{"host": "pki1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4897, "only_in_self": ["Alternatives::Select[ip6tables]", "Alternatives::Select[iptables]", "Augeas[Apache2 logs]", "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "Cfssl::Config[aux]", "Cfssl::Config[aux_front_proxy]", "Cfssl::Config[cassandra]", "Cfssl::Config[cloud_wmnet_ca]", "Cfssl::Config[debmonitor]", "Cfssl::Config[discovery2026]", "Cfssl::Config[discovery]", "Cfssl::Config[dse]", "Cfssl::Config[dse_front_proxy]", "Cfssl::Config[etcd]", "Cfssl::Config[kafka]", "Cfssl::Config[mlserve]", "Cfssl::Config[mlserve_front_proxy]", "Cfssl::Config[mlserve_staging]", "Cfssl::Config[mlserve_staging_front_proxy]", "Cfssl::Config[network_devices]", "Cfssl::Config[puppet_rsa]", "Cfssl::Config[syslog]", "Cfssl::Config[wikikube]", "Cfssl::Config[wikikube_front_proxy]", "Cfssl::Config[wikikube_staging]", "Cfssl::Config[wikikube_staging_front_proxy]", "Cfssl::Config[zuul]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "Cfssl::Db[multirootca-db]", "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "Cfssl::Ocsp[aux]", "Cfssl::Ocsp[aux_front_proxy]", "Cfssl::Ocsp[cassandra]", "Cfssl::Ocsp[cloud_wmnet_ca]", "Cfssl::Ocsp[debmonitor]", "Cfssl::Ocsp[discovery2026]", "Cfssl::Ocsp[discovery]", "Cfssl::Ocsp[dse]", "Cfssl::Ocsp[dse_front_proxy]", "Cfssl::Ocsp[etcd]", "Cfssl::Ocsp[kafka]", "Cfssl::Ocsp[mlserve]", "Cfssl::Ocsp[mlserve_front_proxy]", "Cfssl::Ocsp[mlserve_staging]", "Cfssl::Ocsp[mlserve_staging_front_proxy]", "Cfssl::Ocsp[network_devices]", "Cfssl::Ocsp[puppet_rsa]", "Cfssl::Ocsp[syslog]", "Cfssl::Ocsp[wikikube]", "Cfssl::Ocsp[wikikube_front_proxy]", "Cfssl::Ocsp[wikikube_staging]", "Cfssl::Ocsp[wikikube_staging_front_proxy]", "Cfssl::Ocsp[zuul]", "Cfssl::Signer[aux]", "Cfssl::Signer[aux_front_proxy]", "Cfssl::Signer[cassandra]", "Cfssl::Signer[cloud_wmnet_ca]", "Cfssl::Signer[debmonitor]", "Cfssl::Signer[discovery2026]", "Cfssl::Signer[discovery]", "Cfssl::Signer[dse]", "Cfssl::Signer[dse_front_proxy]", "Cfssl::Signer[etcd]", "Cfssl::Signer[kafka]", "Cfssl::Signer[mlserve]", "Cfssl::Signer[mlserve_front_proxy]", "Cfssl::Signer[mlserve_staging]", "Cfssl::Signer[mlserve_staging_front_proxy]", "Cfssl::Signer[network_devices]", "Cfssl::Signer[puppet_rsa]", "Cfssl::Signer[syslog]", "Cfssl::Signer[wikikube]", "Cfssl::Signer[wikikube_front_proxy]", "Cfssl::Signer[wikikube_staging]", "Cfssl::Signer[wikikube_staging_front_proxy]", "Cfssl::Signer[zuul]", "Class[Cfssl::Multirootca]", "Class[Httpd]", "Class[Profile::Firewall::Log::Ferm]", "Class[Profile::Pki::Multirootca]", "Class[Role::Pki::Multirootca]", "Class[Sslcert::Dhparam]", "Class[Ulogd]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "Ferm::Conf[defs]", "Ferm::Conf[main]", "Ferm::Filter_log[filter-bootp]", "Ferm::Rule[drop-blocked-nets]", "Ferm::Rule[dscp-default]", "Ferm::Rule[filter_log_filter-bootp]", "Ferm::Rule[log-everything]", "Ferm::Service[csr_and_ocsp_responder]", "Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[multirootca_tls_termination]", "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[auto_restart_file_presence_ulogd2]", "File_line[load_env_enabled]", "Firewall::Service[csr_and_ocsp_responder]", "Firewall::Service[multirootca tls termination]", "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "Httpd::Conf[defaults]", "Httpd::Conf[dummy]", "Httpd::Conf[pki.discovery.wmnet]", "Httpd::Conf[server-status]", "Httpd::Mod_conf[access_compat]", "Httpd::Mod_conf[filter]", "Httpd::Mod_conf[headers]", "Httpd::Mod_conf[proxy_http]", "Httpd::Mod_conf[ssl]", "Httpd::Mod_conf[status]", "Httpd::Site[dummy]", "Httpd::Site[pki.discovery.wmnet]", "Logrotate::Conf[cfssl-gc-expired-certs]", "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Logrotate::Conf[cfssl-ocsprefresh-aux]", "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[cfssl-ocsprefresh-dse]", "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Logrotate::Conf[ulogd]", "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "Logrotate::Conf[wmf_auto_restart_apache2]", "Logrotate::Conf[wmf_auto_restart_ulogd2]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "Monitoring::Exported_nagios_service[pki1001 ferm_active]", "Monitoring::Service[check_certificate_expiry_aux]", "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "Monitoring::Service[check_certificate_expiry_cassandra]", "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Service[check_certificate_expiry_debmonitor]", "Monitoring::Service[check_certificate_expiry_discovery2026]", "Monitoring::Service[check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_dse]", "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "Monitoring::Service[check_certificate_expiry_etcd]", "Monitoring::Service[check_certificate_expiry_kafka]", "Monitoring::Service[check_certificate_expiry_mlserve]", "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_network_devices]", "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "Monitoring::Service[check_certificate_expiry_syslog]", "Monitoring::Service[check_certificate_expiry_wikikube]", "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_zuul]", "Monitoring::Service[check_cfssl-multirootca_status]", "Monitoring::Service[ferm_active]", "Motd::Message[pki::multirootca]", "Motd::Script[pki::multirootca]", "Node[__node_regexp__pki10012.eqiad.]", "Nrpe::Check[check_check_certificate_expiry_aux]", "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_cassandra]", "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_dse]", "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_etcd]", "Nrpe::Check[check_check_certificate_expiry_kafka]", "Nrpe::Check[check_check_certificate_expiry_mlserve]", "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_network_devices]", "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "Nrpe::Check[check_check_certificate_expiry_syslog]", "Nrpe::Check[check_check_certificate_expiry_wikikube]", "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_zuul]", "Nrpe::Check[check_check_cfssl-multirootca_status]", "Nrpe::Check[check_ferm_active]", "Nrpe::Monitor_service[check_certificate_expiry_aux]", "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_dse]", "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "Nrpe::Monitor_service[ferm_active]", "Nrpe::Plugin[check_ferm]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Package[ulogd2]", "Profile::Auto_restarts::Service[apache-htcacheclean]", "Profile::Auto_restarts::Service[apache2]", "Profile::Auto_restarts::Service[ulogd2]", "Profile::Pki::Multirootca::Monitoring[aux]", "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "Profile::Pki::Multirootca::Monitoring[cassandra]", "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "Profile::Pki::Multirootca::Monitoring[debmonitor]", "Profile::Pki::Multirootca::Monitoring[discovery2026]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Profile::Pki::Multirootca::Monitoring[dse]", "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "Profile::Pki::Multirootca::Monitoring[etcd]", "Profile::Pki::Multirootca::Monitoring[kafka]", "Profile::Pki::Multirootca::Monitoring[mlserve]", "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[network_devices]", "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "Profile::Pki::Multirootca::Monitoring[syslog]", "Profile::Pki::Multirootca::Monitoring[wikikube]", "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[zuul]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "Prometheus::Blackbox::Check::Http[PKI_aux]", "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Blackbox::Check::Http[PKI_dse]", "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_etcd]", "Prometheus::Blackbox::Check::Http[PKI_kafka]", "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "Prometheus::Blackbox::Check::Http[PKI_syslog]", "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_zuul]", "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[cfssl-gc-expired-certs]", "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[ulogd]", "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "Rsyslog::Conf[wmf_auto_restart_apache2]", "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[ferm]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]", "Service[wmf_auto_restart_ulogd2.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "Sudo::User[nrpe-check_ferm_active]", "Sudo::User[nrpe_certificate_check_aux]", "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "Sudo::User[nrpe_certificate_check_cassandra]", "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "Sudo::User[nrpe_certificate_check_debmonitor]", "Sudo::User[nrpe_certificate_check_discovery2026]", "Sudo::User[nrpe_certificate_check_discovery]", "Sudo::User[nrpe_certificate_check_dse]", "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "Sudo::User[nrpe_certificate_check_etcd]", "Sudo::User[nrpe_certificate_check_kafka]", "Sudo::User[nrpe_certificate_check_mlserve]", "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "Sudo::User[nrpe_certificate_check_mlserve_staging]", "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_network_devices]", "Sudo::User[nrpe_certificate_check_puppet_rsa]", "Sudo::User[nrpe_certificate_check_syslog]", "Sudo::User[nrpe_certificate_check_wikikube]", "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "Sudo::User[nrpe_certificate_check_wikikube_staging]", "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_zuul]", "Systemd::Monitor[cfssl-multirootca]", "Systemd::Override[apache2-after-network-online-target]", "Systemd::Override[ferm-service-status-restart]", "Systemd::Service[cfssl-gc-expired-certs]", "Systemd::Service[cfssl-multirootca]", "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocsprefresh-aux]", "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-cassandra]", "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocsprefresh-dse]", "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-etcd]", "Systemd::Service[cfssl-ocsprefresh-kafka]", "Systemd::Service[cfssl-ocsprefresh-mlserve]", "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-network_devices]", "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Service[cfssl-ocsprefresh-syslog]", "Systemd::Service[cfssl-ocsprefresh-wikikube]", "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-zuul]", "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocspserve@aux]", "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "Systemd::Service[cfssl-ocspserve@cassandra]", "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Service[cfssl-ocspserve@debmonitor]", "Systemd::Service[cfssl-ocspserve@discovery2026]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[cfssl-ocspserve@dse]", "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "Systemd::Service[cfssl-ocspserve@etcd]", "Systemd::Service[cfssl-ocspserve@kafka]", "Systemd::Service[cfssl-ocspserve@mlserve]", "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@network_devices]", "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "Systemd::Service[cfssl-ocspserve@syslog]", "Systemd::Service[cfssl-ocspserve@wikikube]", "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@zuul]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Service[nrpe2nodexp-ferm_active]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "Systemd::Service[wmf_auto_restart_apache2]", "Systemd::Service[wmf_auto_restart_ulogd2]", "Systemd::Syslog[cfssl-gc-expired-certs]", "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Syslog[cfssl-ocsprefresh-aux]", "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[cfssl-ocsprefresh-dse]", "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Syslog[ulogd]", "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "Systemd::Syslog[wmf_auto_restart_apache2]", "Systemd::Syslog[wmf_auto_restart_ulogd2]", "Systemd::Timer::Job[cfssl-gc-expired-certs]", "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer::Job[wmf_auto_restart_apache2]", "Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "Systemd::Timer[cfssl-gc-expired-certs]", "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer[cfssl-ocsprefresh-aux]", "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[cfssl-ocsprefresh-dse]", "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-etcd]", "Systemd::Timer[cfssl-ocsprefresh-kafka]", "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer[cfssl-ocsprefresh-syslog]", "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-zuul]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer[nrpe2nodexp-ferm_active]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer[wmf_auto_restart_apache2]", "Systemd::Timer[wmf_auto_restart_ulogd2]", "Systemd::Unit[apache2-apache2-after-network-online-target]", "Systemd::Unit[cfssl-gc-expired-certs.service]", "Systemd::Unit[cfssl-gc-expired-certs.timer]", "Systemd::Unit[cfssl-multirootca]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Unit[cfssl-ocspserve@aux]", "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "Systemd::Unit[cfssl-ocspserve@cassandra]", "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Unit[cfssl-ocspserve@debmonitor]", "Systemd::Unit[cfssl-ocspserve@discovery2026]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[cfssl-ocspserve@dse]", "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "Systemd::Unit[cfssl-ocspserve@etcd]", "Systemd::Unit[cfssl-ocspserve@kafka]", "Systemd::Unit[cfssl-ocspserve@mlserve]", "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@network_devices]", "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "Systemd::Unit[cfssl-ocspserve@syslog]", "Systemd::Unit[cfssl-ocspserve@wikikube]", "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@zuul]", "Systemd::Unit[ferm-ferm-service-status-restart]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "Systemd::Unit[wmf_auto_restart_apache2.service]", "Systemd::Unit[wmf_auto_restart_apache2.timer]", "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "Systemd::Unit[wmf_auto_restart_ulogd2.timer]"], "only_in_other": ["Class[Nftables]", "Class[Profile::Firewall::Nftables_base_sets]", "Class[Role::Insetup::Infrastructure_foundations_nftables]", "Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", "Logrotate::Conf[prometheus-node-textfile-check-nft]", "Motd::Message[insetup::infrastructure_foundations_nftables]", "Motd::Script[insetup::infrastructure_foundations_nftables]", "Nftables::File[base]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]", "Nftables::Set[ANALYTICS_NETWORKS]", "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "Nftables::Set[BASTION_HOSTS]", "Nftables::Set[CACHES]", "Nftables::Set[CLOUD_NETWORKS]", "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "Nftables::Set[CUMIN_MASTERS]", "Nftables::Set[DEPLOYMENT_HOSTS]", "Nftables::Set[DOMAIN_NETWORKS]", "Nftables::Set[DRUID_PUBLIC_HOSTS]", "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "Nftables::Set[FRACK_NETWORKS]", "Nftables::Set[INSTALL_HOSTS]", "Nftables::Set[INTERNAL]", "Nftables::Set[KAFKAMON_HOSTS]", "Nftables::Set[KAFKA_BROKERS_JUMBO]", "Nftables::Set[KAFKA_BROKERS_LOGGING]", "Nftables::Set[KAFKA_BROKERS_MAIN]", "Nftables::Set[LABSTORE_HOSTS]", "Nftables::Set[LABS_NETWORKS]", "Nftables::Set[LINK_LOCAL]", "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "Nftables::Set[MGMT_NETWORKS]", "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "Nftables::Set[MONITORING_HOSTS]", "Nftables::Set[MW_APPSERVER_NETWORKS]", "Nftables::Set[MYSQL_ROOT_CLIENTS]", "Nftables::Set[NETWORK_INFRA]", "Nftables::Set[PRODUCTION_NETWORKS]", "Nftables::Set[PROMETHEUS_HOSTS]", "Nftables::Set[SANDBOX_NETWORKS]", "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "Node[__node_regexp__pki1001.eqiad.]", "Package[nftables]", "Prometheus::Node_textfile[check-nft]", "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]", "Systemd::Service[nftables]", "Systemd::Service[prometheus-node-textfile-check-nft]", "Systemd::Syslog[prometheus-node-textfile-check-nft]", "Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "Systemd::Timer[prometheus-node-textfile-check-nft]", "Systemd::Unit[nftables]", "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "Systemd::Unmask[nftables.service]"], "resource_diffs": [{"resource": "Class[Profile::Firewall]", "parameters": "--- Class[Profile::Firewall].orig\n+++ Class[Profile::Firewall]\n\n@@\n-    provider => ferm\n+    provider => nftables\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_staging_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Prometheus::Node_textfile[check-nft]", "parameters": "--- Prometheus::Node_textfile[check-nft].orig\n+++ Prometheus::Node_textfile[check-nft]\n\n+    user           => root\n+    run_cmd        => /usr/local/bin/check-nft\n+    interval       => *:0/30\n+    environment    => {}\n+    extra_packages => []\n+    filesource     => puppet:///modules/profile/firewall/check_nftables.py\n+    ensure         => present\n"}, {"resource": "Cfssl::Signer[dse]", "parameters": "--- Cfssl::Signer[dse].orig\n+++ Cfssl::Signer[dse]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\nrMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\napIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\nDgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\nwQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\nBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\nbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\noD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\nbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\nJqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\nDj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\npOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/dse/ca/dse.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/dse\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/dse\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/dse/ca/dse-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => \n"}, {"resource": "File[/srv/cfssl/bundles/network_devices.pem]", "content": "--- /srv/cfssl/bundles/network_devices.pem.orig\n+++ /srv/cfssl/bundles/network_devices.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\n-QlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\n-WNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-ARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\n-mzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\n-tF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/network_devices.pem].orig\n+++ File[/srv/cfssl/bundles/network_devices.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-etcd.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-etcd.service]\n\n-    unit              => cfssl-ocsprefresh-etcd.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"prometheus-node-textfile-check-nft\" then {\n+    action(\n+        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-check-nft/syslog.log\"\n+        fileOwner=\"root\" fileGroup=\"root\"\n+        fileCreateMode=\"0644\"\n+    )\n+    & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]\n\n+    notify => Service[rsyslog]\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-mlserve_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/apache2/conf-available/00-defaults.conf]", "parameters": "--- File[/etc/apache2/conf-available/00-defaults.conf].orig\n+++ File[/etc/apache2/conf-available/00-defaults.conf]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    source => puppet:///modules/httpd/defaults.conf\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-aux-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-aux-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_kafka].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_kafka]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: kafka\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "content": "--- /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem.orig\n+++ /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-syslog.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-syslog.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-syslog.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-syslog.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-zuul]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-debmonitor.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bfd2f7c6497e1da6323bef48d24f9e8e\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-ferm_active]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-ferm_active\n-    splay                     => 600\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bba0a2572329bb500b832470e08b381c\" --timeout 10 --check-command \"check_ferm_active\"\n-    description               => execution of nrpe2nodexp for the check_ferm_active command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/cfssl/signers/syslog/cfssl.conf]", "content": "--- /etc/cfssl/signers/syslog/cfssl.conf.orig\n+++ /etc/cfssl/signers/syslog/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/syslog\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/syslog\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/syslog/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/syslog/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Config[wikikube]", "parameters": "--- Cfssl::Config[wikikube].orig\n+++ Cfssl::Config[wikikube]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube\n-    path                => /etc/cfssl/signers/wikikube/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_staging.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_staging.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-discovery]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-discovery].orig\n+++ File[/var/log/cfssl-ocsprefresh-discovery]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-dse_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft\n@@ -0,0 +1,4 @@\n+# Autogenerated by puppet\n+set FRACK_NETWORKS_ipv6 {\n+    type ipv6_addr\n+}", "parameters": "--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_staging/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_staging/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_staging\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_staging\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - dse\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse/ca/dse.pem --responses-file /etc/cfssl/ocsp/dse.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse' dse ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_dse]", "parameters": "--- Sudo::User[nrpe_certificate_check_dse].orig\n+++ Sudo::User[nrpe_certificate_check_dse]\n\n-    user       => nrpe_certificate_check_dse\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[Generate initial CRL for mlserve]", "parameters": "--- Exec[Generate initial CRL for mlserve].orig\n+++ Exec[Generate initial CRL for mlserve]\n\n-    creates => /srv/cfssl/crl/mlserve\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve/ca/mlserve.pem /etc/cfssl/signers/mlserve/ca/mlserve-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve/ca/mlserve.pem --responses-file /etc/cfssl/ocsp/mlserve.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve' mlserve ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nftables::Set[PRODUCTION_NETWORKS]", "parameters": "--- Nftables::Set[PRODUCTION_NETWORKS].orig\n+++ Nftables::Set[PRODUCTION_NETWORKS]\n\n+    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', '10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', '2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', '2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']\n+    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026]", "parameters": "--- File[/etc/cfssl/signers/discovery2026].orig\n+++ File[/etc/cfssl/signers/discovery2026]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-dse_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-dse_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-discovery.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "content": "--- /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem.orig\n+++ /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\n-y/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n-+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\n-N18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\n-fI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-ferm_active\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-dse.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-dse.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "content": "--- /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft.orig\n+++ /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set CUMIN_MASTERS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:102:10:64:16:154,\n+             2620:0:860:103:10:192:32:49\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/srv/cfssl/bundles/discovery.pem]", "content": "--- /srv/cfssl/bundles/discovery.pem.orig\n+++ /srv/cfssl/bundles/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/discovery.pem].orig\n+++ File[/srv/cfssl/bundles/discovery.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Service[cfssl-ocspserve@dse]", "parameters": "--- Service[cfssl-ocspserve@dse].orig\n+++ Service[cfssl-ocspserve@dse]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Syslog[prometheus-node-textfile-check-nft]\n\n+    force_stop             => True\n+    readable_by            => all\n+    owner                  => root\n+    base_dir               => /var/log\n+    group                  => root\n+    programname_comparison => startswith\n+    log_filename           => syslog.log\n+    ensure                 => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@network_devices]", "parameters": "--- Service[cfssl-ocspserve@network_devices].orig\n+++ Service[cfssl-ocspserve@network_devices]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_dse\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_staging\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f389c556cebfcfc345b3d6802f320045\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_syslog]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_syslog].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_syslog]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"syslog\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "parameters": "--- Sudo::User[nrpe_certificate_check_cloud_wmnet_ca].orig\n+++ Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]\n\n-    user       => nrpe_certificate_check_cloud_wmnet_ca\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_staging.pem]", "content": "--- /srv/cfssl/bundles/mlserve_staging.pem.orig\n+++ /srv/cfssl/bundles/mlserve_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\n-V+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\n-yxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\n-JqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n-7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_staging.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_staging.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"mlserve_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/apache2/conf-enabled]", "parameters": "--- File[/etc/apache2/conf-enabled].orig\n+++ File[/etc/apache2/conf-enabled]\n\n-    owner   => root\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n-    recurse => True\n-    purge   => True\n-    notify  => Service[apache2]\n-    ensure  => directory\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "content": "--- /etc/ferm/conf.d/01_drop-blocked-nets.orig\n+++ /etc/ferm/conf.d/01_drop-blocked-nets\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 01_drop-blocked-nets: drop abuse/blocked_nets.yaml defined in the requestctl private repo\n-\n-domain (ip ip6) {\n-\ttable filter {\n-\t\tchain INPUT {\n-\t\t\tsaddr $BLOCKED_NETS DROP;\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/01_drop-blocked-nets].orig\n+++ File[/etc/ferm/conf.d/01_drop-blocked-nets]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "parameters": "--- Monitoring::Service[check_certificate_expiry_puppet_rsa].orig\n+++ Monitoring::Service[check_certificate_expiry_puppet_rsa]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_puppet_rsa!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Augeas[Apache2 logs]", "parameters": "--- Augeas[Apache2 logs].orig\n+++ Augeas[Apache2 logs]\n\n-    lens    => Logrotate.lns\n-    incl    => /etc/logrotate.d/apache2\n-    changes => ['set rule/schedule daily', 'set rule/rotate 30']\n-    require => Package[apache2]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/apache2/env-available]", "parameters": "--- File[/etc/apache2/env-available].orig\n+++ File[/etc/apache2/env-available]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --responses-file /etc/cfssl/ocsp/wikikube_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging' wikikube_staging \n-    description               => OCSP Refresh job - wikikube_staging\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_aux]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_aux].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_aux]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: aux\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-aux]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux/ca/aux.pem --responses-file /etc/cfssl/ocsp/aux.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux' aux \n-    description               => OCSP Refresh job - aux\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_syslog.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_syslog.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Cfssl::Cert[puppet_rsa__pki_discovery_wmnet].orig\n+++ Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    owner           => root\n-    hosts           => ['pki1001.eqiad.wmnet']\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    group           => root\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    mode            => 0740\n-    common_name     => pki.discovery.wmnet\n-    names           => []\n-    provide_chain   => True\n-    label           => puppet_rsa\n-    notify_services => ['apache2']\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_syslog]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_syslog].orig\n+++ Nrpe::Check[check_check_certificate_expiry_syslog]\n\n-    before    => Monitoring::Service[check_certificate_expiry_syslog]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-syslog-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_cfssl-multirootca_status\n-    splay                     => 300\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"52832284a5fb8b8ea6f55bb6271912c9\" --timeout 10 --check-command \"check_check_cfssl-multirootca_status\" --page\n-    description               => execution of nrpe2nodexp for the check_check_cfssl-multirootca_status command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/srv/cfssl/bundles/kafka.pem]", "content": "--- /srv/cfssl/bundles/kafka.pem.orig\n+++ /srv/cfssl/bundles/kafka.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\n-AVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\n-DEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\n-kgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\n-AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\n-RGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\n-CCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\n-d21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\n-MD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\n-X0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\n-tcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\n-b9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\n-up2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/kafka.pem].orig\n+++ File[/srv/cfssl/bundles/kafka.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_network_devices].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_network_devices]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: network_devices\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ssh]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_aux\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f7dfe9e2cd77303dfae7ae11c5c56d90\" --timeout 10 --check-command \"check_check_certificate_expiry_aux\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_aux command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft\n@@ -0,0 +1,183 @@\n+# Autogenerated by puppet\n+set DOMAIN_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2001:df2:e500:101::/64,\n+             2001:df2:e500:103::/64,\n+             2001:df2:e500:1::/64,\n+             2001:df2:e500:3::/64,\n+             2001:df2:e500:ed1a::/64,\n+             2620:0:860:100::/64,\n+             2620:0:860:101::/64,\n+             2620:0:860:102::/64,\n+             2620:0:860:103::/64,\n+             2620:0:860:104::/64,\n+             2620:0:860:105::/64,\n+             2620:0:860:106::/64,\n+             2620:0:860:107::/64,\n+             2620:0:860:108::/64,\n+             2620:0:860:109::/64,\n+             2620:0:860:10a::/64,\n+             2620:0:860:10b::/64,\n+             2620:0:860:10c::/64,\n+             2620:0:860:10d::/64,\n+             2620:0:860:10e::/64,\n+             2620:0:860:10f::/64,\n+             2620:0:860:110::/64,\n+             2620:0:860:111::/64,\n+             2620:0:860:112::/64,\n+             2620:0:860:113::/64,\n+             2620:0:860:114::/64,\n+             2620:0:860:115::/64,\n+             2620:0:860:116::/64,\n+             2620:0:860:118::/64,\n+             2620:0:860:119::/64,\n+             2620:0:860:11a::/64,\n+             2620:0:860:11b::/64,\n+             2620:0:860:11c::/64,\n+             2620:0:860:11d::/64,\n+             2620:0:860:11e::/64,\n+             2620:0:860:11f::/64,\n+             2620:0:860:120::/64,\n+             2620:0:860:121::/64,\n+             2620:0:860:122::/64,\n+             2620:0:860:123::/64,\n+             2620:0:860:124::/64,\n+             2620:0:860:125::/64,\n+             2620:0:860:126::/64,\n+             2620:0:860:127::/64,\n+             2620:0:860:12b::/64,\n+             2620:0:860:12c::/64,\n+             2620:0:860:12d::/64,\n+             2620:0:860:12e::/64,\n+             2620:0:860:140::/64,\n+             2620:0:860:1::/64,\n+             2620:0:860:2::/64,\n+             2620:0:860:300::/64,\n+             2620:0:860:301::/64,\n+             2620:0:860:302::/64,\n+             2620:0:860:303::/64,\n+             2620:0:860:304::/64,\n+             2620:0:860:305::/64,\n+             2620:0:860:307::/64,\n+             2620:0:860:308::/64,\n+             2620:0:860:3::/64,\n+             2620:0:860:4::/64,\n+             2620:0:860:5::/64,\n+             2620:0:860:babe::/64,\n+             2620:0:860:babf::/64,\n+             2620:0:860:cabe::/64,\n+             2620:0:860:cabf::/64,\n+             2620:0:860:ed1a::/64,\n+             2620:0:861:100::/64,\n+             2620:0:861:101::/64,\n+             2620:0:861:102::/64,\n+             2620:0:861:103::/64,\n+             2620:0:861:104::/64,\n+             2620:0:861:105::/64,\n+             2620:0:861:106::/64,\n+             2620:0:861:107::/64,\n+             2620:0:861:108::/64,\n+             2620:0:861:109::/64,\n+             2620:0:861:10a::/64,\n+             2620:0:861:10b::/64,\n+             2620:0:861:10c::/64,\n+             2620:0:861:10d::/64,\n+             2620:0:861:10e::/64,\n+             2620:0:861:10f::/64,\n+             2620:0:861:110::/64,\n+             2620:0:861:111::/64,\n+             2620:0:861:112::/64,\n+             2620:0:861:113::/64,\n+             2620:0:861:114::/64,\n+             2620:0:861:115::/64,\n+             2620:0:861:116::/64,\n+             2620:0:861:117::/64,\n+             2620:0:861:118::/64,\n+             2620:0:861:119::/64,\n+             2620:0:861:11a::/64,\n+             2620:0:861:11c::/64,\n+             2620:0:861:11d::/64,\n+             2620:0:861:11e::/64,\n+             2620:0:861:11f::/64,\n+             2620:0:861:120::/64,\n+             2620:0:861:121::/64,\n+             2620:0:861:122::/64,\n+             2620:0:861:123::/64,\n+             2620:0:861:124::/64,\n+             2620:0:861:125::/64,\n+             2620:0:861:126::/64,\n+             2620:0:861:127::/64,\n+             2620:0:861:128::/64,\n+             2620:0:861:129::/64,\n+             2620:0:861:12a::/64,\n+             2620:0:861:12b::/64,\n+             2620:0:861:12c::/64,\n+             2620:0:861:12d::/64,\n+             2620:0:861:12e::/64,\n+             2620:0:861:12f::/64,\n+             2620:0:861:131::/64,\n+             2620:0:861:132::/64,\n+             2620:0:861:133::/64,\n+             2620:0:861:134::/64,\n+             2620:0:861:135::/64,\n+             2620:0:861:136::/64,\n+             2620:0:861:137::/64,\n+             2620:0:861:138::/64,\n+             2620:0:861:139::/64,\n+             2620:0:861:13a::/64,\n+             2620:0:861:13b::/64,\n+             2620:0:861:13c::/64,\n+             2620:0:861:13d::/64,\n+             2620:0:861:13e::/64,\n+             2620:0:861:13f::/64,\n+             2620:0:861:140::/64,\n+             2620:0:861:141::/64,\n+             2620:0:861:142::/64,\n+             2620:0:861:143::/64,\n+             2620:0:861:144::/64,\n+             2620:0:861:145::/64,\n+             2620:0:861:1::/64,\n+             2620:0:861:2::/64,\n+             2620:0:861:300::/64,\n+             2620:0:861:301::/116,\n+             2620:0:861:302::/64,\n+             2620:0:861:303::/116,\n+             2620:0:861:304::/116,\n+             2620:0:861:305::/64,\n+             2620:0:861:3::/64,\n+             2620:0:861:4::/64,\n+             2620:0:861:babe::/64,\n+             2620:0:861:babf::/116,\n+             2620:0:861:cabe::/64,\n+             2620:0:861:cabf::/116,\n+             2620:0:861:ed1a::/64,\n+             2620:0:863:101::/64,\n+             2620:0:863:102::/64,\n+             2620:0:863:103::/64,\n+             2620:0:863:1::/64,\n+             2620:0:863:2::/64,\n+             2620:0:863:3::/64,\n+             2620:0:863:ed1a::/64,\n+             2a02:ec80:300:101::/64,\n+             2a02:ec80:300:102::/64,\n+             2a02:ec80:300:103::/64,\n+             2a02:ec80:300:1::/64,\n+             2a02:ec80:300:2::/64,\n+             2a02:ec80:300:3::/64,\n+             2a02:ec80:300:ed1a::/64,\n+             2a02:ec80:600:101::/64,\n+             2a02:ec80:600:102::/64,\n+             2a02:ec80:600:1::/64,\n+             2a02:ec80:600:2::/64,\n+             2a02:ec80:600:ed1a::/64,\n+             2a02:ec80:700:101::/64,\n+             2a02:ec80:700:102::/64,\n+             2a02:ec80:700:103::/64,\n+             2a02:ec80:700:1::/64,\n+             2a02:ec80:700:2::/64,\n+             2a02:ec80:700:3::/64,\n+             2a02:ec80:700:ed1a::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-network_devices.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-network_devices.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - network_devices\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/network_devices/ca/network_devices.pem --responses-file /etc/cfssl/ocsp/network_devices.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@network_devices' network_devices ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_dse_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_dse_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"aux_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "content": "--- /etc/nagios/nrpe.d/check_ferm_active.cfg.orig\n+++ /etc/nagios/nrpe.d/check_ferm_active.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_ferm_active]=/usr/bin/sudo /usr/local/lib/nagios/plugins/check_ferm", "parameters": "--- File[/etc/nagios/nrpe.d/check_ferm_active.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_ferm_active.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_network_devices]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-debmonitor.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]\n\n-    unit              => cfssl-ocsprefresh-debmonitor.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Service[cfssl-ocsprefresh-discovery]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/ocsp/syslog.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/syslog.ocsp].orig\n+++ File[/etc/cfssl/ocsp/syslog.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[Generate initial CRL for dse_front_proxy]", "parameters": "--- Exec[Generate initial CRL for dse_front_proxy].orig\n+++ Exec[Generate initial CRL for dse_front_proxy]\n\n-    creates => /srv/cfssl/crl/dse_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/dse_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/dse_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/dse_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\n-y/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n-+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\n-N18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\n-fI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/dse_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/dse_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_syslog!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: syslog\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_discovery2026!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: discovery2026\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_debmonitor!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: debmonitor\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/LABS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/LABS_NETWORKS_ipv4.nft\n@@ -0,0 +1,27 @@\n+# Autogenerated by puppet\n+set LABS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 172.16.0.0/21,\n+             172.16.128.0/24,\n+             172.16.129.0/24,\n+             172.16.130.0/24,\n+             172.16.131.0/24,\n+             172.16.16.0/21,\n+             172.16.24.0/24,\n+             172.16.8.0/21,\n+             172.20.1.0/24,\n+             172.20.2.0/24,\n+             172.20.254.0/24,\n+             172.20.255.0/24,\n+             172.20.3.0/24,\n+             172.20.4.0/24,\n+             172.20.5.0/24,\n+             185.15.56.0/25,\n+             185.15.56.160/28,\n+             185.15.57.0/29,\n+             185.15.57.16/29,\n+             185.15.57.24/29\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n\n-    command   => /bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem > /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem\n-    subscribe => ['Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]', 'File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]', 'File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]']\n-    notify    => ['Service[apache2]']\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem | sha512sum)\"\n\n-    require   => Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]\n"}, {"resource": "Systemd::Service[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Service[cfssl-gc-expired-certs].orig\n+++ Systemd::Service[cfssl-gc-expired-certs]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-gc-expired-certs.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Nftables::Set[DOMAIN_NETWORKS]", "parameters": "--- Nftables::Set[DOMAIN_NETWORKS].orig\n+++ Nftables::Set[DOMAIN_NETWORKS]\n\n+    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', '10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', '2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', '2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-gc-expired-certs.service]", "parameters": "--- Systemd::Unit[cfssl-gc-expired-certs.service].orig\n+++ Systemd::Unit[cfssl-gc-expired-certs.service]\n\n-    unit              => cfssl-gc-expired-certs.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_ulogd2].orig\n+++ Rsyslog::Conf[wmf_auto_restart_ulogd2]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/wmf_auto_restart_ulogd2]\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-dse]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-dse].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-dse]\n\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: syslog\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__syslog\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"e3b9b989d5062ce2d267023dfe42fcd8\",check_name=\"check_check_certificate_expiry_syslog\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: syslog\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_syslog))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]\n\n-    unit              => cfssl-ocsprefresh-puppet_rsa.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_staging_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[ulogd2]", "parameters": "--- Service[ulogd2].orig\n+++ Service[ulogd2]\n\n-    enable  => True\n-    ensure  => running\n-    require => Package[ulogd2]\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_etcd.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-cassandra].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-cassandra]\n\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for cloud_wmnet_ca]", "parameters": "--- Exec[Generate initial CRL for cloud_wmnet_ca].orig\n+++ Exec[Generate initial CRL for cloud_wmnet_ca]\n\n-    creates => /srv/cfssl/crl/cloud_wmnet_ca\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/cloud_wmnet_ca\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_staging]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-etcd.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-etcd.timer]\n\n-    unit              => cfssl-ocsprefresh-etcd.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Monitoring::Service[ferm_active]", "parameters": "--- Monitoring::Service[ferm_active].orig\n+++ Monitoring::Service[ferm_active]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n-    check_command  => nrpe_check!check_ferm_active!10\n-    critical       => False\n-    description    => Check whether ferm is active by checking the default input chain\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 30\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/var/log/cfssl-gc-expired-certs]", "parameters": "--- File[/var/log/cfssl-gc-expired-certs].orig\n+++ File[/var/log/cfssl-gc-expired-certs]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/zuul/cfssl.conf]", "content": "--- /etc/cfssl/signers/zuul/cfssl.conf.orig\n+++ /etc/cfssl/signers/zuul/cfssl.conf\n@@ -1,63 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/zuul\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/zuul\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/zuul/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/zuul/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_debmonitor.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_staging.pem]", "content": "--- /srv/cfssl/bundles/wikikube_staging.pem.orig\n+++ /srv/cfssl/bundles/wikikube_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\n-BAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n-6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\n-MIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\n-MIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\n-FgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\n-cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\n-LmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\n-MEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\n-bC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\n-QTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\n-id1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n-9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_staging.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_staging.