Restic Home Backup

Define and deliver a production-ready restic backup setup for ~/ with encryption, deduplication, automated scheduling, and restore testing.

Skill contract

• Name: restic-home-backup
• Problem solved: Provide reliable, encrypted, versioned backups of a Linux home directory with operational safety and repeatable recovery.
• Inputs:
• Backup target type (local disk, sftp, s3, b2, etc.)
• Repository endpoint/path
• Secret handling method (env file or password file)
• Schedule preferences (daily backup, weekly prune, monthly check)
• Exclude patterns
• Outputs:
• Installed and initialized restic repository
• Backup/prune/check scripts
• systemd service/timer units
• Validation evidence (snapshots + test restore)
• Short operator runbook
• Safety boundaries (must never violate):
• Never print secrets or tokens in chat/log output.
• Never delete snapshots/repositories without explicit user confirmation.
• Never weaken permissions on credential files (chmod 600 minimum).
• Never claim backup success without checking command exit status and snapshot listing.
• Never apply system changes implicitly: require explicit --apply (or explicit user confirmation) before writing to /etc, /usr/local/bin, or /etc/systemd/system.

Workflow

1) Assess and confirm backup contract

Collect the minimum required values before changes:

• Source path (default /home/)
• Destination repo and transport
• Retention policy (for example: 7d/4w/12m)
• Preferred schedule in local timezone

If any critical value is missing, ask targeted questions.

2) Scaffold backup implementation

Use these resources:

• scripts/bootstrap_restic_home.sh to generate deterministic setup artifacts. It is PLAN-ONLY by default and requires explicit --apply for system changes. Optional flags control timer enablement, repository initialization, and initial backup run.
• references/ops-checklist.md for day-2 operations and troubleshooting.

Create:

• /etc/restic-home.env (root-readable only)
• /usr/local/bin/restic-home-backup.sh
• /usr/local/bin/restic-home-prune.sh
• /usr/local/bin/restic-home-check.sh
• restic-home-backup.service/.timer
• restic-home-prune.service/.timer
• restic-home-check.service/.timer

3) Harden and validate

Run and verify:

1. restic snapshots
2. One immediate backup run
3. One restore smoke test to temporary directory
4. restic check (or scheduled monthly deep check)

Validate failure behavior:

• Wrong password
• Unreachable repository
• Permission denied on env file

Report exact failing command + short corrective action.

4) Package and publish via ClawHub CLI (when requested)

When user requests publication:

1. Validate skill quality and structure.
2. Package skill.
3. Publish with clawhub CLI.
4. Verify install from registry in a clean environment.

Keep publish actions explicit and auditable.

Response style requirements

Use descriptive language with concrete operational detail:

• Name the exact file path, service name, and command.
• State what changed and how to verify it.
• End multi-step tasks with explicit completion status.