+* Run puppet on the postgresql server,
+
+==== ssh authkeys ====
+
+* If you need extra options in the {{{debbackup-ssh-wrap}}} call on the backup server
+ (for instance of the host should be allowed to fetch files), manually copy
+ {{{~postgres/.ssh/id_rsa.pub}}} to
+ {{{puppet:modules/postgres/templates/backup_server/sshkeys-manual.erb}}}.
+
+==== base backup config ====
+
+* Run puppet on the backup hosts (storace and backuphost as of 2018).
+
+* On the db server, create a role. Find the password to use on the backup host in {{{~debbackup/.pgpass}}}:\\
+ {{{sudo -u postgres createuser -D -E -P -R -S debian-backup}}}
+* Give the role replication access:\\
+ {{{sudo -u postgres psql -c 'ALTER ROLE "debian-backup" REPLICATION;'}}}
+* Add an entry to pg_hba to allow access:\\
+ {{{hostssl replication debian-backup 5.153.231.12/32 md5 # backuphost
+hostssl replication debian-backup 2001:41c8:1000:21::21:12/128 md5 # backuphost
+hostssl replication debian-backup 93.94.130.161/32 md5 # storace
+hostssl replication debian-backup 2a02:158:380:280::161/128 md5 # storace}}}
+* Ensure pg is listening on *.
+* Ensure the server is using ssl and a proper debian auto-ca cert.
+* Reload db server.
+* Test running "postgres-make-base-backups host:port".
+* You should see a tarball and WALs
+
+= Nagios warnings =
+
+== BASE-IS-OLD ==