DEV Community: Tao Ran The latest articles on DEV Community by Tao Ran (@tarrantro). https://dev.clauneck.workers.dev/tarrantro https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3999968%2F3aa85e0f-551c-4f22-99cc-c9dbb5dc390a.jpg DEV Community: Tao Ran https://dev.clauneck.workers.dev/tarrantro en AI-Assisted Development: A Practical Guide for Engineers Tao Ran Wed, 24 Jun 2026 07:27:35 +0000 https://dev.clauneck.workers.dev/tarrantro/ai-assisted-development-a-practical-guide-for-engineers-20cf https://dev.clauneck.workers.dev/tarrantro/ai-assisted-development-a-practical-guide-for-engineers-20cf <h2> 1. Why You Need a Configuration System </h2> <p>Most developers start with Claude CLI the same way: open a terminal, ask a question, get an answer — then repeat themselves every session explaining the tech stack, coding conventions, and project structure.</p> <p>The root cause is missing context. <strong>A configuration system's core value is ensuring the AI already understands your project, your preferences, and what it's allowed to do before a single message is typed.</strong></p> <p>A well-structured configuration lets you:</p> <ul> <li>Give the AI permanent knowledge of your tech stack and conventions, no re-explaining needed</li> <li>Require explicit confirmation before dangerous operations like <code>git push --force</code> </li> <li>Automate repetitive tasks like formatting on file save</li> <li>Share a consistent AI experience across your entire team</li> </ul> <h2> 2. File Hierarchy Overview </h2> <p>Claude CLI configuration follows a <strong>proximity principle</strong>: configuration closer to the project takes higher priority. Personal settings never bleed into shared team configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~/.claude/ # Global user-level config ├── settings.json # Global permissions, model, behavior ├── CLAUDE.md # Personal global preferences (not committed) ├── keybindings.json # Custom keyboard shortcuts └── projects/ └── &lt;project-hash&gt;/ └── memory/ # Auto-generated project memory files &lt;project-root&gt;/ ├── CLAUDE.md # Project-level briefing (committed, team-shared) ├── .claude/ │ ├── settings.json # Project permissions and behavior (committed) │ ├── settings.local.json # Local overrides (add to .gitignore) │ └── skills/ # Project-specific Skill definitions │ └── my-skill.md └── src/ └── components/ └── CLAUDE.md # Subdirectory-level notes (optional) </code></pre> </div> <h3> Configuration Priority (highest to lowest) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Subdirectory CLAUDE.md &gt; Project .claude/settings.local.json &gt; Project .claude/settings.json &gt; Project root CLAUDE.md &gt; Global ~/.claude/settings.json &gt; Global ~/.claude/CLAUDE.md </code></pre> </div> <p><strong>Rule of thumb</strong>: team conventions go in project-level config, personal preferences go in global config, sensitive local overrides go in <code>settings.local.json</code> (gitignored).</p> <h2> 3. CLAUDE.md: Your Project's AI Briefing Document </h2> <p><code>CLAUDE.md</code> is automatically loaded by Claude CLI at the start of every conversation. Think of it as an onboarding document the AI reads before touching your codebase.</p> <h3> What a Good CLAUDE.md Contains </h3> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Project Name</span> <span class="gu">## Tech Stack</span> <span class="p">-</span> Backend: Go 1.22, Chi router <span class="p">-</span> Frontend: React 18 + TypeScript, Vite <span class="p">-</span> Database: PostgreSQL 15, sqlc for type-safe queries <span class="p">-</span> Testing: Go stdlib testing + testify; Vitest for frontend <span class="gu">## Project Structure</span> <span class="p">-</span> <span class="sb">`cmd/`</span> — service entry points <span class="p">-</span> <span class="sb">`internal/`</span> — business logic (no external imports) <span class="p">-</span> <span class="sb">`pkg/`</span> — reusable libraries <span class="p">-</span> <span class="sb">`web/`</span> — frontend source <span class="gu">## Development Commands</span> <span class="p">-</span> <span class="sb">`make dev`</span> — start dev environment (requires Docker) <span class="p">-</span> <span class="sb">`make test`</span> — run all tests <span class="p">-</span> <span class="sb">`make lint`</span> — run golangci-lint + eslint <span class="p">-</span> <span class="sb">`make generate`</span> — regenerate sqlc and protobuf files <span class="gu">## Coding Conventions</span> <span class="p">-</span> Go: all errors must be handled, no bare <span class="sb">`panic`</span>, functions over 80 lines need splitting <span class="p">-</span> TypeScript: no <span class="sb">`any`</span>, functional components, state via Zustand <span class="p">-</span> Commit messages follow Conventional Commits <span class="p">-</span> All public APIs require integration test coverage <span class="gu">## Important Constraints</span> <span class="p">-</span> Database migration files are immutable — only add new ones, never edit existing <span class="p">-</span> Changes to <span class="sb">`internal/auth`</span> require a security review <span class="p">-</span> Never modify anything under <span class="sb">`vendor/`</span> </code></pre> </div> <h3> Subdirectory CLAUDE.md </h3> <p>For complex projects, add scoped instructions closer to specific areas of the codebase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># web/src/components/CLAUDE.md</span> <span class="gu">## Component Conventions</span> <span class="p">-</span> All components typed as <span class="sb">`React.FC&lt;Props&gt;`</span> <span class="p">-</span> Props interface must match the component name, e.g. <span class="sb">`ButtonProps`</span> <span class="p">-</span> Use CSS Modules; filename must match component name <span class="p">-</span> Never call APIs directly inside components — use hooks </code></pre> </div> <blockquote> <p>⚠️ <strong>What Should NOT Be in CLAUDE.md</strong></p> <ul> <li> <strong>Secrets, tokens, or passwords</strong> — even for development environments</li> <li> <strong>Large code samples</strong> — they consume context; the AI reads source files more accurately anyway</li> <li> <strong>Frequently changing information</strong> — like current version numbers; stale data misleads the AI</li> </ul> </blockquote> <h2> 4. settings.json: Behavior and Permission Control </h2> <p><code>settings.json</code> defines what Claude CLI can and cannot do. This is the core of your <strong>security boundary</strong>.