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f87f54115f2f782169eed72541c30a1e\" --timeout 10 --check-command \"check_check_certificate_expiry_cloud_wmnet_ca\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_cloud_wmnet_ca command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "parameters": "--- File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem].orig\n+++ File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]\n\n-    owner  => root\n-    source => /var/lib/puppet/ssl/certs/ca.pem\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Timer[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Timer[wmf_auto_restart_apache-htcacheclean]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => wmf_auto_restart_apache-htcacheclean.service\n-    ensure             => absent\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00'}]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_staging]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]\n"}, {"resource": "Cfssl::Ocsp[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Ocsp[wikikube_staging_front_proxy].orig\n+++ Cfssl::Ocsp[wikikube_staging_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20021\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Class[Nftables]", "parameters": "--- Class[Nftables].orig\n+++ Class[Nftables]\n\n+    ensure => present\n"}, {"resource": "Confd::File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- Confd::File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ Confd::File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/usr/local/sbin/cfssl-ocsprefresh]", "parameters": "--- File[/usr/local/sbin/cfssl-ocsprefresh].orig\n+++ File[/usr/local/sbin/cfssl-ocsprefresh]\n\n-    owner  => root\n-    source => puppet:///modules/cfssl/cfssl_ocsprefresh.py\n-    group  => root\n-    mode   => 0550\n-    ensure => file\n"}, {"resource": "File[/var/log/wmf_auto_restart_apache2]", "parameters": "--- File[/var/log/wmf_auto_restart_apache2].orig\n+++ File[/var/log/wmf_auto_restart_apache2]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-discovery\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-discovery/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n"}, {"resource": "File[/var/log/ulogd]", "parameters": "--- File[/var/log/ulogd].orig\n+++ File[/var/log/ulogd]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Cfssl::Config[cloud_wmnet_ca]", "parameters": "--- Cfssl::Config[cloud_wmnet_ca].orig\n+++ Cfssl::Config[cloud_wmnet_ca]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\n-    path                => /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/cloud_wmnet_ca\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-network_devices]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_staging_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20021 \\\n-          -responses /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.194.61.0/24', '2620:0:860:302::/64']\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft\n@@ -0,0 +1,99 @@\n+# Autogenerated by puppet\n+set MW_APPSERVER_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.64.0.0/22,\n+             10.64.130.0/24,\n+             10.64.131.0/24,\n+             10.64.132.0/24,\n+             10.64.133.0/24,\n+             10.64.134.0/24,\n+             10.64.135.0/24,\n+             10.64.136.0/24,\n+             10.64.141.0/24,\n+             10.64.152.0/24,\n+             10.64.154.0/24,\n+             10.64.156.0/24,\n+             10.64.158.0/24,\n+             10.64.16.0/22,\n+             10.64.160.0/24,\n+             10.64.162.0/24,\n+             10.64.164.0/24,\n+             10.64.166.0/24,\n+             10.64.169.0/24,\n+             10.64.171.0/24,\n+             10.64.173.0/24,\n+             10.64.175.0/24,\n+             10.64.177.0/24,\n+             10.64.179.0/24,\n+             10.64.181.0/24,\n+             10.64.183.0/24,\n+             10.64.185.0/24,\n+             10.64.187.0/24,\n+             10.64.189.0/24,\n+             10.64.32.0/22,\n+             10.64.48.0/22,\n+             10.192.0.0/22,\n+             10.192.10.0/24,\n+             10.192.11.0/24,\n+             10.192.12.0/24,\n+             10.192.13.0/24,\n+             10.192.14.0/24,\n+             10.192.15.0/24,\n+             10.192.16.0/22,\n+             10.192.21.0/24,\n+             10.192.22.0/24,\n+             10.192.23.0/24,\n+             10.192.26.0/24,\n+             10.192.27.0/24,\n+             10.192.28.0/24,\n+             10.192.29.0/24,\n+             10.192.30.0/24,\n+             10.192.31.0/24,\n+             10.192.32.0/22,\n+             10.192.36.0/24,\n+             10.192.37.0/24,\n+             10.192.38.0/24,\n+             10.192.39.0/24,\n+             10.192.4.0/24,\n+             10.192.40.0/24,\n+             10.192.41.0/24,\n+             10.192.42.0/24,\n+             10.192.43.0/24,\n+             10.192.44.0/24,\n+             10.192.45.0/24,\n+             10.192.46.0/24,\n+             10.192.47.0/24,\n+             10.192.48.0/22,\n+             10.192.5.0/24,\n+             10.192.52.0/24,\n+             10.192.56.0/24,\n+             10.192.57.0/24,\n+             10.192.58.0/24,\n+             10.192.59.0/24,\n+             10.192.6.0/24,\n+             10.192.7.0/24,\n+             10.192.8.0/24,\n+             10.192.9.0/24,\n+             10.192.64.0/21,\n+             10.192.96.0/21,\n+             10.194.128.0/17,\n+             10.194.16.0/21,\n+             10.194.61.0/24,\n+             10.194.80.0/21,\n+             10.64.64.0/21,\n+             10.67.128.0/17,\n+             10.67.16.0/21,\n+             10.67.24.0/21,\n+             10.67.80.0/21,\n+             208.80.154.0/26,\n+             208.80.154.128/26,\n+             208.80.154.64/26,\n+             208.80.155.96/27,\n+             208.80.153.0/27,\n+             208.80.153.32/27,\n+             208.80.153.64/27,\n+             208.80.153.96/27\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/BASTION_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/BASTION_HOSTS_ipv4.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set BASTION_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 208.80.154.7,\n+             208.80.153.110,\n+             185.15.59.99,\n+             198.35.26.104,\n+             103.102.166.103,\n+             185.15.58.6,\n+             195.200.68.99\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Service[cfssl-ocspserve@mlserve_staging].orig\n+++ Service[cfssl-ocspserve@mlserve_staging]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_zuul]", "parameters": "--- Sudo::User[nrpe_certificate_check_zuul].orig\n+++ Sudo::User[nrpe_certificate_check_zuul]\n\n-    user       => nrpe_certificate_check_zuul\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"d2a76a31e44e204e2d4788a2698d0e6c\",check_name=\"check_check_certificate_expiry_wikikube\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Cfssl::Ocsp[mlserve_front_proxy]", "parameters": "--- Cfssl::Ocsp[mlserve_front_proxy].orig\n+++ Cfssl::Ocsp[mlserve_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20031\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for zuul]", "parameters": "--- Exec[Generate initial CRL for zuul].orig\n+++ Exec[Generate initial CRL for zuul]\n\n-    creates => /srv/cfssl/crl/zuul\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/zuul/ca/zuul.pem /etc/cfssl/signers/zuul/ca/zuul-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/zuul\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-mlserve_staging.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/apache2/ports.conf]", "parameters": "--- File[/etc/apache2/ports.conf].orig\n+++ File[/etc/apache2/ports.conf]\n\n-    notify  => Service[apache2]\n-    owner   => root\n-    ensure  => file\n-    group   => root\n-    source  => puppet:///modules/httpd/default-ports.conf\n-    require => Package[apache2]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Service[cfssl-gc-expired-certs.timer]", "parameters": "--- Service[cfssl-gc-expired-certs.timer].orig\n+++ Service[cfssl-gc-expired-certs.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/signers/mlserve]", "parameters": "--- File[/etc/cfssl/signers/mlserve].orig\n+++ File[/etc/cfssl/signers/mlserve]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set LABSTORE_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 208.80.154.142,\n+             208.80.154.71\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Profile::Auto_restarts::Service[apache-htcacheclean]", "parameters": "--- Profile::Auto_restarts::Service[apache-htcacheclean].orig\n+++ Profile::Auto_restarts::Service[apache-htcacheclean]\n\n-    ensure => absent\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Systemd::Service[nftables]", "parameters": "--- Systemd::Service[nftables].orig\n+++ Systemd::Service[nftables]\n\n+    unit_type                => service\n+    monitoring_enabled       => False\n+    monitoring_critical      => False\n+    override                 => True\n+    service_params           => {'hasrestart': True, 'restart': '/usr/bin/systemctl reload nftables'}\n+    monitoring_contact_group => admins\n+    restart                  => False\n+    migration_task           => T407130\n+    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-network_devices.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-network_devices.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-network_devices.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-network_devices.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Config[etcd]", "parameters": "--- Cfssl::Config[etcd].orig\n+++ Cfssl::Config[etcd]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/etcd\n-    path                => /etc/cfssl/signers/etcd/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/etcd\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-mlserve.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Firewall::Service[csr_and_ocsp_responder]", "parameters": "--- Firewall::Service[csr_and_ocsp_responder].orig\n+++ Firewall::Service[csr_and_ocsp_responder]\n\n-    src_sets            => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 80\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_ulogd2.service].orig\n+++ Systemd::Unit[wmf_auto_restart_ulogd2.service]\n\n-    unit              => wmf_auto_restart_ulogd2.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Config[discovery2026]", "parameters": "--- Cfssl::Config[discovery2026].orig\n+++ Cfssl::Config[discovery2026]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/discovery2026\n-    path                => /etc/cfssl/signers/discovery2026/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/discovery2026\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet\n+set ZOOKEEPER_FLINK_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:102:10:64:16:9,\n+             2620:0:861:101:10:64:0:8,\n+             2620:0:861:103:10:64:32:41,\n+             2620:0:860:102:10:192:16:227,\n+             2620:0:860:103:10:192:32:179,\n+             2620:0:860:104:10:192:48:219\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_debmonitor].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Exec[systemd daemon-reload for nftables.service (nftables)]", "parameters": "--- Exec[systemd daemon-reload for nftables.service (nftables)].orig\n+++ Exec[systemd daemon-reload for nftables.service (nftables)]\n\n+    before      => ['Service[nftables]']\n+    refreshonly => True\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/srv/cfssl]", "parameters": "--- File[/srv/cfssl].orig\n+++ File[/srv/cfssl]\n\n-    group  => root\n-    ensure => directory\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-check-nft.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-check-nft.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Systemd timer to gather node metrics for check-nft\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/check-nft", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]\n\n+    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft\n@@ -0,0 +1,13 @@\n+# Autogenerated by puppet\n+set SANDBOX_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2001:df2:e500:202::/64,\n+             2620:0:860:201::/64,\n+             2620:0:861:202::/64,\n+             2620:0:863:201::/64,\n+             2a02:ec80:300:202::/64,\n+             2a02:ec80:700:201::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-syslog.timer]", "parameters": "--- Service[cfssl-ocsprefresh-syslog.timer].orig\n+++ Service[cfssl-ocsprefresh-syslog.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bfd2f7c6497e1da6323bef48d24f9e8e\",check_name=\"check_check_certificate_expiry_mlserve\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_staging]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate initial CRL for etcd]", "parameters": "--- Exec[Generate initial CRL for etcd].orig\n+++ Exec[Generate initial CRL for etcd]\n\n-    creates => /srv/cfssl/crl/etcd\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/etcd/ca/etcd.pem /etc/cfssl/signers/etcd/ca/etcd-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/etcd\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nftables/]", "parameters": "--- File[/etc/nftables/].orig\n+++ File[/etc/nftables/]\n\n+    group   => root\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    path    => /etc/nftables\n+    ensure  => directory\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => directory\n+    ensure => absent\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[dse]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[dse].orig\n+++ Profile::Pki::Multirootca::Monitoring[dse]\n\n-    ca_file      => /etc/cfssl/signers/dse/ca/dse.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => dse\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-discovery.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@debmonitor]", "parameters": "--- Service[cfssl-ocspserve@debmonitor].orig\n+++ Service[cfssl-ocspserve@debmonitor]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-cassandra\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-cassandra/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_debmonitor].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_debmonitor]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: debmonitor\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_apache2]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_apache2].orig\n+++ Logrotate::Conf[wmf_auto_restart_apache2]\n\n-    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-discovery]\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (aux_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20051 \\\n-          -responses /etc/cfssl/ocsp/aux_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-cloud_wmnet_ca-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/apache2/sites-available]", "parameters": "--- File[/etc/apache2/sites-available].orig\n+++ File[/etc/apache2/sites-available]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n"}, {"resource": "File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": "--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@zuul]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@zuul].orig\n+++ Systemd::Unit[cfssl-ocspserve@zuul]\n\n-    unit              => cfssl-ocspserve@zuul\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_staging].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_staging]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[Generate initial CRL for wikikube_staging]", "parameters": "--- Exec[Generate initial CRL for wikikube_staging].orig\n+++ Exec[Generate initial CRL for wikikube_staging]\n\n-    creates => /srv/cfssl/crl/wikikube_staging\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_staging\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-check-nft]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-check-nft].orig\n+++ Logrotate::Conf[prometheus-node-textfile-check-nft]\n\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-puppet_rsa\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-puppet_rsa/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_cassandra!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: cassandra\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-network_devices-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_puppet_rsa command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_puppet_rsa\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"c1b324b3d8ac107f8d7483b4017f5edf\" --timeout 10 --check-command \"check_check_certificate_expiry_puppet_rsa\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/aux_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/aux_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n-9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\n-pNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\n-ZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\n-HEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/aux_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/aux_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-network_devices]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-network_devices].orig\n+++ File[/var/log/cfssl-ocsprefresh-network_devices]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Cfssl::Config[aux_front_proxy]", "parameters": "--- Cfssl::Config[aux_front_proxy].orig\n+++ Cfssl::Config[aux_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/aux_front_proxy\n-    path                => /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/aux_front_proxy\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft\n@@ -0,0 +1,189 @@\n+# Autogenerated by puppet\n+set DOMAIN_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.128.0.0/24,\n+             10.128.1.0/24,\n+             10.128.2.0/24,\n+             10.132.0.0/24,\n+             10.132.2.0/24,\n+             10.136.0.0/24,\n+             10.136.1.0/24,\n+             10.140.0.0/24,\n+             10.140.1.0/24,\n+             10.140.2.0/24,\n+             10.192.0.0/22,\n+             10.192.10.0/24,\n+             10.192.11.0/24,\n+             10.192.12.0/24,\n+             10.192.13.0/24,\n+             10.192.14.0/24,\n+             10.192.15.0/24,\n+             10.192.16.0/22,\n+             10.192.20.0/24,\n+             10.192.21.0/24,\n+             10.192.22.0/24,\n+             10.192.23.0/24,\n+             10.192.24.0/23,\n+             10.192.26.0/24,\n+             10.192.27.0/24,\n+             10.192.28.0/24,\n+             10.192.29.0/24,\n+             10.192.30.0/24,\n+             10.192.31.0/24,\n+             10.192.32.0/22,\n+             10.192.36.0/24,\n+             10.192.37.0/24,\n+             10.192.38.0/24,\n+             10.192.39.0/24,\n+             10.192.4.0/24,\n+             10.192.40.0/24,\n+             10.192.41.0/24,\n+             10.192.42.0/24,\n+             10.192.43.0/24,\n+             10.192.44.0/24,\n+             10.192.45.0/24,\n+             10.192.46.0/24,\n+             10.192.47.0/24,\n+             10.192.48.0/22,\n+             10.192.5.0/24,\n+             10.192.52.0/24,\n+             10.192.56.0/24,\n+             10.192.57.0/24,\n+             10.192.58.0/24,\n+             10.192.59.0/24,\n+             10.192.6.0/24,\n+             10.192.64.0/21,\n+             10.192.7.0/24,\n+             10.192.72.0/24,\n+             10.192.76.0/24,\n+             10.192.8.0/24,\n+             10.192.80.0/20,\n+             10.192.9.0/24,\n+             10.192.96.0/21,\n+             10.194.0.0/20,\n+             10.194.128.0/17,\n+             10.194.16.0/21,\n+             10.194.61.0/24,\n+             10.194.62.0/23,\n+             10.194.64.0/20,\n+             10.194.80.0/21,\n+             10.2.1.0/24,\n+             10.2.2.0/24,\n+             10.2.3.0/24,\n+             10.2.4.0/24,\n+             10.2.5.0/24,\n+             10.2.6.0/24,\n+             10.2.7.0/24,\n+             10.64.0.0/22,\n+             10.64.130.0/24,\n+             10.64.131.0/24,\n+             10.64.132.0/24,\n+             10.64.133.0/24,\n+             10.64.134.0/24,\n+             10.64.135.0/24,\n+             10.64.136.0/24,\n+             10.64.137.0/24,\n+             10.64.138.0/24,\n+             10.64.139.0/24,\n+             10.64.140.0/24,\n+             10.64.141.0/24,\n+             10.64.142.0/24,\n+             10.64.143.0/24,\n+             10.64.144.0/24,\n+             10.64.145.0/24,\n+             10.64.148.0/24,\n+             10.64.149.0/24,\n+             10.64.150.0/24,\n+             10.64.151.0/24,\n+             10.64.152.0/24,\n+             10.64.153.0/24,\n+             10.64.154.0/24,\n+             10.64.155.0/24,\n+             10.64.156.0/24,\n+             10.64.157.0/24,\n+             10.64.158.0/24,\n+             10.64.159.0/24,\n+             10.64.16.0/22,\n+             10.64.160.0/24,\n+             10.64.161.0/24,\n+             10.64.162.0/24,\n+             10.64.163.0/24,\n+             10.64.164.0/24,\n+             10.64.165.0/24,\n+             10.64.166.0/24,\n+             10.64.167.0/24,\n+             10.64.169.0/24,\n+             10.64.170.0/24,\n+             10.64.171.0/24,\n+             10.64.172.0/24,\n+             10.64.173.0/24,\n+             10.64.174.0/24,\n+             10.64.175.0/24,\n+             10.64.176.0/24,\n+             10.64.177.0/24,\n+             10.64.178.0/24,\n+             10.64.179.0/24,\n+             10.64.180.0/24,\n+             10.64.181.0/24,\n+             10.64.182.0/24,\n+             10.64.183.0/24,\n+             10.64.184.0/24,\n+             10.64.185.0/24,\n+             10.64.186.0/24,\n+             10.64.187.0/24,\n+             10.64.188.0/24,\n+             10.64.189.0/24,\n+             10.64.190.0/24,\n+             10.64.20.0/24,\n+             10.64.21.0/24,\n+             10.64.24.0/23,\n+             10.64.32.0/22,\n+             10.64.36.0/24,\n+             10.64.48.0/22,\n+             10.64.5.0/24,\n+             10.64.53.0/24,\n+             10.64.64.0/21,\n+             10.64.72.0/24,\n+             10.64.76.0/24,\n+             10.67.0.0/20,\n+             10.67.128.0/17,\n+             10.67.16.0/21,\n+             10.67.24.0/21,\n+             10.67.32.0/20,\n+             10.67.64.0/20,\n+             10.67.80.0/21,\n+             10.80.0.0/24,\n+             10.80.1.0/24,\n+             10.80.2.0/24,\n+             103.102.166.0/28,\n+             103.102.166.224/27,\n+             103.102.166.96/27,\n+             185.15.58.0/27,\n+             185.15.58.224/27,\n+             185.15.58.32/27,\n+             185.15.59.0/27,\n+             185.15.59.224/27,\n+             185.15.59.32/27,\n+             185.15.59.96/27,\n+             195.200.68.0/27,\n+             195.200.68.224/27,\n+             195.200.68.32/27,\n+             195.200.68.96/27,\n+             198.35.26.0/27,\n+             198.35.26.32/27,\n+             198.35.26.96/27,\n+             208.80.152.128/27,\n+             208.80.153.0/27,\n+             208.80.153.224/27,\n+             208.80.153.32/27,\n+             208.80.153.64/27,\n+             208.80.153.96/27,\n+             208.80.154.0/26,\n+             208.80.154.128/26,\n+             208.80.154.224/27,\n+             208.80.154.64/26,\n+             208.80.155.96/27\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_puppet_rsa]", "parameters": "--- Sudo::User[nrpe_certificate_check_puppet_rsa].orig\n+++ Sudo::User[nrpe_certificate_check_puppet_rsa]\n\n-    user       => nrpe_certificate_check_puppet_rsa\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/etc/cfssl/multiroot.conf]", "content": "--- /etc/cfssl/multiroot.conf.orig\n+++ /etc/cfssl/multiroot.conf\n@@ -1,138 +0,0 @@\n-[debmonitor]\n-private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n-certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-config = /etc/cfssl/signers/debmonitor/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery]\n-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem\n-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem\n-config = /etc/cfssl/signers/discovery/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[kafka]\n-private = file:///etc/cfssl/signers/kafka/ca/kafka-key.pem\n-certificate = /etc/cfssl/signers/kafka/ca/kafka.pem\n-config = /etc/cfssl/signers/kafka/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[cloud_wmnet_ca]\n-private = file:///etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n-certificate = /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-config = /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[etcd]\n-private = file:///etc/cfssl/signers/etcd/ca/etcd-key.pem\n-certificate = /etc/cfssl/signers/etcd/ca/etcd.pem\n-config = /etc/cfssl/signers/etcd/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[cassandra]\n-private = file:///etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n-certificate = /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-config = /etc/cfssl/signers/cassandra/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[syslog]\n-private = file:///etc/cfssl/signers/syslog/ca/syslog-key.pem\n-certificate = /etc/cfssl/signers/syslog/ca/syslog.pem\n-config = /etc/cfssl/signers/syslog/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[puppet_rsa]\n-private = file:///etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n-certificate = /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-config = /etc/cfssl/signers/puppet_rsa/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[zuul]\n-private = file:///etc/cfssl/signers/zuul/ca/zuul-key.pem\n-certificate = /etc/cfssl/signers/zuul/ca/zuul.pem\n-config = /etc/cfssl/signers/zuul/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery2026]\n-private = file:///etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n-certificate = /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-config = /etc/cfssl/signers/discovery2026/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube]\n-private = file:///etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n-certificate = /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-config = /etc/cfssl/signers/wikikube/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_front_proxy]\n-private = file:///etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-config = /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_staging]\n-private = file:///etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n-certificate = /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-config = /etc/cfssl/signers/wikikube_staging/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_staging_front_proxy]\n-private = file:///etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-config = /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve]\n-private = file:///etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n-certificate = /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-config = /etc/cfssl/signers/mlserve/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_front_proxy]\n-private = file:///etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-config = /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_staging]\n-private = file:///etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n-certificate = /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-config = /etc/cfssl/signers/mlserve_staging/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_staging_front_proxy]\n-private = file:///etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-config = /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[aux]\n-private = file:///etc/cfssl/signers/aux/ca/aux-key.pem\n-certificate = /etc/cfssl/signers/aux/ca/aux.pem\n-config = /etc/cfssl/signers/aux/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[aux_front_proxy]\n-private = file:///etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-config = /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[dse]\n-private = file:///etc/cfssl/signers/dse/ca/dse-key.pem\n-certificate = /etc/cfssl/signers/dse/ca/dse.pem\n-config = /etc/cfssl/signers/dse/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[dse_front_proxy]\n-private = file:///etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-config = /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[network_devices]\n-private = file:///etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n-certificate = /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-config = /etc/cfssl/signers/network_devices/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-", "parameters": "--- File[/etc/cfssl/multiroot.conf].orig\n+++ File[/etc/cfssl/multiroot.conf]\n\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n-    ensure => present\n"}, {"resource": "Cfssl::Signer[wikikube_front_proxy]", "parameters": "--- Cfssl::Signer[wikikube_front_proxy].orig\n+++ Cfssl::Signer[wikikube_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\ngjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\nAQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\nhmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\nraOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\nA1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\nG/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\nLy9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\nb3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\nZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\nADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\nhzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => test\n\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-wikikube_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]\n\n-    before      => ['Service[cfssl-gc-expired-certs.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_network_devices\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"21dac3775d059b8c991626e2ca33f951\" --timeout 10 --check-command \"check_check_certificate_expiry_network_devices\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_network_devices command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_staging_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Signer[discovery2026]", "parameters": "--- Cfssl::Signer[discovery2026].orig\n+++ Cfssl::Signer[discovery2026]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\nA4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\nHQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\nCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\nSXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\nc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\nA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\naWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\nUGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\nb9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\naTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n-----END CERTIFICATE-----\n-    ca_file          => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/discovery2026\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery2026\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Class[Httpd]", "parameters": "--- Class[Httpd].orig\n+++ Class[Httpd]\n\n-    enable_forensic_log  => False\n-    wait_network_online  => False\n-    legacy_compat        => present\n-    http_only            => False\n-    purge_manual_config  => True\n-    remove_default_ports => False\n-    modules              => ['proxy_http', 'ssl', 'headers']\n-    rotate               => 30\n-    period               => daily\n-    extra_pkgs           => []\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    require                   => File[/usr/local/sbin/wmf-auto-restart]\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/wmf-auto-restart -s apache-htcacheclean\n-    description               => Auto restart job: apache-htcacheclean\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube]\n\n-    ca_file      => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => wikikube\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging_front_proxy' wikikube_staging_front_proxy \n-    description               => OCSP Refresh job - wikikube_staging_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_cassandra\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f5e260f525c48c963fb2e6c86a0d5d63\" --timeout 10 --check-command \"check_check_certificate_expiry_cassandra\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_cassandra command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Service[apache2]", "parameters": "--- Service[apache2].orig\n+++ Service[apache2]\n\n-    before     => ['Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]']\n-    enable     => True\n-    ensure     => running\n-    restart    => systemctl reload apache2\n-    hasrestart => True\n-    require    => Package[apache2]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-puppet_rsa\n-\n-/var/log/cfssl-ocsprefresh-puppet_rsa/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-cassandra.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-cassandra\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-cassandra\n-\n-/var/log/cfssl-ocsprefresh-cassandra/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: etcd\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__etcd\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"c834f873297e445663ead81279c0b928\",check_name=\"check_check_certificate_expiry_etcd\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: etcd\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_etcd))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/cloud_wmnet_ca\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-kafka.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-kafka\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-kafka\n-\n-/var/log/cfssl-ocsprefresh-kafka/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-kafka].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    unit              => cfssl-ocsprefresh-cloud_wmnet_ca.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Service[cfssl-ocsprefresh-zuul]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-zuul.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_staging_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/cfssl/signers/zuul]", "parameters": "--- File[/etc/cfssl/signers/zuul].orig\n+++ File[/etc/cfssl/signers/zuul]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-etcd.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-etcd\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-etcd\n-\n-/var/log/cfssl-ocsprefresh-etcd/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-etcd].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Config[kafka]", "parameters": "--- Cfssl::Config[kafka].orig\n+++ Cfssl::Config[kafka]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/kafka\n-    path                => /etc/cfssl/signers/kafka/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'kafka_11': {'expiry': '8760h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/kafka\n"}, {"resource": "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/apache2/sites-enabled]", "parameters": "--- File[/etc/apache2/sites-enabled].orig\n+++ File[/etc/apache2/sites-enabled]\n\n-    owner   => root\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n-    recurse => True\n-    purge   => True\n-    notify  => Service[apache2]\n-    ensure  => directory\n"}, {"resource": "Nftables::Set[INSTALL_HOSTS]", "parameters": "--- Nftables::Set[INSTALL_HOSTS].orig\n+++ Nftables::Set[INSTALL_HOSTS]\n\n+    hosts  => ['208.80.154.134', '208.80.153.70', '185.15.59.101', '198.35.26.98', '103.102.166.11', '185.15.58.7', '195.200.68.100', '2620:0:861:2:208:80:154:134', '2620:0:860:3:208:80:153:70', '2a02:ec80:300:3:185:15:59:101', '2620:0:863:3:198:35:26:98', '2001:df2:e500:1:103:102:166:11', '2a02:ec80:600:1:185:15:58:7', '2a02:ec80:700:3:195:200:68:100']\n+    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_dse]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_dse].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_dse]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: dse\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-etcd].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-etcd]\n\n-    ensure => present\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-tcp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-tcp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-tcp]\n\n+    unrestricted_access => False\n+    port_range          => [1, 65535]\n+    prio                => 10\n+    desc                => \n+    proto               => tcp\n+    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n+    notrack             => False\n+    ensure              => present\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-discovery2026.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_debmonitor\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"224e2ac3574a9ce482218106d95a2931\" --timeout 10 --check-command \"check_check_certificate_expiry_debmonitor\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_debmonitor command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/srv/cfssl/bundles/etcd.pem]", "content": "--- /srv/cfssl/bundles/etcd.pem.orig\n+++ /srv/cfssl/bundles/etcd.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n-7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\n-ZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\n-N/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\n-ZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n-4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\n-jkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\n-UF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/etcd.pem].orig\n+++ File[/srv/cfssl/bundles/etcd.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "content": "--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft.orig\n+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft\n@@ -0,0 +1,4 @@\n+# Autogenerated by puppet\n+set MYSQL_ROOT_CLIENTS_ipv6 {\n+    type ipv6_addr\n+}", "parameters": "--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_front_proxy' mlserve_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Cfssl::Config[mlserve_staging]", "parameters": "--- Cfssl::Config[mlserve_staging].orig\n+++ Cfssl::Config[mlserve_staging]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_staging\n-    path                => /etc/cfssl/signers/mlserve_staging/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_staging\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_debmonitor command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_debmonitor\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"224e2ac3574a9ce482218106d95a2931\" --timeout 10 --check-command \"check_check_certificate_expiry_debmonitor\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[Generate initial CRL for wikikube_front_proxy]", "parameters": "--- Exec[Generate initial CRL for wikikube_front_proxy].orig\n+++ Exec[Generate initial CRL for wikikube_front_proxy]\n\n-    creates => /srv/cfssl/crl/wikikube_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@zuul]']\n"}, {"resource": "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.67.128.0/17', '2620:0:861:cabe::/64', '10.194.128.0/17', '2620:0:860:cabe::/64']\n+    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_dse_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Httpd::Mod_conf[access_compat]", "parameters": "--- Httpd::Mod_conf[access_compat].orig\n+++ Httpd::Mod_conf[access_compat]\n\n-    mod      => access_compat\n-    loadfile => access_compat.load\n-    ensure   => present\n"}, {"resource": "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "content": "--- /etc/ferm/conf.d/98_filter_log_filter-bootp.orig\n+++ /etc/ferm/conf.d/98_filter_log_filter-bootp\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 98_filter_log_filter-bootp: \n-\n-domain (ip ip6) {\n-\ttable filter {\n-\t\tchain INPUT {\n-\t\t\tproto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/98_filter_log_filter-bootp].orig\n+++ File[/etc/ferm/conf.d/98_filter_log_filter-bootp]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_aux_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_aux_front_proxy]\n\n-    user       => nrpe_certificate_check_aux_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[Generate initial CRL for dse]", "parameters": "--- Exec[Generate initial CRL for dse].orig\n+++ Exec[Generate initial CRL for dse]\n\n-    creates => /srv/cfssl/crl/dse\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/dse/ca/dse.pem /etc/cfssl/signers/dse/ca/dse-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/dse\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-network_devices.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-network_devices.service]\n\n-    unit              => cfssl-ocsprefresh-network_devices.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@kafka.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@kafka.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (kafka)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10003 \\\n-          -responses /etc/cfssl/ocsp/kafka.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@kafka.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@kafka.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for mlserve_staging]", "parameters": "--- Exec[Generate initial CRL for mlserve_staging].orig\n+++ Exec[Generate initial CRL for mlserve_staging]\n\n-    creates => /srv/cfssl/crl/mlserve_staging\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_staging\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-gc-expired-certs.timer]", "parameters": "--- Systemd::Unit[cfssl-gc-expired-certs.timer].orig\n+++ Systemd::Unit[cfssl-gc-expired-certs.timer]\n\n-    unit              => cfssl-gc-expired-certs.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_aux].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_aux]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Timer[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Timer[wmf_auto_restart_ulogd2]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => wmf_auto_restart_ulogd2.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 5:37:00'}]\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "content": "--- /etc/cfssl/signers/zuul/ca/zuul.pem.orig\n+++ /etc/cfssl/signers/zuul/ca/zuul.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\n-dSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\n-g+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\n-g7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\n-jr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\n-HAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\n-atmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\n-XjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/zuul/ca/zuul.pem].orig\n+++ File[/etc/cfssl/signers/zuul/ca/zuul.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-discovery.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-discovery\n-\n-/var/log/cfssl-ocsprefresh-discovery/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Httpd::Mod_conf[headers]", "parameters": "--- Httpd::Mod_conf[headers].orig\n+++ Httpd::Mod_conf[headers]\n\n-    mod      => headers\n-    loadfile => headers.load\n-    ensure   => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_staging-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-cloud_wmnet_ca.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-cloud_wmnet_ca.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Class[Profile::Firewall::Log::Ferm]", "parameters": "--- Class[Profile::Firewall::Log::Ferm].orig\n+++ Class[Profile::Firewall::Log::Ferm]\n\n-    separate_file => True\n-    log_rate      => 1/second\n-    log_burst     => 5\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "content": "--- /srv/cfssl/bundles/cloud_wmnet_ca.pem.orig\n+++ /srv/cfssl/bundles/cloud_wmnet_ca.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\n-IwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n-33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\n-SrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\n-AQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\n-FMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\n-kdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\n-aXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\n-BgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\n-V2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\n-XFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\n-RSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n-/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/cloud_wmnet_ca.pem].orig\n+++ File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_ulogd2.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_ulogd2.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of wmf_auto_restart_ulogd2.service\n-\n-[Timer]\n-Unit=wmf_auto_restart_ulogd2.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 5:37:00\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_staging\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"7cff186656c3cabbca85b5b57d0c8679\",check_name=\"check_check_certificate_expiry_mlserve_staging\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_staging))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_staging.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-puppet_rsa].orig\n+++ File[/var/log/cfssl-ocsprefresh-puppet_rsa]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_staging!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/srv/cfssl/bundles/dse.pem]", "content": "--- /srv/cfssl/bundles/dse.pem.orig\n+++ /srv/cfssl/bundles/dse.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\n-rMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\n-apIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\n-Dgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\n-wQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\n-JqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\n-Dj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\n-pOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/dse.pem].orig\n+++ File[/srv/cfssl/bundles/dse.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Nftables::Service[ssh-from-cumin-masters]", "parameters": "--- Nftables::Service[ssh-from-cumin-masters].orig\n+++ Nftables::Service[ssh-from-cumin-masters]\n\n+    src_sets            => ['CUMIN_MASTERS']\n+    unrestricted_access => False\n+    prio                => 10\n+    desc                => \n+    proto               => tcp\n+    notrack             => False\n+    ensure              => present\n+    port                => 22\n"}, {"resource": "Alternatives::Select[iptables]", "parameters": "--- Alternatives::Select[iptables].orig\n+++ Alternatives::Select[iptables]\n\n-    path    => /usr/sbin/iptables-legacy\n-    require => Package[iptables]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Cfssl::Ocsp[etcd]", "parameters": "--- Cfssl::Ocsp[etcd].orig\n+++ Cfssl::Ocsp[etcd]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10005\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft\n@@ -0,0 +1,14 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_JUMBO_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:109:10:64:130:10,\n+             2620:0:861:10a:10:64:131:16,\n+             2620:0:861:10b:10:64:132:21,\n+             2620:0:861:10d:10:64:134:9,\n+             2620:0:861:10e:10:64:135:16,\n+             2620:0:861:10f:10:64:136:11,\n+             2620:0:861:122:10:64:154:15,\n+             2620:0:861:128:10:64:160:16,\n+             2620:0:861:101:10:64:0:126\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set LABSTORE_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:2:208:80:154:142,\n+             2620:0:861:3:208:80:154:71\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocspserve@kafka]", "parameters": "--- Service[cfssl-ocspserve@kafka].orig\n+++ Service[cfssl-ocspserve@kafka]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set CLOUD_PRIVATE_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2a02:ec80:a000:201::/64,\n+             2a02:ec80:a000:202::/64,\n+             2a02:ec80:a000:203::/64,\n+             2a02:ec80:a000:204::/64,\n+             2a02:ec80:a100:205::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_discovery].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_discovery]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: discovery\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --responses-file /etc/cfssl/ocsp/puppet_rsa.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@puppet_rsa' puppet_rsa \n-    description               => OCSP Refresh job - puppet_rsa\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Cfssl::Config[debmonitor]", "parameters": "--- Cfssl::Config[debmonitor].orig\n+++ Cfssl::Config[debmonitor]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/debmonitor\n-    path                => /etc/cfssl/signers/debmonitor/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/debmonitor\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_dse\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"4384c5ebc49e03dbe331e279fac3f393\" --timeout 10 --check-command \"check_check_certificate_expiry_dse\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_dse command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-check-nft.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-check-nft\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for prometheus-node-textfile-check-nft\n+\n+/var/log/prometheus-node-textfile-check-nft/*.log {\n+    daily\n+    copytruncate\n+    missingok\n+    compress\n+    delaycompress\n+    notifempty\n+    rotate 15\n+    size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-check-nft].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-check-nft]\n\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Config[aux]", "parameters": "--- Cfssl::Config[aux].orig\n+++ Cfssl::Config[aux]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/aux\n-    path                => /etc/cfssl/signers/aux/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/aux\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_zuul.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__cloud_wmnet_ca\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f87f54115f2f782169eed72541c30a1e\",check_name=\"check_check_certificate_expiry_cloud_wmnet_ca\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_cloud_wmnet_ca))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Cfssl::Signer[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Signer[mlserve_staging_front_proxy].orig\n+++ Cfssl::Signer[mlserve_staging_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\niTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\nByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\nEhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\nxy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\nlCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\nO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\nhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\ncm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\nPQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\nbCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\ndYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\nsBI=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 72h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_cassandra.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-aux-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux.timer]\n\n-    unit              => cfssl-ocsprefresh-aux.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]\n\n-    unit              => cfssl-ocsprefresh-cloud_wmnet_ca.