diff --git a/scripts/hermes-bootstrap.sh b/scripts/hermes-bootstrap.sh
new file mode 100755
index 0000000..82eb451
--- /dev/null
+++ b/scripts/hermes-bootstrap.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Hermes Agent bootstrap — run INSIDE the hermes LXC (#118) console, once.
+# Prereqs (already done): features nesting/keyctl set, /data and /fast bind mounts present.
+set -euo pipefail
+
+LITELLM_BASE_URL="http://10.1.10.22:4000/v1"   # litellm gateway (#117)
+HERMES_DATA="/opt/hermes"                       # ~/.hermes equivalent on rootfs (fast)
+COMPOSE_DIR="/opt/hermes-stack"
+
+echo "==> 1/5 Install rootful Docker + compose plugin"
+apt-get update
+apt-get install -y ca-certificates curl gnupg
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+. /etc/os-release
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian ${VERSION_CODENAME} stable" \
+  > /etc/apt/sources.list.d/docker.list
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+systemctl enable --now docker
+docker run --rm hello-world >/dev/null && echo "    docker OK"
+
+echo "==> 2/5 Prepare data + workspace dirs"
+mkdir -p "${HERMES_DATA}" "${COMPOSE_DIR}"
+# /data (hdd, bulk) and /fast (2tb ssd) are the bind mounts from the LXC.
+mkdir -p /data/workspace /fast/workspace
+
+echo "==> 3/5 Write docker-compose.yml"
+cat > "${COMPOSE_DIR}/docker-compose.yml" <<EOF
+services:
+  hermes:
+    image: nousresearch/hermes-agent:latest
+    container_name: hermes
+    restart: unless-stopped
+    command: gateway run
+    shm_size: "1g"            # browser tools (Playwright/Chromium)
+    volumes:
+      - ${HERMES_DATA}:/opt/data   # config, memory, skills, sessions (rootfs/SSD)
+      - /data:/data                # bulk workspace (hdd 14TB)
+      - /fast:/fast                # fast workspace (2tb SSD)
+    env_file:
+      - ${COMPOSE_DIR}/.env
+    deploy:
+      resources:
+        limits:
+          memory: 3G
+          cpus: "2.0"
+EOF
+
+echo "==> 4/5 Write .env (EDIT secrets before 'gateway run')"
+if [ ! -f "${COMPOSE_DIR}/.env" ]; then
+  cat > "${COMPOSE_DIR}/.env" <<EOF
+# --- litellm gateway (OpenAI-compatible) ---
+OPENAI_BASE_URL=${LITELLM_BASE_URL}
+OPENAI_API_KEY=REPLACE_WITH_LITELLM_KEY
+# --- messaging connectors (fill the ones you use) ---
+TELEGRAM_BOT_TOKEN=
+DISCORD_BOT_TOKEN=
+SLACK_BOT_TOKEN=
+EOF
+  chmod 600 "${COMPOSE_DIR}/.env"
+  echo "    wrote ${COMPOSE_DIR}/.env — edit OPENAI_API_KEY + bot tokens now."
+fi
+
+echo "==> 5/5 First-time interactive setup (model -> litellm, sandbox=local, connectors)"
+echo "    Run setup, then start the gateway:"
+echo "      cd ${COMPOSE_DIR}"
+echo "      docker compose run --rm hermes setup     # pick provider=custom, base_url=${LITELLM_BASE_URL}, sandbox=local"
+echo "      docker compose up -d                     # start 'gateway run'"
+echo "      docker compose logs -f hermes"
+echo "Done. (config.yaml lives under ${HERMES_DATA}; secrets stay in ${COMPOSE_DIR}/.env)"