</p> <h3> The Permission Model </h3> <p>Claude CLI uses an allowlist model: everything requires confirmation by default, and explicitly allowed operations run automatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allow"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Bash(npm run *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(make *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git status)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git diff *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git log *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git add *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git commit *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Read(**)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Edit(**)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(src/**)"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"deny"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Bash(git push --force*)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(rm -rf *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(.env*)"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Tool Permission Syntax </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ToolName(argument-match-pattern) </code></pre> </div> <ul> <li> <code>Bash(npm *)</code> — allow all npm commands</li> <li> <code>Bash(npm run test)</code> — allow only this exact command</li> <li> <code>Read(**)</code> — allow reading any file (<code>**</code> matches multiple path segments)</li> <li> <code>Write(src/**)</code> — allow writing only inside the <code>src/</code> directory</li> </ul> <h3> Model and Behavior Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"claude-opus-4-7"</span><span class="p">,</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"NODE_ENV"</span><span class="p">:</span><span class="w"> </span><span class="s2">"development"</span><span class="p">,</span><span class="w"> </span><span class="nl">"LOG_LEVEL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"debug"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PreToolUse"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"PostToolUse"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"Stop"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Team Config vs Personal Config </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File</th> <th>Commit to git</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>.claude/settings.json</code></td> <td>Yes</td> <td>Shared team permission baseline</td> </tr> <tr> <td><code>.claude/settings.local.json</code></td> <td>No (gitignore)</td> <td>Personal local overrides</td> </tr> <tr> <td><code>~/.claude/settings.json</code></td> <td>—</td> <td>Cross-project personal defaults</td> </tr> </tbody> </table></div> <h2> 5. Hooks: The Key to Automated Workflows </h2> <p>Hooks are shell commands configured in <code>settings.json</code> that run automatically when specific events fire. They are the primary mechanism for automating your AI workflow.</p> <h3> Available Hook Events </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event</th> <th>Fires When</th> <th>Common Uses</th> </tr> </thead> <tbody> <tr> <td><code>PreToolUse</code></td> <td>Before the AI calls a tool</td> <td>Block dangerous operations, audit logging</td> </tr> <tr> <td><code>PostToolUse</code></td> <td>After the AI calls a tool</td> <td>Validate results, trigger follow-up actions</td> </tr> <tr> <td><code>Notification</code></td> <td>When the AI needs to alert the user</td> <td>Desktop notifications</td> </tr> <tr> <td><code>Stop</code></td> <td>When the AI finishes a response turn</td> <td>Run tests, generate summaries</td> </tr> </tbody> </table></div> <h3> Practical Hook Examples </h3> <p><strong>1. Auto-format after AI edits a file</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PostToolUse"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matcher"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Edit|Write"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"command"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"if [[ </span><span class="se">\"</span><span class="s2">$CLAUDE_TOOL_INPUT</span><span class="se">\"</span><span class="s2"> == *.go ]]; then gofmt -w </span><span class="se">\"</span><span class="s2">$CLAUDE_TOOL_INPUT</span><span class="se">\"</span><span class="s2">; fi"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>2. Block writes to production config</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PreToolUse"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matcher"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Write|Edit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"command"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"echo </span><span class="se">\"</span><span class="s2">$CLAUDE_TOOL_INPUT</span><span class="se">\"</span><span class="s2"> | grep -q 'config/production' &amp;&amp; echo 'Direct modification of production config is not allowed' &amp;&amp; exit 2 || exit 0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3. Desktop notification when AI finishes</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Stop"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"command"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"notify-send 'Claude' 'Task complete'"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Hook Exit Code Convention </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Exit Code</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>0</code></td> <td>Proceed normally</td> </tr> <tr> <td><code>1</code></td> <td>Log a warning, proceed anyway</td> </tr> <tr> <td><code>2</code></td> <td>Block the operation; AI receives an error message</td> </tr> </tbody> </table></div> <h2> 6. MCP Servers: Extending AI's Reach </h2> <p>MCP (Model Context Protocol) is the standard protocol for connecting AI to external systems. Through MCP Servers, the AI can query databases, call internal APIs, and interact with third-party services.