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Class[Profile::Firewall::Nftables_base_sets]", "parameters": "--- Class[Profile::Firewall::Nftables_base_sets].orig\n+++ Class[Profile::Firewall::Nftables_base_sets]\n\n+    kafka_brokers_logging => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', '2620:0:861:10a:10:64:131:13', '10.64.135.13', '2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']\n+    bastion_hosts         => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n+    mysql_root_clients    => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.155.103', '208.80.154.9', '10.64.0.20']\n+    install_hosts         => {'eqiad': '208.80.154.134', 'codfw': '208.80.153.70', 'esams': '185.15.59.101', 'ulsfo': '198.35.26.98', 'eqsin': '103.102.166.11', 'drmrs': '185.15.58.7', 'magru': '195.200.68.100'}\n+    cache_hosts           => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', '2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', '10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.0.27', '2620:0:863:101:10:128:0:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.0.28', '2620:0:863:101:10:128:0:28', '10.128.0.25', '2620:0:863:101:10:128:0:25', '10.128.0.29', '2620:0:863:101:10:128:0:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.0.31', '2620:0:863:101:10:128:0:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.0.35', '2620:0:863:101:10:128:0:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.0.36', '2620:0:863:101:10:128:0:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.0.10', '2620:0:863:101:10:128:0:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.0.12', '2620:0:863:101:10:128:0:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', '10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', '10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', '2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']\n+    install_hosts6        => {'eqiad': '2620:0:861:2:208:80:154:134', 'codfw': '2620:0:860:3:208:80:153:70', 'esams': '2a02:ec80:300:3:185:15:59:101', 'ulsfo': '2620:0:863:3:198:35:26:98', 'eqsin': '2001:df2:e500:1:103:102:166:11', 'drmrs': '2a02:ec80:600:1:185:15:58:7', 'magru': '2a02:ec80:700:3:195:200:68:100'}\n+    labstore_hosts        => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']\n+    monitoring_hosts      => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+    prometheus_nodes      => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n+    kafkamon_hosts        => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']\n+    deployment_hosts      => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']\n+    cumin_masters         => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']\n+    zookeeper_hosts_main  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']\n+    kafka_brokers_main    => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']\n+    zookeeper_flink_hosts => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']\n+    druid_public_hosts    => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', '2620:0:861:107:10:64:48:185']\n+    kafka_brokers_jumbo   => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']\n+    lb_health_checks      => ['10.64.0.136', '10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', '2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', '10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', '10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.0.18', '10.128.0.9', '10.128.0.11', '2620:0:863:101::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"wmf_auto_restart_apache-htcacheclean\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/wmf_auto_restart_apache-htcacheclean/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[ensure_present_mod_status]", "parameters": "--- Exec[ensure_present_mod_status].orig\n+++ Exec[ensure_present_mod_status]\n\n-    creates => /etc/apache2/mods-enabled/status.load\n-    command => /usr/sbin/a2enmod status\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@aux_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@aux_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_staging.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_staging.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "content": "--- /lib/systemd/system/cfssl-gc-expired-certs.service.orig\n+++ /lib/systemd/system/cfssl-gc-expired-certs.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Delete expired Certificates from the cfssl DB\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-certs clean", "parameters": "--- File[/lib/systemd/system/cfssl-gc-expired-certs.service].orig\n+++ File[/lib/systemd/system/cfssl-gc-expired-certs.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft\n@@ -0,0 +1,14 @@\n+# Autogenerated by puppet\n+set MGMT_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.65.0.0/16,\n+             10.128.128.0/17,\n+             10.193.0.0/16,\n+             10.80.128.0/17,\n+             10.132.128.0/17,\n+             10.136.128.0/17,\n+             10.140.128.0/17\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@syslog.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@syslog.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (syslog)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10007 \\\n-          -responses /etc/cfssl/ocsp/syslog.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@syslog.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@syslog.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_staging\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "content": "--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft.orig\n+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft\n@@ -0,0 +1,191 @@\n+# Autogenerated by puppet\n+set LOAD_BALANCER_HEALTH_CHECKS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.0.136,\n+             10.64.16.60,\n+             10.64.158.19,\n+             10.64.166.19,\n+             10.64.133.19,\n+             10.64.141.19,\n+             10.64.169.19,\n+             10.64.171.19,\n+             10.64.173.19,\n+             10.64.175.19,\n+             10.64.177.19,\n+             10.64.179.19,\n+             10.64.181.19,\n+             10.64.183.19,\n+             10.64.185.19,\n+             10.64.187.19,\n+             10.64.189.19,\n+             10.64.48.72,\n+             10.64.37.17,\n+             10.64.1.17,\n+             10.64.17.17,\n+             10.64.33.17,\n+             10.64.130.20,\n+             10.64.131.20,\n+             10.64.132.20,\n+             10.64.134.20,\n+             10.64.135.20,\n+             10.64.136.20,\n+             10.64.158.20,\n+             10.64.166.20,\n+             10.64.133.20,\n+             10.64.141.20,\n+             10.64.169.20,\n+             10.64.171.20,\n+             10.64.173.20,\n+             10.64.175.20,\n+             10.64.177.20,\n+             10.64.179.20,\n+             10.64.181.20,\n+             10.64.183.20,\n+             10.64.185.20,\n+             10.64.187.20,\n+             10.64.189.20,\n+             10.192.23.8,\n+             10.192.0.29,\n+             10.192.17.8,\n+             10.192.33.8,\n+             10.192.49.8,\n+             10.192.23.2,\n+             10.192.5.2,\n+             10.192.6.2,\n+             10.192.7.2,\n+             10.192.8.2,\n+             10.192.9.2,\n+             10.192.10.2,\n+             10.192.11.2,\n+             10.192.12.2,\n+             10.192.13.2,\n+             10.192.14.2,\n+             10.192.15.2,\n+             10.192.21.2,\n+             10.192.22.2,\n+             10.192.4.2,\n+             10.192.26.2,\n+             10.192.27.2,\n+             10.192.28.2,\n+             10.192.29.2,\n+             10.192.30.2,\n+             10.192.31.2,\n+             10.192.36.2,\n+             10.192.37.2,\n+             10.192.38.2,\n+             10.192.39.2,\n+             10.192.40.2,\n+             10.192.41.2,\n+             10.192.42.2,\n+             10.192.43.2,\n+             10.192.11.8,\n+             10.192.16.140,\n+             10.192.1.8,\n+             10.192.33.9,\n+             10.192.49.9,\n+             10.192.23.3,\n+             10.192.5.3,\n+             10.192.6.3,\n+             10.192.7.3,\n+             10.192.8.3,\n+             10.192.9.3,\n+             10.192.10.3,\n+             10.192.11.3,\n+             10.192.12.3,\n+             10.192.13.3,\n+             10.192.14.3,\n+             10.192.15.3,\n+             10.192.21.3,\n+             10.192.22.3,\n+             10.192.4.3,\n+             10.192.26.3,\n+             10.192.27.3,\n+             10.192.28.3,\n+             10.192.29.3,\n+             10.192.30.3,\n+             10.192.31.3,\n+             10.192.36.3,\n+             10.192.37.3,\n+             10.192.38.3,\n+             10.192.39.4,\n+             10.192.40.3,\n+             10.192.41.3,\n+             10.192.42.3,\n+             10.192.43.3,\n+             10.192.32.14,\n+             10.192.1.9,\n+             10.192.17.9,\n+             10.192.49.10,\n+             10.192.23.4,\n+             10.192.5.4,\n+             10.192.6.4,\n+             10.192.7.4,\n+             10.192.8.4,\n+             10.192.9.4,\n+             10.192.10.4,\n+             10.192.11.4,\n+             10.192.12.4,\n+             10.192.13.4,\n+             10.192.14.4,\n+             10.192.15.4,\n+             10.192.21.4,\n+             10.192.22.4,\n+             10.192.4.5,\n+             10.192.26.5,\n+             10.192.27.5,\n+             10.192.28.5,\n+             10.192.29.5,\n+             10.192.30.5,\n+             10.192.31.5,\n+             10.192.36.5,\n+             10.192.37.5,\n+             10.192.38.5,\n+             10.192.39.6,\n+             10.192.40.5,\n+             10.192.41.5,\n+             10.192.42.5,\n+             10.192.43.5,\n+             10.192.48.213,\n+             10.192.1.13,\n+             10.192.17.10,\n+             10.192.33.10,\n+             10.192.23.5,\n+             10.192.5.8,\n+             10.192.6.5,\n+             10.192.7.5,\n+             10.192.8.5,\n+             10.192.9.5,\n+             10.192.10.5,\n+             10.192.11.5,\n+             10.192.12.5,\n+             10.192.13.5,\n+             10.192.14.5,\n+             10.192.15.5,\n+             10.192.21.5,\n+             10.192.22.5,\n+             10.80.0.3,\n+             10.80.1.8,\n+             10.80.1.14,\n+             10.80.0.9,\n+             10.80.0.2,\n+             10.80.1.10,\n+             10.128.0.18,\n+             10.128.0.9,\n+             10.128.0.11,\n+             10.132.0.39,\n+             10.132.0.6,\n+             10.132.0.7,\n+             10.136.0.16,\n+             10.136.1.19,\n+             10.136.1.15,\n+             10.136.0.19,\n+             10.136.0.17,\n+             10.136.1.20,\n+             10.140.0.13,\n+             10.140.1.2,\n+             10.140.1.14,\n+             10.140.0.2,\n+             10.140.0.14,\n+             10.140.1.3\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Cfssl::Config[wikikube_front_proxy]", "parameters": "--- Cfssl::Config[wikikube_front_proxy].orig\n+++ Cfssl::Config[wikikube_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\n-    path                => /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_front_proxy\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet\n+set ZOOKEEPER_HOSTS_MAIN_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:101:10:64:0:207,\n+             2620:0:861:102:10:64:16:110,\n+             2620:0:861:107:10:64:48:154,\n+             2620:0:860:102:10:192:16:45,\n+             2620:0:860:103:10:192:32:52,\n+             2620:0:860:104:10:192:48:59\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@mlserve]']\n"}, {"resource": "Service[nrpe2nodexp-ferm_active.timer]", "parameters": "--- Service[nrpe2nodexp-ferm_active.timer].orig\n+++ Service[nrpe2nodexp-ferm_active.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_staging_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20041 \\\n-          -responses /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n"}, {"resource": "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/aux_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Service[wmf_auto_restart_apache2.timer]", "parameters": "--- Service[wmf_auto_restart_apache2.timer].orig\n+++ Service[wmf_auto_restart_apache2.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => wikikube_staging\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@wikikube_staging]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Nrpe::Plugin[check_ferm]", "parameters": "--- Nrpe::Plugin[check_ferm].orig\n+++ Nrpe::Plugin[check_ferm]\n\n-    source => puppet:///modules/base/firewall/check_ferm\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]\n\n-    before      => ['Service[nrpe2nodexp-ferm_active.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-network_devices.timer]", "parameters": "--- Service[cfssl-ocsprefresh-network_devices.timer].orig\n+++ Service[cfssl-ocsprefresh-network_devices.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@debmonitor]", "parameters": "--- Systemd::Service[cfssl-ocspserve@debmonitor].orig\n+++ Systemd::Service[cfssl-ocspserve@debmonitor]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "parameters": "--- Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_cassandra].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_cassandra]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"cassandra\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-puppet_rsa]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery2026\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery2026\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bf2e3510cb63e5f05f545e816bab4edf\",check_name=\"check_check_certificate_expiry_discovery2026\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery2026\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery2026))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n@@ -1 +0,0 @@\n-fake", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki1001 disk_space]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_staging\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_staging/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Service[cfssl-ocspserve@mlserve_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[kafka]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[kafka].orig\n+++ Profile::Pki::Multirootca::Monitoring[kafka]\n\n-    ca_file      => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => kafka\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_staging]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_staging].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_staging]\n\n-    user       => nrpe_certificate_check_wikikube_staging\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Syslog[cfssl-gc-expired-certs].orig\n+++ Systemd::Syslog[cfssl-gc-expired-certs]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-puppet_rsa-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_aux_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocspserve@syslog]", "parameters": "--- Service[cfssl-ocspserve@syslog].orig\n+++ Service[cfssl-ocspserve@syslog]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca]", "parameters": "--- File[/etc/cfssl/signers/syslog/ca].orig\n+++ File[/etc/cfssl/signers/syslog/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-cassandra-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_zuul].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_zuul]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Cfssl::Signer[kafka]", "parameters": "--- Cfssl::Signer[kafka].orig\n+++ Cfssl::Signer[kafka]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\nAVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\nDEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\nkgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\nAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\nRGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\nCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\nd21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\nMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\nX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\ntcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\nb9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\nup2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/kafka\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/kafka\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/kafka/ca/kafka-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'kafka_11': {'expiry': '8760h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => \n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_staging.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_staging.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[Generate initial CRL for wikikube]", "parameters": "--- Exec[Generate initial CRL for wikikube].orig\n+++ Exec[Generate initial CRL for wikikube]\n\n-    creates => /srv/cfssl/crl/wikikube\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube/ca/wikikube.pem /etc/cfssl/signers/wikikube/ca/wikikube-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@puppet_rsa]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "content": "--- /etc/ferm/conf.d/10_ssh_from_bastion.orig\n+++ /etc/ferm/conf.d/10_ssh_from_bastion\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 22, (103.102.166.103 185.15.58.6 185.15.59.99 195.200.68.99 198.35.26.104 2001:df2:e500:3:103:102:166:103 208.80.153.110 208.80.154.7 2620:0:860:4:208:80:153:110 2620:0:861:1:208:80:154:7 2620:0:863:3:198:35:26:104 2a02:ec80:300:3:185:15:59:99 2a02:ec80:600:1:185:15:58:6 2a02:ec80:700:3:195:200:68:99));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_ssh_from_bastion].orig\n+++ File[/etc/ferm/conf.d/10_ssh_from_bastion]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Rsyslog::Conf[cfssl-gc-expired-certs]", "parameters": "--- Rsyslog::Conf[cfssl-gc-expired-certs].orig\n+++ Rsyslog::Conf[cfssl-gc-expired-certs]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-gc-expired-certs]\n"}, {"resource": "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@kafka]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@kafka].orig\n+++ Systemd::Unit[cfssl-ocspserve@kafka]\n\n-    unit              => cfssl-ocspserve@kafka\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_puppet_rsa].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"puppet_rsa\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-zuul]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-zuul.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[aux]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[aux].orig\n+++ Profile::Pki::Multirootca::Monitoring[aux]\n\n-    ca_file      => /etc/cfssl/signers/aux/ca/aux.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => aux\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/sets/CACHES_ipv4.nft]", "content": "--- /etc/nftables/sets/CACHES_ipv4.nft.orig\n+++ /etc/nftables/sets/CACHES_ipv4.nft\n@@ -0,0 +1,117 @@\n+# Autogenerated by puppet\n+set CACHES_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.0.79,\n+             10.64.0.229,\n+             10.64.0.14,\n+             10.64.0.51,\n+             10.64.16.241,\n+             10.64.16.94,\n+             10.64.16.95,\n+             10.64.16.240,\n+             10.64.32.14,\n+             10.64.32.60,\n+             10.64.32.15,\n+             10.64.32.65,\n+             10.64.48.16,\n+             10.64.48.41,\n+             10.64.48.27,\n+             10.64.48.28,\n+             10.192.23.26,\n+             10.192.6.20,\n+             10.192.12.35,\n+             10.192.14.25,\n+             10.192.4.22,\n+             10.192.29.26,\n+             10.192.30.29,\n+             10.192.36.19,\n+             10.192.40.25,\n+             10.192.41.21,\n+             10.192.56.3,\n+             10.192.56.4,\n+             10.192.57.3,\n+             10.192.58.2,\n+             10.192.58.3,\n+             10.192.59.2,\n+             10.80.0.14,\n+             10.80.1.11,\n+             10.80.0.13,\n+             10.80.1.9,\n+             10.80.0.12,\n+             10.80.1.7,\n+             10.80.0.11,\n+             10.80.1.6,\n+             10.80.0.10,\n+             10.80.1.5,\n+             10.80.0.8,\n+             10.80.1.4,\n+             10.80.0.7,\n+             10.80.1.3,\n+             10.80.0.6,\n+             10.80.1.2,\n+             10.128.0.19,\n+             10.128.0.27,\n+             10.128.0.22,\n+             10.128.0.28,\n+             10.128.0.25,\n+             10.128.0.29,\n+             10.128.0.26,\n+             10.128.0.31,\n+             10.128.0.14,\n+             10.128.0.35,\n+             10.128.0.21,\n+             10.128.0.36,\n+             10.128.0.24,\n+             10.128.0.10,\n+             10.128.0.37,\n+             10.128.0.12,\n+             10.132.0.17,\n+             10.132.0.18,\n+             10.132.0.19,\n+             10.132.0.24,\n+             10.132.0.29,\n+             10.132.0.30,\n+             10.132.0.34,\n+             10.132.0.35,\n+             10.132.0.36,\n+             10.132.0.37,\n+             10.132.0.38,\n+             10.132.0.25,\n+             10.132.0.26,\n+             10.132.0.27,\n+             10.132.0.28,\n+             10.132.0.16,\n+             10.136.0.6,\n+             10.136.1.6,\n+             10.136.0.7,\n+             10.136.1.7,\n+             10.136.0.8,\n+             10.136.1.8,\n+             10.136.0.9,\n+             10.136.1.9,\n+             10.136.0.10,\n+             10.136.1.10,\n+             10.136.0.11,\n+             10.136.1.11,\n+             10.136.0.12,\n+             10.136.1.12,\n+             10.136.0.13,\n+             10.136.1.13,\n+             10.140.0.3,\n+             10.140.1.4,\n+             10.140.0.4,\n+             10.140.1.5,\n+             10.140.0.5,\n+             10.140.1.6,\n+             10.140.0.6,\n+             10.140.1.7,\n+             10.140.0.7,\n+             10.140.1.8,\n+             10.140.0.8,\n+             10.140.1.9,\n+             10.140.0.9,\n+             10.140.1.10,\n+             10.140.0.10,\n+             10.140.1.11\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CACHES_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CACHES_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_zuul]", "parameters": "--- Monitoring::Service[check_certificate_expiry_zuul].orig\n+++ Monitoring::Service[check_certificate_expiry_zuul]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_zuul!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: zuul\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]\n\n-    unit              => cfssl-ocspserve@mlserve_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_LOGGING]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_LOGGING].orig\n+++ Nftables::Set[KAFKA_BROKERS_LOGGING]\n\n+    hosts  => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', '2620:0:861:10a:10:64:131:13', '10.64.135.13', '2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']\n+    ensure => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery \n-    description               => OCSP Refresh job - discovery\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Nftables::Set[BASTION_HOSTS]", "parameters": "--- Nftables::Set[BASTION_HOSTS].orig\n+++ Nftables::Set[BASTION_HOSTS]\n\n+    hosts  => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n+    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "content": "--- /etc/cfssl/signers/wikikube/ca/wikikube.pem.orig\n+++ /etc/cfssl/signers/wikikube/ca/wikikube.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\n-AX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n-4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\n-YIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\n-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\n-B9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\n-MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\n-cnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\n-QzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\n-ZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\n-GaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\n-GBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n-9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca/wikikube.pem].orig\n+++ File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/srv/cfssl/bundles]", "parameters": "--- File[/srv/cfssl/bundles].orig\n+++ File[/srv/cfssl/bundles]\n\n-    group  => root\n-    ensure => directory\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => wikikube_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@wikikube_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Override[ferm-service-status-restart]", "parameters": "--- Systemd::Override[ferm-service-status-restart].orig\n+++ Systemd::Override[ferm-service-status-restart]\n\n-    unit    => ferm\n-    restart => False\n-    source  => puppet:///modules/ferm/ferm_systemd_override\n-    ensure  => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-zuul]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-zuul].orig\n+++ File[/var/log/cfssl-ocsprefresh-zuul]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "content": "--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft.orig\n+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft\n@@ -0,0 +1,42 @@\n+# Autogenerated by puppet\n+set LOAD_BALANCER_HEALTH_CHECKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:101::/64,\n+             2620:0:861:102::/64,\n+             2620:0:861:103::/64,\n+             2620:0:861:107::/64,\n+             2620:0:861:109::/64,\n+             2620:0:861:10a::/64,\n+             2620:0:861:10b::/64,\n+             2620:0:861:10d::/64,\n+             2620:0:861:10e::/64,\n+             2620:0:861:10f::/64,\n+             2620:0:861:119::/64,\n+             2620:0:861:10c::/64,\n+             2620:0:861:113::/64,\n+             2620:0:861:131::/64,\n+             2620:0:861:133::/64,\n+             2620:0:861:135::/64,\n+             2620:0:861:137::/64,\n+             2620:0:861:139::/64,\n+             2620:0:861:13b::/64,\n+             2620:0:861:13d::/64,\n+             2620:0:861:13f::/64,\n+             2620:0:861:142::/64,\n+             2620:0:861:144::/64,\n+             2620:0:860:101::/64,\n+             2620:0:860:102::/64,\n+             2620:0:860:103::/64,\n+             2620:0:860:104::/64,\n+             2a02:ec80:300:101::/64,\n+             2a02:ec80:300:102::/64,\n+             2620:0:863:101::/64,\n+             2001:df2:e500:101::/64,\n+             2a02:ec80:600:101::/64,\n+             2a02:ec80:600:102::/64,\n+             2a02:ec80:700:101::/64,\n+             2a02:ec80:700:102::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_cloud_wmnet_ca]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[discovery]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[discovery].orig\n+++ Profile::Pki::Multirootca::Monitoring[discovery]\n\n-    ca_file      => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => discovery\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube.service]\n\n-    unit              => cfssl-ocsprefresh-wikikube.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/dse_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@debmonitor.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@debmonitor.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (debmonitor)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10001 \\\n-          -responses /etc/cfssl/ocsp/debmonitor.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-aux-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"b194b5b9b6c9d6e05b9eed8dcfcc40cf\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_staging]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_staging].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_staging]\n\n-    user       => nrpe_certificate_check_mlserve_staging\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-dse-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-dse-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery-key.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery-key.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_etcd]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n\n-    unit              => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__dse\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"4384c5ebc49e03dbe331e279fac3f393\",check_name=\"check_check_certificate_expiry_dse\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_dse))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_zuul.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\n-V+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\n-yxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\n-JqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n-7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_staging/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_staging/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_staging\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_staging\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "content": "--- /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem.orig\n+++ /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem\n@@ -1,19 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDBjCCAmegAwIBAgIUJzV1YuedEKoaCkVVX4sGAX6x9eMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTMyNzAwWhcNMzEwMzIzMTMyNzAwWjCB\n-nDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\n-biBGcmFuY2lzY28xIjAgBgNVBAoTGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMx\n-FzAVBgNVBAsTDkNsb3VkIFNlcnZpY2VzMSMwIQYDVQQDDBpXaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAVJE6KrM3i7m\n-7uw5oZ71qWvcQv9wBoNU3nrEqPCDPRd4FS/THrd+OqmnxhJ5UIUhE31H3Ev52dNP\n-LQ+274G2MR9dACOGB4/21O1Ng5aKNAgF0NjwS50RAQmRaGs9f7kQg7coDDBqKQj0\n-GF6wG1tMI0/wdmi71d1qPX5BDYy+xGQZe1Bao0IwQDAOBgNVHQ8BAf8EBAMCAQYw\n-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO62iceY0vRv8gL81cYOR0O9pEzYw\n-CgYIKoZIzj0EAwQDgYwAMIGIAkIB64t/CBqDBhti8ERNX+rUh7k7zaZw0mllpfDa\n-90Gp4vUr5jNTOYi5+Was8xNHz6SCtZK6BkxjF+yb8ogG4ZknV7kCQgD6jCQHgXUx\n-mwKWMrxkrfv/yLCSytHfKCm0HSSyXKpHzKbPaIkt83JQxOoKpBmdHjPjkzVC1vjR\n-EVQD+PGFu+xryQ==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-iTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\n-ByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\n-EhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\n-xy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\n-lCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n-/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\n-O62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\n-hjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\n-cm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\n-PQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\n-bCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\n-dYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\n-sBI=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --responses-file /etc/cfssl/ocsp/debmonitor.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@debmonitor' debmonitor \n-    description               => OCSP Refresh job - debmonitor\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "content": "--- /etc/cfssl/signers/discovery2026/ca/discovery2026.pem.orig\n+++ /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\n-A4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\n-HQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n-1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\n-CDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\n-SXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n-0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\n-c2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\n-A1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\n-aWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\n-UGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\n-b9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\n-aTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_aux.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-dse\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-dse/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-zuul.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-zuul.service]\n\n-    unit              => cfssl-ocsprefresh-zuul.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Package[apache2]", "parameters": "--- Package[apache2].orig\n+++ Package[apache2]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_staging_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging_front_proxy' mlserve_staging_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-kafka.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-kafka.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - kafka\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/kafka/ca/kafka.pem --responses-file /etc/cfssl/ocsp/kafka.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@kafka' kafka ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-cloud_wmnet_ca-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-debmonitor\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-debmonitor/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "content": "--- /etc/cfssl/signers/cassandra/cfssl.conf.orig\n+++ /etc/cfssl/signers/cassandra/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/cassandra\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/cassandra\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/cassandra/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/cassandra/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-puppet_rsa-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_cfssl-multirootca_status command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_cfssl-multirootca_status\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"52832284a5fb8b8ea6f55bb6271912c9\" --timeout 10 --check-command \"check_check_cfssl-multirootca_status\" --page", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Nrpe::Monitor_service[ferm_active]", "parameters": "--- Nrpe::Monitor_service[ferm_active].orig\n+++ Nrpe::Monitor_service[ferm_active]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n-    description                 => Check whether ferm is active by checking the default input chain\n-    retries                     => 3\n-    check_interval              => 30\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/local/lib/nagios/plugins/check_ferm\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => True\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_zuul].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_zuul]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: zuul\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_network_devices.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"cloud_wmnet_ca\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Cfssl::Signer[cassandra]", "parameters": "--- Cfssl::Signer[cassandra].orig\n+++ Cfssl::Signer[cassandra]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\nzjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\nCA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\neyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\nNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\nBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\nZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\nD2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\nB6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/cassandra\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/cassandra\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-discovery]\n\n-    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --responses-file /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cloud_wmnet_ca' cloud_wmnet_ca \n-    description               => OCSP Refresh job - cloud_wmnet_ca\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => etcd\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-etcd]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@etcd]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Service[cfssl-ocsprefresh-discovery2026.timer]", "parameters": "--- Service[cfssl-ocsprefresh-discovery2026.timer].orig\n+++ Service[cfssl-ocsprefresh-discovery2026.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_dse].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_dse]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-aux-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_staging].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_staging]\n\n-    unit              => cfssl-ocspserve@wikikube_staging\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/ferm/conf.d/02_main]", "parameters": "--- File[/etc/ferm/conf.d/02_main].orig\n+++ File[/etc/ferm/conf.d/02_main]\n\n-    tag     => ferm\n-    owner   => root\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n-    notify  => Service[ferm]\n-    source  => puppet:///modules/base/firewall/main-input-default-drop.conf\n-    ensure  => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-kafka-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_cassandra]", "parameters": "--- Monitoring::Service[check_certificate_expiry_cassandra].orig\n+++ Monitoring::Service[check_certificate_expiry_cassandra]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_cassandra!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: cassandra\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "content": "--- /etc/logrotate.d/cfssl-gc-expired-certs.orig\n+++ /etc/logrotate.d/cfssl-gc-expired-certs\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-gc-expired-certs\n-\n-/var/log/cfssl-gc-expired-certs/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-gc-expired-certs].orig\n+++ File[/etc/logrotate.d/cfssl-gc-expired-certs]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@syslog]", "parameters": "--- Systemd::Service[cfssl-ocspserve@syslog].orig\n+++ Systemd::Service[cfssl-ocspserve@syslog]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_ulogd2.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_ulogd2.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Auto restart job: ulogd2\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/wmf-auto-restart -s ulogd2", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "content": "--- /etc/cfssl/signers/puppet_rsa/cfssl.conf.orig\n+++ /etc/cfssl/signers/puppet_rsa/cfssl.conf\n@@ -1,73 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/puppet_rsa\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/puppet_rsa\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"mtls\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Exec[ensure_present_mod_headers]", "parameters": "--- Exec[ensure_present_mod_headers].orig\n+++ Exec[ensure_present_mod_headers]\n\n-    creates => /etc/apache2/mods-enabled/headers.load\n-    command => /usr/sbin/a2enmod headers\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_network_devices]", "parameters": "--- Monitoring::Service[check_certificate_expiry_network_devices].orig\n+++ Monitoring::Service[check_certificate_expiry_network_devices]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_network_devices!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: network_devices\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "content": "--- /etc/cfssl/signers/discovery2026/cfssl.conf.orig\n+++ /etc/cfssl/signers/discovery2026/cfssl.conf\n@@ -1,129 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/discovery2026\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/discovery2026\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_staging\": {\n-        \"auth_key\": \"k8s_staging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_wikikube\": {\n-        \"auth_key\": \"k8s_wikikube\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlserve\": {\n-        \"auth_key\": \"k8s_mlserve\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlstaging\": {\n-        \"auth_key\": \"k8s_mlstaging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_dse\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_dse_opensearch\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"4380h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_aux\": {\n-        \"auth_key\": \"k8s_aux\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/discovery2026/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/discovery2026/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft\n@@ -0,0 +1,15 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_LOGGING_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.16.205,\n+             10.64.133.11,\n+             10.64.183.12,\n+             10.64.131.13,\n+             10.64.135.13,\n+             10.192.23.29,\n+             10.192.11.28,\n+             10.192.26.22,\n+             10.192.11.27,\n+             10.192.39.25\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-kafka].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-kafka]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-kafka]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_front_proxy]\n\n-    user       => nrpe_certificate_check_mlserve_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "content": "--- /etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf.orig\n+++ /etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf\n@@ -1,3 +0,0 @@\n-[Unit]\n-After=network-online.target\n-Wants=network-online.target", "parameters": "--- File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf].orig\n+++ File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]\n\n-    notify => Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-puppet_rsa.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-puppet_rsa.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__aux\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f7dfe9e2cd77303dfae7ae11c5c56d90\",check_name=\"check_check_certificate_expiry_aux\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_aux))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "content": "--- /etc/logrotate.d/wmf_auto_restart_apache2.orig\n+++ /etc/logrotate.d/wmf_auto_restart_apache2\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for wmf_auto_restart_apache2\n-\n-/var/log/wmf_auto_restart_apache2/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_apache2].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_apache2]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-kafka]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-ferm_active.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-ferm_active.timer]\n\n-    unit              => nrpe2nodexp-ferm_active.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_aux]", "parameters": "--- Monitoring::Service[check_certificate_expiry_aux].orig\n+++ Monitoring::Service[check_certificate_expiry_aux]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_aux!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: aux\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-dse_front_proxy]\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]\n\n-    owner   => root\n-    group   => root\n-    ensure  => file\n-    require => Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_syslog]", "parameters": "--- Monitoring::Service[check_certificate_expiry_syslog].orig\n+++ Monitoring::Service[check_certificate_expiry_syslog]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_syslog!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: syslog\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "content": "--- /etc/logrotate.d/wmf_auto_restart_apache-htcacheclean.orig\n+++ /etc/logrotate.d/wmf_auto_restart_apache-htcacheclean\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for wmf_auto_restart_apache-htcacheclean\n-\n-/var/log/wmf_auto_restart_apache-htcacheclean/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Package[nftables]", "parameters": "--- Package[nftables].orig\n+++ Package[nftables]\n\n+    ensure   => present\n+    provider => apt\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_discovery2026].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]\n\n-    unit              => cfssl-ocsprefresh-debmonitor.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set CLOUD_NETWORKS_PUBLIC_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2a02:ec80:a000:4000::/64,\n+             2a02:ec80:a100:4000::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => cassandra\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@cassandra]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "parameters": "--- File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf].orig\n+++ File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]\n\n-    notify => Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]\n-    owner  => root\n-    source => puppet:///modules/ferm/ferm_systemd_override\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-mlserve_staging_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_discovery!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: discovery\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "content": "--- /etc/cfssl/signers/syslog/ca/syslog.pem.orig\n+++ /etc/cfssl/signers/syslog/ca/syslog.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\n-CaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\n-W94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\n-q4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\n-DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\n-qaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\n-BggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\n-LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\n-QTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\n-YV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n-8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\n-p828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\n-as4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/syslog/ca/syslog.pem].orig\n+++ File[/etc/cfssl/signers/syslog/ca/syslog.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File_line[load_env_enabled]", "parameters": "--- File_line[load_env_enabled].orig\n+++ File_line[load_env_enabled]\n\n-    path    => /etc/apache2/envvars\n-    match   => env-enabled\n-    line    => for f in /etc/apache2/env-enabled/*.sh; do [ -r \"$f\" ] && . \"$f\" >&2; done || true\n-    require => Package[apache2]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@dse_front_proxy]']\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-ferm_active.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-ferm_active.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-ferm_active.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-ferm_active.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=10min\n-OnActiveSec=1s\n-RandomizedDelaySec=600\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_MAIN]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_MAIN].orig\n+++ Nftables::Set[KAFKA_BROKERS_MAIN]\n\n+    hosts  => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']\n+    ensure => present\n"}, {"resource": "File[/etc/apache2/mods-enabled/status.conf]", "parameters": "--- File[/etc/apache2/mods-enabled/status.conf].orig\n+++ File[/etc/apache2/mods-enabled/status.conf]\n\n-    before  => Httpd::Mod_conf[status]\n-    owner   => root\n-    ensure  => absent\n-    group   => root\n-    require => Package[apache2]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Httpd::Mod_conf[ssl]", "parameters": "--- Httpd::Mod_conf[ssl].orig\n+++ Httpd::Mod_conf[ssl]\n\n-    mod      => ssl\n-    loadfile => ssl.load\n-    ensure   => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery2026.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery2026.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - discovery2026\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --responses-file /etc/cfssl/ocsp/discovery2026.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery2026' discovery2026 ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-aux_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-aux_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_cassandra.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_staging_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_etcd command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_etcd\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"c834f873297e445663ead81279c0b928\" --timeout 10 --check-command \"check_check_certificate_expiry_etcd\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_kafka\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"22922fd6bc2d570e018cbe5ccd8d1727\" --timeout 10 --check-command \"check_check_certificate_expiry_kafka\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_kafka command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Auto restart job: apache-htcacheclean\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/wmf-auto-restart -s apache-htcacheclean", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "parameters": "--- Service[cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ Service[cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_zuul]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_zuul].orig\n+++ Nrpe::Check[check_check_certificate_expiry_zuul]\n\n-    before    => Monitoring::Service[check_certificate_expiry_zuul]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Cfssl::Db[multirootca-db]", "parameters": "--- Cfssl::Db[multirootca-db].orig\n+++ Cfssl::Db[multirootca-db]\n\n-    username          => pki\n-    host              => m1-master.eqiad.wmnet\n-    driver            => mysql\n-    dbname            => pki\n-    password          => changeme\n-    conf_file         => /etc/cfssl/db.conf\n-    python_config     => True\n-    ssl_ca            => /etc/ssl/certs/wmf-ca-certificates.crt\n-    ssl_checkhostname => False\n-    dbcharset         => utf8mb4\n-    notify_service    => cfssl-multirootca\n-    port              => 3306\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp]", "parameters": "--- File[/etc/cfssl/ssl/ocsp].orig\n+++ File[/etc/cfssl/ssl/ocsp]\n\n-    recurse => True\n-    owner   => root\n-    group   => root\n-    mode    => 0740\n-    ensure  => directory\n"}, {"resource": "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => cloud_wmnet_ca\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@cloud_wmnet_ca]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => ['pki1001.eqiad.wmnet']\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki.discovery.wmnet\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-zuul-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@dse_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@dse_front_proxy]\n\n-    unit              => cfssl-ocspserve@dse_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Ferm::Service[ssh_from_cumin_masters]", "parameters": "--- Ferm::Service[ssh_from_cumin_masters].orig\n+++ Ferm::Service[ssh_from_cumin_masters]\n\n-    src_sets            => ['CUMIN_MASTERS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 22\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-cloud_wmnet_ca.