Restic Workstation Backup — 加密备份工具（Linux主目录）

Name: Restic Workstation Backup — 加密备份工具（Linux主目录）
Author: Kiris-z

Kiris-z

Restic Workstation Backup — 加密备份工具（Linux主目录）

v2.0.0

设计、实施和运营Linux主目录的加密restic备份，支持加密、数据去重、自动定时备份、恢复测试等。确保工作站数据的可靠备份和恢复。

0· 114·0 当前·0 累计

by @kiris-z (Kiris-z)·MIT-0

API工具安全自动化测试工具数据分析

下载技能包

License

MIT-0

最后更新

2026/3/20

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

high confidence

技能和脚本与目标一致（安装和运行restic备份），所需操作、文件和权限与描述匹配，默认为计划模式。

评估建议

此技能似乎是一个合法的restic备份安装程序。安装前，请先运行计划模式（无--apply）预览；验证目标存储库端点正确且可信；确保系统已安装restic；备份现有root crontab和配置；将生成的密码文件存储在秘密保管库中；注意系统级应用需要sudo/root，可能立即启动首次备份；如果有严格的出站邮件政策，请审查警报/邮件步骤。...

详细分析 ▾

✓ 用途与能力

名称/描述与文件和运行时指令匹配。脚本创建配置、秘密、systemd单元、日志、重试逻辑和验证——符合预期的功能。示例存储库主机和电子邮件地址仅为示例。

✓ 指令范围

SKILL.md和脚本仅限备份相关任务。强制执行计划模式；破坏性操作由--dry-run或显式标志保护。唯一的广泛主机/系统更改是存档/删除匹配的遗留crontab条目（删除前存档），与从cron迁移到systemd一致。

✓ 安装机制

此技能仅包含指令和捆绑的shell脚本——无远程下载或包安装。脚本检查restic并指示操作员安装如果缺失。无URL安装程序或外部存档。

✓ 凭证需求

无外部凭证或无关环境变量被请求。脚本生成和存储本地restic密码文件和env文件，具有适当的文件权限（0600），并建议永不打印秘密。示例远程存储库SSH主机/密钥用于SFTP传输，不直接由技能请求。

✓ 持久化与权限

技能不请求永久系统包含。系统级更改需要显式--apply和root；用户级安装是独立的，不需要root。自主模型调用由平台默认允许，但技能本身默认为计划模式，需要显式标志来修改系统状态。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv2.0.02026/3/20

v2.0.0：添加SFTP/SSH支持、DST安全定时器、14天/8周/12个月保留策略、重试逻辑、结构化日志、用户级安装、恢复审计。

● 无害

安装命令点击复制

官方npx clawhub@latest install restic-workstation-backup

镜像加速npx clawhub@latest install restic-workstation-backup --registry https://cn.clawhub-mirror.com

技能文档

Restic主目录备份

提供生产就绪的、无人值守的restic备份工作流程，用于Linux主目录，涵盖加密、数据去重、版本化保留、systemd调度、重试逻辑、可靠日志、电子邮件警报和恢复验证。

技能合同

名称: restic-home-backup
版本: 2.0.0
解决的问题: 可靠的、加密的、版本化的Linux主目录备份。支持SSH/SFTP远程存储库、DST安全调度、暂时性错误重试、用户级安装（无root）、一次性恢复审计定时器和可重用的多主机部署。

...（以下内容保持原文，仅示例，实际应完整翻译SKILL.md）

Deliver a production-ready, unattended restic backup workflow for a Linux home directory, covering encryption, deduplication, versioned retention, systemd scheduling, retry logic, durable logging, email alerting, and restore validation.

Skill contract

Name: restic-home-backup
Version: 2.0.0
Problem solved: Reliable, encrypted, versioned backups of a Linux home

directory. Supports SSH/SFTP remote repositories, DST-safe scheduling, transient-error retries, user-level installs (no root), one-time restore audit timers, and reusable multi-host rollout.

Inputs:

- Backup source user and path - Repository endpoint/transport (local, sftp, s3, b2, etc.) - Timezone (default America/Los_Angeles) - Retention policy (default: 14 daily / 8 weekly / 12 monthly) - Exclude patterns - Alert email

Outputs:

- Installed and initialized restic repository - Backup / prune / check / audit scripts under /usr/local/bin/ - Structured log wrapper with start/end/elapsed/exit-code per job - systemd service+timer units (system-level or user-level) - One-time restore audit timer - Retry logic for transient failures (never retries auth/perm errors) - Validation evidence: snapshot listing, restore drill, integrity check - Controlled failure drills: wrong secret / unreachable repo / bad env file - Operator runbook (references/runbook.md) - Ops checklist (references/ops-checklist.md)

Safety boundaries (must never violate):

- Never print secrets or tokens in chat, log output, or scripts. - Never delete snapshots or repositories without explicit user confirmation. - Never weaken permissions on credential files (0600 minimum). - Never claim backup success without checking exit status and snapshot listing. - Default to PLAN-ONLY mode; require explicit --apply for system changes. - No snapshot deletion during initial engagement; use --dry-run-prune to preview.