</p> <h3> Configuring MCP Servers </h3> <p>Declare them in <code>settings.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"postgres"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@modelcontextprotocol/server-postgres"</span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"POSTGRES_URL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"postgresql://localhost/mydb"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"github"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@modelcontextprotocol/server-github"</span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"GITHUB_TOKEN"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${GITHUB_TOKEN}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"internal-api"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">".claude/mcp/internal-api-server.py"</span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"API_BASE_URL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Security Principles </h3> <ul> <li>Reference sensitive tokens via environment variables (<code>${VAR_NAME}</code>), never hardcode them</li> <li>Internal MCP Servers should default to read-only; expose write operations as explicit tools with permission controls</li> <li>Document each MCP Server's purpose in <code>CLAUDE.md</code> so the AI uses them intentionally</li> </ul> <h2> 7. Skills: Encapsulating Reusable AI Workflows </h2> <p>Skills are structured instruction sets stored in <code>.md</code> files and triggered via <code>/skill-name</code> commands. They are the primary tool for <strong>standardizing AI workflows across a team</strong>.</p> <h3> Skill File Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># .claude/skills/create-feature.md</span> <span class="p"> ---</span> name: create-feature description: Scaffold a standard feature module (handler + service + repo + tests) triggers: <span class="gh"> - /create-feature --- </span> <span class="gu">## Usage</span> /create-feature <span class="nt">&lt;feature-name&gt;</span> [--module <span class="nt">&lt;module-name&gt;</span>] <span class="gu">## Steps</span> <span class="p"> 1.</span> Under <span class="sb">`internal/&lt;module&gt;/`</span>, create these files: <span class="p"> -</span> <span class="sb">`handler.go`</span> — HTTP layer <span class="p"> -</span> <span class="sb">`service.go`</span> — business logic layer <span class="p"> -</span> <span class="sb">`repo.go`</span> — data access layer <span class="p"> -</span> <span class="sb">`*_test.go`</span> — unit tests for each <span class="p"> 2.</span> Register routes in the <span class="sb">`RegisterRoutes`</span> function in <span class="sb">`handler.go`</span> <span class="p"> 3.</span> Add dependency injection bindings in <span class="sb">`internal/wire.go`</span> <span class="p"> 4.</span> Create a database migration file if schema changes are needed <span class="gu">## Output Checklist</span> List all created files and modified files when done. </code></pre> </div> <h3> Project-Level vs Global Skills </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.claude/skills/ # Project-specific; committed to git; team-shared ~/.claude/skills/ # Personal global; reusable across all projects </code></pre> </div> <h3> What's Worth Turning Into a Skill </h3> <ul> <li>Code generation with a fixed output structure (CRUD modules, API endpoints)</li> <li>Multi-step coordinated tasks (DB migration + code generation + tests)</li> <li>Tasks where the team has explicit conventions (PR descriptions, review checklists)</li> <li>Recurring analysis tasks (dependency security audits, benchmark comparisons)</li> </ul> <h2> 8. Agent SDK: Building Custom AI Agents </h2> <p>When the interactive Claude CLI model isn't enough, the Agent SDK lets you build purpose-built agents — for example, automated code review in CI/CD pipelines, or automated triage of monitoring alerts.</p> <h3> Core Concept: The Agent Loop </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">anthropic</span> <span class="n">client</span> <span class="o">=</span> <span class="n">anthropic</span><span class="p">.</span><span class="nc">Anthropic</span><span class="p">()</span> <span class="n">tools</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">read_file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Read the contents of a project file</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">input_schema</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">File path</span><span class="sh">"</span><span class="p">}</span> <span class="p">},</span> <span class="sh">"</span><span class="s">required</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="k">def</span> <span class="nf">run_agent</span><span class="p">(</span><span class="n">task</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">messages</span> <span class="o">=</span> <span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">}]</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">claude-opus-4-7</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_tokens</span><span class="o">=</span><span class="mi">4096</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="n">tools</span><span class="p">,</span> <span class="n">messages</span><span class="o">=</span><span class="n">messages</span> <span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">stop_reason</span> <span class="o">==</span> <span class="sh">"</span><span class="s">end_turn</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="nf">extract_text</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">stop_reason</span> <span class="o">==</span> <span class="sh">"</span><span class="s">tool_use</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_results</span> <span class="o">=</span> <span class="nf">execute_tools</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">)</span> <span class="n">messages</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">assistant</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">})</span> <span class="n">messages</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_results</span><span class="p">})</span> </code></pre> </div> <h3> CI/CD Integration Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ai-review.