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_staging\n-\n-/var/log/cfssl-ocsprefresh-wikikube_staging/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_staging_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File_line[auto_restart_file_presence_apache-htcacheclean]", "parameters": "--- File_line[auto_restart_file_presence_apache-htcacheclean].orig\n+++ File_line[auto_restart_file_presence_apache-htcacheclean]\n\n-    path    => /etc/debdeploy-client/autorestarts.conf\n-    line    => apache-htcacheclean\n-    ensure  => absent\n-    require => File[/etc/debdeploy-client/autorestarts.conf]\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-syslog.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_zuul!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: zuul\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_network_devices].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_network_devices]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca]", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca].orig\n+++ File[/etc/cfssl/signers/network_devices/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]\n\n-    user       => nrpe_certificate_check_mlserve_staging_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_front_proxy' wikikube_front_proxy \n-    description               => OCSP Refresh job - wikikube_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-aux_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@aux_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@aux_front_proxy]\n\n-    unit              => cfssl-ocspserve@aux_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nftables::Set[MW_APPSERVER_NETWORKS]", "parameters": "--- Nftables::Set[MW_APPSERVER_NETWORKS].orig\n+++ Nftables::Set[MW_APPSERVER_NETWORKS]\n\n+    hosts  => ['10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.141.0/24', '10.64.152.0/24', '10.64.154.0/24', '10.64.156.0/24', '10.64.158.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.162.0/24', '10.64.164.0/24', '10.64.166.0/24', '10.64.169.0/24', '10.64.171.0/24', '10.64.173.0/24', '10.64.175.0/24', '10.64.177.0/24', '10.64.179.0/24', '10.64.181.0/24', '10.64.183.0/24', '10.64.185.0/24', '10.64.187.0/24', '10.64.189.0/24', '10.64.32.0/22', '10.64.48.0/22', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:120::/64', '2620:0:861:122::/64', '2620:0:861:124::/64', '2620:0:861:126::/64', '2620:0:861:128::/64', '2620:0:861:12a::/64', '2620:0:861:12c::/64', '2620:0:861:12e::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.7.0/24', '10.192.8.0/24', '10.192.9.0/24', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '10.192.64.0/21', '10.192.96.0/21', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.80.0/21', '10.64.64.0/21', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.80.0/21', '2620:0:860:300::/64', '2620:0:860:302::/64', '2620:0:860:305::/64', '2620:0:860:308::/64', '2620:0:860:babe::/64', '2620:0:860:cabe::/64', '2620:0:861:300::/64', '2620:0:861:302::/64', '2620:0:861:305::/64', '2620:0:861:babe::/64', '2620:0:861:cabe::/64', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.64/26', '208.80.155.96/27', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '208.80.153.0/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:3::/64', '2620:0:860:4::/64']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-wikikube_staging_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_etcd!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: etcd\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-network_devices]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-network_devices.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Ocsp[kafka]", "parameters": "--- Cfssl::Ocsp[kafka].orig\n+++ Cfssl::Ocsp[kafka]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10003\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca]", "parameters": "--- File[/etc/cfssl/signers/aux/ca].orig\n+++ File[/etc/cfssl/signers/aux/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_kafka]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Ferm::Rule[drop-blocked-nets]", "parameters": "--- Ferm::Rule[drop-blocked-nets].orig\n+++ Ferm::Rule[drop-blocked-nets]\n\n-    table  => filter\n-    chain  => INPUT\n-    ensure => present\n-    domain => (ip ip6)\n-    prio   => 01\n-    desc   => drop abuse/blocked_nets.yaml defined in the requestctl private repo\n-    rule   => saddr $BLOCKED_NETS DROP;\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => aux_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@aux_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Cfssl::Ocsp[discovery]", "parameters": "--- Cfssl::Ocsp[discovery].orig\n+++ Cfssl::Ocsp[discovery]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10002\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-wikikube.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"9d6dd05c8e5e1bb294462d932b24bd1a\",check_name=\"check_check_certificate_expiry_mlserve_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n"}, {"resource": "Systemd::Timer[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Timer[cfssl-gc-expired-certs].orig\n+++ Systemd::Timer[cfssl-gc-expired-certs]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-gc-expired-certs.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': 'hourly'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Cfssl::Config[zuul]", "parameters": "--- Cfssl::Config[zuul].orig\n+++ Cfssl::Config[zuul]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/zuul\n-    path                => /etc/cfssl/signers/zuul/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['server auth', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/zuul\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube]\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Ocsp[puppet_rsa]", "parameters": "--- Cfssl::Ocsp[puppet_rsa].orig\n+++ Cfssl::Ocsp[puppet_rsa]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10008\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca]", "parameters": "--- File[/etc/cfssl/signers/discovery/ca].orig\n+++ File[/etc/cfssl/signers/discovery/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Nrpe::Check[check_check_cfssl-multirootca_status]", "parameters": "--- Nrpe::Check[check_check_cfssl-multirootca_status].orig\n+++ Nrpe::Check[check_check_cfssl-multirootca_status]\n\n-    before  => Monitoring::Service[check_cfssl-multirootca_status]\n-    command => /usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca\n-    ensure  => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]\n\n-    ensure => present\n"}, {"resource": "File[/usr/local/sbin/cfssl-certs]", "parameters": "--- File[/usr/local/sbin/cfssl-certs].orig\n+++ File[/usr/local/sbin/cfssl-certs]\n\n-    owner  => root\n-    source => puppet:///modules/cfssl/cfssl_certs.py\n-    group  => root\n-    mode   => 0500\n-    ensure => file\n"}, {"resource": "Sudo::User[nrpe_certificate_check_syslog]", "parameters": "--- Sudo::User[nrpe_certificate_check_syslog].orig\n+++ Sudo::User[nrpe_certificate_check_syslog]\n\n-    user       => nrpe_certificate_check_syslog\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "parameters": "--- Nftables::Set[ZOOKEEPER_FLINK_HOSTS].orig\n+++ Nftables::Set[ZOOKEEPER_FLINK_HOSTS]\n\n+    hosts  => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft\n@@ -0,0 +1,14 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_JUMBO_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.130.10,\n+             10.64.131.16,\n+             10.64.132.21,\n+             10.64.134.9,\n+             10.64.135.16,\n+             10.64.136.11,\n+             10.64.154.15,\n+             10.64.160.16,\n+             10.64.0.126\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "parameters": "--- Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c].orig\n+++ Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check whether ferm is active by checking the default input chain\n-    alert_name         => nrpe_Check_whether_ferm_is_active_by_checking_the_default_input_chain\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bba0a2572329bb500b832470e08b381c\",check_name=\"check_ferm_active\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check whether ferm is active by checking the default input chain\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_ferm_active))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n-    instance           => ops\n-    ensure             => present\n-    for                => 32m\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "content": "--- /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem.orig\n+++ /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem\n@@ -1 +0,0 @@\n-FAKE FAKE FAKE", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]\n\n-    before    => Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n-    show_diff => False\n-    notify    => Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]\n"}, {"resource": "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig\n+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]\n\n-    tag     => nrpe::plugin\n-    owner   => root\n-    ensure  => file\n-    source  => puppet:///modules/systemd/check_systemd_unit_status\n-    group   => root\n-    mode    => 0555\n-    require => File[/usr/local/lib/nagios/plugins/]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "content": "--- /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf.orig\n+++ /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf\n@@ -1 +0,0 @@\n-Listen 8443", "parameters": "--- File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf].orig\n+++ File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[dse_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[dse_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => dse_front_proxy\n"}, {"resource": "Cfssl::Signer[discovery]", "parameters": "--- Cfssl::Signer[discovery].orig\n+++ Cfssl::Signer[discovery]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\nwyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\nNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\nBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\nZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\nq+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\nZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/discovery\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/discovery/ca/discovery-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_debmonitor].orig\n+++ Nrpe::Check[check_check_certificate_expiry_debmonitor]\n\n-    before    => Monitoring::Service[check_certificate_expiry_debmonitor]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_discovery].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => wikikube\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@wikikube]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/srv/cfssl/crl]", "parameters": "--- File[/srv/cfssl/crl].orig\n+++ File[/srv/cfssl/crl]\n\n-    group  => root\n-    ensure => directory\n-    owner  => root\n"}, {"resource": "Cfssl::Config[discovery]", "parameters": "--- Cfssl::Config[discovery].orig\n+++ Cfssl::Config[discovery]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/discovery\n-    path                => /etc/cfssl/signers/discovery/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/discovery\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-zuul-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/ferm/ferm.conf]", "parameters": "--- File[/etc/ferm/ferm.conf].orig\n+++ File[/etc/ferm/ferm.conf]\n\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => file\n-    source  => puppet:///modules/ferm/ferm.conf\n-    group   => root\n-    mode    => 0400\n-    require => Package[ferm]\n"}, {"resource": "Service[cfssl-ocsprefresh-aux.timer]", "parameters": "--- Service[cfssl-ocsprefresh-aux.timer].orig\n+++ Service[cfssl-ocsprefresh-aux.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_staging!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    unit              => nrpe2nodexp-check_cfssl-multirootca_status.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "content": "--- /etc/cfssl/signers/kafka/ca/kafka.pem.orig\n+++ /etc/cfssl/signers/kafka/ca/kafka.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\n-AVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\n-DEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\n-kgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\n-AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\n-RGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\n-CCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\n-d21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\n-MD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\n-X0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\n-tcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\n-b9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\n-up2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/kafka/ca/kafka.pem].orig\n+++ File[/etc/cfssl/signers/kafka/ca/kafka.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-dse_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-dse_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Signer[wikikube_staging]", "parameters": "--- Cfssl::Signer[wikikube_staging].orig\n+++ Cfssl::Signer[wikikube_staging]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\nBAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\nMIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\nMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\nFgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\ncYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\nLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\nMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\nbC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\nQTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\nid1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 72h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_staging\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_staging\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => test\n\n"}, {"resource": "Exec[Generate initial CRL for aux_front_proxy]", "parameters": "--- Exec[Generate initial CRL for aux_front_proxy].orig\n+++ Exec[Generate initial CRL for aux_front_proxy]\n\n-    creates => /srv/cfssl/crl/aux_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/aux_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_nftables:\n - Infrastructure Foundations"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_staging-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube/ca/wikikube.pem --responses-file /etc/cfssl/ocsp/wikikube.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube' wikikube ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Ferm::Rule[filter_log_filter-bootp]", "parameters": "--- Ferm::Rule[filter_log_filter-bootp].orig\n+++ Ferm::Rule[filter_log_filter-bootp]\n\n-    table  => filter\n-    chain  => INPUT\n-    ensure => present\n-    domain => (ip ip6)\n-    prio   => 98\n-    desc   => \n-    rule   => proto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_debmonitor]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-dse-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_staging]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Unit[ferm-ferm-service-status-restart]", "parameters": "--- Systemd::Unit[ferm-ferm-service-status-restart].orig\n+++ Systemd::Unit[ferm-ferm-service-status-restart]\n\n-    unit              => ferm\n-    override          => True\n-    ensure            => present\n-    restart           => False\n-    override_filename => ferm-service-status-restart\n-    source            => puppet:///modules/ferm/ferm_systemd_override\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/prometheus-node-textfile-check-nft]", "parameters": "--- File[/var/log/prometheus-node-textfile-check-nft].orig\n+++ File[/var/log/prometheus-node-textfile-check-nft]\n\n+    owner  => root\n+    force  => True\n+    backup => False\n+    group  => root\n+    mode   => 0755\n+    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_cassandra.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_cassandra.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "content": "--- /etc/cfssl/signers/zuul/ca/zuul-key.pem.orig\n+++ /etc/cfssl/signers/zuul/ca/zuul-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/zuul/ca/zuul-key.pem].orig\n+++ File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_etcd]", "parameters": "--- Monitoring::Service[check_certificate_expiry_etcd].orig\n+++ Monitoring::Service[check_certificate_expiry_etcd]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_etcd!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: etcd\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "content": "--- /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem.orig\n+++ /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDmzCCAvygAwIBAgIUN3uLiKCNVwnGG5H9qKGwTGT4fJowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTQ1MTAwWhcNMjYwMzI0MTQ1MTAwWjCB\n-mTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZp\n-Y2VzMTUwMwYDVQQDDCxXaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQV9vY3NwX3Np\n-Z25pbmdfY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmGOcHNNTGsOVTG\n-17o/lTVCgVJqX751quqBZvJQUbAgfAv0PRgv6yjWzTmZnojzKHYRaV8NXhDIVBzo\n-l2DRWUOjggEbMIIBFzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\n-AwkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULRRzzcjqWQc2Fjci5s2v0FKSPJww\n-HwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBI\n-MEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dp\n-a2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgCI41DoiQFxqs9gDCZs4VhwcNeatHqe\n-98IqBIzFOMdZdkUnyTNiXf0VDkUYZ+n2mYmB5ZAaBTPYhTHgLNrc3KsmpQJCAfHM\n-Qr3AEz1MlZq2krL+7Mx9OuBQ3B/hXyC+met7EmKDziU8UyScxFfSIY1lwwgAmZHA\n-OEOWpgzuF4fGZFVf0dFi\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]\n\n-    before => Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n-    notify => Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "content": "--- /etc/cfssl/signers/network_devices/ca/network_devices-key.pem.orig\n+++ /etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n@@ -1 +0,0 @@\n-fake key", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem].orig\n+++ File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/etc/ferm/conf.d/99_dscp-default]", "content": "--- /etc/ferm/conf.d/99_dscp-default.orig\n+++ /etc/ferm/conf.d/99_dscp-default\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 99_dscp-default: \n-\n-domain (ip ip6) {\n-\ttable mangle {\n-\t\tchain POSTROUTING {\n-\t\t\tDSCP set-dscp-class CS0;\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/99_dscp-default].orig\n+++ File[/etc/ferm/conf.d/99_dscp-default]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Cfssl::Ocsp[wikikube]", "parameters": "--- Cfssl::Ocsp[wikikube].orig\n+++ Cfssl::Ocsp[wikikube]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20010\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-cassandra].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-cassandra]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-cassandra]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Cfssl::Signer[aux_front_proxy]", "parameters": "--- Cfssl::Signer[aux_front_proxy].orig\n+++ Cfssl::Signer[aux_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\npNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\nZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\nHEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/aux_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/aux_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Httpd::Mod_conf[proxy_http]", "parameters": "--- Httpd::Mod_conf[proxy_http].orig\n+++ Httpd::Mod_conf[proxy_http]\n\n-    mod      => proxy_http\n-    loadfile => proxy_http.load\n-    ensure   => present\n"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => installed\n+    ensure => purged\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Ocsp[wikikube_staging]", "parameters": "--- Cfssl::Ocsp[wikikube_staging].orig\n+++ Cfssl::Ocsp[wikikube_staging]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20020\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Service[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@aux_front_proxy].orig\n+++ Service[cfssl-ocspserve@aux_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Nftables::Set[NETWORK_INFRA]", "parameters": "--- Nftables::Set[NETWORK_INFRA].orig\n+++ Nftables::Set[NETWORK_INFRA]\n\n+    hosts  => ['185.15.59.128/27', '2a02:ec80:300:fe00::/55', '198.35.26.128/27', '2620:0:863:fe00::/55', '208.80.153.192/27', '2620:0:860:fe00::/55', '10.192.255.0/24', '2620:0:860:13f::/64', '10.192.253.0/24', '2620:0:860:139::/64', '208.80.154.192/27', '2620:0:861:fe00::/55', '10.64.146.0/24', '2620:0:861:11b::/128', '10.64.168.0/24', '2620:0:861:130::/64', '10.64.147.0/24', '103.102.166.128/27', '2001:df2:e500:fe00::/55', '185.15.58.128/27', '2a02:ec80:600:fe00::/55', '195.200.68.128/27', '2a02:ec80:700:fe00::/55']\n+    ensure => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-aux\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-aux/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-puppet_rsa.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Sudo::User[nrpe_certificate_check_discovery2026]", "parameters": "--- Sudo::User[nrpe_certificate_check_discovery2026].orig\n+++ Sudo::User[nrpe_certificate_check_discovery2026]\n\n-    user       => nrpe_certificate_check_discovery2026\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/bin/check-nft]", "parameters": "--- File[/usr/local/bin/check-nft].orig\n+++ File[/usr/local/bin/check-nft]\n\n+    owner  => root\n+    source => puppet:///modules/profile/firewall/check_nftables.py\n+    group  => root\n+    mode   => 0555\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "content": "--- /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft.orig\n+++ /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set CUMIN_MASTERS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.16.154,\n+             10.192.32.49\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-dse-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/aux]", "parameters": "--- File[/etc/cfssl/signers/aux].orig\n+++ File[/etc/cfssl/signers/aux]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "content": "--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft.orig\n+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set MYSQL_ROOT_CLIENTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.16.90,\n+             10.192.16.191,\n+             10.64.16.154,\n+             10.192.32.49,\n+             208.80.155.103,\n+             208.80.154.9,\n+             10.64.0.20\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Service[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Service[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Service[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_front_proxy' wikikube_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@debmonitor]']\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "Nftables::Set[MYSQL_ROOT_CLIENTS]", "parameters": "--- Nftables::Set[MYSQL_ROOT_CLIENTS].orig\n+++ Nftables::Set[MYSQL_ROOT_CLIENTS]\n\n+    hosts  => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.155.103', '208.80.154.9', '10.64.0.20']\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set INSTALL_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:2:208:80:154:134,\n+             2620:0:860:3:208:80:153:70,\n+             2a02:ec80:300:3:185:15:59:101,\n+             2620:0:863:3:198:35:26:98,\n+             2001:df2:e500:1:103:102:166:11,\n+             2a02:ec80:600:1:185:15:58:7,\n+             2a02:ec80:700:3:195:200:68:100\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Cfssl::Config[puppet_rsa]", "parameters": "--- Cfssl::Config[puppet_rsa].orig\n+++ Cfssl::Config[puppet_rsa]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/puppet_rsa\n-    path                => /etc/cfssl/signers/puppet_rsa/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/puppet_rsa\n"}, {"resource": "Nftables::Set[DRUID_PUBLIC_HOSTS]", "parameters": "--- Nftables::Set[DRUID_PUBLIC_HOSTS].orig\n+++ Nftables::Set[DRUID_PUBLIC_HOSTS]\n\n+    hosts  => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', '2620:0:861:107:10:64:48:185']\n+    ensure => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-etcd]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/etcd/ca/etcd.pem --responses-file /etc/cfssl/ocsp/etcd.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@etcd' etcd \n-    description               => OCSP Refresh job - etcd\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse.timer]\n\n-    unit              => cfssl-ocsprefresh-dse.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "content": "--- /etc/ferm/conf.d/10_csr_and_ocsp_responder.orig\n+++ /etc/ferm/conf.d/10_csr_and_ocsp_responder\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 80, ($DOMAIN_NETWORKS $MGMT_NETWORKS));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_csr_and_ocsp_responder].orig\n+++ File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "content": "--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig\n+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n@@ -1,149 +0,0 @@\n-#####################################################################\n-\n-### THIS FILE IS MANAGED BY PUPPET\n-#####################################################################\n-# vim: filetype=apache\n-<VirtualHost *:80>\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  <Directory  /srv/cfssl>\n-    Require all granted\n-  </Directory>\n-\n-  <Location /metrics>\n-    Require host prometheus1005.eqiad.wmnet prometheus1006.eqiad.wmnet prometheus1007.eqiad.wmnet prometheus1008.eqiad.wmnet\n-    ProxyPass http://127.0.0.1:8888/metrics\n-    ProxyPassReverse http://127.0.0.1:8888/metrics\n-  </Location>\n-\n-  # Wikimedia_Internal_Root_CA\n-  ProxyPass /ocsp/Wikimedia_Internal_Root_CA  http://localhost:10000/\n-  ProxyPassReverse /ocsp/Wikimedia_Internal_Root_CA  http://localhost:10000/\n-  # debmonitor\n-  ProxyPass /ocsp/debmonitor  http://localhost:10001/\n-  ProxyPassReverse /ocsp/debmonitor  http://localhost:10001/\n-  # discovery\n-  ProxyPass /ocsp/discovery  http://localhost:10002/\n-  ProxyPassReverse /ocsp/discovery  http://localhost:10002/\n-  # kafka\n-  ProxyPass /ocsp/kafka  http://localhost:10003/\n-  ProxyPassReverse /ocsp/kafka  http://localhost:10003/\n-  # cloud_wmnet_ca\n-  ProxyPass /ocsp/cloud_wmnet_ca  http://localhost:10004/\n-  ProxyPassReverse /ocsp/cloud_wmnet_ca  http://localhost:10004/\n-  # etcd\n-  ProxyPass /ocsp/etcd  http://localhost:10005/\n-  ProxyPassReverse /ocsp/etcd  http://localhost:10005/\n-  # cassandra\n-  ProxyPass /ocsp/cassandra  http://localhost:10006/\n-  ProxyPassReverse /ocsp/cassandra  http://localhost:10006/\n-  # syslog\n-  ProxyPass /ocsp/syslog  http://localhost:10007/\n-  ProxyPassReverse /ocsp/syslog  http://localhost:10007/\n-  # puppet_rsa\n-  ProxyPass /ocsp/puppet_rsa  http://localhost:10008/\n-  ProxyPassReverse /ocsp/puppet_rsa  http://localhost:10008/\n-  # zuul\n-  ProxyPass /ocsp/zuul  http://localhost:10009/\n-  ProxyPassReverse /ocsp/zuul  http://localhost:10009/\n-  # discovery2026\n-  ProxyPass /ocsp/discovery2026  http://localhost:10010/\n-  ProxyPassReverse /ocsp/discovery2026  http://localhost:10010/\n-  # wikikube\n-  ProxyPass /ocsp/wikikube  http://localhost:20010/\n-  ProxyPassReverse /ocsp/wikikube  http://localhost:20010/\n-  # wikikube_front_proxy\n-  ProxyPass /ocsp/wikikube_front_proxy  http://localhost:20011/\n-  ProxyPassReverse /ocsp/wikikube_front_proxy  http://localhost:20011/\n-  # wikikube_staging\n-  ProxyPass /ocsp/wikikube_staging  http://localhost:20020/\n-  ProxyPassReverse /ocsp/wikikube_staging  http://localhost:20020/\n-  # wikikube_staging_front_proxy\n-  ProxyPass /ocsp/wikikube_staging_front_proxy  http://localhost:20021/\n-  ProxyPassReverse /ocsp/wikikube_staging_front_proxy  http://localhost:20021/\n-  # mlserve\n-  ProxyPass /ocsp/mlserve  http://localhost:20030/\n-  ProxyPassReverse /ocsp/mlserve  http://localhost:20030/\n-  # mlserve_front_proxy\n-  ProxyPass /ocsp/mlserve_front_proxy  http://localhost:20031/\n-  ProxyPassReverse /ocsp/mlserve_front_proxy  http://localhost:20031/\n-  # mlserve_staging\n-  ProxyPass /ocsp/mlserve_staging  http://localhost:20040/\n-  ProxyPassReverse /ocsp/mlserve_staging  http://localhost:20040/\n-  # mlserve_staging_front_proxy\n-  ProxyPass /ocsp/mlserve_staging_front_proxy  http://localhost:20041/\n-  ProxyPassReverse /ocsp/mlserve_staging_front_proxy  http://localhost:20041/\n-  # aux\n-  ProxyPass /ocsp/aux  http://localhost:20050/\n-  ProxyPassReverse /ocsp/aux  http://localhost:20050/\n-  # aux_front_proxy\n-  ProxyPass /ocsp/aux_front_proxy  http://localhost:20051/\n-  ProxyPassReverse /ocsp/aux_front_proxy  http://localhost:20051/\n-  # dse\n-  ProxyPass /ocsp/dse  http://localhost:20061/\n-  ProxyPassReverse /ocsp/dse  http://localhost:20061/\n-  # dse_front_proxy\n-  ProxyPass /ocsp/dse_front_proxy  http://localhost:20062/\n-  ProxyPassReverse /ocsp/dse_front_proxy  http://localhost:20062/\n-  # network_devices\n-  ProxyPass /ocsp/network_devices  http://localhost:20063/\n-  ProxyPassReverse /ocsp/network_devices  http://localhost:20063/\n-\n-  LogLevel warn\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_access.log wmf\n-</VirtualHost>\n-\n-<VirtualHost *:443>\n-  # Protected by client auth\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  SSLEngine on\n-  SSLCertificateFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem\n-  SSLCertificateKeyFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem\n-  SSLCertificateChainFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem\n-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n-  SSLCipherSuite -ALL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n-  SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n-  SSLHonorCipherOrder On\n-  SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n-  Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n-  SSLVerifyClient require\n-  SSLVerifyDepth 2\n-  SSLCACertificateFile /etc/ssl/localcerts/multiroot_ca.pem\n-\n-  ProxyPass /  http://127.0.0.1:8888/\n-  ProxyPassReverse / http://127.0.0.1:8888/\n-\n-  LogLevel warn ssl:info\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_ssl_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_ssl_access.log wmf\n-</VirtualHost>\n-<VirtualHost *:8443>\n-  # Protected by iptables\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  SSLEngine on\n-  SSLCertificateFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem\n-  SSLCertificateKeyFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem\n-  SSLCertificateChainFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem\n-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n-  SSLCipherSuite -ALL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n-  SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n-  SSLHonorCipherOrder On\n-  SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n-  Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n-\n-  ProxyPass /  http://127.0.0.1:8888/\n-  ProxyPassReverse / http://127.0.0.1:8888/\n-\n-  LogLevel warn ssl:info\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_k8s_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_k8s_access.log wmf\n-</VirtualHost>", "parameters": "--- File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf].orig\n+++ File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Timer[prometheus-node-textfile-check-nft]\n\n+    accuracy           => 15sec\n+    splay              => 0\n+    unit_name          => prometheus-node-textfile-check-nft.service\n+    ensure             => present\n+    fixed_random_delay => False\n+    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*:0/30'}]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_staging].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_staging]\n\n-    ca_file      => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => wikikube_staging\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_ulogd2.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_ulogd2.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_ulogd2.timer]\n\n-    unit              => wmf_auto_restart_ulogd2.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "parameters": "--- Nftables::Set[CLOUD_PRIVATE_NETWORKS].orig\n+++ Nftables::Set[CLOUD_PRIVATE_NETWORKS]\n\n+    hosts  => ['172.20.1.0/24', '172.20.2.0/24', '172.20.3.0/24', '172.20.4.0/24', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '172.20.5.0/24', '2a02:ec80:a100:205::/64']\n+    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_staging].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_staging]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_staging!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Class[Firewall]", "parameters": "--- Class[Firewall].orig\n+++ Class[Firewall]\n\n@@\n-    provider => ferm\n+    provider => nftables\n"}, {"resource": "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-aux]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-aux.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n-    notify      => ['Service[apache2]']\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_zuul.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@cassandra]", "parameters": "--- Service[cfssl-ocspserve@cassandra].orig\n+++ Service[cfssl-ocspserve@cassandra]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-zuul.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-zuul.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-zuul.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-zuul.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nftables::Set[LABSTORE_HOSTS]", "parameters": "--- Nftables::Set[LABSTORE_HOSTS].orig\n+++ Nftables::Set[LABSTORE_HOSTS]\n\n+    hosts  => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]\n\n-    unit              => cfssl-ocspserve@wikikube_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    unit              => cfssl-ocsprefresh-mlserve_staging.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/ferm/conf.d]", "parameters": "--- File[/etc/ferm/conf.d].orig\n+++ File[/etc/ferm/conf.d]\n\n-    owner   => root\n-    group   => adm\n-    mode    => 0551\n-    force   => True\n-    require => Package[ferm]\n-    recurse => True\n-    purge   => True\n-    notify  => Service[ferm]\n-    ignore  => ['.*']\n-    ensure  => directory\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-cassandra]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-cassandra].orig\n+++ File[/var/log/cfssl-ocsprefresh-cassandra]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-aux.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-aux\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-aux\n-\n-/var/log/cfssl-ocsprefresh-aux/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-aux].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-aux]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-zuul].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-zuul]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-zuul]\n"}, {"resource": "File[/etc/nftables.conf]", "parameters": "--- File[/etc/nftables.conf].orig\n+++ File[/etc/nftables.conf]\n\n+    group  => root\n+    ensure => absent\n+    owner  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_staging.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ferm_active]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 30\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_ferm_active!10\n-    host_name              => pki1001\n-    service_description    => Check whether ferm is active by checking the default input chain\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"wikikube_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca]", "parameters": "--- File[/etc/cfssl/signers/dse/ca].orig\n+++ File[/etc/cfssl/signers/dse/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@aux_front_proxy]']\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_dse]", "parameters": "--- Monitoring::Service[check_certificate_expiry_dse].orig\n+++ Monitoring::Service[check_certificate_expiry_dse]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_dse!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: dse\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/signers/network_devices]", "parameters": "--- File[/etc/cfssl/signers/network_devices].orig\n+++ File[/etc/cfssl/signers/network_devices]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-discovery2026-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => wikikube_staging_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_apache2].orig\n+++ Systemd::Syslog[wmf_auto_restart_apache2]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-dse_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_discovery2026].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_discovery2026]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: discovery2026\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_apache2].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_apache2]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    require                   => File[/usr/local/sbin/wmf-auto-restart]\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/wmf-auto-restart -s apache2\n-    description               => Auto restart job: apache2\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    unit              => cfssl-ocspserve@Wikimedia_Internal_Root_CA\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_syslog.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20010 \\\n-          -responses /etc/cfssl/ocsp/wikikube.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_cfssl-multirootca_status\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nftables::Set[LABS_NETWORKS]", "parameters": "--- Nftables::Set[LABS_NETWORKS].orig\n+++ Nftables::Set[LABS_NETWORKS]\n\n+    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']\n+    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - puppet_rsa\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --responses-file /etc/cfssl/ocsp/puppet_rsa.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@puppet_rsa' puppet_rsa ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_kafka]", "parameters": "--- Monitoring::Service[check_certificate_expiry_kafka].orig\n+++ Monitoring::Service[check_certificate_expiry_kafka]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_kafka!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: kafka\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\n-BAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n-6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\n-MIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\n-MIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\n-FgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\n-cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\n-LmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\n-MEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\n-bC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\n-QTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\n-id1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n-9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Service[cfssl-ocspserve@wikikube]", "parameters": "--- Service[cfssl-ocspserve@wikikube].orig\n+++ Service[cfssl-ocspserve@wikikube]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Service[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Service[cfssl-ocspserve@puppet_rsa].orig\n+++ Service[cfssl-ocspserve@puppet_rsa]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[etcd]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[etcd].orig\n+++ Profile::Pki::Multirootca::Monitoring[etcd]\n\n-    ca_file      => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => etcd\n"}, {"resource": "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@syslog]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "parameters": "--- Sudo::User[nrpe-check_check_cfssl-multirootca_status].orig\n+++ Sudo::User[nrpe-check_check_cfssl-multirootca_status]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } udp dport 1-65535 accept\n+ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } udp dport 1-65535 accept", "parameters": "--- File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft].orig\n+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-ferm_active.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-ferm_active.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_ferm_active command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-ferm_active\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bba0a2572329bb500b832470e08b381c\" --timeout 10 --check-command \"check_ferm_active\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube]\n\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"wmf_auto_restart_ulogd2\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/wmf_auto_restart_ulogd2/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Syslog[wmf_auto_restart_ulogd2]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "content": "--- /etc/cfssl/signers/debmonitor/ca/debmonitor.pem.orig\n+++ /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\n-AAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\n-M+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\n-WgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\n-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\n-TrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\n-EzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\n-HwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\n-bWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\n-XIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\n-y9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\n-EknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-debmonitor].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-debmonitor]\n"}, {"resource": "Exec[Generate initial CRL for cassandra]", "parameters": "--- Exec[Generate initial CRL for cassandra].orig\n+++ Exec[Generate initial CRL for cassandra]\n\n-    creates => /srv/cfssl/crl/cassandra\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/cassandra/ca/cassandra.pem /etc/cfssl/signers/cassandra/ca/cassandra-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/cassandra\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "content": "--- /etc/nftables/input/10_ssh-from-cumin-masters.nft.orig\n+++ /etc/nftables/input/10_ssh-from-cumin-masters.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr @CUMIN_MASTERS_ipv4 tcp dport { 22 } accept\n+ip6 saddr @CUMIN_MASTERS_ipv6 tcp dport { 22 } accept", "parameters": "--- File[/etc/nftables/input/10_ssh-from-cumin-masters.nft].orig\n+++ File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]\n\n+    tag     => nft\n+    notify  => ['Service[nftables]']\n+    owner   => root\n+    ensure  => present\n+    group   => root\n+    mode    => 0444\n+    require => ['Nftables::Set[CUMIN_MASTERS]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"mlserve\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set CLOUD_NETWORKS_PUBLIC_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 185.15.56.0/25,\n+             185.15.56.160/28,\n+             185.15.57.0/29,\n+             185.15.57.16/29,\n+             185.15.57.24/29\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Service[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Service[nrpe2nodexp-ferm_active]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-ferm_active.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[ensure_present_mod_access_compat]", "parameters": "--- Exec[ensure_present_mod_access_compat].orig\n+++ Exec[ensure_present_mod_access_compat]\n\n-    creates => /etc/apache2/mods-enabled/access_compat.load\n-    command => /usr/sbin/a2enmod access_compat\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-check-nft.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-check-nft.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of prometheus-node-textfile-check-nft.service\n+\n+[Timer]\n+Unit=prometheus-node-textfile-check-nft.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*:0/30\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]\n\n+    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_aux]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery]", "parameters": "--- File[/etc/cfssl/signers/discovery].orig\n+++ File[/etc/cfssl/signers/discovery]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging].orig\n+++ File[/etc/cfssl/signers/mlserve_staging]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@dse_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@dse_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_dse_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"2560f4f577ba169af651cf96bd5dc1ba\" --timeout 10 --check-command \"check_check_certificate_expiry_dse_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_dse_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-check-nft]\n\n+    user                      => root\n+    logfile_group             => root\n+    send_mail_only_on_error   => True\n+    send_mail                 => False\n+    success_exit_status       => []\n+    command                   => /usr/local/bin/check-nft\n+    description               => Systemd timer to gather node metrics for check-nft\n+    syslog_force_stop         => True\n+    monitoring_contact_groups => admins\n+    interval                  => {'start': 'OnCalendar', 'interval': '*:0/30'}\n+    logfile_perms             => all\n+    logging_enabled           => True\n+    syslog_match_startswith   => True\n+    logfile_name              => syslog.log\n+    send_mail_to              => root@pki1001.eqiad.wmnet\n+    environment               => {}\n+    private_tmp               => False\n+    monitoring_enabled        => False\n+    fixed_random_delay        => False\n+    ignore_errors             => False\n+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+    logfile_basedir           => /var/log\n+    ensure                    => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-dse-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/apache2/conf-enabled/00-defaults.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/00-defaults.conf].orig\n+++ File[/etc/apache2/conf-enabled/00-defaults.conf]\n\n-    target => /etc/apache2/conf-available/00-defaults.conf\n-    owner  => root\n-    notify => Service[apache2]\n-    group  => root\n-    ensure => link\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_staging].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_staging]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_staging]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => mlserve_staging\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@mlserve_staging]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_debmonitor].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_debmonitor]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"debmonitor\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Service[cfssl-ocspserve@etcd]", "parameters": "--- Service[cfssl-ocspserve@etcd].orig\n+++ Service[cfssl-ocspserve@etcd]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Class[Ferm]", "parameters": "--- Class[Ferm].orig\n+++ Class[Ferm]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]\n\n-    owner   => root\n-    group   => root\n-    ensure  => absent\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/default/ferm]", "parameters": "--- File[/etc/default/ferm].orig\n+++ File[/etc/default/ferm]\n\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => file\n-    source  => puppet:///modules/ferm/ferm.default\n-    group   => root\n-    mode    => 0400\n-    require => Package[ferm]\n"}, {"resource": "Cfssl::Ocsp[cloud_wmnet_ca]", "parameters": "--- Cfssl::Ocsp[cloud_wmnet_ca].orig\n+++ Cfssl::Ocsp[cloud_wmnet_ca]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10004\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-aux_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-aux_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-aux_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-aux_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_staging_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_syslog.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_aux_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"99cf4f8f014e8fd527800abcc213f494\" --timeout 10 --check-command \"check_check_certificate_expiry_aux_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_aux_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Service[check_certificate_expiry_discovery].orig\n+++ Monitoring::Service[check_certificate_expiry_discovery]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_discovery!