Your $5 VPS Deserves Better Than Just Sitting There

Why bother

I like knowing how the things I use actually work. Not just the product surface. The internals. Self-hosting is fun the same way building a PC is fun. And an AI agent that does things for you instead of just describing how to do them? Me likey.

Not ideology. Not “big tech bad.” Just: this is interesting to build, and useful to have.

I have had my home servers for a while, and like every other person I keep destroying and rebuilding them just for the fun of it. Now with the AI agent craze, I wanted to put something online rather than just keep it on my local machine.


You don’t need a Mac Mini or a beefy server

Everyone reaches for managed platforms or expensive droplets, or rushes to buy a new Mac Mini. But most personal-use software, unless you are streaming 4K with transcoding, doesn’t require many resources. A Hetzner CX22 at €3.89/month can handle all of this.

What I’m running on it right now:

| App | Purpose |
| --- | --- |
| Jellyfin | TV and movies (1080p, but it works) |
| Audiobookshelf | Audiobooks |
| Mealie | Recipes |
| Forgejo | Private Git repos |
| Hermes | The AI agent that ties it all together |

And many others

Part 2 covers the full app stack. But first, we need to get started.


Everyone’s building an agent

The AI agent space is crowded right now. Everyone and their dog is building one. OpenClaw is obviously the king in the castle, but I found it too much to configure and get working in the “right way.”

Hermes is smaller, opinionated and easier to maintain. At least that’s how it feels to me. Compared to OpenClaw, it depends less on frontier models. Currently it works quite well with MiniMax 2.7 or Kimi K2.5 for me. Setup was straightforward, and it does what I want. So I have no complaints.


Security without the paranoia

Security is always the discussion when you talk about OpenClaw or Hermes. I wanted to be as secure as I could. Simple guards: Tailscale plus a firewall, so only the publicly accessible parts are open, like ports 80 and 443. SSH and other ports are limited to the Tailscale VPN.

⚠️ Why this matters: If you expose SSH to the internet, you’ll get brute-force attempts within hours. With Tailscale-only SSH, your SSH port is invisible to the public internet.

Securing the agent itself is another thing. Simple rule here too: Start with the least permissions possible and expand if you see the need. And never give access to anything crucial. I gave read-only access to my emails and calendar, write access to my todos.

A personal AI that can read your calendar but not your bank account is useful. One with unrestricted access to everything is terrifying.


The actual stack

Hetzner CX22 (€3.89/mo) + Tailscale (free) + UFW + Hermes.

That’s it.

Tailscale handles the VPN layer. Everything on the server is either on the Tailscale network or blocked from public access by UFW. Hermes runs as a systemd service, accessible via Telegram (only I am allowed to text the bot), and connects to the outside world only through the APIs I explicitly configure.
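
One way to check that a UFW ruleset really matches the policy described here (only ports 80 and 443 public, everything else reachable only over Tailscale). This is an added example, not part of the original post or its install guide; the interface name `tailscale0`, the function name `audit_ufw` and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the Tailscale
# interface is tailscale0 and the only intended public ports are 80 and 443.
TS_IF="${TS_IF:-tailscale0}"
PUBLIC_PORTS="${PUBLIC_PORTS:-80 443}"

# Reads `ufw status` text on stdin, prints one line per finding, and
# returns 0 when the ruleset matches the policy, 1 otherwise.
audit_ufw() {
    awk -v ts_if="$TS_IF" -v ports="$PUBLIC_PORTS" '
        BEGIN { bad = 0; active = 0
                n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        /^Status:/ { if ($2 == "active") active = 1; next }
        # Only rule lines carry an action keyword; skip headers and blanks.
        !/ (ALLOW|LIMIT)( IN)? / { next }
        {
            # Split the line into its To and From columns around the action.
            match($0, / (ALLOW|LIMIT)( IN)? +/)
            to = substr($0, 1, RSTART - 1); sub(/ +$/, "", to)
            from = substr($0, RSTART + RLENGTH)
            if (to ~ (" on " ts_if "$")) next   # bound to the Tailscale interface
            if (from !~ /^Anywhere/) next       # limited to a source address
            port = to; sub("[ /].*$", "", port) # "22/tcp (v6)" becomes "22"
            if (!(port in ok)) { print "PUBLIC: " to; bad = 1 }
        }
        END { if (!active) { print "INACTIVE: ufw is not enabled"; bad = 1 }
              exit bad }'
}

# Constructed sample (not output from a real server): 80/443 are public and
# SSH is bound to tailscale0, but a second SSH rule and port 8096 are open.
SAMPLE='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22 on tailscale0           ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
8096/tcp                   ALLOW       Anywhere'

# On the server itself: sudo ufw status | audit_ufw
printf '%s\n' "$SAMPLE" | audit_ufw || echo "ruleset does not match the policy"
```

Rules written with app profiles or comma-separated port lists are reported as well, so review those by hand.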


Install guide

The step-by-step setup is on a separate page. This keeps the blog post focused on the why, not a walkthrough that gets outdated the moment an install command changes. The install guide can go out of date, but it should give you the general idea.

→ Full install guide: Hermes + Tailscale on your VPS


What you actually get

If your attention span got you this far, you should now have a functioning agent. Here are a few ways I use it.

The morning briefing

Runs before I’m awake. My portfolio summary, prices, P&L, and relevant news land in my inbox at 8am. I wake up, check my phone, done.

The shopping list

I open Telegram, type "add parmesan to the shopping list". Hermes creates a task with a checkable item in my TickTick inbox. Takes five seconds.

I could open the app and type it myself. But I don’t have to.

The recipe saver

I forward a recipe URL to Hermes. It:

  1. Fetches the page
  2. Extracts ingredients and instructions
  3. Calls the Mealie API
  4. Confirms it’s added

I never open the Mealie UI.

The invisible stuff

Reminders, calendar checks, session summaries that file themselves into my knowledge base. None of it requires me to remember to do it. The agent handles the maintenance.


What’s next

So far we’ve covered the foundation: the VPS, the VPN, the agent. In the next post, we’ll:

→ Part 2: Coolify, the apps, and the integrations (coming soon)