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AI Code Review</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">opened</span><span class="pi">,</span> <span class="nv">synchronize</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">review</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run AI Review</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python .claude/agents/pr-reviewer.py ${{ github.event.pull_request.number }}</span> </code></pre> </div> <h3> Agent Design Principles </h3> <ol> <li> <strong>Single responsibility</strong>: each agent does one thing; split complex tasks across multiple collaborating agents</li> <li> <strong>Idempotent operations</strong>: retrying a failed agent run should not produce side effects</li> <li> <strong>Audit logging</strong>: record every tool call the agent makes for debugging</li> <li> <strong>Hard limits</strong>: set <code>max_tokens</code> and loop iteration caps to prevent runaway agents</li> </ol> <h2> 9. Development Best Practices </h2> <h3> 9.1 Front-Load Context Into Configuration </h3> <p>Stop repeating yourself. Put recurring context into <code>CLAUDE.md</code> once.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Project-Specific Vocabulary</span> <span class="p">-</span> "DTO" = Data Transfer Object, lives in <span class="sb">`internal/dto/`</span> <span class="p">-</span> "UC" = Use Case, lives in <span class="sb">`internal/usecase/`</span> <span class="p">-</span> "current PR" = changes in <span class="sb">`git diff main...HEAD`</span> </code></pre> </div> <p>Also, use <code>/clear</code> to reset the conversation context when switching to an unrelated task. Long sessions accumulate stale context that degrades output quality.</p> <h3> 9.2 Principle of Least Privilege </h3> <p>Resist the temptation to give the AI broad permissions for convenience:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Bad:</span><span class="w"> </span><span class="err">dangerously</span><span class="w"> </span><span class="err">broad</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allow"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Bash(*)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(**)"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Good:</span><span class="w"> </span><span class="err">precise,</span><span class="w"> </span><span class="err">intentional</span><span class="w"> </span><span class="err">grants</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allow"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Bash(npm run *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Bash(git add src/**)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(src/**)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(test/**)"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"deny"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"Bash(git push *)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(.env*)"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Write(config/production*)"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 9.3 Progressive Automation </h3> <p>Start automating low-risk operations and expand trust incrementally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Phase 1: Read-only automation (file reads, code search, running tests) ↓ Phase 2: Local write automation (file edits, local git operations) ↓ Phase 3: Guarded remote operations (create PR, with confirmation required) ↓ Phase 4: Fully automated CI/CD flows (within clearly scoped task boundaries) </code></pre> </div> <h3> 9.4 Write Constrained Prompts </h3> <p>Structure matters more than length. Give the AI constraints, not freedom:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Vague — produces mediocre results</span> <span class="s">"Optimize this code"</span> <span class="c">// Constrained — produces targeted results</span> <span class="s">"Refactor the validateToken function in src/auth/middleware.go: - Goal: extract the duplicated error handling logic - Constraint: do not change the function signature or touch test files - Verify: run `make test` after refactoring to confirm tests pass"</span> </code></pre> </div> <h3> 9.5 Use AI for Structured Code Review </h3> <p>Give the AI an explicit review mandate instead of asking it to "look at the code":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Review internal/payment/calculator.go for: 1. security — SQL injection, auth bypass, input validation 2. correctness — boundary conditions, concurrency safety, error handling 3. performance — N+1 queries, unnecessary allocations 4. conventions — compliance with project rules in CLAUDE.md Flag each issue with a severity: critical / warning / suggestion </code></pre> </div> <h3> 9.6 Team Collaboration Conventions </h3> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## What to Commit</span> Always commit: <span class="p">-</span> CLAUDE.md (all levels) <span class="p">-</span> .claude/settings.json <span class="p">-</span> .claude/skills/<span class="err">*</span>.md Never commit: <span class="p">-</span> .claude/settings.local.json <span class="p">-</span> Any file containing tokens or credentials <span class="p">-</span> ~/.claude/ (personal global config) <span class="gu">## PR Template Additions</span> <span class="p">-</span> [ ] Did conventions change? Update CLAUDE.md. <span class="p">-</span> [ ] Is this task repetitive? Consider creating a Skill. <span class="p">-</span> [ ] Do new operations need permission entries in settings.json? </code></pre> </div> <h2> 10. Common Anti-Patterns </h2> <h3> Using AI as a Search Engine </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Anti-pattern: asking for information with a deterministic answer</span> <span class="s">"How do goroutines work?"