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: discovery\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@wikikube_staging_front_proxy]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_discovery2026\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"d2a76a31e44e204e2d4788a2698d0e6c\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft\n@@ -0,0 +1,4 @@\n+# Autogenerated by puppet\n+set MGMT_NETWORKS_ipv6 {\n+    type ipv6_addr\n+}", "parameters": "--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@puppet_rsa.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@puppet_rsa.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (puppet_rsa)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10008 \\\n-          -responses /etc/cfssl/ocsp/puppet_rsa.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-network_devices.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-network_devices\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-network_devices\n-\n-/var/log/cfssl-ocsprefresh-network_devices/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nftables::Set[SANDBOX_NETWORKS]", "parameters": "--- Nftables::Set[SANDBOX_NETWORKS].orig\n+++ Nftables::Set[SANDBOX_NETWORKS]\n\n+    hosts  => ['103.102.166.72/29', '185.15.59.72/29', '195.200.68.64/29', '198.35.26.240/28', '2001:df2:e500:202::/64', '208.80.152.240/28', '208.80.155.64/28', '2620:0:860:201::/64', '2620:0:861:202::/64', '2620:0:863:201::/64', '2a02:ec80:300:202::/64', '2a02:ec80:700:201::/64']\n+    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_aux_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_aux_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --responses-file /etc/cfssl/ocsp/dse_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse_front_proxy' dse_front_proxy \n-    description               => OCSP Refresh job - dse_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: mlserve\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "content": "--- /etc/systemd/system/nftables.service.d/puppet-override.conf.orig\n+++ /etc/systemd/system/nftables.service.d/puppet-override.conf\n@@ -0,0 +1,5 @@\n+[Service]\n+ExecStart=\n+ExecStart=/usr/sbin/nft -f /etc/nftables/main.nft\n+ExecReload=\n+ExecReload=/usr/sbin/nft -f /etc/nftables/main.nft", "parameters": "--- File[/etc/systemd/system/nftables.service.d/puppet-override.conf].orig\n+++ File[/etc/systemd/system/nftables.service.d/puppet-override.conf]\n\n+    notify => Exec[systemd daemon-reload for nftables.service (nftables)]\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]\n\n-    unit              => cfssl-ocsprefresh-wikikube.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Signer[mlserve_staging]", "parameters": "--- Cfssl::Signer[mlserve_staging].orig\n+++ Cfssl::Signer[mlserve_staging]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\nV+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\nyxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\nJqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 72h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_staging\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_staging\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n"}, {"resource": "Service[cfssl-ocsprefresh-debmonitor.timer]", "parameters": "--- Service[cfssl-ocsprefresh-debmonitor.timer].orig\n+++ Service[cfssl-ocsprefresh-debmonitor.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@network_devices.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@network_devices.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (network_devices)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20063 \\\n-          -responses /etc/cfssl/ocsp/network_devices.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@network_devices.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Service[cfssl-ocsprefresh-network_devices]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-network_devices.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-gc-expired-certs.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-gc-expired-certs.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-gc-expired-certs\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-gc-expired-certs/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nftables::Set[DEPLOYMENT_HOSTS]", "parameters": "--- Nftables::Set[DEPLOYMENT_HOSTS].orig\n+++ Nftables::Set[DEPLOYMENT_HOSTS]\n\n+    hosts  => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']\n+    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_ferm_active]", "content": "--- /etc/sudoers.d/nrpe-check_ferm_active.orig\n+++ /etc/sudoers.d/nrpe-check_ferm_active\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm", "parameters": "--- File[/etc/sudoers.d/nrpe-check_ferm_active].orig\n+++ File[/etc/sudoers.d/nrpe-check_ferm_active]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[update_alternative_ip6tables]", "parameters": "--- Exec[update_alternative_ip6tables].orig\n+++ Exec[update_alternative_ip6tables]\n\n-    command => /usr/bin/update-alternatives --force --set ip6tables /usr/sbin/ip6tables-legacy\n-    unless  => /usr/bin/update-alternatives --query ip6tables | /bin/grep 'Value: /usr/sbin/ip6tables-legacy'\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Service[cfssl-ocsprefresh-kafka]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-kafka.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Systemd::Service[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Service[wmf_auto_restart_apache2].orig\n+++ Systemd::Service[wmf_auto_restart_apache2]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[wmf_auto_restart_apache2.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-cassandra]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/signers/etcd/cfssl.conf]", "content": "--- /etc/cfssl/signers/etcd/cfssl.conf.orig\n+++ /etc/cfssl/signers/etcd/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/etcd\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/etcd\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/etcd/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/etcd/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_front_proxy]\n\n-    user       => nrpe_certificate_check_wikikube_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-aux_front_proxy]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "content": "--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp.orig\n+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp].orig\n+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_cloud_wmnet_ca!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_apache2]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_apache2].orig\n+++ Rsyslog::Conf[wmf_auto_restart_apache2]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/wmf_auto_restart_apache2]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/network_devices/ca/network_devices.pem --responses-file /etc/cfssl/ocsp/network_devices.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@network_devices' network_devices \n-    description               => OCSP Refresh job - network_devices\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set STAGING_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:babe::/64,\n+             2620:0:860:babe::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (Wikimedia_Internal_Root_CA)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10000 \\\n-          -responses /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-kafka.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca/aux.pem]", "content": "--- /etc/cfssl/signers/aux/ca/aux.pem.orig\n+++ /etc/cfssl/signers/aux/ca/aux.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\n-h264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\n-sa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\n-QcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n-1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\n-tEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\n-Sr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\n-A3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/aux/ca/aux.pem].orig\n+++ File[/etc/cfssl/signers/aux/ca/aux.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_discovery].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-wikikube_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft\n@@ -0,0 +1,189 @@\n+# Autogenerated by puppet\n+set PRODUCTION_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.128.0.0/24,\n+             10.128.1.0/24,\n+             10.128.2.0/24,\n+             10.132.0.0/24,\n+             10.132.2.0/24,\n+             10.136.0.0/24,\n+             10.136.1.0/24,\n+             10.140.0.0/24,\n+             10.140.1.0/24,\n+             10.140.2.0/24,\n+             10.192.0.0/22,\n+             10.192.10.0/24,\n+             10.192.11.0/24,\n+             10.192.12.0/24,\n+             10.192.13.0/24,\n+             10.192.14.0/24,\n+             10.192.15.0/24,\n+             10.192.16.0/22,\n+             10.192.20.0/24,\n+             10.192.21.0/24,\n+             10.192.22.0/24,\n+             10.192.23.0/24,\n+             10.192.24.0/23,\n+             10.192.26.0/24,\n+             10.192.27.0/24,\n+             10.192.28.0/24,\n+             10.192.29.0/24,\n+             10.192.30.0/24,\n+             10.192.31.0/24,\n+             10.192.32.0/22,\n+             10.192.36.0/24,\n+             10.192.37.0/24,\n+             10.192.38.0/24,\n+             10.192.39.0/24,\n+             10.192.4.0/24,\n+             10.192.40.0/24,\n+             10.192.41.0/24,\n+             10.192.42.0/24,\n+             10.192.43.0/24,\n+             10.192.44.0/24,\n+             10.192.45.0/24,\n+             10.192.46.0/24,\n+             10.192.47.0/24,\n+             10.192.48.0/22,\n+             10.192.5.0/24,\n+             10.192.52.0/24,\n+             10.192.56.0/24,\n+             10.192.57.0/24,\n+             10.192.58.0/24,\n+             10.192.59.0/24,\n+             10.192.6.0/24,\n+             10.192.64.0/21,\n+             10.192.7.0/24,\n+             10.192.72.0/24,\n+             10.192.76.0/24,\n+             10.192.8.0/24,\n+             10.192.80.0/20,\n+             10.192.9.0/24,\n+             10.192.96.0/21,\n+             10.194.0.0/20,\n+             10.194.128.0/17,\n+             10.194.16.0/21,\n+             10.194.61.0/24,\n+             10.194.62.0/23,\n+             10.194.64.0/20,\n+             10.194.80.0/21,\n+             10.2.1.0/24,\n+             10.2.2.0/24,\n+             10.2.3.0/24,\n+             10.2.4.0/24,\n+             10.2.5.0/24,\n+             10.2.6.0/24,\n+             10.2.7.0/24,\n+             10.64.0.0/22,\n+             10.64.130.0/24,\n+             10.64.131.0/24,\n+             10.64.132.0/24,\n+             10.64.133.0/24,\n+             10.64.134.0/24,\n+             10.64.135.0/24,\n+             10.64.136.0/24,\n+             10.64.137.0/24,\n+             10.64.138.0/24,\n+             10.64.139.0/24,\n+             10.64.140.0/24,\n+             10.64.141.0/24,\n+             10.64.142.0/24,\n+             10.64.143.0/24,\n+             10.64.144.0/24,\n+             10.64.145.0/24,\n+             10.64.148.0/24,\n+             10.64.149.0/24,\n+             10.64.150.0/24,\n+             10.64.151.0/24,\n+             10.64.152.0/24,\n+             10.64.153.0/24,\n+             10.64.154.0/24,\n+             10.64.155.0/24,\n+             10.64.156.0/24,\n+             10.64.157.0/24,\n+             10.64.158.0/24,\n+             10.64.159.0/24,\n+             10.64.16.0/22,\n+             10.64.160.0/24,\n+             10.64.161.0/24,\n+             10.64.162.0/24,\n+             10.64.163.0/24,\n+             10.64.164.0/24,\n+             10.64.165.0/24,\n+             10.64.166.0/24,\n+             10.64.167.0/24,\n+             10.64.169.0/24,\n+             10.64.170.0/24,\n+             10.64.171.0/24,\n+             10.64.172.0/24,\n+             10.64.173.0/24,\n+             10.64.174.0/24,\n+             10.64.175.0/24,\n+             10.64.176.0/24,\n+             10.64.177.0/24,\n+             10.64.178.0/24,\n+             10.64.179.0/24,\n+             10.64.180.0/24,\n+             10.64.181.0/24,\n+             10.64.182.0/24,\n+             10.64.183.0/24,\n+             10.64.184.0/24,\n+             10.64.185.0/24,\n+             10.64.186.0/24,\n+             10.64.187.0/24,\n+             10.64.188.0/24,\n+             10.64.189.0/24,\n+             10.64.190.0/24,\n+             10.64.20.0/24,\n+             10.64.21.0/24,\n+             10.64.24.0/23,\n+             10.64.32.0/22,\n+             10.64.36.0/24,\n+             10.64.48.0/22,\n+             10.64.5.0/24,\n+             10.64.53.0/24,\n+             10.64.64.0/21,\n+             10.64.72.0/24,\n+             10.64.76.0/24,\n+             10.67.0.0/20,\n+             10.67.128.0/17,\n+             10.67.16.0/21,\n+             10.67.24.0/21,\n+             10.67.32.0/20,\n+             10.67.64.0/20,\n+             10.67.80.0/21,\n+             10.80.0.0/24,\n+             10.80.1.0/24,\n+             10.80.2.0/24,\n+             103.102.166.0/28,\n+             103.102.166.224/27,\n+             103.102.166.96/27,\n+             185.15.58.0/27,\n+             185.15.58.224/27,\n+             185.15.58.32/27,\n+             185.15.59.0/27,\n+             185.15.59.224/27,\n+             185.15.59.32/27,\n+             185.15.59.96/27,\n+             195.200.68.0/27,\n+             195.200.68.224/27,\n+             195.200.68.32/27,\n+             195.200.68.96/27,\n+             198.35.26.0/27,\n+             198.35.26.32/27,\n+             198.35.26.96/27,\n+             208.80.152.128/27,\n+             208.80.153.0/27,\n+             208.80.153.224/27,\n+             208.80.153.32/27,\n+             208.80.153.64/27,\n+             208.80.153.96/27,\n+             208.80.154.0/26,\n+             208.80.154.128/26,\n+             208.80.154.224/27,\n+             208.80.154.64/26,\n+             208.80.155.96/27\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "content": "--- /etc/cfssl/signers/etcd/ca/etcd.pem.orig\n+++ /etc/cfssl/signers/etcd/ca/etcd.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n-7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\n-ZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\n-N/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\n-ZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n-4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\n-jkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\n-UF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/etcd/ca/etcd.pem].orig\n+++ File[/etc/cfssl/signers/etcd/ca/etcd.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cassandra.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]\n\n-    unit              => cfssl-ocsprefresh-cassandra.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]\n\n-    before      => ['Service[wmf_auto_restart_apache2.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/dse]", "parameters": "--- File[/etc/cfssl/signers/dse].orig\n+++ File[/etc/cfssl/signers/dse]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set AUX_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.67.80.0/21,\n+             10.194.80.0/21\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_dse].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_dse]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@wikikube_staging]']\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean].orig\n+++ Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => absent\n-    require  => File[/var/log/wmf_auto_restart_apache-htcacheclean]\n"}, {"resource": "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet\n+set MLSTAGE_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.194.61.0/24\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_cassandra.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => aux\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-aux]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@aux]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-zuul.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Sudo::User[nrpe-check_ferm_active]", "parameters": "--- Sudo::User[nrpe-check_ferm_active].orig\n+++ Sudo::User[nrpe-check_ferm_active]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Service[cfssl-multirootca]", "parameters": "--- Systemd::Service[cfssl-multirootca].orig\n+++ Systemd::Service[cfssl-multirootca]\n\n-    unit_type                => service\n-    monitoring_enabled       => True\n-    monitoring_critical      => True\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    monitoring_notes_url     => https://wikitech.wikimedia.org/wiki/PKI\n-    migration_task           => T350694\n-    ensure                   => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-discovery2026]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_staging-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_discovery2026]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate initial CRL for syslog]", "parameters": "--- Exec[Generate initial CRL for syslog].orig\n+++ Exec[Generate initial CRL for syslog]\n\n-    creates => /srv/cfssl/crl/syslog\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/syslog/ca/syslog.pem /etc/cfssl/signers/syslog/ca/syslog-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/syslog\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-aux]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-aux].orig\n+++ File[/var/log/cfssl-ocsprefresh-aux]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_udp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_udp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_udp]\n\n-    unrestricted_access => False\n-    port_range          => [1, 65535]\n-    prio                => 10\n-    desc                => \n-    proto               => udp\n-    notrack             => False\n-    ensure              => present\n-    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki1001 raid_md]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-zuul]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/zuul/ca/zuul.pem --responses-file /etc/cfssl/ocsp/zuul.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@zuul' zuul \n-    description               => OCSP Refresh job - zuul\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_dse.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_cassandra].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_cassandra]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: cassandra\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_kafka\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]\n\n+    refreshonly => True\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-cassandra]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-cassandra.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-gTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\n-BgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\n-h6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n-6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\n-o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\n-VR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n-/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\n-L3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\n-dC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\n-MIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\n-lFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\n-EM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-syslog.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-syslog\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-syslog\n-\n-/var/log/cfssl-ocsprefresh-syslog/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-syslog].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca].orig\n+++ Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]\n\n-    ca_file      => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => cloud_wmnet_ca\n"}, {"resource": "Service[cfssl-ocsprefresh-etcd.timer]", "parameters": "--- Service[cfssl-ocsprefresh-etcd.timer].orig\n+++ Service[cfssl-ocsprefresh-etcd.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cassandra.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cassandra.service]\n\n-    unit              => cfssl-ocsprefresh-cassandra.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_puppet_rsa\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"c1b324b3d8ac107f8d7483b4017f5edf\" --timeout 10 --check-command \"check_check_certificate_expiry_puppet_rsa\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_puppet_rsa command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => puppet_rsa\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@puppet_rsa]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "content": "--- /etc/nftables/sets/NETWORK_INFRA_ipv4.nft.orig\n+++ /etc/nftables/sets/NETWORK_INFRA_ipv4.nft\n@@ -0,0 +1,19 @@\n+# Autogenerated by puppet\n+set NETWORK_INFRA_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 185.15.59.128/27,\n+             198.35.26.128/27,\n+             208.80.153.192/27,\n+             10.192.255.0/24,\n+             10.192.253.0/24,\n+             208.80.154.192/27,\n+             10.64.146.0/24,\n+             10.64.168.0/24,\n+             10.64.147.0/24,\n+             103.102.166.128/27,\n+             185.15.58.128/27,\n+             195.200.68.128/27\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft].orig\n+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-etcd]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-etcd].orig\n+++ File[/var/log/cfssl-ocsprefresh-etcd]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-aux_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-debmonitor]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-debmonitor].orig\n+++ File[/var/log/cfssl-ocsprefresh-debmonitor]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "content": "--- /etc/cfssl/signers/debmonitor/cfssl.conf.orig\n+++ /etc/cfssl/signers/debmonitor/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/debmonitor\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/debmonitor\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/debmonitor/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/debmonitor/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]\n\n-    before      => ['Service[wmf_auto_restart_ulogd2.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft\n@@ -0,0 +1,13 @@\n+# Autogenerated by puppet\n+set SANDBOX_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 103.102.166.72/29,\n+             185.15.59.72/29,\n+             195.200.68.64/29,\n+             198.35.26.240/28,\n+             208.80.152.240/28,\n+             208.80.155.64/28\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_aux_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_aux_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"99cf4f8f014e8fd527800abcc213f494\" --timeout 10 --check-command \"check_check_certificate_expiry_aux_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ocsp/network_devices.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/network_devices.ocsp].orig\n+++ File[/etc/cfssl/ocsp/network_devices.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-kafka]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/kafka/ca/kafka.pem --responses-file /etc/cfssl/ocsp/kafka.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@kafka' kafka \n-    description               => OCSP Refresh job - kafka\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-network_devices\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-network_devices/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-kafka.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-kafka.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-kafka.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-kafka.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_kafka.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "parameters": "--- File[/etc/cfssl/signers/kafka/ca/kafka-key.pem].orig\n+++ File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Cfssl::Ocsp[syslog]", "parameters": "--- Cfssl::Ocsp[syslog].orig\n+++ Cfssl::Ocsp[syslog]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10007\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Ferm::Service[csr_and_ocsp_responder]", "parameters": "--- Ferm::Service[csr_and_ocsp_responder].orig\n+++ Ferm::Service[csr_and_ocsp_responder]\n\n-    src_sets            => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 80\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service].orig\n+++ Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]\n\n-    unit              => wmf_auto_restart_apache-htcacheclean.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "content": "--- /etc/cfssl/signers/syslog/ca/syslog-key.pem.orig\n+++ /etc/cfssl/signers/syslog/ca/syslog-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/syslog/ca/syslog-key.pem].orig\n+++ File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "content": "--- /etc/nftables/sets/INTERNAL_ipv6.nft.orig\n+++ /etc/nftables/sets/INTERNAL_ipv6.nft\n@@ -0,0 +1,15 @@\n+# Autogenerated by puppet\n+set INTERNAL_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:860:100::/56,\n+             2620:0:861:100::/56,\n+             2620:0:863:100::/56,\n+             2a02:ec80:300:100::/56,\n+             2a02:ec80:600:100::/56,\n+             2a02:ec80:700:100::/56,\n+             2001:df2:e500:100::/56,\n+             2a02:ec80:ff00:100::/56\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/INTERNAL_ipv6.nft].orig\n+++ File[/etc/nftables/sets/INTERNAL_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Rsyslog::Conf[ulogd]", "parameters": "--- Rsyslog::Conf[ulogd].orig\n+++ Rsyslog::Conf[ulogd]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/ulogd]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n\n-    unit              => cfssl-ocsprefresh-discovery.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Ferm::Service[ssh_from_bastion]", "parameters": "--- Ferm::Service[ssh_from_bastion].orig\n+++ Ferm::Service[ssh_from_bastion]\n\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    port                => 22\n-    ensure              => present\n-    srange              => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n"}, {"resource": "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "parameters": "--- Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS].orig\n+++ Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]\n\n+    hosts  => ['10.64.0.136', '10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', '2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', '10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', '10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.0.18', '10.128.0.9', '10.128.0.11', '2620:0:863:101::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube]\n\n-    unit              => cfssl-ocspserve@wikikube\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => mlserve_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@mlserve_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_network_devices]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_network_devices].orig\n+++ Nrpe::Check[check_check_certificate_expiry_network_devices]\n\n-    before    => Monitoring::Service[check_certificate_expiry_network_devices]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-network_devices].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-network_devices]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-network_devices]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Motd::Script[pki::multirootca]", "parameters": "--- Motd::Script[pki::multirootca].orig\n+++ Motd::Script[pki::multirootca]\n\n-    priority => 5\n-    ensure   => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_staging]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_puppet_rsa]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bfd2f7c6497e1da6323bef48d24f9e8e\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Cfssl::Config[dse_front_proxy]", "parameters": "--- Cfssl::Config[dse_front_proxy].orig\n+++ Cfssl::Config[dse_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/dse_front_proxy\n-    path                => /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/dse_front_proxy\n"}, {"resource": "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "parameters": "--- Nftables::Set[CLOUD_NETWORKS_PUBLIC].orig\n+++ Nftables::Set[CLOUD_NETWORKS_PUBLIC]\n\n+    hosts  => ['185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:4000::/64']\n+    ensure => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_dse]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "parameters": "--- Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods].orig\n+++ Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]\n\n-    src_sets            => ['WIKIKUBE_KUBEPODS_NETWORKS', 'STAGING_KUBEPODS_NETWORKS', 'MLSERVE_KUBEPODS_NETWORKS', 'MLSTAGE_KUBEPODS_NETWORKS', 'DSE_KUBEPODS_NETWORKS', 'AUX_KUBEPODS_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 8443\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve.service]\n\n-    unit              => cfssl-ocsprefresh-mlserve.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Service[cfssl-ocsprefresh-kafka.timer]", "parameters": "--- Service[cfssl-ocsprefresh-kafka.timer].orig\n+++ Service[cfssl-ocsprefresh-kafka.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Package[python3-pymysql]", "parameters": "--- Package[python3-pymysql].orig\n+++ Package[python3-pymysql]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@wikikube_front_proxy]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@zuul.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@zuul.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (zuul)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10009 \\\n-          -responses /etc/cfssl/ocsp/zuul.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@zuul.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@zuul.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Concat::Fragment[main]"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-discovery]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[ensure_present_mod_filter]", "parameters": "--- Exec[ensure_present_mod_filter].orig\n+++ Exec[ensure_present_mod_filter]\n\n-    creates => /etc/apache2/mods-enabled/filter.load\n-    command => /usr/sbin/a2enmod filter\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "content": "--- /etc/nftables/sets/NETWORK_INFRA_ipv6.nft.orig\n+++ /etc/nftables/sets/NETWORK_INFRA_ipv6.nft\n@@ -0,0 +1,18 @@\n+# Autogenerated by puppet\n+set NETWORK_INFRA_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2a02:ec80:300:fe00::/55,\n+             2620:0:863:fe00::/55,\n+             2620:0:860:fe00::/55,\n+             2620:0:860:13f::/64,\n+             2620:0:860:139::/64,\n+             2620:0:861:fe00::/55,\n+             2620:0:861:11b::/128,\n+             2620:0:861:130::/64,\n+             2001:df2:e500:fe00::/55,\n+             2a02:ec80:600:fe00::/55,\n+             2a02:ec80:700:fe00::/55\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft].orig\n+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@etcd]", "parameters": "--- Systemd::Service[cfssl-ocspserve@etcd].orig\n+++ Systemd::Service[cfssl-ocspserve@etcd]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_network_devices!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: network_devices\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft\n@@ -0,0 +1,99 @@\n+# Autogenerated by puppet\n+set MW_APPSERVER_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:101::/64,\n+             2620:0:861:102::/64,\n+             2620:0:861:103::/64,\n+             2620:0:861:107::/64,\n+             2620:0:861:109::/64,\n+             2620:0:861:10a::/64,\n+             2620:0:861:10b::/64,\n+             2620:0:861:10c::/64,\n+             2620:0:861:10d::/64,\n+             2620:0:861:10e::/64,\n+             2620:0:861:10f::/64,\n+             2620:0:861:113::/64,\n+             2620:0:861:119::/64,\n+             2620:0:861:120::/64,\n+             2620:0:861:122::/64,\n+             2620:0:861:124::/64,\n+             2620:0:861:126::/64,\n+             2620:0:861:128::/64,\n+             2620:0:861:12a::/64,\n+             2620:0:861:12c::/64,\n+             2620:0:861:12e::/64,\n+             2620:0:861:131::/64,\n+             2620:0:861:133::/64,\n+             2620:0:861:135::/64,\n+             2620:0:861:137::/64,\n+             2620:0:861:139::/64,\n+             2620:0:861:13b::/64,\n+             2620:0:861:13d::/64,\n+             2620:0:861:13f::/64,\n+             2620:0:861:142::/64,\n+             2620:0:861:144::/64,\n+             2620:0:860:100::/64,\n+             2620:0:860:101::/64,\n+             2620:0:860:102::/64,\n+             2620:0:860:103::/64,\n+             2620:0:860:104::/64,\n+             2620:0:860:105::/64,\n+             2620:0:860:106::/64,\n+             2620:0:860:107::/64,\n+             2620:0:860:108::/64,\n+             2620:0:860:109::/64,\n+             2620:0:860:10a::/64,\n+             2620:0:860:10b::/64,\n+             2620:0:860:10c::/64,\n+             2620:0:860:10d::/64,\n+             2620:0:860:10e::/64,\n+             2620:0:860:10f::/64,\n+             2620:0:860:110::/64,\n+             2620:0:860:111::/64,\n+             2620:0:860:112::/64,\n+             2620:0:860:113::/64,\n+             2620:0:860:114::/64,\n+             2620:0:860:115::/64,\n+             2620:0:860:116::/64,\n+             2620:0:860:119::/64,\n+             2620:0:860:11a::/64,\n+             2620:0:860:11b::/64,\n+             2620:0:860:11c::/64,\n+             2620:0:860:11d::/64,\n+             2620:0:860:11e::/64,\n+             2620:0:860:11f::/64,\n+             2620:0:860:120::/64,\n+             2620:0:860:121::/64,\n+             2620:0:860:122::/64,\n+             2620:0:860:123::/64,\n+             2620:0:860:124::/64,\n+             2620:0:860:125::/64,\n+             2620:0:860:126::/64,\n+             2620:0:860:127::/64,\n+             2620:0:860:12b::/64,\n+             2620:0:860:12c::/64,\n+             2620:0:860:12d::/64,\n+             2620:0:860:12e::/64,\n+             2620:0:860:300::/64,\n+             2620:0:860:302::/64,\n+             2620:0:860:305::/64,\n+             2620:0:860:308::/64,\n+             2620:0:860:babe::/64,\n+             2620:0:860:cabe::/64,\n+             2620:0:861:300::/64,\n+             2620:0:861:302::/64,\n+             2620:0:861:305::/64,\n+             2620:0:861:babe::/64,\n+             2620:0:861:cabe::/64,\n+             2620:0:861:1::/64,\n+             2620:0:861:2::/64,\n+             2620:0:861:3::/64,\n+             2620:0:861:4::/64,\n+             2620:0:860:1::/64,\n+             2620:0:860:2::/64,\n+             2620:0:860:3::/64,\n+             2620:0:860:4::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/ulogd]", "content": "--- /etc/logrotate.d/ulogd.orig\n+++ /etc/logrotate.d/ulogd\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for ulogd\n-\n-/var/log/ulogd/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/ulogd].orig\n+++ File[/etc/logrotate.d/ulogd]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-syslog].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-syslog]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-syslog]\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet\n+set ZOOKEEPER_HOSTS_MAIN_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.0.207,\n+             10.64.16.110,\n+             10.64.48.154,\n+             10.192.16.45,\n+             10.192.32.52,\n+             10.192.48.59\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Service[ferm]", "parameters": "--- Service[ferm].orig\n+++ Service[ferm]\n\n-    restart => /bin/systemctl reload-or-restart ferm\n-    ensure  => running\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => discovery2026\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@discovery2026]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Service[cfssl-ocspserve@mlserve]", "parameters": "--- Service[cfssl-ocspserve@mlserve].orig\n+++ Service[cfssl-ocspserve@mlserve]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube]\n\n-    user       => nrpe_certificate_check_wikikube\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-kafka]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-kafka.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]\n\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n-    notify      => ['Service[apache2]']\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/input]", "parameters": "--- File[/etc/nftables/input].orig\n+++ File[/etc/nftables/input]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Cfssl::Config[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Config[mlserve_staging_front_proxy].orig\n+++ Cfssl::Config[mlserve_staging_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\n-    path                => /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/mlserve_staging_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/mlserve_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-iTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\n-ByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\n-EhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\n-xy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\n-lCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n-/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\n-O62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\n-hjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\n-cm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\n-PQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\n-bCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\n-dYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\n-sBI=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging].orig\n+++ File[/etc/cfssl/signers/wikikube_staging]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_staging.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_staging)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20020 \\\n-          -responses /etc/cfssl/ocsp/wikikube_staging.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --responses-file /etc/cfssl/ocsp/mlserve_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging' mlserve_staging \n-    description               => OCSP Refresh job - mlserve_staging\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Class[Profile::Pki::Multirootca]", "parameters": "--- Class[Profile::Pki::Multirootca].orig\n+++ Class[Profile::Pki::Multirootca]\n\n-    enable_monitoring  => True\n-    cfssl_httpd_cert   => True\n-    vhost              => pki.discovery.wmnet\n-    root_ocsp_key      => pki/ROOT/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem\n-    db_pass            => changeme\n-    root_ocsp_port     => 10000\n-    root_ca_cn         => Wikimedia_Internal_Root_CA\n-    db_user            => pki\n-    enable_k8s_vhost   => True\n-    default_auth_keys  => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    client_ca_source   => puppet:///modules/profile/pki/production/client_auth_CA.pem\n-    default_expiry     => 672h\n-    prometheus_nodes   => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n-    db_driver          => mysql\n-    db_host            => m1-master.eqiad.wmnet\n-    root_ocsp_cert     => profile/pki/ROOT/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem\n-    db_name            => pki\n-    default_profiles   => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_usages     => ['signing', 'key encipherment', 'client auth']\n-    public_cert_base   => profile/pki/intermediates\n-    maintenance_jobs   => True\n-    private_cert_base  => pki/intermediates\n-    default_nets       => ['127.0.0.1/32']\n-    intermediates      => {'debmonitor': {'ocsp_port': 10001}, 'discovery': {'ocsp_port': 10002, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n-    root_ca_cert       => profile/pki/ROOT/Wikimedia_Internal_Root_CA.pem\n-    enable_client_auth => True\n"}, {"resource": "Cfssl::Ocsp[aux]", "parameters": "--- Cfssl::Ocsp[aux].orig\n+++ Cfssl::Ocsp[aux]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/aux/ca/aux.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20050\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/nftables/output]", "parameters": "--- File[/etc/nftables/output].orig\n+++ File[/etc/nftables/output]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Service[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Service[prometheus-node-textfile-check-nft]\n\n+    unit_type                => timer\n+    monitoring_enabled       => False\n+    require                  => Systemd::Unit[prometheus-node-textfile-check-nft.service]\n+    monitoring_critical      => False\n+    override                 => False\n+    service_params           => {}\n+    monitoring_contact_group => admins\n+    restart                  => False\n+    migration_task           => T407130\n+    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@dse]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/srv/cfssl/bundles/puppet_rsa.pem]", "content": "--- /srv/cfssl/bundles/puppet_rsa.pem.orig\n+++ /srv/cfssl/bundles/puppet_rsa.pem\n@@ -1,30 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n-MIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\n-lbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\n-Xutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\n-z/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\n-i16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\n-FBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\n-BnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\n-AJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\n-mXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\n-Rn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\n-GGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\n-AQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\n-DgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\n-vzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\n-a2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\n-Q0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\n-Y3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\n-hwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n-9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\n-xTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/puppet_rsa.pem].orig\n+++ File[/srv/cfssl/bundles/puppet_rsa.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/nftables/sets]", "parameters": "--- File[/etc/nftables/sets].orig\n+++ File[/etc/nftables/sets]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-etcd.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-gjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\n-AQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\n-hmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n-92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\n-raOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\n-A1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\n-G/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\n-b3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\n-ZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\n-ADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\n-hzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n-0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => wikikube_front_proxy\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/db.conf.json]", "content": "--- /etc/cfssl/db.conf.json.orig\n+++ /etc/cfssl/db.conf.json\n@@ -1,12 +0,0 @@\n-{\n-  \"host\": \"m1-master.eqiad.wmnet\",\n-  \"port\": 3306,\n-  \"user\": \"pki\",\n-  \"password\": \"changeme\",\n-  \"db\": \"pki\",\n-  \"charset\": \"utf8mb4\",\n-  \"ssl\": {\n-    \"ca\": \"/etc/ssl/certs/wmf-ca-certificates.crt\",\n-    \"check_hostname\": false\n-  }\n-}", "parameters": "--- File[/etc/cfssl/db.conf.json].orig\n+++ File[/etc/cfssl/db.conf.json]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Ocsp[dse_front_proxy]", "parameters": "--- Cfssl::Ocsp[dse_front_proxy].orig\n+++ Cfssl::Ocsp[dse_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20062\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]\n\n-    unit              => wmf_auto_restart_apache-htcacheclean.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve]\n\n-    user       => nrpe_certificate_check_mlserve\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "content": "--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp.orig\n+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(udp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp].orig\n+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "parameters": "--- Cfssl::Ocsp[Wikimedia_Internal_Root_CA].orig\n+++ Cfssl::Ocsp[Wikimedia_Internal_Root_CA]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10000\n-    require            => Service[cfssl-multirootca]\n-    common_name        => pki1001.eqiad.wmnet\n-    key_content        => FAKE FAKE FAKE\n\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    cert_content       => -----BEGIN CERTIFICATE-----\nMIIDmzCCAvygAwIBAgIUN3uLiKCNVwnGG5H9qKGwTGT4fJowCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTQ1MTAwWhcNMjYwMzI0MTQ1MTAwWjCB\nmTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZp\nY2VzMTUwMwYDVQQDDCxXaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQV9vY3NwX3Np\nZ25pbmdfY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmGOcHNNTGsOVTG\n17o/lTVCgVJqX751quqBZvJQUbAgfAv0PRgv6yjWzTmZnojzKHYRaV8NXhDIVBzo\nl2DRWUOjggEbMIIBFzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULRRzzcjqWQc2Fjci5s2v0FKSPJww\nHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBI\nMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dp\na2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6\nLy9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\ndF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgCI41DoiQFxqs9gDCZs4VhwcNeatHqe\n98IqBIzFOMdZdkUnyTNiXf0VDkUYZ+n2mYmB5ZAaBTPYhTHgLNrc3KsmpQJCAfHM\nQr3AEz1MlZq2krL+7Mx9OuBQ3B/hXyC+met7EmKDziU8UyScxFfSIY1lwwgAmZHA\nOEOWpgzuF4fGZFVf0dFi\n-----END CERTIFICATE-----\n\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Ferm::Rule[dscp-default]", "parameters": "--- Ferm::Rule[dscp-default].orig\n+++ Ferm::Rule[dscp-default]\n\n-    table  => mangle\n-    chain  => POSTROUTING\n-    ensure => present\n-    domain => (ip ip6)\n-    prio   => 99\n-    desc   => \n-    rule   => DSCP set-dscp-class CS0;\n"}, {"resource": "Nrpe::Check[check_ferm_active]", "parameters": "--- Nrpe::Check[check_ferm_active].orig\n+++ Nrpe::Check[check_ferm_active]\n\n-    before    => Monitoring::Service[ferm_active]\n-    command   => /usr/local/lib/nagios/plugins/check_ferm\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_dse]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_dse].orig\n+++ Nrpe::Check[check_check_certificate_expiry_dse]\n\n-    before    => Monitoring::Service[check_certificate_expiry_dse]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "parameters": "--- Exec[Generate initial CRL for wikikube_staging_front_proxy].orig\n+++ Exec[Generate initial CRL for wikikube_staging_front_proxy]\n\n-    creates => /srv/cfssl/crl/wikikube_staging_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_staging_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-syslog.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-syslog.timer]\n\n-    unit              => cfssl-ocsprefresh-syslog.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "content": "--- /etc/nftables/input/10_ssh-from-bastion.nft.orig\n+++ /etc/nftables/input/10_ssh-from-bastion.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 103.102.166.103, 185.15.58.6, 185.15.59.99, 195.200.68.99, 198.35.26.104, 208.80.153.110, 208.80.154.7 } tcp dport { 22 } accept\n+ip6 saddr { 2001:df2:e500:3:103:102:166:103, 2620:0:860:4:208:80:153:110, 2620:0:861:1:208:80:154:7, 2620:0:863:3:198:35:26:104, 2a02:ec80:300:3:185:15:59:99, 2a02:ec80:600:1:185:15:58:6, 2a02:ec80:700:3:195:200:68:99 } tcp dport { 22 } accept", "parameters": "--- File[/etc/nftables/input/10_ssh-from-bastion.nft].orig\n+++ File[/etc/nftables/input/10_ssh-from-bastion.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20031 \\\n-          -responses /etc/cfssl/ocsp/mlserve_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-puppet_rsa.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.timer]\n\n-    unit              => cfssl-ocsprefresh-discovery.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "content": "--- /etc/nftables/sets/LINK_LOCAL_ipv6.nft.orig\n+++ /etc/nftables/sets/LINK_LOCAL_ipv6.nft\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet\n+set LINK_LOCAL_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { fe80::/10\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_dse.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_dse.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-dse_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-dse_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_zuul].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_zuul]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/srv/cfssl/bundles/zuul.pem]", "content": "--- /srv/cfssl/bundles/zuul.pem.orig\n+++ /srv/cfssl/bundles/zuul.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\n-dSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\n-g+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\n-g7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\n-jr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\n-HAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\n-atmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\n-XjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/zuul.pem].orig\n+++ File[/srv/cfssl/bundles/zuul.