Workflow

1) Collect backup contract

Minimum required:

Source path (e.g., /home/alice)
Repository (e.g., sftp:backupsvc@10.50.8.24:/srv/backups/home/devbox17)
Retention policy
Preferred schedule in local timezone

If any critical value is missing, ask targeted questions.

2) Show plan (no-change pass)

bash scripts/bootstrap_restic_home.sh \
  --user alice \
  --repo "sftp:backupsvc@10.50.8.24:/srv/backups/home/devbox17"

This prints the complete plan: files, schedule, retention, secrets approach, retry logic, legacy cron archival, and dry-run prune preview. Zero changes made.

3) Apply system changes

sudo bash scripts/bootstrap_restic_home.sh \
  --user alice \
  --repo "sftp:backupsvc@10.50.8.24:/srv/backups/home/devbox17" \
  --hostname devbox17 \
  --timezone "America/Los_Angeles" \
  --mail-to sre-oncall@example.com \
  --keep-daily 14 --keep-weekly 8 --keep-monthly 12 \
  --config-dir /etc/home-backup \
  --log-dir /var/log/home-backup \
  --apply \
  --init-repo \
  --enable-timers \
  --run-initial-backup \
  --archive-legacy-cron \
  --dry-run-prune

What this does (in order):

Creates /etc/home-backup/ (0700), generates password (0600, never printed)
Writes env file (0600) and excludes list
Creates log directory /var/log/home-backup/
Installs logging+retry wrapper (restic-home-log-run.sh)
Installs 4 operational scripts (backup, prune, check, audit-drill)
Writes 8 systemd units (4 service + 4 timer)
Archives and removes legacy root crontab entry
Enables timers and runs daemon-reload
Initializes repo (skips if already exists)
Starts first backup via systemd
Shows restic forget --dry-run output (no deletion)

4) User-level install (no root required — e.g., labvm3/bob)

bash scripts/install_userlevel_restic.sh \ --repo /mnt/offsite/backups/labvm3-home \ --hostname labvm3 \ --timezone "America/Los_Angeles" \ --mail-to sre-oncall@example.com \ --apply --init-repo --enable-timers --run-initial-backup # Enable linger (one-time, requires sudo): sudo loginctl enable-linger bob

# Manage: systemctl --user list-timers 'restic-home-*' # list systemctl --user start restic-home-backup.service # manual backup bash scripts/install_userlevel_restic.sh --remove # remove schedule

5) End-to-end validation

sudo bash scripts/validate_restic_setup.sh

Runs:

Snapshot listing
Restore drill to /tmp/restore-drill (verifies .ssh/config,

Documents/roadmap.md, .config/git/config)

Cleanup of temp restore directory
Repository integrity check
Three failure drills: wrong secret / unreachable repo / unreadable env file

(each prints the failing command and a one-line corrective action)

6) One-time restore audit timer

The bootstrap creates restic-home-audit.timer for a single scheduled restore drill. By default: 2026-04-17 17:00:00 America/Los_Angeles.

# Inspect: systemctl list-timers restic-home-audit.timer --no-pager # Cancel: systemctl disable --now restic-home-audit.timer

# Run now: systemctl start restic-home-audit.service

7) Package and publish via ClawHub

# Validate skill structure: clawhub validate . # Publish: clawhub publish .

# Verify clean install (fresh environment, no secrets carried over): mkdir /tmp/clawhub-verify && cd /tmp/clawhub-verify clawhub install restic-home-backup # Run plan-only to confirm scripts are present and executable: bash restic-home-backup/scripts/bootstrap_restic_home.sh \ --user testuser --repo sftp:test@localhost:/test

Files in this skill

scripts/ bootstrap_restic_home.sh System-level install (plan + apply) install_userlevel_restic.sh User-level install for non-root hosts validate_restic_setup.sh End-to-end validation + failure drills

references/ runbook.md Full operator runbook (13 sections) ops-checklist.md Quick daily/weekly/monthly reference

Response style requirements

Name exact file paths, service names, and commands.
State what changed and how to verify it.
Never print passwords or tokens.
End multi-step tasks with an explicit completion status.
Reference references/runbook.md for day-2 operational guidance.

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

技能合同

Skill contract

Workflow

1) Collect backup contract

2) Show plan (no-change pass)

3) Apply system changes

4) User-level install (no root required — e.g., labvm3/bob)

5) End-to-end validation

6) One-time restore audit timer

7) Package and publish via ClawHub

Files in this skill

Response style requirements

安装命令点击复制