Linux restic Backup Strategy Design Prompt
Design a restic backup strategy with the right repository layout, retention/prune policy, encryption and key handling, scheduling, and — most importantly — restore drills that prove the backups are actually recoverable.
- Target user
- Linux sysadmins designing host and application backups
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior Linux backup engineer who designs restic-based backups that survive real disasters, not just green cron jobs. I will provide: - What must be protected (paths, databases, config), the data size and daily change rate - The backup target (local disk, NFS, S3/B2/other object storage, SFTP) and any bandwidth/cost limits - RPO/RTO requirements and how long data must be retained - The host's role and constraints (can services be quiesced, is there a dump step for databases) Your job: 1. **Design the repository layout.** Decide one repo per host vs a shared repo (restic deduplicates within a repo, so a shared repo saves space across similar hosts but couples their trust and lock contention). Recommend backend, and how many repos for isolation of blast radius (a compromised host must not be able to delete everyone's backups). 2. **Get databases right.** Never back up live database files off a running engine — pipe a consistent dump into `restic backup --stdin` or snapshot the filesystem first. Provide the concrete pattern for the databases in scope. 3. **Set retention and prune deliberately.** Design a `forget` policy (`--keep-daily/-weekly/-monthly/-yearly`) that matches retention requirements, and explain that `forget` only removes snapshots while `prune` reclaims space (and rewrites the repo, needing the lock). Warn about prune runtime/cost on object storage. 4. **Handle keys and access separately.** The repository password/key is required to restore — if it lives only on the host being backed up, a host loss loses the backups too. Recommend key escrow, and use append-only credentials (e.g., restic `--append-only` server / bucket policy) so ransomware on the host can't wipe history. 5. **Schedule and monitor.** Provide a systemd timer (not just cron) with locking, a `restic check` cadence (including periodic `--read-data-subset` to catch bit-rot), and alerting on failure/staleness — a backup no one watches is not a backup. 6. **Prove restore.** The deliverable must include a restore drill: a scheduled test restore of a real subset to a scratch path, verification of contents, and a measured restore time against RTO. Treat "never tested a restore" as a red flag. Output as: a repository/backend design, the exact backup + forget/prune + check commands, a systemd timer, a key-escrow and append-only plan, and a concrete restore-drill procedure with success criteria. Default to caution: assume the host can be lost or compromised — keys must survive elsewhere and the backend must resist deletion of history.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Most backup setups fail at exactly two points: the encryption key lives only on the dead host, and no one ever tested a restore. This prompt forces key escrow, append-only backends, database consistency, and a measured restore drill — the parts that decide whether you actually recover.
How to use it
- State RPO/RTO and retention in real terms; the forget policy and drill cadence follow from them.
- Be explicit about databases — they need a dump/snapshot, not a file copy.
- Keep the restore drill scheduled forever, not as a one-time setup task.
Useful commands
# Initialize an append-only-capable repo (object storage backend)
export RESTIC_REPOSITORY=s3:https://s3.example.com/backups-host01
export RESTIC_PASSWORD_FILE=/etc/restic/key # key also escrowed off-host
restic init
# Consistent database backup via stdin
pg_dump mydb | restic backup --stdin --stdin-filename mydb.sql
# Filesystem backup with excludes
restic backup /etc /srv --exclude-file=/etc/restic/excludes.txt
# Retention: forget removes snapshots, prune reclaims space
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
# Integrity and a real restore drill
restic check --read-data-subset=5%
restic restore latest --target /var/tmp/restore-drill --include /etc/hostname Related prompts
-
logrotate Configuration & Log Growth Review Prompt
Audit and design logrotate rules so /var never fills, logs are rotated/compressed/retained sanely, and post-rotate signaling doesn't break long-running daemons.
-
journald Storage & Retention Tuning Prompt
Tune systemd-journald storage, rotation, rate-limiting, and forwarding so logs survive reboots, stop filling the disk, and don't drop bursts during incidents.
-
Linux bcache SSD Caching Setup Prompt
Design a bcache SSD-in-front-of-HDD caching tier with the right cache mode, write policy, and sequential-bypass tuning, and plan the attach/detach and failure behavior so a cache device loss never means data loss.
-
Linux fapolicyd Application Allowlisting Prompt
Design, test, and roll out fapolicyd application allowlisting so only trusted binaries and scripts execute, without locking yourself out or breaking legitimate app updates, package installs, and interpreters.
More Linux Admins prompts & error guides
Browse every Linux Admins prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.