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp].orig\n+++ File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-dse.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "content": "--- /etc/nftables/sets/LINK_LOCAL_ipv4.nft.orig\n+++ /etc/nftables/sets/LINK_LOCAL_ipv4.nft\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet\n+set LINK_LOCAL_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 169.254.0.0/16\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/ulogd.conf]", "content": "--- /etc/ulogd.conf.orig\n+++ /etc/ulogd.conf\n@@ -1,71 +0,0 @@\n-# MANAGED BY PUPPET\n-[global]\n-logfile=syslog\n-loglevel=3\n-\n-\n-stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,syslog1:SYSLOG\n-\n-\n-\n-\n-[ct1]\n-\n-[ct2]\n-hash_enable=0\n-\n-[mark]\n-\n-[log1]\n-group=0\n-\n-[log2]\n-group=1\n-\n-[log3]\n-group=2\n-\n-[logemu1]\n-sync=1\n-file=/var/log/ulog/syslogemu.log\n-\n-[emunfct1]\n-sync=1\n-file=/var/log/ulog/syslogemu_nfct.log\n-\n-[json1]\n-sync=1\n-file=/var/log/ulog/ulogd.json\n-\n-[jsonnfct1]\n-sync=1\n-file=/var/log/ulog/ulogd_nfct.json\n-\n-\n-[oprint1]\n-sync=1\n-file=/var/log/ulog/oprint.log\n-\n-[gprint1]\n-sync=1\n-file=/var/log/ulog/gprint.log\n-\n-[json1]\n-sync=1\n-file=/var/log/ulog/ulogd.json\n-\n-[xml1]\n-sync=1\n-file=/var/log/ulog/\n-\n-[pcap1]\n-sync=1\n-file=\n-\n-[nacct1]\n-sync=1\n-file=\n-\n-[syslog1]\n-facility=LOG_LOCAL7\n-level=LOG_INFO", "parameters": "--- File[/etc/ulogd.conf].orig\n+++ File[/etc/ulogd.conf]\n\n-    owner  => root\n-    group  => root\n-    notify => Service[ulogd2]\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet\n+set MLSTAGE_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:860:302::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]\n\n-    unit              => cfssl-ocsprefresh-mlserve.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[syslog]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[syslog].orig\n+++ Profile::Pki::Multirootca::Monitoring[syslog]\n\n-    ca_file      => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => syslog\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft\n@@ -0,0 +1,27 @@\n+# Autogenerated by puppet\n+set CLOUD_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 172.16.0.0/21,\n+             172.16.128.0/24,\n+             172.16.129.0/24,\n+             172.16.130.0/24,\n+             172.16.131.0/24,\n+             172.16.16.0/21,\n+             172.16.24.0/24,\n+             172.16.8.0/21,\n+             172.20.1.0/24,\n+             172.20.2.0/24,\n+             172.20.254.0/24,\n+             172.20.255.0/24,\n+             172.20.3.0/24,\n+             172.20.4.0/24,\n+             172.20.5.0/24,\n+             185.15.56.0/25,\n+             185.15.56.160/28,\n+             185.15.57.0/29,\n+             185.15.57.16/29,\n+             185.15.57.24/29\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Logrotate::Conf[ulogd]", "parameters": "--- Logrotate::Conf[ulogd].orig\n+++ Logrotate::Conf[ulogd]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-debmonitor-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "content": "--- /etc/ferm/conf.d/10_ssh_from_cumin_masters.orig\n+++ /etc/ferm/conf.d/10_ssh_from_cumin_masters\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 22, $CUMIN_MASTERS);\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_ssh_from_cumin_masters].orig\n+++ File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs]", "content": "--- /etc/ferm/conf.d/00_defs.orig\n+++ /etc/ferm/conf.d/00_defs\n@@ -1,1139 +0,0 @@\n-\n-@def $LINK_LOCAL = (169.254.0.0/16 fe80::/10);\n-@def $INTERNAL = (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56 2620:0:863:100::/56 2001:df2:e500:100::/56 2a02:ec80:300:100::/56 2a02:ec80:600:100::/56 2a02:ec80:700:100::/56 2a02:ec80:ff00:100::/56);\n-# $DOMAIN_NETWORKS is a set of all networks belonging to a domain.\n-# a domain is a realm currently, but the notion is more generic than that on purpose\n-@def $DOMAIN_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );\n-\n-# $PRODUCTION_NETWORKS is a set of all production networks\n-@def $PRODUCTION_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );\n-# $CLOUD_NETWORKS is a set of all Cloud VPS instance networks\n-@def $CLOUD_NETWORKS = (172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );\n-# $LABS_NETWORKS is a deprecated alias for $CLOUD_NETWORKS\n-@def $LABS_NETWORKS = (172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );\n-# $CLOUD_NETWORKS_PUBLIC is meant to be a set of all Cloud public networks\n-@def $CLOUD_NETWORKS_PUBLIC = (185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:4000::/64 2a02:ec80:a100:4000::/64 );\n-# $CLOUD_PRIVATE_NETWORKS is the cloud-private networks with WMCS\n-# hardware with cloud realm private 172.20.x.x addresses. These\n-# hosts are dual-homed, usually also in at least cloud-hosts.\n-@def $CLOUD_PRIVATE_NETWORKS = (172.20.1.0/24 172.20.2.0/24 172.20.3.0/24 172.20.4.0/24 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 172.20.5.0/24 2a02:ec80:a100:205::/64);\n-# $FRACK_NETWORKS is meant to be a set of all fundraising networks\n-@def $FRACK_NETWORKS = (10.195.0.0/27 10.195.0.128/29 10.195.0.32/27 10.195.0.64/28 10.195.0.80/29 10.195.0.96/27 10.195.1.0/25 10.64.40.0/27 10.64.40.160/27 10.64.40.192/26 10.64.40.32/27 10.64.40.64/27 10.64.40.96/27 208.80.152.224/28 208.80.155.0/27 );\n-\n-@def $ANALYTICS_NETWORKS = (10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64 );\n-@def $MW_APPSERVER_NETWORKS = (10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.141.0/24 10.64.152.0/24 10.64.154.0/24 10.64.156.0/24 10.64.158.0/24 10.64.16.0/22 10.64.160.0/24 10.64.162.0/24 10.64.164.0/24 10.64.166.0/24 10.64.169.0/24 10.64.171.0/24 10.64.173.0/24 10.64.175.0/24 10.64.177.0/24 10.64.179.0/24 10.64.181.0/24 10.64.183.0/24 10.64.185.0/24 10.64.187.0/24 10.64.189.0/24 10.64.32.0/22 10.64.48.0/22 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:120::/64 2620:0:861:122::/64 2620:0:861:124::/64 2620:0:861:126::/64 2620:0:861:128::/64 2620:0:861:12a::/64 2620:0:861:12c::/64 2620:0:861:12e::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.7.0/24 10.192.8.0/24 10.192.9.0/24 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 10.192.64.0/21 10.192.96.0/21 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.80.0/21 10.64.64.0/21 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.80.0/21 2620:0:860:300::/64 2620:0:860:302::/64 2620:0:860:305::/64 2620:0:860:308::/64 2620:0:860:babe::/64 2620:0:860:cabe::/64 2620:0:861:300::/64 2620:0:861:302::/64 2620:0:861:305::/64 2620:0:861:babe::/64 2620:0:861:cabe::/64 208.80.154.0/26 208.80.154.128/26 208.80.154.64/26 208.80.155.96/27 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:3::/64 2620:0:861:4::/64 208.80.153.0/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:3::/64 2620:0:860:4::/64 );\n-@def $WIKIKUBE_KUBEPODS_NETWORKS  = (10.67.128.0/17 2620:0:861:cabe::/64 10.194.128.0/17 2620:0:860:cabe::/64 );\n-@def $STAGING_KUBEPODS_NETWORKS  = (10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 );\n-@def $MLSERVE_KUBEPODS_NETWORKS = (10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 );\n-@def $MLSTAGE_KUBEPODS_NETWORKS = (10.194.61.0/24 2620:0:860:302::/64 );\n-@def $DSE_KUBEPODS_NETWORKS = (10.67.24.0/21 2620:0:861:302::/64 10.192.96.0/21 2620:0:860:308::/64 );\n-@def $AUX_KUBEPODS_NETWORKS = (10.67.80.0/21 2620:0:861:305::/64 10.194.80.0/21 2620:0:860:305::/64 );\n-\n-@def $NETWORK_INFRA = (185.15.59.128/27 2a02:ec80:300:fe00::/55 198.35.26.128/27 2620:0:863:fe00::/55 208.80.153.192/27 2620:0:860:fe00::/55 10.192.255.0/24 2620:0:860:13f::/64 10.192.253.0/24 2620:0:860:139::/64 208.80.154.192/27 2620:0:861:fe00::/55 10.64.146.0/24 2620:0:861:11b::/128 10.64.168.0/24 2620:0:861:130::/64 10.64.147.0/24 103.102.166.128/27 2001:df2:e500:fe00::/55 185.15.58.128/27 2a02:ec80:600:fe00::/55 195.200.68.128/27 2a02:ec80:700:fe00::/55);\n-@def $MGMT_NETWORKS = (10.65.0.0/16 10.128.128.0/17 10.193.0.0/16 10.80.128.0/17 10.132.128.0/17 10.136.128.0/17 10.140.128.0/17 );\n-@def $SANDBOX_NETWORKS = (103.102.166.72/29 185.15.59.72/29 195.200.68.64/29 198.35.26.240/28 2001:df2:e500:202::/64 208.80.152.240/28 208.80.155.64/28 2620:0:860:201::/64 2620:0:861:202::/64 2620:0:863:201::/64 2a02:ec80:300:202::/64 2a02:ec80:700:201::/64 );\n-\n-@def $DEPLOYMENT_HOSTS = (10.64.16.93 2620:0:861:102:10:64:16:93 10.192.32.7 2620:0:860:103:10:192:32:7 );\n-@def $CUMIN_MASTERS = (10.64.16.154 2620:0:861:102:10:64:16:154 10.192.32.49 2620:0:860:103:10:192:32:49 );\n-@def $CACHES = (10.64.0.79 2620:0:861:101:10:64:0:79 10.64.0.229 2620:0:861:101:10:64:0:229 10.64.0.14 2620:0:861:101:10:64:0:14 10.64.0.51 2620:0:861:101:10:64:0:51 10.64.16.241 2620:0:861:102:10:64:16:241 10.64.16.94 2620:0:861:102:10:64:16:94 10.64.16.95 2620:0:861:102:10:64:16:95 10.64.16.240 2620:0:861:102:10:64:16:240 10.64.32.14 2620:0:861:103:10:64:32:14 10.64.32.60 2620:0:861:103:10:64:32:60 10.64.32.15 2620:0:861:103:10:64:32:15 10.64.32.65 2620:0:861:103:10:64:32:65 10.64.48.16 2620:0:861:107:10:64:48:16 10.64.48.41 2620:0:861:107:10:64:48:41 10.64.48.27 2620:0:861:107:10:64:48:27 10.64.48.28 2620:0:861:107:10:64:48:28 10.192.23.26 2620:0:860:113:10:192:23:26 10.192.6.20 2620:0:860:107:10:192:6:20 10.192.12.35 2620:0:860:10d:10:192:12:35 10.192.14.25 2620:0:860:10f:10:192:14:25 10.192.4.22 2620:0:860:100:10:192:4:22 10.192.29.26 2620:0:860:116:10:192:29:26 10.192.30.29 2620:0:860:119:10:192:30:29 10.192.36.19 2620:0:860:11b:10:192:36:19 10.192.40.25 2620:0:860:11f:10:192:40:25 10.192.41.21 2620:0:860:120:10:192:41:21 10.192.56.3 2620:0:860:12b:10:192:56:3 10.192.56.4 2620:0:860:12b:10:192:56:4 10.192.57.3 2620:0:860:12c:10:192:57:3 10.192.58.2 2620:0:860:12d:10:192:58:2 10.192.58.3 2620:0:860:12d:10:192:58:3 10.192.59.2 2620:0:860:12e:10:192:59:2 10.80.0.14 2a02:ec80:300:101:10:80:0:14 10.80.1.11 2a02:ec80:300:102:10:80:1:11 10.80.0.13 2a02:ec80:300:101:10:80:0:13 10.80.1.9 2a02:ec80:300:102:10:80:1:9 10.80.0.12 2a02:ec80:300:101:10:80:0:12 10.80.1.7 2a02:ec80:300:102:10:80:1:7 10.80.0.11 2a02:ec80:300:101:10:80:0:11 10.80.1.6 2a02:ec80:300:102:10:80:1:6 10.80.0.10 2a02:ec80:300:101:10:80:0:10 10.80.1.5 2a02:ec80:300:102:10:80:1:5 10.80.0.8 2a02:ec80:300:101:10:80:0:8 10.80.1.4 2a02:ec80:300:102:10:80:1:4 10.80.0.7 2a02:ec80:300:101:10:80:0:7 10.80.1.3 2a02:ec80:300:102:10:80:1:3 10.80.0.6 2a02:ec80:300:101:10:80:0:6 10.80.1.2 2a02:ec80:300:102:10:80:1:2 10.128.0.19 2620:0:863:101:10:128:0:19 10.128.0.27 2620:0:863:101:10:128:0:27 10.128.0.22 2620:0:863:101:10:128:0:22 10.128.0.28 2620:0:863:101:10:128:0:28 10.128.0.25 2620:0:863:101:10:128:0:25 10.128.0.29 2620:0:863:101:10:128:0:29 10.128.0.26 2620:0:863:101:10:128:0:26 10.128.0.31 2620:0:863:101:10:128:0:31 10.128.0.14 2620:0:863:101:10:128:0:14 10.128.0.35 2620:0:863:101:10:128:0:35 10.128.0.21 2620:0:863:101:10:128:0:21 10.128.0.36 2620:0:863:101:10:128:0:36 10.128.0.24 2620:0:863:101:10:128:0:24 10.128.0.10 2620:0:863:101:10:128:0:10 10.128.0.37 2620:0:863:101:10:128:0:37 10.128.0.12 2620:0:863:101:10:128:0:12 10.132.0.17 2001:df2:e500:101:10:132:0:17 10.132.0.18 2001:df2:e500:101:10:132:0:18 10.132.0.19 2001:df2:e500:101:10:132:0:19 10.132.0.24 2001:df2:e500:101:10:132:0:24 10.132.0.29 2001:df2:e500:101:10:132:0:29 10.132.0.30 2001:df2:e500:101:10:132:0:30 10.132.0.34 2001:df2:e500:101:10:132:0:34 10.132.0.35 2001:df2:e500:101:10:132:0:35 10.132.0.36 2001:df2:e500:101:10:132:0:36 10.132.0.37 2001:df2:e500:101:10:132:0:37 10.132.0.38 2001:df2:e500:101:10:132:0:38 10.132.0.25 2001:df2:e500:101:10:132:0:25 10.132.0.26 2001:df2:e500:101:10:132:0:26 10.132.0.27 2001:df2:e500:101:10:132:0:27 10.132.0.28 2001:df2:e500:101:10:132:0:28 10.132.0.16 2001:df2:e500:101:10:132:0:16 10.136.0.6 2a02:ec80:600:101:10:136:0:6 10.136.1.6 2a02:ec80:600:102:10:136:1:6 10.136.0.7 2a02:ec80:600:101:10:136:0:7 10.136.1.7 2a02:ec80:600:102:10:136:1:7 10.136.0.8 2a02:ec80:600:101:10:136:0:8 10.136.1.8 2a02:ec80:600:102:10:136:1:8 10.136.0.9 2a02:ec80:600:101:10:136:0:9 10.136.1.9 2a02:ec80:600:102:10:136:1:9 10.136.0.10 2a02:ec80:600:101:10:136:0:10 10.136.1.10 2a02:ec80:600:102:10:136:1:10 10.136.0.11 2a02:ec80:600:101:10:136:0:11 10.136.1.11 2a02:ec80:600:102:10:136:1:11 10.136.0.12 2a02:ec80:600:101:10:136:0:12 10.136.1.12 2a02:ec80:600:102:10:136:1:12 10.136.0.13 2a02:ec80:600:101:10:136:0:13 10.136.1.13 2a02:ec80:600:102:10:136:1:13 10.140.0.3 2a02:ec80:700:101:10:140:0:3 10.140.1.4 2a02:ec80:700:102:10:140:1:4 10.140.0.4 2a02:ec80:700:101:10:140:0:4 10.140.1.5 2a02:ec80:700:102:10:140:1:5 10.140.0.5 2a02:ec80:700:101:10:140:0:5 10.140.1.6 2a02:ec80:700:102:10:140:1:6 10.140.0.6 2a02:ec80:700:101:10:140:0:6 10.140.1.7 2a02:ec80:700:102:10:140:1:7 10.140.0.7 2a02:ec80:700:101:10:140:0:7 10.140.1.8 2a02:ec80:700:102:10:140:1:8 10.140.0.8 2a02:ec80:700:101:10:140:0:8 10.140.1.9 2a02:ec80:700:102:10:140:1:9 10.140.0.9 2a02:ec80:700:101:10:140:0:9 10.140.1.10 2a02:ec80:700:102:10:140:1:10 10.140.0.10 2a02:ec80:700:101:10:140:0:10 10.140.1.11 2a02:ec80:700:102:10:140:1:11 );\n-@def $LOAD_BALANCER_HEALTH_CHECKS = (10.64.0.136 10.64.16.60 10.64.158.19 10.64.166.19 10.64.133.19 10.64.141.19 10.64.169.19 10.64.171.19 10.64.173.19 10.64.175.19 10.64.177.19 10.64.179.19 10.64.181.19 10.64.183.19 10.64.185.19 10.64.187.19 10.64.189.19 10.64.48.72 10.64.37.17 10.64.1.17 10.64.17.17 10.64.33.17 10.64.130.20 10.64.131.20 10.64.132.20 10.64.134.20 10.64.135.20 10.64.136.20 10.64.158.20 10.64.166.20 10.64.133.20 10.64.141.20 10.64.169.20 10.64.171.20 10.64.173.20 10.64.175.20 10.64.177.20 10.64.179.20 10.64.181.20 10.64.183.20 10.64.185.20 10.64.187.20 10.64.189.20 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:119::/64 2620:0:861:10c::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.23.8 10.192.0.29 10.192.17.8 10.192.33.8 10.192.49.8 10.192.23.2 10.192.5.2 10.192.6.2 10.192.7.2 10.192.8.2 10.192.9.2 10.192.10.2 10.192.11.2 10.192.12.2 10.192.13.2 10.192.14.2 10.192.15.2 10.192.21.2 10.192.22.2 10.192.4.2 10.192.26.2 10.192.27.2 10.192.28.2 10.192.29.2 10.192.30.2 10.192.31.2 10.192.36.2 10.192.37.2 10.192.38.2 10.192.39.2 10.192.40.2 10.192.41.2 10.192.42.2 10.192.43.2 10.192.11.8 10.192.16.140 10.192.1.8 10.192.33.9 10.192.49.9 10.192.23.3 10.192.5.3 10.192.6.3 10.192.7.3 10.192.8.3 10.192.9.3 10.192.10.3 10.192.11.3 10.192.12.3 10.192.13.3 10.192.14.3 10.192.15.3 10.192.21.3 10.192.22.3 10.192.4.3 10.192.26.3 10.192.27.3 10.192.28.3 10.192.29.3 10.192.30.3 10.192.31.3 10.192.36.3 10.192.37.3 10.192.38.3 10.192.39.4 10.192.40.3 10.192.41.3 10.192.42.3 10.192.43.3 10.192.32.14 10.192.1.9 10.192.17.9 10.192.49.10 10.192.23.4 10.192.5.4 10.192.6.4 10.192.7.4 10.192.8.4 10.192.9.4 10.192.10.4 10.192.11.4 10.192.12.4 10.192.13.4 10.192.14.4 10.192.15.4 10.192.21.4 10.192.22.4 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 10.192.48.213 10.192.1.13 10.192.17.10 10.192.33.10 10.192.23.5 10.192.5.8 10.192.6.5 10.192.7.5 10.192.8.5 10.192.9.5 10.192.10.5 10.192.11.5 10.192.12.5 10.192.13.5 10.192.14.5 10.192.15.5 10.192.21.5 10.192.22.5 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 10.80.0.3 10.80.1.8 10.80.1.14 10.80.0.9 10.80.0.2 10.80.1.10 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 10.128.0.18 10.128.0.9 10.128.0.11 2620:0:863:101::/64 10.132.0.39 10.132.0.6 10.132.0.7 2001:df2:e500:101::/64 10.136.0.16 10.136.1.19 10.136.1.15 10.136.0.19 10.136.0.17 10.136.1.20 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 10.140.0.13 10.140.1.2 10.140.1.14 10.140.0.2 10.140.0.14 10.140.1.3 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 );\n-@def $KAFKA_BROKERS_MAIN = (10.192.5.9 2620:0:860:106:10:192:5:9 10.192.22.6 2620:0:860:112:10:192:22:6 10.192.32.4 2620:0:860:103:10:192:32:4 10.192.48.33 2620:0:860:104:10:192:48:33 10.192.48.35 2620:0:860:104:10:192:48:35 10.64.0.101 2620:0:861:101:10:64:0:101 10.64.16.30 2620:0:861:102:10:64:16:30 10.64.32.45 2620:0:861:103:10:64:32:45 10.64.48.37 2620:0:861:107:10:64:48:37 10.64.152.5 2620:0:861:120:10:64:152:5 );\n-@def $KAFKA_BROKERS_JUMBO = (10.64.130.10 2620:0:861:109:10:64:130:10 10.64.131.16 2620:0:861:10a:10:64:131:16 10.64.132.21 2620:0:861:10b:10:64:132:21 10.64.134.9 2620:0:861:10d:10:64:134:9 10.64.135.16 2620:0:861:10e:10:64:135:16 10.64.136.11 2620:0:861:10f:10:64:136:11 10.64.154.15 2620:0:861:122:10:64:154:15 10.64.160.16 2620:0:861:128:10:64:160:16 10.64.0.126 2620:0:861:101:10:64:0:126 );\n-@def $KAFKA_BROKERS_LOGGING = (10.64.16.205 2620:0:861:102:10:64:16:205 10.64.133.11 2620:0:861:10c:10:64:133:11 10.64.183.12 2620:0:861:13d:10:64:183:12 10.64.131.13 2620:0:861:10a:10:64:131:13 10.64.135.13 2620:0:861:10e:10:64:135:13 10.192.23.29 2620:0:860:113:10:192:23:29 10.192.11.28 2620:0:860:10c:10:192:11:28 10.192.26.22 2620:0:860:105:10:192:26:22 10.192.11.27 2620:0:860:10c:10:192:11:27 10.192.39.25 2620:0:860:11e:10:192:39:25 );\n-@def $KAFKAMON_HOSTS = (10.64.32.11 2620:0:861:103:10:64:32:11 10.192.16.139 2620:0:860:102:10:192:16:139 );\n-@def $ZOOKEEPER_HOSTS_MAIN = (10.64.0.207 2620:0:861:101:10:64:0:207 10.64.16.110 2620:0:861:102:10:64:16:110 10.64.48.154 2620:0:861:107:10:64:48:154 10.192.16.45 2620:0:860:102:10:192:16:45 10.192.32.52 2620:0:860:103:10:192:32:52 10.192.48.59 2620:0:860:104:10:192:48:59 );\n-@def $ZOOKEEPER_FLINK_HOSTS = (10.64.16.9 2620:0:861:102:10:64:16:9 10.64.0.8 2620:0:861:101:10:64:0:8 10.64.32.41 2620:0:861:103:10:64:32:41 10.192.16.227 2620:0:860:102:10:192:16:227 10.192.32.179 2620:0:860:103:10:192:32:179 10.192.48.219 2620:0:860:104:10:192:48:219 );\n-@def $DRUID_PUBLIC_HOSTS = (10.64.131.9 2620:0:861:10a:10:64:131:9 10.64.132.12 2620:0:861:10b:10:64:132:12 10.64.135.9 2620:0:861:10e:10:64:135:9 10.64.32.101 2620:0:861:103:10:64:32:101 10.64.48.185 2620:0:861:107:10:64:48:185 );\n-@def $LABSTORE_HOSTS = (208.80.154.142 2620:0:861:2:208:80:154:142 208.80.154.71 2620:0:861:3:208:80:154:71 );\n-@def $MYSQL_ROOT_CLIENTS = (10.64.16.90 10.192.16.191 10.64.16.154 10.192.32.49 208.80.155.103 208.80.154.9 10.64.0.20 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-codfw-bgp-private-vips\n-@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 = (172.20.254.0/24);\n-@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a100:2ff::/64);\n-@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS = ($CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-flat3-codfw\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 = (172.16.129.0/24);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 = (2a02:ec80:a100:1::/64);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-codfw1dev\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 = (172.16.131.0/24);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 = (2a02:ec80:a100:100::/64);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV = ($CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-vxlan-ipv4-only-codfw\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 = (172.16.130.0/24);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances2-b-codfw\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 = (172.16.128.0/24);\n-@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-private-b1-codfw\n-@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 = (172.20.5.0/24);\n-@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 = (2a02:ec80:a100:205::/64);\n-@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW = ($CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-bgp-public-vips\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 = (185.15.57.24/29);\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a100:4000::/64);\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 = (185.15.57.0/29);\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 );\n-\n-# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating-additional\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 = (185.15.57.16/29);\n-@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-eqiad-bgp-private-vips\n-@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 = (172.20.255.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a000:2ff::/64);\n-@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS = ($EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-eqiad1\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 = (172.16.24.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 = (2a02:ec80:a000:100::/64);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1 = ($EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-dualstack-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 = (172.16.16.0/21);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 = (2a02:ec80:a000:1::/64);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-v4only-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 = (172.16.8.0/21);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances2-b-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 = (172.16.0.0/21);\n-@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-c8-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 = (172.20.1.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 = (2a02:ec80:a000:201::/64);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-d5-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 = (172.20.2.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 = (2a02:ec80:a000:202::/64);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-e4-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 = (172.20.3.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 = (2a02:ec80:a000:203::/64);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-f4-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 = (172.20.4.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 = (2a02:ec80:a000:204::/64);\n-@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-bgp-public-vips\n-@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 = (185.15.56.160/28);\n-@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a000:4000::/64);\n-@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS = ($EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 );\n-\n-# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-floating\n-@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 = (185.15.56.0/25);\n-@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING = ($EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-administration-codfw\n-@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 = (10.195.0.64/28);\n-@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW = ($CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-bastion-codfw\n-@def $CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 = (10.195.0.128/29);\n-@def $CODFW_PRIVATE_FRACK_BASTION_CODFW = ($CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-fundraising-codfw\n-@def $CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 = (10.195.0.32/27);\n-@def $CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW = ($CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-listenerdmz-codfw\n-@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 = (10.195.0.80/29);\n-@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW = ($CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-codfw\n-@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 = (10.195.1.0/25);\n-@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-legacy-codfw\n-@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 = (10.195.0.96/27);\n-@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-payments-codfw\n-@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 = (10.195.0.0/27);\n-@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW = ($CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: codfw, # Sphere: public, # Network: frack-external-codfw\n-@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 = (208.80.152.224/28);\n-@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW = ($CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-administration1-e15-eqiad\n-@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 = (10.64.40.64/27);\n-@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-bastion1-e15-eqiad\n-@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 = (10.64.40.32/27);\n-@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-fundraising1-e16-eqiad\n-@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 = (10.64.40.96/27);\n-@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD = ($EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-listenerdmz1-e15-eqiad\n-@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 = (10.64.40.160/27);\n-@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-management1-eqiad\n-@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 = (10.64.40.192/26);\n-@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD = ($EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-payments1-e15-eqiad\n-@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 = (10.64.40.0/27);\n-@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 );\n-\n-# Realm: frack, # Site: eqiad, # Sphere: public, # Network: frack-external1-eqiad\n-@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 = (208.80.155.0/27);\n-@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD = ($EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: cloud-hosts1-b1-codfw\n-@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 = (10.192.20.0/24);\n-@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 = (2620:0:860:118::/64);\n-@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW = ($CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 = (10.192.0.0/22);\n-@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 = (2620:0:860:101::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A_CODFW = ($CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 = (10.192.23.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 = (2620:0:860:113::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW = ($CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 = (10.192.5.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 = (2620:0:860:106::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW = ($CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 = (10.192.6.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 = (2620:0:860:107::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW = ($CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a5-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 = (10.192.7.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 = (2620:0:860:108::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW = ($CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a6-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 = (10.192.8.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 = (2620:0:860:109::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW = ($CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a7-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 = (10.192.9.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 = (2620:0:860:10a::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW = ($CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a8-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 = (10.192.10.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 = (2620:0:860:10b::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW = ($CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 = (10.194.80.0/21);\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 = (2620:0:860:305::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 = (10.194.64.0/20);\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 = (2620:0:860:304::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 = (10.192.16.0/22);\n-@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 = (2620:0:860:102::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B_CODFW = ($CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 = (10.192.11.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 = (2620:0:860:10c::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW = ($CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 = (10.192.12.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 = (2620:0:860:10d::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW = ($CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 = (10.192.13.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 = (2620:0:860:10e::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW = ($CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b5-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 = (10.192.14.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 = (2620:0:860:10f::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW = ($CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b6-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 = (10.192.15.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 = (2620:0:860:110::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW = ($CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b7-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 = (10.192.21.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 = (2620:0:860:111::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW = ($CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b8-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 = (10.192.22.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 = (2620:0:860:112::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW = ($CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 = (10.192.32.0/22);\n-@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 = (2620:0:860:103::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C_CODFW = ($CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c1-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 = (10.192.4.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 = (2620:0:860:100::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW = ($CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 = (10.192.26.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 = (2620:0:860:105::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW = ($CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 = (10.192.27.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 = (2620:0:860:114::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW = ($CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 = (10.192.28.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 = (2620:0:860:115::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW = ($CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c5-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 = (10.192.29.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 = (2620:0:860:116::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW = ($CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c6-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 = (10.192.30.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 = (2620:0:860:119::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW = ($CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c7-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 = (10.192.31.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 = (2620:0:860:11a::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW = ($CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 = (10.192.48.0/22);\n-@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 = (2620:0:860:104::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D_CODFW = ($CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d1-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 = (10.192.36.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 = (2620:0:860:11b::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW = ($CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 = (10.192.37.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 = (2620:0:860:11c::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW = ($CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 = (10.192.38.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 = (2620:0:860:11d::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW = ($CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 = (10.192.39.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 = (2620:0:860:11e::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW = ($CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d5-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 = (10.192.40.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 = (2620:0:860:11f::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW = ($CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d6-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 = (10.192.41.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 = (2620:0:860:120::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW = ($CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d7-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 = (10.192.42.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 = (2620:0:860:121::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW = ($CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d8-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 = (10.192.43.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 = (2620:0:860:122::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW = ($CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-dse-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 = (10.192.96.0/21);\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 = (2620:0:860:308::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-dse-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 = (10.192.80.0/20);\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 = (2620:0:860:307::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e1-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 = (10.192.56.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 = (2620:0:860:12b::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW = ($CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 = (10.192.44.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 = (2620:0:860:123::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW = ($CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 = (10.192.57.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 = (2620:0:860:12c::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW = ($CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 = (10.192.45.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 = (2620:0:860:124::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW = ($CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e5-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 = (10.192.46.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 = (2620:0:860:125::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW = ($CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f1-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 = (10.192.58.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 = (2620:0:860:12d::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW = ($CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f2-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 = (10.192.47.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 = (2620:0:860:126::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW = ($CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f3-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 = (10.192.59.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 = (2620:0:860:12e::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW = ($CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f4-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 = (10.192.52.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 = (2620:0:860:127::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW = ($CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-lvs-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 = (10.2.1.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_LVS_CODFW = ($CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 = (10.194.16.0/21);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 = (2620:0:860:300::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 = (10.194.0.0/20);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 = (2620:0:860:301::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 = (10.194.61.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 = (2620:0:860:302::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 = (10.194.62.0/23);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 = (2620:0:860:303::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 = (10.194.128.0/17);\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 = (2620:0:860:cabe::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 = (10.192.72.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 = (2620:0:860:cabf::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubepods-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 = (10.192.64.0/21);\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 = (2620:0:860:babe::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubesvc-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 = (10.192.76.0/24);\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 = (2620:0:860:babf::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-virtual-codfw\n-@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 = (10.192.24.0/23);\n-@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 = (2620:0:860:140::/64);\n-@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW = ($CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-a-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 = (208.80.153.0/27);\n-@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 = (2620:0:860:1::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_A_CODFW = ($CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-b-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 = (208.80.153.32/27);\n-@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 = (2620:0:860:2::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_B_CODFW = ($CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-c-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 = (208.80.153.64/27);\n-@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 = (2620:0:860:3::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_C_CODFW = ($CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-d-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 = (208.80.153.96/27);\n-@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 = (2620:0:860:4::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_D_CODFW = ($CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-lvs-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 = (208.80.153.224/27);\n-@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 = (2620:0:860:ed1a::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW = ($CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 );\n-\n-# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-virtual-codfw\n-@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 = (208.80.152.128/27);\n-@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 = (2620:0:860:5::/64);\n-@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW = ($CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b12-drmrs\n-@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 = (10.136.0.0/24);\n-@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 = (2a02:ec80:600:101::/64);\n-@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b13-drmrs\n-@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 = (10.136.1.0/24);\n-@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 = (2a02:ec80:600:102::/64);\n-@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-lvs-drmrs\n-@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 = (10.2.6.0/24);\n-@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b12-drmrs\n-@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 = (185.15.58.0/27);\n-@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 = (2a02:ec80:600:1::/64);\n-@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b13-drmrs\n-@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 = (185.15.58.32/27);\n-@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 = (2a02:ec80:600:2::/64);\n-@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 );\n-\n-# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-lvs-drmrs\n-@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 = (185.15.58.224/27);\n-@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 = (2a02:ec80:600:ed1a::/64);\n-@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-a-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 = (10.64.5.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 = (2620:0:861:104::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-b-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 = (10.64.21.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 = (2620:0:861:105::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 = (10.64.36.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 = (2620:0:861:106::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c2-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 = (10.64.137.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 = (2620:0:861:110::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c3-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 = (10.64.145.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 = (2620:0:861:117::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c4-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 = (10.64.170.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 = (2620:0:861:11a::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c5-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 = (10.64.172.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 = (2620:0:861:132::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c6-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 = (10.64.174.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 = (2620:0:861:134::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c7-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 = (10.64.176.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 = (2620:0:861:136::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 = (10.64.53.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 = (2620:0:861:108::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d1-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 = (10.64.178.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 = (2620:0:861:138::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d2-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 = (10.64.180.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 = (2620:0:861:13a::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d3-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 = (10.64.182.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 = (2620:0:861:13c::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d4-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 = (10.64.184.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 = (2620:0:861:13e::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d6-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 = (10.64.186.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 = (2620:0:861:141::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d7-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 = (10.64.188.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 = (2620:0:861:143::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d8-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 = (10.64.190.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 = (2620:0:861:145::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e1-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 = (10.64.138.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 = (2620:0:861:100::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e2-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 = (10.64.139.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 = (2620:0:861:111::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e3-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 = (10.64.140.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 = (2620:0:861:112::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e5-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 = (10.64.153.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 = (2620:0:861:121::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e6-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 = (10.64.155.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 = (2620:0:861:123::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e7-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 = (10.64.157.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 = (2620:0:861:125::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e8-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 = (10.64.159.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 = (2620:0:861:127::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f1-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 = (10.64.142.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 = (2620:0:861:114::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f2-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 = (10.64.143.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 = (2620:0:861:115::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f3-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 = (10.64.144.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 = (2620:0:861:116::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f5-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 = (10.64.161.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 = (2620:0:861:129::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f6-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 = (10.64.163.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 = (2620:0:861:12b::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f7-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 = (10.64.165.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 = (2620:0:861:12d::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f8-eqiad\n-@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 = (10.64.167.0/24);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 = (2620:0:861:12f::/64);\n-@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-c8-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 = (10.64.151.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 = (2620:0:861:11f::/64);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-d5-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 = (10.64.150.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 = (2620:0:861:11e::/64);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-e4-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 = (10.64.148.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 = (2620:0:861:11c::/64);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 = (10.64.20.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 = (2620:0:861:118::/64);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-f4-eqiad\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 = (10.64.149.0/24);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 = (2620:0:861:11d::/64);\n-@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-a-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 = (10.64.0.0/22);\n-@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 = (2620:0:861:101::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubepods-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 = (10.67.80.0/21);\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 = (2620:0:861:305::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubesvc-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 = (10.67.64.0/20);\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 = (2620:0:861:304::/116);\n-@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-b-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 = (10.64.16.0/22);\n-@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 = (2620:0:861:102::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 = (10.64.32.0/22);\n-@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 = (2620:0:861:103::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c2-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 = (10.64.133.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 = (2620:0:861:10c::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c3-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 = (10.64.141.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 = (2620:0:861:113::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c4-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 = (10.64.169.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 = (2620:0:861:119::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c5-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 = (10.64.171.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 = (2620:0:861:131::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c6-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 = (10.64.173.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 = (2620:0:861:133::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c7-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 = (10.64.175.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 = (2620:0:861:135::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 = (10.64.48.0/22);\n-@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 = (2620:0:861:107::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d1-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 = (10.64.177.