+* Register each cluster in puppet's
+ {{{puppet:modules/postgres/manifests/backup_source.pp}}}.
+ This takes care of adding the replication user to pgpass on the backup servers,
+ and the firewall rule and adds the cluster to {{{make-base-backups}}}.
+ (The module can also create the postgres role and modify the hba file, but we
+ do not do this when we don't configure the entire cluster via puppet.)
+* Historically, we also have clusters hardcoded in
+ {{{puppet:modules/postgres/templates/backup_server/postgres-make-base-backups.erb}}}.
+* Run puppet on the backup hosts (storace and backuphost as of 2018).
+
+* On the db server, create a role. Find the password to use on the backup host in {{{~debbackup/.pgpass}}}:\\
+ {{{sudo -u postgres createuser -D -E -P -R -S debian-backup}}}
+* Give the role replication access:\\
+ {{{sudo -u postgres psql -c 'ALTER ROLE "debian-backup" REPLICATION;'}}}
+* Add an entry to pg_hba to allow access:\\
+ {{{hostssl replication debian-backup 5.153.231.12/32 md5 # backuphost
+hostssl replication debian-backup 2001:41c8:1000:21::21:12/128 md5 # backuphost
+hostssl replication debian-backup 93.94.130.161/32 md5 # storace
+hostssl replication debian-backup 2a02:158:380:280::161/128 md5 # storace}}}
+* Ensure pg is listening on *.
+* Ensure the server is using ssl and a proper debian auto-ca cert.
+* Reload db server.
+* Test running "postgres-make-base-backups host:port".
+* You should see a tarball and WALs
+
+= Nagios warnings =
+
+== BASE-IS-OLD ==
+
+(2018-02) Our nagios check warns us when a backup server has not successfully fetched
+a base backup recently. The causes often are that either the postgres server or the
+backup host went down or was down during the time of the weekly cronjob.
+
+To re-run a base backup for a specific cluster, log into the backup server
+(either storace or backuphost), cat /usr/local/bin/postgres-make-base-backups
+to see the port for the cluster, and run