global:
  serve:
    stdinserver:
      # Directory where AF_UNIX sockets for stdinserver command are placed.
      #
      # `zrepl stdinserver CLIENT_IDENTITY`
      #   * connects to the socket in $sockdir/CLIENT_IDENTITY
      #   * sends its stdin / stdout file descriptors to the `zrepl daemon` process (see cmsg(3))
      #   * does nothing more
      #
      # This enables a setup where `zrepl daemon` is not directly exposed to the internet
      # but instead all traffic is tunnelled through SSH.
      # The server with the source job has an authorized_keys file entry for the public key
      # used by the corresponding pull job
      #
      #   command="/mnt/zrepl stdinserver CLIENT_IDENTITY" ssh-ed25519 AAAAC3NzaC1E... zrepl@pullingserver
      #
      # Below is the default value.
      sockdir: /var/run/zrepl/stdinserver

jobs:

- name: fullbackup_prod1
  # expect remote to connect via ssh+stdinserver with fullbackup_prod1 as client_identity
  type: source
  serve:
    type: stdinserver # see global.serve.stdinserver for explanation
    client_identity: fullbackup_prod1

  # snapshot these filesystems every 10m with zrepl_ as prefix
  datasets: {
    "zroot/var/db<": "ok",
    "zroot/usr/home<": "ok",
    "zroot/var/tmp": "!", #don't backup /tmp
  }
  snapshot_prefix: zrepl_
  interval: 10m


  # keep a one day window 10m interval snapshots in case pull doesn't work (link down, etc)
  # (we cannot keep more than one day because this host will run out of disk space)
  prune:
    policy: grid
    grid: 1x1d(keep=all)