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 = (2620:0:861:137::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d2-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 = (10.64.179.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 = (2620:0:861:139::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d3-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 = (10.64.181.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 = (2620:0:861:13b::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d4-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 = (10.64.183.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 = (2620:0:861:13d::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d6-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 = (10.64.185.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 = (2620:0:861:13f::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d7-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 = (10.64.187.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 = (2620:0:861:142::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d8-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 = (10.64.189.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 = (2620:0:861:144::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubepods-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 = (10.67.24.0/21);\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:302::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubesvc-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 = (10.67.32.0/20);\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 = (2620:0:861:303::/116);\n-@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e1-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 = (10.64.130.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 = (2620:0:861:109::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e2-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 = (10.64.131.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 = (2620:0:861:10a::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e3-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 = (10.64.132.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 = (2620:0:861:10b::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e5-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 = (10.64.152.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 = (2620:0:861:120::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e6-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 = (10.64.154.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 = (2620:0:861:122::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e7-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 = (10.64.156.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 = (2620:0:861:124::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e8-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 = (10.64.158.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 = (2620:0:861:126::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f1-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 = (10.64.134.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 = (2620:0:861:10d::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f2-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 = (10.64.135.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 = (2620:0:861:10e::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f3-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 = (10.64.136.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 = (2620:0:861:10f::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f5-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 = (10.64.160.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 = (2620:0:861:128::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f6-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 = (10.64.162.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 = (2620:0:861:12a::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f7-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 = (10.64.164.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 = (2620:0:861:12c::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f8-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 = (10.64.166.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 = (2620:0:861:12e::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-lvs-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 = (10.2.2.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubepods-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 = (10.67.16.0/21);\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:300::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubesvc-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 = (10.67.0.0/20);\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 = (2620:0:861:301::/116);\n-@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubepods-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 = (10.67.128.0/17);\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 = (2620:0:861:cabe::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubesvc-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 = (10.64.72.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 = (2620:0:861:cabf::/116);\n-@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubepods-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 = (10.64.64.0/21);\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 = (2620:0:861:babe::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubesvc-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 = (10.64.76.0/24);\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 = (2620:0:861:babf::/116);\n-@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-virtual-eqiad\n-@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 = (10.64.24.0/23);\n-@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 = (2620:0:861:140::/64);\n-@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-a-eqiad\n-@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 = (208.80.154.0/26);\n-@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 = (2620:0:861:1::/64);\n-@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-b-eqiad\n-@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 = (208.80.154.128/26);\n-@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 = (2620:0:861:2::/64);\n-@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-c-eqiad\n-@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 = (208.80.154.64/26);\n-@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 = (2620:0:861:3::/64);\n-@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-d-eqiad\n-@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 = (208.80.155.96/27);\n-@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 = (2620:0:861:4::/64);\n-@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-lvs-eqiad\n-@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 = (208.80.154.224/27);\n-@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 = (2620:0:861:ed1a::/64);\n-@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-eqsin\n-@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 = (10.132.0.0/24);\n-@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 = (2001:df2:e500:101::/64);\n-@def $EQSIN_PRIVATE_PRIVATE1_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-lvs-eqsin\n-@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 = (10.2.5.0/24);\n-@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-virtual-eqsin\n-@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 = (10.132.2.0/24);\n-@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:103::/64);\n-@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-eqsin\n-@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 = (103.102.166.0/28);\n-@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 = (2001:df2:e500:1::/64);\n-@def $EQSIN_PUBLIC_PUBLIC1_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-lvs-eqsin\n-@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 = (103.102.166.224/27);\n-@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 = (2001:df2:e500:ed1a::/64);\n-@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 );\n-\n-# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-virtual-eqsin\n-@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 = (103.102.166.96/27);\n-@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:3::/64);\n-@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: private, # Network: private1-bw27-esams\n-@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 = (10.80.0.0/24);\n-@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 = (2a02:ec80:300:101::/64);\n-@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: private, # Network: private1-by27-esams\n-@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 = (10.80.1.0/24);\n-@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 = (2a02:ec80:300:102::/64);\n-@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: private, # Network: private1-lvs-esams\n-@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 = (10.2.3.0/24);\n-@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 );\n-\n-# Realm: production, # Site: esams, # Sphere: private, # Network: private1-virtual-esams\n-@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 = (10.80.2.0/24);\n-@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:103::/64);\n-@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: public, # Network: public1-bw27-esams\n-@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 = (185.15.59.0/27);\n-@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 = (2a02:ec80:300:1::/64);\n-@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: public, # Network: public1-by27-esams\n-@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 = (185.15.59.32/27);\n-@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 = (2a02:ec80:300:2::/64);\n-@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: public, # Network: public1-lvs-esams\n-@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 = (185.15.59.224/27);\n-@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 = (2a02:ec80:300:ed1a::/64);\n-@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: esams, # Sphere: public, # Network: public1-virtual-esams\n-@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 = (185.15.59.96/27);\n-@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:3::/64);\n-@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b3-magru\n-@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 = (10.140.0.0/24);\n-@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 = (2a02:ec80:700:101::/64);\n-@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b4-magru\n-@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 = (10.140.1.0/24);\n-@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 = (2a02:ec80:700:102::/64);\n-@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: private, # Network: private1-lvs-magru\n-@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 = (10.2.7.0/24);\n-@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 );\n-\n-# Realm: production, # Site: magru, # Sphere: private, # Network: private1-virtual-magru\n-@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 = (10.140.2.0/24);\n-@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:103::/64);\n-@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b3-magru\n-@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 = (195.200.68.0/27);\n-@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 = (2a02:ec80:700:1::/64);\n-@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b4-magru\n-@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 = (195.200.68.32/27);\n-@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 = (2a02:ec80:700:2::/64);\n-@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: public, # Network: public1-lvs-magru\n-@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 = (195.200.68.224/27);\n-@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 = (2a02:ec80:700:ed1a::/64);\n-@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: magru, # Sphere: public, # Network: public1-virtual-magru\n-@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 = (195.200.68.96/27);\n-@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:3::/64);\n-@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-22-ulsfo\n-@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 = (10.128.0.0/24);\n-@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 = (2620:0:863:101::/64);\n-@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-23-ulsfo\n-@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 = (10.128.1.0/24);\n-@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 = (2620:0:863:102::/64);\n-@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-lvs-ulsfo\n-@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 = (10.2.4.0/24);\n-@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-virtual-ulsfo\n-@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 = (10.128.2.0/24);\n-@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:103::/64);\n-@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-22-ulsfo\n-@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 = (198.35.26.0/27);\n-@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 = (2620:0:863:1::/64);\n-@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-23-ulsfo\n-@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 = (198.35.26.32/27);\n-@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 = (2620:0:863:2::/64);\n-@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-lvs-ulsfo\n-@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 = (198.35.26.96/27);\n-@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 = (2620:0:863:ed1a::/64);\n-@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 );\n-\n-# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-virtual-ulsfo\n-@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 = (198.35.26.96/27);\n-@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:3::/64);\n-@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 );\n-\n-# Realm: sandbox, # Site: codfw, # Sphere: public, # Network: sandbox1-a-codfw\n-@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 = (208.80.152.240/28);\n-@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 = (2620:0:860:201::/64);\n-@def $CODFW_PUBLIC_SANDBOX1_A_CODFW = ($CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 );\n-\n-# Realm: sandbox, # Site: eqiad, # Sphere: public, # Network: sandbox1-b-eqiad\n-@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 = (208.80.155.64/28);\n-@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 = (2620:0:861:202::/64);\n-@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD = ($EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 );\n-\n-# Realm: sandbox, # Site: eqsin, # Sphere: public, # Network: sandbox1-virtual-eqsin\n-@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 = (103.102.166.72/29);\n-@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:202::/64);\n-@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 );\n-\n-# Realm: sandbox, # Site: esams, # Sphere: public, # Network: sandbox1-virtual-esams\n-@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 = (185.15.59.72/29);\n-@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:202::/64);\n-@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 );\n-\n-# Realm: sandbox, # Site: magru, # Sphere: public, # Network: sandbox1-virtual-magru\n-@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 = (195.200.68.64/29);\n-@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:201::/64);\n-@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 );\n-\n-# Realm: sandbox, # Site: ulsfo, # Sphere: public, # Network: sandbox1-ulsfo\n-@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 = (198.35.26.240/28);\n-@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 = (2620:0:863:201::/64);\n-@def $ULSFO_PUBLIC_SANDBOX1_ULSFO = ($ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 );", "parameters": "--- File[/etc/ferm/conf.d/00_defs].orig\n+++ File[/etc/ferm/conf.d/00_defs]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-dse_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/LABS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/LABS_NETWORKS_ipv6.nft\n@@ -0,0 +1,20 @@\n+# Autogenerated by puppet\n+set LABS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2a02:ec80:a000:100::/64,\n+             2a02:ec80:a000:1::/64,\n+             2a02:ec80:a000:201::/64,\n+             2a02:ec80:a000:202::/64,\n+             2a02:ec80:a000:203::/64,\n+             2a02:ec80:a000:204::/64,\n+             2a02:ec80:a000:2ff::/64,\n+             2a02:ec80:a000:4000::/64,\n+             2a02:ec80:a100:100::/64,\n+             2a02:ec80:a100:1::/64,\n+             2a02:ec80:a100:205::/64,\n+             2a02:ec80:a100:2ff::/64,\n+             2a02:ec80:a100:4000::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-cassandra-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Httpd::Mod_conf[status]", "parameters": "--- Httpd::Mod_conf[status].orig\n+++ Httpd::Mod_conf[status]\n\n-    mod      => status\n-    loadfile => status.load\n-    ensure   => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20011 \\\n-          -responses /etc/cfssl/ocsp/wikikube_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/prerouting]", "parameters": "--- File[/etc/nftables/prerouting].orig\n+++ File[/etc/nftables/prerouting]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_staging].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_staging]\n\n-    unit              => cfssl-ocspserve@mlserve_staging\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@cassandra]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@cassandra].orig\n+++ Systemd::Unit[cfssl-ocspserve@cassandra]\n\n-    unit              => cfssl-ocspserve@cassandra\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unmask[nftables.service]", "parameters": "--- Systemd::Unmask[nftables.service].orig\n+++ Systemd::Unmask[nftables.service]\n\n+    unit        => nftables.service\n+    refreshonly => False\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Service[cfssl-ocsprefresh-puppet_rsa]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Cfssl::Signer[puppet_rsa]", "parameters": "--- Cfssl::Signer[puppet_rsa].orig\n+++ Cfssl::Signer[puppet_rsa]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\nMIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\nlbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\nXutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\nz/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\ni16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\nFBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\nBnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\nAJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\nmXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\nRn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\nGGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\nAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\nDgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\nvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\na2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\nQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\nY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\nhwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\nxTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/puppet_rsa\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/puppet_rsa\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_syslog].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_syslog]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Service[cfssl-ocspserve@discovery].orig\n+++ Systemd::Service[cfssl-ocspserve@discovery]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/signers/discovery/cfssl.conf]", "content": "--- /etc/cfssl/signers/discovery/cfssl.conf.orig\n+++ /etc/cfssl/signers/discovery/cfssl.conf\n@@ -1,129 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/discovery\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/discovery\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_staging\": {\n-        \"auth_key\": \"k8s_staging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_wikikube\": {\n-        \"auth_key\": \"k8s_wikikube\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlserve\": {\n-        \"auth_key\": \"k8s_mlserve\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlstaging\": {\n-        \"auth_key\": \"k8s_mlstaging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_dse\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_dse_opensearch\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"4380h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_aux\": {\n-        \"auth_key\": \"k8s_aux\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/discovery/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/discovery/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__dse_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"2560f4f577ba169af651cf96bd5dc1ba\",check_name=\"check_check_certificate_expiry_dse_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_dse_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-aux_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_discovery2026].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"wikikube_staging_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Service[wmf_auto_restart_ulogd2.timer]", "parameters": "--- Service[wmf_auto_restart_ulogd2.timer].orig\n+++ Service[wmf_auto_restart_ulogd2.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-cassandra.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File_line[auto_restart_file_presence_apache2]", "parameters": "--- File_line[auto_restart_file_presence_apache2].orig\n+++ File_line[auto_restart_file_presence_apache2]\n\n-    path    => /etc/debdeploy-client/autorestarts.conf\n-    line    => apache2\n-    ensure  => present\n-    require => File[/etc/debdeploy-client/autorestarts.conf]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_etcd.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_etcd.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Ocsp[dse]", "parameters": "--- Cfssl::Ocsp[dse].orig\n+++ Cfssl::Ocsp[dse]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/dse/ca/dse.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20061\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_zuul\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"373325faaa689f3e9b058d91d4eb6cdb\" --timeout 10 --check-command \"check_check_certificate_expiry_zuul\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_zuul command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_network_devices command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_network_devices\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"21dac3775d059b8c991626e2ca33f951\" --timeout 10 --check-command \"check_check_certificate_expiry_network_devices\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@dse]", "parameters": "--- Systemd::Service[cfssl-ocspserve@dse].orig\n+++ Systemd::Service[cfssl-ocspserve@dse]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_zuul]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_network_devices].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_network_devices]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"network_devices\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    unit              => cfssl-ocspserve@cloud_wmnet_ca\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_dse_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_dse_front_proxy]\n\n-    user       => nrpe_certificate_check_dse_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-dse_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-dse_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[wmf_auto_restart_apache-htcacheclean.timer]", "parameters": "--- Service[wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ Service[wmf_auto_restart_apache-htcacheclean.timer]\n\n-    before   => ['Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_kafka]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_kafka].orig\n+++ Nrpe::Check[check_check_certificate_expiry_kafka]\n\n-    before    => Monitoring::Service[check_certificate_expiry_kafka]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/BASTION_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/BASTION_HOSTS_ipv6.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set BASTION_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:1:208:80:154:7,\n+             2a02:ec80:300:3:185:15:59:99,\n+             2620:0:860:4:208:80:153:110,\n+             2620:0:863:3:198:35:26:104,\n+             2001:df2:e500:3:103:102:166:103,\n+             2a02:ec80:600:1:185:15:58:6,\n+             2a02:ec80:700:3:195:200:68:99\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (cloud_wmnet_ca)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10004 \\\n-          -responses /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-aux]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (dse_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20062 \\\n-          -responses /etc/cfssl/ocsp/dse_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: wikikube\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Nftables::Set[PROMETHEUS_HOSTS]", "parameters": "--- Nftables::Set[PROMETHEUS_HOSTS].orig\n+++ Nftables::Set[PROMETHEUS_HOSTS]\n\n+    hosts  => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n+    ensure => present\n"}, {"resource": "Nftables::Set[FRACK_NETWORKS]", "parameters": "--- Nftables::Set[FRACK_NETWORKS].orig\n+++ Nftables::Set[FRACK_NETWORKS]\n\n+    hosts  => ['10.195.0.0/27', '10.195.0.128/29', '10.195.0.32/27', '10.195.0.64/28', '10.195.0.80/29', '10.195.0.96/27', '10.195.1.0/25', '10.64.40.0/27', '10.64.40.160/27', '10.64.40.192/26', '10.64.40.32/27', '10.64.40.64/27', '10.64.40.96/27', '208.80.152.224/28', '208.80.155.0/27']\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"b194b5b9b6c9d6e05b9eed8dcfcc40cf\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - Wikimedia_Internal_Root_CA\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem --responses-file /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@Wikimedia_Internal_Root_CA' Wikimedia_Internal_Root_CA ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-aux.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-aux.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Signer[syslog]", "parameters": "--- Cfssl::Signer[syslog].orig\n+++ Cfssl::Signer[syslog]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\nCaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\nW94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\nq4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\nDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\nqaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\nBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\nLndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\nQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\nYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\np828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\nas4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/syslog\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/syslog\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/syslog/ca/syslog-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "File[/etc/ssl/dhparam.pem]", "parameters": "--- File[/etc/ssl/dhparam.pem].orig\n+++ File[/etc/ssl/dhparam.pem]\n\n-    owner  => root\n-    source => puppet:///modules/sslcert/dhparam.pem\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@etcd.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@etcd.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (etcd)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10005 \\\n-          -responses /etc/cfssl/ocsp/etcd.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@etcd.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@etcd.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for discovery]", "parameters": "--- Exec[Generate initial CRL for discovery].orig\n+++ Exec[Generate initial CRL for discovery]\n\n-    creates => /srv/cfssl/crl/discovery\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery/ca/discovery.pem /etc/cfssl/signers/discovery/ca/discovery-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/discovery\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "content": "--- /etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods.orig\n+++ /etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 8443, ($WIKIKUBE_KUBEPODS_NETWORKS $STAGING_KUBEPODS_NETWORKS $MLSERVE_KUBEPODS_NETWORKS $MLSTAGE_KUBEPODS_NETWORKS $DSE_KUBEPODS_NETWORKS $AUX_KUBEPODS_NETWORKS));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods].orig\n+++ File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set DSE_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:302::/64,\n+             2620:0:860:308::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_cassandra command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_cassandra\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f5e260f525c48c963fb2e6c86a0d5d63\" --timeout 10 --check-command \"check_check_certificate_expiry_cassandra\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[Generate initial CRL for discovery2026]", "parameters": "--- Exec[Generate initial CRL for discovery2026].orig\n+++ Exec[Generate initial CRL for discovery2026]\n\n-    creates => /srv/cfssl/crl/discovery2026\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery2026/ca/discovery2026.pem /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/discovery2026\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-discovery2026].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-discovery2026]\n\n-    ensure => present\n"}, {"resource": "File[/etc/systemd/system/ferm.service.d]", "parameters": "--- File[/etc/systemd/system/ferm.service.d].orig\n+++ File[/etc/systemd/system/ferm.service.d]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0555\n-    ensure => directory\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_dse_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_dse_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_dse_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem --responses-file /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@Wikimedia_Internal_Root_CA' Wikimedia_Internal_Root_CA \n-    description               => OCSP Refresh job - Wikimedia_Internal_Root_CA\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_syslog.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"e515778a769f523fb98a7f642670e011\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_cassandra].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_cassandra]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_cloud_wmnet_ca command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f87f54115f2f782169eed72541c30a1e\" --timeout 10 --check-command \"check_check_certificate_expiry_cloud_wmnet_ca\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_discovery2026]", "parameters": "--- Monitoring::Service[check_certificate_expiry_discovery2026].orig\n+++ Monitoring::Service[check_certificate_expiry_discovery2026]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_discovery2026!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: discovery2026\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/srv/cfssl/bundles/discovery2026.pem]", "content": "--- /srv/cfssl/bundles/discovery2026.pem.orig\n+++ /srv/cfssl/bundles/discovery2026.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\n-A4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\n-HQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n-1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\n-CDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\n-SXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n-0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\n-c2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\n-A1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\n-aWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\n-UGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\n-b9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\n-aTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/discovery2026.pem].orig\n+++ File[/srv/cfssl/bundles/discovery2026.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Override[apache2-after-network-online-target]", "parameters": "--- Systemd::Override[apache2-after-network-online-target].orig\n+++ Systemd::Override[apache2-after-network-online-target]\n\n-    unit    => apache2\n-    restart => False\n-    ensure  => absent\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-dse]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-dse.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set PROMETHEUS_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.0.82,\n+             10.64.16.62,\n+             10.64.48.171,\n+             10.64.32.85\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Package[python3-cryptography]", "parameters": "--- Package[python3-cryptography].orig\n+++ Package[python3-cryptography]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_staging].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_staging]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft\n@@ -0,0 +1,38 @@\n+# Autogenerated by puppet\n+set ANALYTICS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.64.137.0/24,\n+             10.64.138.0/24,\n+             10.64.139.0/24,\n+             10.64.140.0/24,\n+             10.64.142.0/24,\n+             10.64.143.0/24,\n+             10.64.144.0/24,\n+             10.64.145.0/24,\n+             10.64.153.0/24,\n+             10.64.155.0/24,\n+             10.64.157.0/24,\n+             10.64.159.0/24,\n+             10.64.161.0/24,\n+             10.64.163.0/24,\n+             10.64.165.0/24,\n+             10.64.167.0/24,\n+             10.64.170.0/24,\n+             10.64.172.0/24,\n+             10.64.174.0/24,\n+             10.64.176.0/24,\n+             10.64.178.0/24,\n+             10.64.180.0/24,\n+             10.64.182.0/24,\n+             10.64.184.0/24,\n+             10.64.186.0/24,\n+             10.64.188.0/24,\n+             10.64.190.0/24,\n+             10.64.21.0/24,\n+             10.64.36.0/24,\n+             10.64.5.0/24,\n+             10.64.53.0/24\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "content": "--- /lib/systemd/system/cfssl-gc-expired-certs.timer.orig\n+++ /lib/systemd/system/cfssl-gc-expired-certs.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-gc-expired-certs.service\n-\n-[Timer]\n-Unit=cfssl-gc-expired-certs.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=hourly\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-gc-expired-certs.timer].orig\n+++ File[/lib/systemd/system/cfssl-gc-expired-certs.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_network_devices.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-ferm_active.service].orig\n+++ Systemd::Unit[nrpe2nodexp-ferm_active.service]\n\n-    unit              => nrpe2nodexp-ferm_active.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_etcd]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_etcd].orig\n+++ Nrpe::Check[check_check_certificate_expiry_etcd]\n\n-    before    => Monitoring::Service[check_certificate_expiry_etcd]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[Generate initial CRL for network_devices]", "parameters": "--- Exec[Generate initial CRL for network_devices].orig\n+++ Exec[Generate initial CRL for network_devices]\n\n-    creates => /srv/cfssl/crl/network_devices\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/network_devices/ca/network_devices.pem /etc/cfssl/signers/network_devices/ca/network_devices-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/network_devices\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca]", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-dse].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-dse]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-dse]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - discovery\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_discovery2026].orig\n+++ Nrpe::Check[check_check_certificate_expiry_discovery2026]\n\n-    before    => Monitoring::Service[check_certificate_expiry_discovery2026]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-syslog]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-syslog.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/srv/cfssl/bundles/syslog.pem]", "content": "--- /srv/cfssl/bundles/syslog.pem.orig\n+++ /srv/cfssl/bundles/syslog.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\n-CaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\n-W94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\n-q4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\n-DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\n-qaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\n-BggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\n-LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\n-QTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\n-YV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n-8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\n-p828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\n-as4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/syslog.pem].orig\n+++ File[/srv/cfssl/bundles/syslog.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_syslog].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_syslog]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/puppet_rsa.ocsp].orig\n+++ File[/etc/cfssl/ocsp/puppet_rsa.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set PROMETHEUS_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:101:10:64:0:82,\n+             2620:0:861:102:10:64:16:62,\n+             2620:0:861:107:10:64:48:171,\n+             2620:0:861:103:10:64:32:85\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_ferm]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_ferm].orig\n+++ File[/usr/local/lib/nagios/plugins/check_ferm]\n\n-    tag     => nrpe::plugin\n-    owner   => root\n-    ensure  => file\n-    source  => puppet:///modules/base/firewall/check_ferm\n-    group   => root\n-    mode    => 0555\n-    require => File[/usr/local/lib/nagios/plugins/]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_staging\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "parameters": "--- Exec[Generate initial CRL for mlserve_staging_front_proxy].orig\n+++ Exec[Generate initial CRL for mlserve_staging_front_proxy]\n\n-    creates => /srv/cfssl/crl/mlserve_staging_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_staging_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]\n\n-    unit              => cfssl-ocsprefresh-discovery2026.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_front_proxy' mlserve_front_proxy \n-    description               => OCSP Refresh job - mlserve_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve.pem]", "content": "--- /srv/cfssl/bundles/mlserve.pem.orig\n+++ /srv/cfssl/bundles/mlserve.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n-4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\n-hMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n-4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\n-HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\n-fAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\n-VgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\n-eS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\n-MEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\n-aWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n-6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\n-GLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\n-jPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-syslog]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/syslog/ca/syslog.pem --responses-file /etc/cfssl/ocsp/syslog.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@syslog' syslog \n-    description               => OCSP Refresh job - syslog\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/srv/cfssl/bundles/aux.pem]", "content": "--- /srv/cfssl/bundles/aux.pem.orig\n+++ /srv/cfssl/bundles/aux.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\n-h264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\n-sa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\n-QcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n-1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\n-tEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\n-Sr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\n-A3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/aux.pem].orig\n+++ File[/srv/cfssl/bundles/aux.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "content": "--- /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables.orig\n+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"pki1001 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables].orig\n+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]\n\n+    owner  => root\n+    group  => root\n+    mode   => 0555\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft\n@@ -0,0 +1,22 @@\n+# Autogenerated by puppet\n+set FRACK_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.195.0.0/27,\n+             10.195.0.128/29,\n+             10.195.0.32/27,\n+             10.195.0.64/28,\n+             10.195.0.80/29,\n+             10.195.0.96/27,\n+             10.195.1.0/25,\n+             10.64.40.0/27,\n+             10.64.40.160/27,\n+             10.64.40.192/26,\n+             10.64.40.32/27,\n+             10.64.40.64/27,\n+             10.64.40.96/27,\n+             208.80.152.224/28,\n+             208.80.155.0/27\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => mlserve_staging_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: debmonitor\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__debmonitor\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"224e2ac3574a9ce482218106d95a2931\",check_name=\"check_check_certificate_expiry_debmonitor\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: debmonitor\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_debmonitor))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --responses-file /etc/cfssl/ocsp/discovery2026.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery2026' discovery2026 \n-    description               => OCSP Refresh job - discovery2026\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Monitoring::Exported_nagios_host[pki1001]", "parameters": "--- Monitoring::Exported_nagios_host[pki1001].orig\n+++ Monitoring::Exported_nagios_host[pki1001]\n\n@@\n-    hostgroups            => pki_eqiad,asw2-a-eqiad\n+    hostgroups            => insetup_eqiad,asw2-a-eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@mlserve_staging_front_proxy]']\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_puppet_rsa!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]\n\n-    user       => nrpe_certificate_check_wikikube_staging_front_proxy\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 10\n-    max_check_attempts     => 2\n-    retry_interval         => 1\n-    contact_groups         => admins,sms,admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 240\n-    check_command          => nrpe_check!check_check_cfssl-multirootca_status!10\n-    host_name              => pki1001\n-    service_description    => Check unit status of cfssl-multirootca #page\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube.pem]", "content": "--- /srv/cfssl/bundles/wikikube.pem.orig\n+++ /srv/cfssl/bundles/wikikube.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\n-AX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n-4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\n-YIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\n-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\n-B9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\n-MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\n-cnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\n-QzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\n-ZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\n-GaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\n-GBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n-9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-discovery]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-discovery.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-syslog\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-syslog/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Ferm::Service[multirootca_tls_termination]", "parameters": "--- Ferm::Service[multirootca_tls_termination].orig\n+++ Ferm::Service[multirootca_tls_termination]\n\n-    src_sets            => ['DOMAIN_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 443\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-debmonitor]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Cfssl::Config[syslog]", "parameters": "--- Cfssl::Config[syslog].orig\n+++ Cfssl::Config[syslog]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/syslog\n-    path                => /etc/cfssl/signers/syslog/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/syslog\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_kafka.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: network_devices\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__network_devices\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"21dac3775d059b8c991626e2ca33f951\",check_name=\"check_check_certificate_expiry_network_devices\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: network_devices\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_network_devices))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_kafka command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_kafka\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"22922fd6bc2d570e018cbe5ccd8d1727\" --timeout 10 --check-command \"check_check_certificate_expiry_kafka\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "content": "--- /etc/cfssl/signers/mlserve/ca/mlserve.pem.orig\n+++ /etc/cfssl/signers/mlserve/ca/mlserve.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n-4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\n-hMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n-4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\n-HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\n-fAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\n-VgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\n-eS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\n-MEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\n-aWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n-6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\n-GLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\n-jPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca/mlserve.pem].orig\n+++ File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "content": "--- /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem.orig\n+++ /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n-9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\n-pNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\n-ZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\n-HEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept\n+ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept", "parameters": "--- File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft].orig\n+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Profile::Auto_restarts::Service[apache2]", "parameters": "--- Profile::Auto_restarts::Service[apache2].orig\n+++ Profile::Auto_restarts::Service[apache2]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Signer[wikikube]", "parameters": "--- Cfssl::Signer[wikikube].orig\n+++ Cfssl::Signer[wikikube]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\nAX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\nYIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\nVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\nB9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\nMFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\ncnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\nQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\nZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\nGaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\nGBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => test\n\n"}, {"resource": "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set MLSERVE_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.67.16.0/21,\n+             10.194.16.0/21\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@dse]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@dse].orig\n+++ Systemd::Unit[cfssl-ocspserve@dse]\n\n-    unit              => cfssl-ocspserve@dse\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/systemd/system/nftables.service.d]", "parameters": "--- File[/etc/systemd/system/nftables.service.d].orig\n+++ File[/etc/systemd/system/nftables.service.d]\n\n+    owner  => root\n+    group  => root\n+    mode   => 0555\n+    ensure => directory\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_aux.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_aux.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube/ca/wikikube.pem --responses-file /etc/cfssl/ocsp/wikikube.