</span> <span class="c">// Better: use AI for project-specific reasoning</span> <span class="s">"In internal/worker/processor.go, what data race risks should I watch for when converting the current serial processing to concurrent?"</span> </code></pre> </div> <h3> Blindly Trusting AI Output </h3> <p>AI can produce incorrect code with high confidence. Code generated by AI for critical paths — authentication, payments, data migrations — <strong>must be human-reviewed and test-covered</strong> before merging. Treat AI output as a draft, not a finished product.</p> <h3> Overloading a Single Session </h3> <p>Doing too much in one session leads to context pollution — early incorrect assumptions contaminate later outputs. <strong>Start a new session for each independent task.</strong></p> <h3> Letting AI Guess Intent </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Anti-pattern: open-ended instruction</span> <span class="s">"Add some tests to this module"</span> <span class="c">// Better: specify exactly what you expect</span> <span class="s">"Write unit tests for the Calculate function in internal/payment/calculator.go. Cover: happy path, zero amount, negative amount, and unsupported currency."</span> </code></pre> </div> <h3> Ignoring the AI's Uncertainty Signals </h3> <p>When the AI says "I'm not sure" or "you may want to verify this" — <strong>don't skip past it</strong>. These signals usually mean it's working at the boundary of its knowledge or lacks context. Human intervention at these moments is far more efficient than letting the AI guess.</p> ai claude tutorial coding Linux Backup Made Simple: Automate Incremental System Snapshots with Restic Tao Ran Wed, 24 Jun 2026 07:20:24 +0000 https://dev.clauneck.workers.dev/tarrantro/linux-backup-made-simple-automate-incremental-system-snapshots-with-restic-4kp9 https://dev.clauneck.workers.dev/tarrantro/linux-backup-made-simple-automate-incremental-system-snapshots-with-restic-4kp9 <blockquote> <p>A single Bash script, a USB drive, and 30 seconds a day. No cloud. No subscriptions. No excuses.</p> </blockquote> <p>You have spent months tweaking your Linux environment. The perfect i3 config, the custom kernel parameters, the Docker containers you curated one by one. Then one day — a power surge fries your NVMe. A bad <code>rm -rf</code>. A failed <code>dist-upgrade</code>. And it's all gone.</p> <p>Most Linux users either don't back up at all, or rely on manual rsync and tar commands they run twice a year. The good news: you can set up fully automated, incremental, encrypted system snapshots with a single script and a USB drive — no cloud subscriptions, no complex configuration, no vendor lock-in.</p> <p>In this guide I'll show you how to use <strong>restic</strong> — an open-source backup tool with built-in deduplication, client-side encryption, and snapshot management — paired with a Bash script that handles the real-world edge cases for you: detecting external mounts to avoid wasteful backups, skipping caches that would bloat your repository, and initializing itself on first run.</p> <h2> Why Restic? </h2> <p>Most Linux users fall into one of two camps: they either don't back up at all, or they use rsync / tar because that's what they have always used. Both are risky for different reasons. Here is how restic compares:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Incremental</th> <th>Dedup</th> <th>Encryption</th> <th>Snapshot Mgmt</th> <th>Restore UX</th> </tr> </thead> <tbody> <tr> <td>rsync</td> <td>partial</td> <td>no</td> <td>no</td> <td>no</td> <td>manual</td> </tr> <tr> <td>tar</td> <td>no</td> <td>no</td> <td>no</td> <td>no</td> <td>manual</td> </tr> <tr> <td>duplicity</td> <td>yes</td> <td>no</td> <td>yes</td> <td>basic</td> <td>slow on long chains</td> </tr> <tr> <td>borg</td> <td>yes</td> <td>yes</td> <td>yes</td> <td>yes</td> <td>requires borg binary</td> </tr> <tr> <td>timeshift</td> <td>yes</td> <td>no</td> <td>no</td> <td>yes</td> <td>GUI-focused, tied to local disk</td> </tr> <tr> <td><strong>restic</strong></td> <td><strong>yes</strong></td> <td><strong>yes</strong></td> <td><strong>yes</strong></td> <td><strong>yes</strong></td> <td><strong>single binary, any target</strong></td> </tr> </tbody> </table></div> <p>Here is why these differences matter in practice:</p> <h3> True Incremental Backups </h3> <p>Restic chunks your files into content-addressed blobs. When you run a backup, it only uploads chunks it hasn't seen before. The second backup of a 200GB system where you changed three config files? It takes seconds, not hours.</p> <h3> Global Deduplication </h3> <p>Have the same 2GB ISO sitting in three different directories? Restic stores it once. The same Python virtual environment duplicated across five projects? One copy. This matters especially when your USB drive is finite.</p> <h3> Client-Side Encryption </h3> <p>Your backup repository is encrypted before a single byte leaves your machine. Lose the USB drive on a train? Without the password, the data is meaningless noise. Restic uses AES-256 in CTR mode with Poly1305-AES for authentication.</p> <h3> Snapshots, Not Archives </h3> <p>Every backup is a named, timestamped snapshot. You can list them, diff them, mount them as a FUSE filesystem, or restore individual files from any point in time. This is closer to what you would expect from a ZFS snapshot than a tarball.</p> <h3> Single Static Binary </h3> <p>No daemon. No database. No kernel module. Restic is one Go binary. Copy it to any machine and it works. This also makes it trivially deployable in rescue environments — just <code>scp</code> the binary and go.