I Spent 4 Hours So You Don’t Have To: Hetzner Metal + NixOS in ~15 Minutes

There’s a lot of talk right now about agents, loops, OpenClaw setups, automation, orchestration, sandboxing, things running 24/7, controlling everything from your phone, and all that stuff. And yeah, obviously, I got a bit of FOMO too.

I started feeling like I wanted a dedicated machine just for running agents and AI assistants. I even caught myself lurking on hardware sites, building hypothetical perfect Linux boxes in my head. Then I decided to stop fantasizing and just start somewhere: get a Linux box for running agents, AI assistants, containers, and ML-related experiments that are just a bit too much for my laptop. I want this thing running 24/7. And there was no way I was going to run agents and assistants with --yolo/--dangerously-skip-permissions on the machine I use every day.

My 16GB MacBook Pro is great for hands-on work, a few containers, a few agents, slacking, and zooming. But it’s not the machine I want running 24/7, and it’s definitely not the machine I want handling a lot of containers and multiple agents at once. And most importantly, it’s not where I want agents operating while my sensitive personal stuff is sitting on the same hard drive.

So I decided to move this stuff to the cloud — but not regular cloud, bare metal.

In the conventional cloud world, you can go with AWS, GCP, or whatever provider you like. You can use Terraform and go all-in on infrastructure as code. But for me, pushing this workload into mainstream cloud would cost more than I wanted to spend. So the question became: how do I still get something that feels like infrastructure as code, without paying cloud tax for everything?

For me, the answer was Nix, which I’ve been slowly falling in love with over the last year. First I started replacing parts of my Homebrew setup with Nix. Then I started using Home Manager. Eventually the next obvious thought was: why not just run NixOS on the server too?

That’s how I ended up here.

So I decided to install NixOS on a Hetzner server. I picked Hetzner because this wasn’t some abstract exploration exercise. I’ve used them for years, they’re practical, and their dedicated servers are very hard to beat on price.

If you are wondering what is Nix, NixOS, and Home Manager, here’s a quick explanation:

• Nix is a package manager that provides reproducible builds and declarative configuration. You don’t have to use NixOS to use Nix.
• NixOS is a Linux distribution built on top of Nix, where the entire system configuration is defined in code.
• Home Manager is a tool for managing user-level configuration with Nix, allowing you to define your dotfiles and user environment declaratively.

The part I underestimated wasn’t the install itself. It was all the annoying real-world edges around it: finding the right server offer with reasonably modern hardware, making sure the boot setup matched what I wanted, and getting the network configuration right. To be fair, this part went more smoothly than I expected with help from Pi and OpenAI Codex. And now that I’ve turned the whole thing into scripts, skills, and declarative config, the process is much simpler. If everything goes smoothly, you can go from zero to a running NixOS box in about 15 minutes of active setup time.

Here is the repo for this setup: IrakliJani/nixos-hetzner-metal

I used Pi agent to build the skills and scripts for this setup, and I used OpenAI Codex to help with the more complex scripting and configuration tasks. The result is a set of reusable tools that you can use to quickly set up NixOS on Hetzner bare metal, without having to go through all the trial and error that I did.

The 4-step flow (mapped to skills)

1) Pick server location by measurement, not vibes

Skills:

• hetzner-latency-benchmark
• hetzner-throughput-benchmark

I run both because they answer different questions:

• Latency = SSH/API responsiveness
• Throughput = bulk transfer behavior

For my setup (interactive ops), latency mattered more.

2) Snatch the best server offer with opinionated filters

Skill:

• hetzner-server-offer-finder

Filters I used (and why):

• ECC RAM — detects/corrects memory bit flips; better reliability for long-running services/builds.
• DDR5 — newer platform; useful for memory-heavy workloads and future-proofing.
• Modern CPU (≤5 years old) — better perf and responsiveness.
• NVMe — much better IO for builds, caches, and containers.
• Datacenter NVMe preferred — usually better sustained behavior/endurance.
• Zero setup cost — simple cost control.
• Instant availability preferred — I don’t want to wait days for provisioning.

After you get the server, configure SSH access and let your agent use that host alias.

3) Install NixOS declaratively

Skill:

• hetzner-nixos-install

Flow:

• Rescue preflight
• Verify boot mode
• Disko layout (UEFI + RAID1)
• nixos-anywhere + hardware generation
• First boot checks

4) Run post-install audit

Skill:

• hetzner-postinstall-health-check

Checks:

• Failed units
• RAID health/resync
• Mounts/boot
• IPv4/IPv6 routes + reachability
• SSH listener
• Firewall/time/DNS
• Optional EFI + SMART

This validated the install quickly and confirmed we needed explicit IPv6 config on this host.

What bit me along the way

A few concrete issues from this setup:

1. UEFI in the auction flow was confusing in practice. I ended up buying/changing servers three times before landing on the exact UEFI path I wanted. Provisioning itself was fast (minutes), but still real churn. Relevant Hetzner docs: UEFI - Hetzner Docs.
2. GRUB/UEFI option mismatch during install (efiInstallAsRemovable + canTouchEfiVariables conflict).
3. known_hosts mismatch after installing (expected host key change). The fix was local known_hosts cleanup.
4. IPv6 required explicit static config on this host (address + gateway), while IPv4 worked with defaults.
5. Local macOS nixos-rebuild issue, agent struggled a bit here before we got it working.

Why Nix helped here (beyond “reproducible”)

Nix made this manageable.

• Declarative system config: host/user/network/boot in one place.
• Evaluation before apply: you can catch config errors before cutting over.
• Assertions/typing: invalid option combinations fail early.
• Generations + rollback: safer change cycles.

Important nuance:

• Nix does not make your whole machine untouchable. Root can still break things outside /nix/store.
• What Nix gives you is a reliable path back to a known state.

For agent-heavy workflows, this is the safety net: agents can make mistakes, but your system has a predictable way back.

Isolation baseline I recommend

• One Unix user per major project/agent domain
• Root SSH disabled
• Explicit sudo path for privileged operations
• Separate repos/workdirs per project/agent harness for autonomy and sandboxing.
• Keep OpenClaw work under a separate user from other experiments.

Note: The setup includes Home Manager integration — I’m plugging in my own flake (IrakliJani/home-manager) so my dotfiles carry over. You can use your own, clone mine, or just disable it entirely.

I used agents to write all of the code/config/skills + this blog

What I actually did:

• Reviewed all changes
• Steered the agent with constraints and corrections

Tooling used:

• Pi agent
• OpenAI Codex (gpt-5.3-codex, medium effort thinking)

↑1.0M ↓121k R37M $10.022 (sub) 89.6%/272k (auto) — (openai-codex) gpt-5.3-codex • medium.

Final take

I want the machine to be disposable, but I want the workflow to be reproducible.

Happy experimenting and good luck!