nightly-backuplisted

# nightly-backup — Hermes Backup Automation Thin wrapper around `hermes backup` + encryption + optional remote upload + retention. ## Procedure 1. **Snapshot.** Run: ```bash hermes backup --output /tmp/hermes-backup-$(date +%Y%m%d-%H%M%S).tar ``` This bundles config, sessions, skills, memory, and cron entries per [Part 16](../../../part16-backup-debug.md). 2. **Encrypt.** Use age (if available) or gpg symmetric: ```bash BACKUP_PASSPHRASE=$(hermes secrets get BACKUP_PASSPHRASE) age -p -o /tmp/hermes-backup-*.tar.age /tmp/hermes-backup-*.tar # or gpg --batch --yes --symmetric --cipher-algo AES256 \ --passphrase "$BACKUP_PASSPHRASE" \ /tmp/hermes-backup-*.tar shred -u /tmp/hermes-backup-*.tar ``` 3. **Upload.** Based on `remote:` parameter: - `s3://…` → `aws s3 cp <file> s3://bucket/prefix/` - `b2://…` → `rclone copy <file> b2:bucket/prefix/` - `ssh://…` → `rsync -av <file> user@host:/path/` - `local` → move to `~/.hermes/backups/` 4. **Prune.** Delete anything older than `retain_days`: - `s3`: use S3 lifecycle policy if possible; otherwise `aws s3 ls` + age filter - `b2`: `rclone delete --min-age ${retain_days}d b2:bucket/prefix/` - `ssh`: `ssh host "find /path -mtime +${retain_days} -delete"` - `local`: `find ~/.hermes/backups -mtime +${retain_days} -delete` 5. **Verify.** Download a random recent backup and test-decrypt: ```bash age -d -i ~/.age-backup-key backup.tar.age > /tmp/verify.tar && t