</p> <h2> The Script: Automation with Intelligence </h2> <p>A backup tool is only as good as your willingness to run it. If it requires you to remember which directories to exclude, or mounts to skip, or flags to pass, you will eventually stop running it.</p> <p>The script tackles four real-world problems:</p> <h3> 1. Sensible Exclusions Out of the Box </h3> <p>The script ships with a curated set of exclusions that skip directories you would never want in a system backup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">EXCLUDES</span><span class="o">=(</span> <span class="nt">--exclude</span> /proc <span class="nt">--exclude</span> /sys <span class="nt">--exclude</span> /dev <span class="nt">--exclude</span> /tmp <span class="nt">--exclude</span> /run <span class="nt">--exclude</span> /mnt <span class="nt">--exclude</span> /media <span class="nt">--exclude</span> /var/tmp <span class="nt">--exclude</span> /lost+found <span class="nt">--exclude</span> /.snapshots <span class="nt">--exclude</span> <span class="s1">'/home/*/.cache'</span> <span class="nt">--exclude</span> <span class="s1">'/home/*/.npm'</span> <span class="nt">--exclude</span> <span class="s1">'/home/*/.local/share/Trash'</span> <span class="nt">--exclude</span> /var/cache/apt/archives <span class="o">)</span> </code></pre> </div> <p>A few of these deserve explanation:</p> <ul> <li> <code>/home/*/.cache</code> — This is the big one. Browser caches, Go build artifacts, pip wheels, and a thousand other things apps dump here. On a well-used system this can easily be 5–10 GB of data you will never need to restore.</li> <li> <code>/home/*/.npm</code> — Node.js package cache. A single <code>npm install</code> rebuilds it.</li> <li> <code>/home/*/.local/share/Trash</code> — The trash bin. You deleted it once already.</li> <li> <code>/var/cache/apt/archives</code> — Downloaded <code>.deb</code> packages. <code>apt update</code> fetches fresh ones.</li> </ul> <p>Using bash arrays (<code>"${EXCLUDES[@]}"</code>) instead of a plain string ensures patterns like <code>/home/*/.cache</code> survive shell expansion intact and are interpreted correctly by restic.</p> <h3> 2. Auto-Detect External Mounts </h3> <p>On top of the static exclusion list, the script dynamically detects remote filesystems so you never accidentally pull a NAS into your backup. It parses <code>/proc/mounts</code> and appends matches to the same array:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> _ mp fs_type _<span class="p">;</span> <span class="k">do case</span> <span class="s2">"</span><span class="nv">$fs_type</span><span class="s2">"</span> <span class="k">in </span>cifs|nfs|nfs4|fuse.sshfs|fuse.rclone<span class="p">)</span> EXCLUDES+<span class="o">=(</span><span class="nt">--exclude</span> <span class="s2">"</span><span class="nv">$mp</span><span class="s2">"</span><span class="o">)</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">done</span> &lt; /proc/mounts </code></pre> </div> <p>This means you can mount and unmount NAS shares, add new ones, or switch between SMB and NFS, and the script will never accidentally pull them in. Each detected mount is logged so you can verify what was excluded.</p> <h3> 3. First Run vs. Daily Run </h3> <p>The script has exactly two paths through its logic:</p> <ul> <li> <strong>No repository yet</strong> → initialize a new encrypted restic repository on the USB drive, then run the first backup.</li> <li> <strong>Repository exists</strong> → run an incremental backup. Only changed chunks are transmitted.</li> </ul> <p>No separate init step. No configuration file to maintain. Plug in the USB, run the script, and it figures out what to do.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">REPO</span><span class="k">}</span><span class="s2">/config"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>restic init <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> <span class="k">fi </span>restic backup / <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EXCLUDES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <h3> 4. Format Flexibility </h3> <p>Three modes for different needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./backup.sh <span class="c"># incremental — what you run every day</span> ./backup.sh <span class="nt">--dry</span> <span class="c"># preview what would change, no data written</span> ./backup.sh <span class="nt">--full</span> <span class="c"># force re-read of all files</span> </code></pre> </div> <p>The <code>--dry</code> mode is particularly useful before a system upgrade — see exactly which files have changed since your last backup. The <code>--full</code> mode is for when you suspect filesystem corruption or bit rot and want a fresh scan of every file.</p> <h2> The Full Script </h2> <p>Copy it, adjust the two variables at the top, and you are ready to go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># ============================================================</span> <span class="c"># Restic incremental backup script — local machine</span> <span class="c"># Usage: ./backup.sh # incremental backup</span> <span class="c"># ./backup.sh --dry # preview changes</span> <span class="c"># ./backup.sh --full # force full scan</span> <span class="c"># ============================================================</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="c"># ---- Config: customize these two lines ----</span> <span class="nv">USB</span><span class="o">=</span><span class="s2">"/media/</span><span class="nv">$USER</span><span class="s2">/backup-disk"</span> <span class="c"># USB mount point</span> <span class="nv">REPO</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">USB</span><span class="k">}</span><span class="s2">/my-laptop"</span> <span class="c"># subdirectory (unique per machine)</span> <span class="nv">TIMESTAMP_FILE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">REPO</span><span class="k">}</span><span