumes automatically. For mission-critical deployments, you can configure a fallback model provider in `~/.hermes/config.yaml` — Hermes will fail over automatically if the primary returns a sustained 5xx for more than 60 seconds.
Can I run multiple Hermes Agents on one server?
Yes. Each agent runs as a separate systemd service with its own ~/.hermes/ directory. We commonly run two — a "primary" handling daily operations and a "test" used to validate config changes before they touch production. Resource overhead is minimal because each gateway is small (~200 MB RAM at idle).
How do I share a Hermes Agent with my team?
For founder-only use, link a single WhatsApp account. For team use, the dashboard at port 9119 (SSH-tunneled, never exposed publicly) provides a web chat interface. For organisations that need proper multi-tenant access, deploy a separate Hermes instance per user — the resource cost is small and the audit clarity is worth it.
What is the difference between Hermes Agent and Claude Code?
Different problems. Claude Code is a developer's terminal-native coding agent — it lives where engineers write code. Hermes Agent is a server-resident automation agent — it runs scheduled jobs, holds conversations across sessions, and integrates with messaging channels. Many UK businesses run both: Claude Code for shipping software, Hermes for shipping operational outcomes.
Is Hermes Agent worth it vs commercial alternatives like n8n or Make.com?
For straightforward automations (CRM webhooks, basic notifications), n8n and Make.com are simpler and cheaper to operate. For agents that need to reason, hold context across sessions, learn from interactions, and use tools dynamically, Hermes is in a different category. The original-data piece on 90 days of Hermes production cost (publishing later this month) walks through the cost comparison with real numbers.
Related reading
- ↑ What is Hermes Agent? A UK Business Guide — the foundational pillar this deployment guide sits under
- ↔ Hermes Agent on Oracle Cloud Free Tier — UK Guide — the specific Oracle setup steps for a £0/month pilot
- ↔ Hermes Agent Security & GDPR for UK Business — the compliance posture for FCA-regulated firms, NHS suppliers, and GDPR-sensitive deployments
- ↔ Hermes Agent Monitoring, Uptime & Reliability in Production — the full monitoring stack we run, including auto-update v2
- ↔ How to Install Claude Code — UK Business Guide — the Claude Code-side equivalent of this guide, for the developer workflow that complements Hermes operational automation
What should you do next?
The install takes an hour. Getting Hermes to do real, trustworthy work for your business takes a fortnight of iteration on skills, channels, and recovery patterns.
If you want a working session with a UK practitioner who has run Hermes in production for ninety days — your server choice reviewed, your first three skills scoped to your business, the systemd hardening laid out for your specific deployment — book a free Hermes deployment review.
Forty-five minutes, free, no commitment. We cover your server choice, your model provider, your initial skill set, your security posture, and the recovery playbook. You leave with a deployment plan you can execute that afternoon.