一键导入
nightly-backup
Run `hermes backup`, encrypt, upload to remote storage, prune old backups
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run `hermes backup`, encrypt, upload to remote storage, prune old backups
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
Build human-readable release notes from a range of commits or merged PRs
Weekly LLM cost breakdown by provider / gateway / skill, posted to private DM
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Classify inbound Telegram DMs, autoreply low-stakes, escalate high-stakes to you
| name | nightly-backup |
| description | Run `hermes backup`, encrypt, upload to remote storage, prune old backups |
| when_to_use | ["Scheduled nightly via cron","User requests an explicit backup","Before a risky config change"] |
| toolsets | ["terminal","file"] |
| parameters | {"remote":{"type":"string","description":"Remote target. Supports s3://bucket/prefix, b2://bucket/prefix, ssh://user@host:/path, or \"local\"","default":"local"},"retain_days":{"type":"integer","default":30}} |
| security | {"trust":"trusted","notes":"No untrusted input. Handles the backup archive and encryption key\nmaterial — never logs key contents; the age identity/passphrase must\nlive outside this host's .env (see Security notes below).\n"} |
| model_hint | google/gemini-3.1-flash |
Thin wrapper around hermes backup + encryption + optional remote upload + retention.
Snapshot. Run:
STAMP=$(date +%Y%m%d-%H%M%S)
hermes backup --output /tmp/hermes-backup-$STAMP.tar
This bundles config, sessions, skills, memory, and cron entries per Part 16.
Encrypt. Non-interactively — this runs from cron, so nothing may prompt.
Route A — age with a keyfile (preferred):
# One-time setup (NOT in the nightly run): generate the identity, store a
# copy somewhere that is not this host.
age-keygen -o ~/.age-backup-key && chmod 600 ~/.age-backup-key
# Nightly: encrypt to the key's recipient (public half) — no prompt, and
# the nightly path never needs the private key at all.
age -r "$(age-keygen -y ~/.age-backup-key)" \
-o /tmp/hermes-backup-$STAMP.tar.age /tmp/hermes-backup-$STAMP.tar
(age -p is interactive passphrase mode — it cannot run from cron.)
Route B — gpg symmetric with a passphrase:
BACKUP_PASSPHRASE=$(hermes secrets get BACKUP_PASSPHRASE)
gpg --batch --yes --symmetric --cipher-algo AES256 \
--passphrase "$BACKUP_PASSPHRASE" \
/tmp/hermes-backup-$STAMP.tar
Then either way:
shred -u /tmp/hermes-backup-$STAMP.tar
Upload. Based on remote: parameter:
s3://… → aws s3 cp <file> s3://bucket/prefix/b2://… → rclone copy <file> b2:bucket/prefix/ssh://… → rsync -av <file> user@host:/path/local → move to ~/.hermes/backups/Prune. Delete anything older than retain_days:
s3: use S3 lifecycle policy if possible; otherwise aws s3 ls + age filterb2: rclone delete --min-age ${retain_days}d b2:bucket/prefix/ssh: ssh host "find /path -mtime +${retain_days} -delete"local: find ~/.hermes/backups -mtime +${retain_days} -deleteVerify. Download a random recent backup and test-decrypt:
# Route A (age keyfile):
age -d -i ~/.age-backup-key backup.tar.age > /tmp/verify.tar
# Route B (gpg passphrase):
# gpg --batch --passphrase "$BACKUP_PASSPHRASE" -d backup.tar.gpg > /tmp/verify.tar
tar tf /tmp/verify.tar | head -5 && shred -u /tmp/verify.tar
Fail loud if the verification fails — a backup you can't restore is not a backup.
Report. Send a line to your configured notify: channel:
✔ hermes backup 2026-04-17 — 284 MB, uploaded to s3://backups/hermes/, pruned 3 old
On failure, send 🔴 with the specific error and skip pruning (keep old backups until the new one succeeds).
# ~/.hermes/cron.yaml
- name: nightly-backup
schedule: "0 3 * * *"
task: /nightly-backup s3://my-backups/hermes/ 30
notify: telegram_private
.env plaintext — hermes backup already excludes it. If you're using a fork, verify with tar tf backup.tar | grep .env and bail if it appears..env — Route A: keep an offline copy of ~/.age-backup-key (that file is the only way back into your archives); Route B: keep BACKUP_PASSPHRASE in a separate secret store. Otherwise a stolen Hermes host gets both the backups and the key to them.skills/security/rotate-secrets, then re-encrypt (or at least re-verify) the archives you still need.