class="s2">/LAST_BACKUP"</span> <span class="nv">LOGFILE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">HOME</span><span class="k">}</span><span class="s2">/.local/state/backup.log"</span> log<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[</span><span class="si">$(</span><span class="nb">date</span> <span class="s1">'+%Y-%m-%d %H:%M:%S'</span><span class="si">)</span><span class="s2">] </span><span class="nv">$*</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOGFILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> die<span class="o">()</span> <span class="o">{</span> log <span class="s2">"ERROR: </span><span class="nv">$*</span><span class="s2">"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$LOGFILE</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># ---- Dependencies ----</span> <span class="nb">command</span> <span class="nt">-v</span> restic <span class="o">&gt;</span>/dev/null 2&gt;&amp;1 <span class="o">||</span> die <span class="s2">"restic not installed. Run: sudo apt install restic"</span> <span class="c"># ---- USB mount check ----</span> mountpoint <span class="nt">-q</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">"</span> <span class="o">||</span> die <span class="s2">"USB not mounted: </span><span class="nv">$USB</span><span class="s2">"</span> <span class="c"># ---- Build exclude list ----</span> <span class="nv">EXCLUDES</span><span class="o">=(</span> <span class="nt">--exclude</span> /proc <span class="nt">--exclude</span> /sys <span class="nt">--exclude</span> /dev <span class="nt">--exclude</span> /tmp <span class="nt">--exclude</span> /run <span class="nt">--exclude</span> /mnt <span class="nt">--exclude</span> /media <span class="nt">--exclude</span> /var/tmp <span class="nt">--exclude</span> /lost+found <span class="nt">--exclude</span> /.snapshots <span class="nt">--exclude</span> <span class="s1">'/home/*/.cache'</span> <span class="nt">--exclude</span> <span class="s1">'/home/*/.npm'</span> <span class="nt">--exclude</span> <span class="s1">'/home/*/.local/share/Trash'</span> <span class="nt">--exclude</span> /var/cache/apt/archives <span class="o">)</span> <span class="c"># Auto-detect CIFS / NFS / SSHFS external mounts</span> <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> _ mp fs_type _<span class="p">;</span> <span class="k">do case</span> <span class="s2">"</span><span class="nv">$fs_type</span><span class="s2">"</span> <span class="k">in </span>cifs|nfs|nfs4|fuse.sshfs|fuse.rclone<span class="p">)</span> EXCLUDES+<span class="o">=(</span><span class="nt">--exclude</span> <span class="s2">"</span><span class="nv">$mp</span><span class="s2">"</span><span class="o">)</span> log <span class="s2">"Excluding external mount: </span><span class="nv">$mp</span><span class="s2"> (</span><span class="nv">$fs_type</span><span class="s2">)"</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">done</span> &lt; /proc/mounts <span class="c"># ---- Repo init ----</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">REPO</span><span class="k">}</span><span class="s2">/config"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>log <span class="s2">"Repo not found, initializing restic repository..."</span> restic init <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> <span class="o">||</span> die <span class="s2">"Repo init failed"</span> log <span class="s2">"Repo initialized."</span> <span class="k">else </span>log <span class="s2">"Repo exists, running incremental backup."</span> <span class="k">fi</span> <span class="c"># ---- Arguments ----</span> <span class="nv">RESTIC_ARGS</span><span class="o">=(</span> <span class="nt">--verbose</span> <span class="nt">--limit-upload</span> 50000 <span class="nt">--limit-download</span> 50000 <span class="o">)</span> <span class="k">case</span> <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="k">in</span> <span class="nt">--dry</span><span class="p">|</span><span class="nt">--dry-run</span><span class="p">)</span> log <span class="s2">"=== DRY-RUN mode ==="</span> restic backup / <span class="se">\</span> <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EXCLUDES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">RESTIC_ARGS</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--dry-run</span> log <span class="s2">"Dry-run complete."</span> <span class="nb">exit </span>0 <span class="p">;;</span> <span class="nt">--full</span><span class="p">)</span> log <span class="s2">"Forcing full scan."</span> RESTIC_ARGS+<span class="o">=(</span><span class="nt">--force</span><span class="o">)</span> <span class="p">;;</span> <span class="k">esac</span> <span class="c"># ---- Backup ----</span> log <span class="s2">"Starting backup / → </span><span class="nv">$REPO</span><span class="s2"> ..."</span> restic backup / <span class="se">\</span> <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EXCLUDES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"</span><span class="k">${</span><span class="nv">RESTIC_ARGS</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> 2&gt;&amp;1 | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOGFILE</span><span class="s2">"</span> <span class="c"># ---- Timestamp ----</span> <span class="nb">date</span> <span class="s1">'+%Y-%m-%d %H:%M:%S'</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$TIMESTAMP_FILE</span><span class="s2">"</span> log <span class="s2">"Backup complete. Timestamp: </span><span class="si">$(</span><span class="nb">cat</span> <span class="s2">"</span><span class="nv">$TIMESTAMP_FILE</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># ---- Maintenance reminder ----</span> <span class="nv">SNAP_COUNT</span><span class="o">=</span><span class="si">$(</span>restic snapshots <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$REPO</span><span class="s2">"</span> 2&gt;/dev/null | <span class="nb">grep</span> <span class="nt">-c</span> <span class="s1">'^[a-f0-9]'</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"?"</span><span class="si">)</span> log <span class="s2">"Snapshot count: </span><span class="nv">$SNAP_COUNT</span><span class="s2">"</span> log <span class="s2">"Tip: restic forget --repo </span><span class="nv">$REPO</span><span class="s2"> --keep-daily 14 --keep-monthly 6 --keep-yearly 5 --prune"</span> </code></pre> </div> <h2> Step-by-Step Setup </h2> <h3> Prerequisites </h3> <ul> <li>A USB drive (preferably SSD) with enough capacity. Format it as ext4 for best performance and to preserve Linux permissions.</li> <li>restic installed on your machine (<code>sudo apt install restic</code> on Debian/Ubuntu).</li> </ul> <h3> Step 1: Find Your USB </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lsblk <span class="nt">-o</span> NAME,SIZE,TYPE,MOUNTPOINT,LABEL </code></pre> </div> <p>Look for your USB drive in the output. Note the mount point — typically <code>/media/$USER/&lt;label&gt;</code>. Set the <code>USB</code> variable in the script to match.</p> <h3> Step 2: Save the Script </h3> <p>Copy the script above into a file and make it executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x backup.sh </code></pre> </div> <p>If you have multiple machines, give each a different <code>REPO</code> name (e.g., <code>my-laptop</code>, <code>my-desktop</code>, <code>my-server</code>). This keeps their backups in separate subdirectories on the same USB drive.</p> <h3> Step 3: First Run </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./backup.sh </code></pre> </div> <p>Restic will prompt you to set a password for the repository. <strong>Do not lose this password.</strong> Write it down. Store it in your password manager. Without it, the backup is unrecoverable. There is no "reset password" button.</p> <p>The first run will take a while — it reads your entire filesystem. On a 200GB SSD over USB 3.0, expect roughly 20–40 minutes. Subsequent runs take seconds to a few minutes.</p> <h3> Step 4: Verify </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic snapshots <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> </code></pre> </div> <p>You should see your first snapshot, timestamped. Run <code>./backup.sh</code> again a few hours later and you will see a second snapshot appear. The data stored on disk will barely grow because only changed files were uploaded.</p> <h3> Step 5: Automate (Optional but Recommended) </h3> <p>Add a cron job or systemd timer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># crontab -e</span> 0 20 <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> /home/<span class="nv">$USER</span>/scripts/backup.sh <span class="o">&gt;&gt;</span> /home/<span class="nv">$USER</span>/.local/state/backup.log 2&gt;&amp;1 </code></pre> </div> <p>This runs the backup every evening at 8 PM. Since the script uses restic's <code>--limit-upload</code> flag, it won't saturate your USB bandwidth even on slower drives.</p> <h2> Maintenance and Restore </h2> <h3> Cleaning Up Old Snapshots </h3> <p>Snapshots accumulate. After a few months, you might have hundreds. Restic's forget policy lets you keep a sensible rotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic forget <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="se">\</span> <span class="nt">--keep-daily</span> 14 <span class="se">\</span> <span class="nt">--keep-monthly</span> 6 <span class="se">\</span> <span class="nt">--keep-yearly</span> 5 <span class="se">\</span> <span class="nt">--prune</span> </code></pre> </div> <p>This keeps: every snapshot from the last 14 days, one per month for the last 6 months, and one per year for the last 5 years. Everything else is pruned and the underlying data blobs are garbage-collected.</p> <h3> Restoring Your System </h3> <p>Full system restore to a new disk:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic restore latest <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="nt">--target</span> /mnt/new-disk </code></pre> </div> <p>Single file restore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic restore latest <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="nt">--target</span> / <span class="nt">--include</span> /home/<span class="nv">$USER</span>/.bashrc </code></pre> </div> <p>Restore from a specific date:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic snapshots <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="c"># find the snapshot ID</span> restic restore &lt;snapshot-id&gt; <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="nt">--target</span> /path </code></pre> </div> <h3> Checking Repository Health </h3> <p>Run periodically (monthly is fine):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic check <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="c"># quick structural check</span> restic check <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> <span class="nt">--read-data</span> <span class="c"># thorough, reads all data</span> </code></pre> </div> <h3> Mounting Snapshots as a Filesystem </h3> <p>You can browse your snapshots without restoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>restic mount <span class="nt">--repo</span> <span class="s2">"</span><span class="nv">$USB</span><span class="s2">/my-laptop"</span> /mnt/restic <span class="nb">ls</span> /mnt/restic/snapshots/ </code></pre> </div> <p>This is invaluable for comparing versions or grabbing a file you deleted last week without doing a full restore.</p> <h2> Summary </h2> <p>You don't need a complex backup strategy. You need one USB drive, one script, and one habit.</p> <p>Restic gives you enterprise-grade backup features — deduplication, encryption, snapshot management — in a tool that is genuinely simple to use. The script wraps it in automation that handles the real-world edge cases: external mounts, cache directories, first-run initialization, and daily incrementals.</p> <p>Set it up once. Run it often. The next time your system breaks, you will be back up and running in the time it takes to restore a snapshot, not the time it takes to rebuild from memory.</p> linux bash devops tutorial