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube' wikikube \n-    description               => OCSP Refresh job - wikikube\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Nftables::Set[CLOUD_NETWORKS]", "parameters": "--- Nftables::Set[CLOUD_NETWORKS].orig\n+++ Nftables::Set[CLOUD_NETWORKS]\n\n+    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_etcd\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_staging]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Service[cfssl-ocsprefresh-zuul.timer]", "parameters": "--- Service[cfssl-ocsprefresh-zuul.timer].orig\n+++ Service[cfssl-ocsprefresh-zuul.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-cloud_wmnet_ca\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-cloud_wmnet_ca/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/aux.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/aux.ocsp].orig\n+++ File[/etc/cfssl/ocsp/aux.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cassandra.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cassandra.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-cassandra.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-cassandra.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-zuul.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-zuul.timer]\n\n-    unit              => cfssl-ocsprefresh-zuul.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    unit              => cfssl-ocsprefresh-puppet_rsa.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Class[Ulogd]", "parameters": "--- Class[Ulogd].orig\n+++ Class[Ulogd]\n\n-    gprint_logfile      => /var/log/ulog/gprint.log\n-    nacct_file          => /var/log/ulog/nacct.log\n-    pcap_file           => /var/log/ulog/ulogd.pcap\n-    sync                => True\n-    config_file         => /etc/ulogd.conf\n-    nfct                => []\n-    oprint_logfile      => /var/log/ulog/oprint.log\n-    logemu_nfct_logfile => /var/log/ulog/syslogemu_nfct.log\n-    logemu_logfile      => /var/log/ulog/syslogemu.log\n-    syslog_level        => info\n-    logfile             => syslog\n-    json_nfct_logfile   => /var/log/ulog/ulogd_nfct.json\n-    syslog_facility     => local7\n-    xml_directory       => /var/log/ulog/\n-    json_logfile        => /var/log/ulog/ulogd.json\n-    nflog               => ['SYSLOG']\n-    log_level           => info\n-    acct                => []\n-    ensure              => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@aux]", "parameters": "--- Systemd::Service[cfssl-ocspserve@aux].orig\n+++ Systemd::Service[cfssl-ocspserve@aux]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@kafka]", "parameters": "--- Systemd::Service[cfssl-ocspserve@kafka].orig\n+++ Systemd::Service[cfssl-ocspserve@kafka]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"4d759acaf0fd7dd3abaa03dc4565aef6\",check_name=\"check_check_certificate_expiry_wikikube_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Motd::Script[insetup::infrastructure_foundations_nftables]", "parameters": "--- Motd::Script[insetup::infrastructure_foundations_nftables].orig\n+++ Motd::Script[insetup::infrastructure_foundations_nftables]\n\n+    priority => 5\n+    ensure   => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_aux_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[apache2-apache2-after-network-online-target]", "parameters": "--- Systemd::Unit[apache2-apache2-after-network-online-target].orig\n+++ Systemd::Unit[apache2-apache2-after-network-online-target]\n\n-    unit              => apache2\n-    override          => True\n-    ensure            => absent\n-    restart           => False\n-    override_filename => apache2-after-network-online-target\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Ferm::Conf[main]", "parameters": "--- Ferm::Conf[main].orig\n+++ Ferm::Conf[main]\n\n-    prio   => 02\n-    source => puppet:///modules/base/firewall/main-input-default-drop.conf\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_syslog\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"e3b9b989d5062ce2d267023dfe42fcd8\" --timeout 10 --check-command \"check_check_certificate_expiry_syslog\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_syslog command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n"}, {"resource": "Cfssl::Signer[cloud_wmnet_ca]", "parameters": "--- Cfssl::Signer[cloud_wmnet_ca].orig\n+++ Cfssl::Signer[cloud_wmnet_ca]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\nIwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\nSrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\nAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\nFMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\nkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\naXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\nBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\nV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\nXFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\nRSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/cloud_wmnet_ca\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => fake\n\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "content": "--- /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem.orig\n+++ /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@cassandra]']\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_cassandra]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-syslog].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-syslog]\n\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@discovery]']\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_discovery\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_kafka]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_kafka].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_kafka]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"kafka\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Sudo::User[nrpe_certificate_check_cassandra]", "parameters": "--- Sudo::User[nrpe_certificate_check_cassandra].orig\n+++ Sudo::User[nrpe_certificate_check_cassandra]\n\n-    user       => nrpe_certificate_check_cassandra\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_staging].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_staging]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_staging!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-kafka.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-kafka.timer]\n\n-    unit              => cfssl-ocsprefresh-kafka.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/signers/aux/cfssl.conf]", "content": "--- /etc/cfssl/signers/aux/cfssl.conf.orig\n+++ /etc/cfssl/signers/aux/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/aux\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/aux\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/aux/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/aux/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set WIKIKUBE_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:cabe::/64,\n+             2620:0:860:cabe::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_discovery]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_discovery].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_discovery]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"discovery\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]\n\n-    unit              => cfssl-ocsprefresh-wikikube_staging.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@aux.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@aux.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (aux)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20050 \\\n-          -responses /etc/cfssl/ocsp/aux.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@aux.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@aux.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-debmonitor.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-debmonitor.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - debmonitor\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --responses-file /etc/cfssl/ocsp/debmonitor.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@debmonitor' debmonitor ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Ferm::Filter_log[filter-bootp]", "parameters": "--- Ferm::Filter_log[filter-bootp].orig\n+++ Ferm::Filter_log[filter-bootp]\n\n-    daddr  => 255.255.255.255\n-    dport  => 68\n-    ensure => present\n-    sport  => 67\n-    proto  => udp\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@kafka]']\n"}, {"resource": "Service[cfssl-ocsprefresh-dse.timer]", "parameters": "--- Service[cfssl-ocsprefresh-dse.timer].orig\n+++ Service[cfssl-ocsprefresh-dse.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/nftables/100_base_puppet.nft]", "content": "--- /etc/nftables/100_base_puppet.nft.orig\n+++ /etc/nftables/100_base_puppet.nft\n@@ -0,0 +1,45 @@\n+# SPDX-License-Identifier: Apache-2.0\n+table inet base {\n+\n+    # Include all Puppet-managed sets\n+    include \"/etc/nftables/sets/*.nft\"\n+\n+    chain prerouting {\n+        type filter hook prerouting priority -300;\n+\n+        # Include all Puppet-managed rules targetting prerouting chain\n+        include \"/etc/nftables/prerouting/*.nft\"\n+        # Include all Puppet-managed exceptions from connection tracking\n+        include \"/etc/nftables/notrack/*.nft\"\n+    }\n+\n+    chain input {\n+        type filter hook input priority 0 ; policy drop;\n+\n+        ct state related,established accept\n+        iifname \"lo\" accept\n+        pkttype multicast accept\n+        meta l4proto ipv6-icmp accept\n+        ip protocol icmp accept\n+\n+        # Include all Puppet-managed service definitions for incoming traffic\n+        include \"/etc/nftables/input/*.nft\"\n+    }\n+\n+    chain output {\n+        type filter hook output priority 0 ; policy accept;\n+\n+        # Include any Puppet-managed client definitions filtering outbound traffic\n+        include \"/etc/nftables/output/*.nft\"\n+    }\n+\n+    chain postrouting {\n+        type filter hook postrouting priority 0 ;\n+\n+        # Include any Puppet-managed custom rules to mark DSCP bits\n+        include \"/etc/nftables/postrouting/*.nft\"\n+        # Anything else mark as CS0 / default priority class\n+        ip dscp != cs0 ip dscp set cs0 counter\n+        ip6 dscp != cs0 ip6 dscp set cs0 counter\n+    }\n+}", "parameters": "--- File[/etc/nftables/100_base_puppet.nft].orig\n+++ File[/etc/nftables/100_base_puppet.nft]\n\n+    tag     => nft\n+    notify  => ['Service[nftables]']\n+    owner   => root\n+    ensure  => present\n+    group   => root\n+    mode    => 0444\n+    require => File[/etc/nftables/]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n"}, {"resource": "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => dse_front_proxy\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@dse_front_proxy]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@network_devices]']\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_aux]", "parameters": "--- Sudo::User[nrpe_certificate_check_aux].orig\n+++ Sudo::User[nrpe_certificate_check_aux]\n\n-    user       => nrpe_certificate_check_aux\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-multirootca]", "parameters": "--- Systemd::Unit[cfssl-multirootca].orig\n+++ Systemd::Unit[cfssl-multirootca]\n\n-    unit              => cfssl-multirootca\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-etcd]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-syslog-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_etcd.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Monitor[cfssl-multirootca]", "parameters": "--- Systemd::Monitor[cfssl-multirootca].orig\n+++ Systemd::Monitor[cfssl-multirootca]\n\n-    contact_group  => admins\n-    critical       => True\n-    retries        => 2\n-    check_interval => 10\n-    migration_task => T350694\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI\n-    ensure         => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-aux_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve]\n\n-    ca_file      => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => mlserve\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve/ca/mlserve.pem --responses-file /etc/cfssl/ocsp/mlserve.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve' mlserve \n-    description               => OCSP Refresh job - mlserve\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "parameters": "--- Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)].orig\n+++ Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]\n\n-    before      => ['Service[ferm]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Ocsp[discovery2026]", "parameters": "--- Cfssl::Ocsp[discovery2026].orig\n+++ Cfssl::Ocsp[discovery2026]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10010\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Nftables::Set[KAFKAMON_HOSTS]", "parameters": "--- Nftables::Set[KAFKAMON_HOSTS].orig\n+++ Nftables::Set[KAFKAMON_HOSTS]\n\n+    hosts  => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_apache-htcacheclean].orig\n+++ Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]\n\n-    ensure => absent\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_staging\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f389c556cebfcfc345b3d6802f320045\",check_name=\"check_check_certificate_expiry_wikikube_staging\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_staging))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-dse]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    unit              => cfssl-ocspserve@mlserve_staging_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__aux_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"99cf4f8f014e8fd527800abcc213f494\",check_name=\"check_check_certificate_expiry_aux_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_aux_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set KAFKAMON_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.32.11,\n+             10.192.16.139\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-etcd-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Service[cfssl-ocspserve@zuul]", "parameters": "--- Service[cfssl-ocspserve@zuul].orig\n+++ Service[cfssl-ocspserve@zuul]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --responses-file /etc/cfssl/ocsp/aux_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux_front_proxy' aux_front_proxy \n-    description               => OCSP Refresh job - aux_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Nftables::Set[CACHES]", "parameters": "--- Nftables::Set[CACHES].orig\n+++ Nftables::Set[CACHES]\n\n+    hosts  => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', '2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', '10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.0.27', '2620:0:863:101:10:128:0:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.0.28', '2620:0:863:101:10:128:0:28', '10.128.0.25', '2620:0:863:101:10:128:0:25', '10.128.0.29', '2620:0:863:101:10:128:0:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.0.31', '2620:0:863:101:10:128:0:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.0.35', '2620:0:863:101:10:128:0:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.0.36', '2620:0:863:101:10:128:0:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.0.10', '2620:0:863:101:10:128:0:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.0.12', '2620:0:863:101:10:128:0:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', '10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', '10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', '2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery2026.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]\n\n-    unit              => cfssl-ocsprefresh-discovery2026.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-dse.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-dse\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-dse\n-\n-/var/log/cfssl-ocsprefresh-dse/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-dse].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-dse]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-wikikube.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Signer[mlserve]", "parameters": "--- Cfssl::Signer[mlserve].orig\n+++ Cfssl::Signer[mlserve]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\nhMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\nHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\nfAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\nVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\neS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\nMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\naWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\nGLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\njPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-network_devices.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache2.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache2.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of wmf_auto_restart_apache2.service\n-\n-[Timer]\n-Unit=wmf_auto_restart_apache2.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache2.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache2.timer]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-kafka-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "parameters": "--- Service[nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-etcd]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-etcd.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Motd::Message[pki::multirootca]", "parameters": "--- Motd::Message[pki::multirootca].orig\n+++ Motd::Message[pki::multirootca]\n\n-    priority => 5\n-    message  => pki1001 is a PKI server (pki::multirootca)\n-    ensure   => present\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/apache2/mods-available/status.conf]", "parameters": "--- File[/etc/apache2/mods-available/status.conf].orig\n+++ File[/etc/apache2/mods-available/status.conf]\n\n-    before  => Httpd::Mod_conf[status]\n-    owner   => root\n-    ensure  => absent\n-    group   => root\n-    require => Package[apache2]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_zuul]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_zuul].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_zuul]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"zuul\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_etcd].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_etcd]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-debmonitor.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-debmonitor\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-debmonitor\n-\n-/var/log/cfssl-ocsprefresh-debmonitor/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Ocsp[mlserve]", "parameters": "--- Cfssl::Ocsp[mlserve].orig\n+++ Cfssl::Ocsp[mlserve]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20030\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft\n@@ -0,0 +1,15 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_MAIN_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.192.5.9,\n+             10.192.22.6,\n+             10.192.32.4,\n+             10.192.48.33,\n+             10.192.48.35,\n+             10.64.0.101,\n+             10.64.16.30,\n+             10.64.32.45,\n+             10.64.48.37,\n+             10.64.152.5\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/kafka/cfssl.conf]", "content": "--- /etc/cfssl/signers/kafka/cfssl.conf.orig\n+++ /etc/cfssl/signers/kafka/cfssl.conf\n@@ -1,75 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/kafka\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/kafka\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"kafka_11\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/kafka/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/kafka/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_etcd\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"c834f873297e445663ead81279c0b928\" --timeout 10 --check-command \"check_check_certificate_expiry_etcd\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_etcd command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Exec[unmask_nftables.service]", "parameters": "--- Exec[unmask_nftables.service].orig\n+++ Exec[unmask_nftables.service]\n\n+    onlyif      => /bin/readlink -f /etc/systemd/system/nftables.service | grep -q /dev/null\n+    refreshonly => False\n+    command     => /bin/systemctl unmask nftables.service\n"}, {"resource": "Cfssl::Signer[debmonitor]", "parameters": "--- Cfssl::Signer[debmonitor].orig\n+++ Cfssl::Signer[debmonitor]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\nAAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\nM+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\nWgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\nBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\nTrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\nEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\ndmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\nHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\nbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\nXIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\ny9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\nEknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n-----END CERTIFICATE-----\n-    ca_file          => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/debmonitor\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/debmonitor\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: zuul\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__zuul\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"373325faaa689f3e9b058d91d4eb6cdb\",check_name=\"check_check_certificate_expiry_zuul\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: zuul\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_zuul))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_aux\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[Generate initial CRL for mlserve_front_proxy]", "parameters": "--- Exec[Generate initial CRL for mlserve_front_proxy].orig\n+++ Exec[Generate initial CRL for mlserve_front_proxy]\n\n-    creates => /srv/cfssl/crl/mlserve_front_proxy\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_front_proxy\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[MLSERVE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.67.16.0/21', '2620:0:861:300::/64', '10.194.16.0/21', '2620:0:860:300::/64']\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_staging\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_staging/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Service[cfssl-ocsprefresh-discovery2026]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\n-IwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n-33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\n-SrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\n-AQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\n-FMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\n-kdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\n-aXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\n-BgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\n-V2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\n-XFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\n-RSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n-/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca]", "parameters": "--- File[/etc/cfssl/signers/zuul/ca].orig\n+++ File[/etc/cfssl/signers/zuul/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve\n-\n-/var/log/cfssl-ocsprefresh-mlserve/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Timer[wmf_auto_restart_apache2].orig\n+++ Systemd::Timer[wmf_auto_restart_apache2]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => wmf_auto_restart_apache2.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00'}]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca]", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-syslog]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[STAGING_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[STAGING_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.64.64.0/21', '2620:0:861:babe::/64', '10.192.64.0/21', '2620:0:860:babe::/64']\n+    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_puppet_rsa].orig\n+++ Nrpe::Check[check_check_certificate_expiry_puppet_rsa]\n\n-    before    => Monitoring::Service[check_certificate_expiry_puppet_rsa]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cassandra/ca/cassandra.pem --responses-file /etc/cfssl/ocsp/cassandra.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cassandra' cassandra \n-    description               => OCSP Refresh job - cassandra\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Nftables::File[base]", "parameters": "--- Nftables::File[base].orig\n+++ Nftables::File[base]\n\n+    order  => 100\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/cfssl/ocsp/etcd.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/etcd.ocsp].orig\n+++ File[/etc/cfssl/ocsp/etcd.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-discovery2026\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-discovery2026/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[discovery2026]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[discovery2026].orig\n+++ Profile::Pki::Multirootca::Monitoring[discovery2026]\n\n-    ca_file      => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => discovery2026\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@aux]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@aux].orig\n+++ Systemd::Unit[cfssl-ocspserve@aux]\n\n-    unit              => cfssl-ocspserve@aux\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-syslog.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-syslog.service]\n\n-    unit              => cfssl-ocsprefresh-syslog.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-aux-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@syslog]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@syslog].orig\n+++ Systemd::Unit[cfssl-ocspserve@syslog]\n\n-    unit              => cfssl-ocspserve@syslog\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/main.nft]", "parameters": "--- File[/etc/nftables/main.nft].orig\n+++ File[/etc/nftables/main.nft]\n\n+    notify  => Service[nftables]\n+    owner   => root\n+    ensure  => present\n+    group   => root\n+    source  => puppet:///modules/nftables/main.nft\n+    require => File[/etc/nftables]\n"}, {"resource": "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "content": "--- /etc/nftables/sets/INTERNAL_ipv4.nft.orig\n+++ /etc/nftables/sets/INTERNAL_ipv4.nft\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet\n+set INTERNAL_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.0.0.0/8\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/INTERNAL_ipv4.nft].orig\n+++ File[/etc/nftables/sets/INTERNAL_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/apache2/sites-enabled/00-dummy.conf]", "parameters": "--- File[/etc/apache2/sites-enabled/00-dummy.conf].orig\n+++ File[/etc/apache2/sites-enabled/00-dummy.conf]\n\n-    target => /etc/apache2/sites-available/00-dummy.conf\n-    owner  => root\n-    notify => Service[apache2]\n-    group  => root\n-    ensure => link\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Class[Cfssl::Multirootca]", "parameters": "--- Class[Cfssl::Multirootca].orig\n+++ Class[Cfssl::Multirootca]\n\n-    monitoring_critical => True\n-    enable_monitoring   => True\n-    host                => 127.0.0.1\n-    port                => 8888\n-    ensure              => present\n-    signers             => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery': {'private': '/etc/cfssl/signers/discovery/ca/discovery-key.pem', 'certificate': '/etc/cfssl/signers/discovery/ca/discovery.pem', 'config': '/etc/cfssl/signers/discovery/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache2.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache2.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Auto restart job: apache2\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/wmf-auto-restart -s apache2", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache2.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache2.service]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@etcd]']\n"}, {"resource": "Nftables::Set[INTERNAL]", "parameters": "--- Nftables::Set[INTERNAL].orig\n+++ Nftables::Set[INTERNAL]\n\n+    hosts  => ['10.0.0.0/8', '2620:0:860:100::/56', '2620:0:861:100::/56', '2620:0:863:100::/56', '2a02:ec80:300:100::/56', '2a02:ec80:600:100::/56', '2a02:ec80:700:100::/56', '2001:df2:e500:100::/56', '2a02:ec80:ff00:100::/56']\n+    ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_kafka].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_kafka]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Service[cfssl-ocsprefresh-dse]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-dse.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Cfssl::Signer[mlserve_front_proxy]", "parameters": "--- Cfssl::Signer[mlserve_front_proxy].orig\n+++ Cfssl::Signer[mlserve_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\ngTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\nBgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\nh6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\no4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\nVR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\nL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\ndF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\ndC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\nMIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\nlFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\nEM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@cloud_wmnet_ca]']\n"}, {"resource": "Httpd::Conf[dummy]", "parameters": "--- Httpd::Conf[dummy].orig\n+++ Httpd::Conf[dummy]\n\n-    priority  => 0\n-    conf_type => sites\n-    source    => puppet:///modules/httpd/dummy.conf\n-    ensure    => present\n"}, {"resource": "File[/etc/update-motd.d/05-pki--multirootca]", "content": "--- /etc/update-motd.d/05-pki--multirootca.orig\n+++ /etc/update-motd.d/05-pki--multirootca\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"pki1001 is a PKI server (pki::multirootca)\"", "parameters": "--- File[/etc/update-motd.d/05-pki--multirootca].orig\n+++ File[/etc/update-motd.d/05-pki--multirootca]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[network_devices]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[network_devices].orig\n+++ Profile::Pki::Multirootca::Monitoring[network_devices]\n\n-    ca_file      => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => network_devices\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nftables::Set[LINK_LOCAL]", "parameters": "--- Nftables::Set[LINK_LOCAL].orig\n+++ Nftables::Set[LINK_LOCAL]\n\n+    hosts  => ['169.254.0.0/16', 'fe80::/10']\n+    ensure => present\n"}, {"resource": "File[/etc/apache2/env-enabled]", "parameters": "--- File[/etc/apache2/env-enabled].orig\n+++ File[/etc/apache2/env-enabled]\n\n-    owner   => root\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n-    recurse => True\n-    purge   => True\n-    notify  => Service[apache2]\n-    ensure  => directory\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - dse_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --responses-file /etc/cfssl/ocsp/dse_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse_front_proxy' dse_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"4d759acaf0fd7dd3abaa03dc4565aef6\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set AUX_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:305::/64,\n+             2620:0:860:305::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_tcp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_tcp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_tcp]\n\n-    unrestricted_access => False\n-    port_range          => [1, 65535]\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-network_devices-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_dse command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_dse\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"4384c5ebc49e03dbe331e279fac3f393\" --timeout 10 --check-command \"check_check_certificate_expiry_dse\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set INSTALL_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 208.80.154.134,\n+             208.80.153.70,\n+             185.15.59.101,\n+             198.35.26.98,\n+             103.102.166.11,\n+             185.15.58.7,\n+             195.200.68.100\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_staging].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"mlserve_staging\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0"}, {"resource": "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/discovery2026.ocsp].orig\n+++ File[/etc/cfssl/ocsp/discovery2026.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_etcd]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_etcd].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_etcd]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"etcd\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/apache2/conf-enabled/50-server-status.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/50-server-status.conf].orig\n+++ File[/etc/apache2/conf-enabled/50-server-status.conf]\n\n-    target => /etc/apache2/conf-available/50-server-status.conf\n-    owner  => root\n-    notify => Service[apache2]\n-    group  => root\n-    ensure => link\n"}, {"resource": "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "parameters": "--- File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf].orig\n+++ File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]\n\n-    target => /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n-    owner  => root\n-    notify => Service[apache2]\n-    group  => root\n-    ensure => link\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_kafka!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: kafka\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-syslog.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-syslog.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - syslog\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/syslog/ca/syslog.pem --responses-file /etc/cfssl/ocsp/syslog.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@syslog' syslog ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@debmonitor]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@debmonitor].orig\n+++ Systemd::Unit[cfssl-ocspserve@debmonitor]\n\n-    unit              => cfssl-ocspserve@debmonitor\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[apache2_test_config_and_restart]", "parameters": "--- Exec[apache2_test_config_and_restart].orig\n+++ Exec[apache2_test_config_and_restart]\n\n-    onlyif      => /usr/sbin/apache2ctl configtest\n-    before      => Service[apache2]\n-    refreshonly => True\n-    command     => /usr/sbin/service apache2 restart\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-aux.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n"}, {"resource": "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf].orig\n+++ File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]\n\n-    target => /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf\n-    owner  => root\n-    notify => Service[apache2]\n-    group  => root\n-    ensure => link\n"}, {"resource": "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "parameters": "--- Nrpe::Monitor_service[check_cfssl-multirootca_status].orig\n+++ Nrpe::Monitor_service[check_cfssl-multirootca_status]\n\n-    contact_group               => admins\n-    nrpe_command                => /usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => True\n-    description                 => Check unit status of cfssl-multirootca\n-    retries                     => 2\n-    check_interval              => 10\n-    migration_task              => T350694\n-    timeout                     => 10\n-    ensure                      => present\n-    retry_interval              => 1\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-discovery2026]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-discovery2026.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[puppet_rsa].orig\n+++ Profile::Pki::Multirootca::Monitoring[puppet_rsa]\n\n-    ca_file      => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => puppet_rsa\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_zuul\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-zuul.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-zuul\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-zuul\n-\n-/var/log/cfssl-ocsprefresh-zuul/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-zuul].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Motd::Message[insetup::infrastructure_foundations_nftables]", "parameters": "--- Motd::Message[insetup::infrastructure_foundations_nftables].orig\n+++ Motd::Message[insetup::infrastructure_foundations_nftables]\n\n+    priority => 5\n+    message  => pki1001 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)\n+    ensure   => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: cassandra\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__cassandra\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f5e260f525c48c963fb2e6c86a0d5d63\",check_name=\"check_check_certificate_expiry_cassandra\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: cassandra\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_cassandra))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "parameters": "--- Nftables::Set[ZOOKEEPER_HOSTS_MAIN].orig\n+++ Nftables::Set[ZOOKEEPER_HOSTS_MAIN]\n\n+    hosts  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']\n+    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"9d6dd05c8e5e1bb294462d932b24bd1a\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Ocsp[cassandra]", "parameters": "--- Cfssl::Ocsp[cassandra].orig\n+++ Cfssl::Ocsp[cassandra]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10006\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse.service]\n\n-    unit              => cfssl-ocsprefresh-dse.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Service[cfssl-ocsprefresh-aux]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-aux.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File_line[auto_restart_file_presence_ulogd2]", "parameters": "--- File_line[auto_restart_file_presence_ulogd2].orig\n+++ File_line[auto_restart_file_presence_ulogd2]\n\n-    path    => /etc/debdeploy-client/autorestarts.conf\n-    line    => ulogd2\n-    ensure  => present\n-    require => File[/etc/debdeploy-client/autorestarts.conf]\n"}, {"resource": "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-kafka].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-kafka]\n\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-kafka\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-kafka/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_discovery.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Service[nftables]", "parameters": "--- Service[nftables].orig\n+++ Service[nftables]\n\n+    hasrestart => True\n+    enable     => True\n+    ensure     => running\n+    restart    => /usr/bin/systemctl reload nftables\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[cassandra]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[cassandra].orig\n+++ Profile::Pki::Multirootca::Monitoring[cassandra]\n\n-    ca_file      => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => cassandra\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"38e4dbcfd07ed60daf5bb89397abbe29\",check_name=\"check_check_certificate_expiry_discovery\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_network_devices.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_network_devices.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - aux_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --responses-file /etc/cfssl/ocsp/aux_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux_front_proxy' aux_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor]", "parameters": "--- File[/etc/cfssl/signers/debmonitor].orig\n+++ File[/etc/cfssl/signers/debmonitor]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_etcd].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_etcd]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set STAGING_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.64.64.0/21,\n+             10.192.64.0/21\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-aux_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-aux_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa]", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa].orig\n+++ File[/etc/cfssl/signers/puppet_rsa]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n\n-    owner  => root\n-    source => puppet:///modules/profile/pki/intermediates/puppet_rsa-cert.pem\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]\n\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n-    subscribe   => File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n-    notify      => ['Service[apache2]']\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n"}, {"resource": "Ferm::Rule[log-everything]", "parameters": "--- Ferm::Rule[log-everything].orig\n+++ Ferm::Rule[log-everything]\n\n-    table  => filter\n-    chain  => INPUT\n-    ensure => present\n-    domain => (ip ip6)\n-    prio   => 98\n-    desc   => \n-    rule   => NFLOG mod limit limit 1/second limit-burst 5 nflog-prefix \"[fw-in-drop]\";\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/syslog]", "parameters": "--- File[/etc/cfssl/signers/syslog].orig\n+++ File[/etc/cfssl/signers/syslog]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set MLSERVE_KUBEPODS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:300::/64,\n+             2620:0:860:300::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft\n@@ -0,0 +1,20 @@\n+# Autogenerated by puppet\n+set CLOUD_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2a02:ec80:a000:100::/64,\n+             2a02:ec80:a000:1::/64,\n+             2a02:ec80:a000:201::/64,\n+             2a02:ec80:a000:202::/64,\n+             2a02:ec80:a000:203::/64,\n+             2a02:ec80:a000:204::/64,\n+             2a02:ec80:a000:2ff::/64,\n+             2a02:ec80:a000:4000::/64,\n+             2a02:ec80:a100:100::/64,\n+             2a02:ec80:a100:1::/64,\n+             2a02:ec80:a100:205::/64,\n+             2a02:ec80:a100:2ff::/64,\n+             2a02:ec80:a100:4000::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@dse.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@dse.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (dse)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20061 \\\n-          -responses /etc/cfssl/ocsp/dse.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@dse.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@dse.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-mlserve.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve]\n\n-    unit              => cfssl-ocspserve@mlserve\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_debmonitor]", "parameters": "--- Sudo::User[nrpe_certificate_check_debmonitor].orig\n+++ Sudo::User[nrpe_certificate_check_debmonitor]\n\n-    user       => nrpe_certificate_check_debmonitor\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_JUMBO]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_JUMBO].orig\n+++ Nftables::Set[KAFKA_BROKERS_JUMBO]\n\n+    hosts  => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']\n+    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"d2a76a31e44e204e2d4788a2698d0e6c\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/cfssl/ocsp/zuul.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/zuul.ocsp].orig\n+++ File[/etc/cfssl/ocsp/zuul.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_discovery2026].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_discovery2026]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"discovery2026\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-etcd.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-etcd.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - etcd\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/etcd/ca/etcd.pem --responses-file /etc/cfssl/ocsp/etcd.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@etcd' etcd ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Package[ulogd2]", "parameters": "--- Package[ulogd2].orig\n+++ Package[ulogd2]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => syslog\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-syslog]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@syslog]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_staging].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"wikikube_staging\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux.service]\n\n-    unit              => cfssl-ocsprefresh-aux.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-aux]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-aux].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-aux]\n\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-aux].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-aux]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-aux]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_kafka.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@discovery].orig\n+++ Systemd::Unit[cfssl-ocspserve@discovery]\n\n-    unit              => cfssl-ocspserve@discovery\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/kafka]", "parameters": "--- File[/etc/cfssl/signers/kafka].orig\n+++ File[/etc/cfssl/signers/kafka]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "content": "--- /etc/cfssl/signers/cassandra/ca/cassandra-key.pem.orig\n+++ /etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem].orig\n+++ File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-aux_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => zuul\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-zuul]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@zuul]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Service[cfssl-ocspserve@aux]", "parameters": "--- Service[cfssl-ocspserve@aux].orig\n+++ Service[cfssl-ocspserve@aux]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Class[Profile::Puppet::Agent]", "parameters": "--- Class[Profile::Puppet::Agent].orig\n+++ Class[Profile::Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "File[/etc/nftables/sets/CACHES_ipv6.nft]", "content": "--- /etc/nftables/sets/CACHES_ipv6.nft.orig\n+++ /etc/nftables/sets/CACHES_ipv6.nft\n@@ -0,0 +1,117 @@\n+# Autogenerated by puppet\n+set CACHES_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:101:10:64:0:79,\n+             2620:0:861:101:10:64:0:229,\n+             2620:0:861:101:10:64:0:14,\n+             2620:0:861:101:10:64:0:51,\n+             2620:0:861:102:10:64:16:241,\n+             2620:0:861:102:10:64:16:94,\n+             2620:0:861:102:10:64:16:95,\n+             2620:0:861:102:10:64:16:240,\n+             2620:0:861:103:10:64:32:14,\n+             2620:0:861:103:10:64:32:60,\n+             2620:0:861:103:10:64:32:15,\n+             2620:0:861:103:10:64:32:65,\n+             2620:0:861:107:10:64:48:16,\n+             2620:0:861:107:10:64:48:41,\n+             2620:0:861:107:10:64:48:27,\n+             2620:0:861:107:10:64:48:28,\n+             2620:0:860:113:10:192:23:26,\n+             2620:0:860:107:10:192:6:20,\n+             2620:0:860:10d:10:192:12:35,\n+             2620:0:860:10f:10:192:14:25,\n+             2620:0:860:100:10:192:4:22,\n+             2620:0:860:116:10:192:29:26,\n+             2620:0:860:119:10:192:30:29,\n+             2620:0:860:11b:10:192:36:19,\n+             2620:0:860:11f:10:192:40:25,\n+             2620:0:860:120:10:192:41:21,\n+             2620:0:860:12b:10:192:56:3,\n+             2620:0:860:12b:10:192:56:4,\n+             2620:0:860:12c:10:192:57:3,\n+             2620:0:860:12d:10:192:58:2,\n+             2620:0:860:12d:10:192:58:3,\n+             2620:0:860:12e:10:192:59:2,\n+             2a02:ec80:300:101:10:80:0:14,\n+             2a02:ec80:300:102:10:80:1:11,\n+             2a02:ec80:300:101:10:80:0:13,\n+             2a02:ec80:300:102:10:80:1:9,\n+             2a02:ec80:300:101:10:80:0:12,\n+             2a02:ec80:300:102:10:80:1:7,\n+             2a02:ec80:300:101:10:80:0:11,\n+             2a02:ec80:300:102:10:80:1:6,\n+             2a02:ec80:300:101:10:80:0:10,\n+             2a02:ec80:300:102:10:80:1:5,\n+             2a02:ec80:300:101:10:80:0:8,\n+             2a02:ec80:300:102:10:80:1:4,\n+             2a02:ec80:300:101:10:80:0:7,\n+             2a02:ec80:300:102:10:80:1:3,\n+             2a02:ec80:300:101:10:80:0:6,\n+             2a02:ec80:300:102:10:80:1:2,\n+             2620:0:863:101:10:128:0:19,\n+             2620:0:863:101:10:128:0:27,\n+             2620:0:863:101:10:128:0:22,\n+             2620:0:863:101:10:128:0:28,\n+             2620:0:863:101:10:128:0:25,\n+             2620:0:863:101:10:128:0:29,\n+             2620:0:863:101:10:128:0:26,\n+             2620:0:863:101:10:128:0:31,\n+             2620:0:863:101:10:128:0:14,\n+             2620:0:863:101:10:128:0:35,\n+             2620:0:863:101:10:128:0:21,\n+             2620:0:863:101:10:128:0:36,\n+             2620:0:863:101:10:128:0:24,\n+             2620:0:863:101:10:128:0:10,\n+             2620:0:863:101:10:128:0:37,\n+             2620:0:863:101:10:128:0:12,\n+             2001:df2:e500:101:10:132:0:17,\n+             2001:df2:e500:101:10:132:0:18,\n+             2001:df2:e500:101:10:132:0:19,\n+             2001:df2:e500:101:10:132:0:24,\n+             2001:df2:e500:101:10:132:0:29,\n+             2001:df2:e500:101:10:132:0:30,\n+             2001:df2:e500:101:10:132:0:34,\n+             2001:df2:e500:101:10:132:0:35,\n+             2001:df2:e500:101:10:132:0:36,\n+             2001:df2:e500:101:10:132:0:37,\n+             2001:df2:e500:101:10:132:0:38,\n+             2001:df2:e500:101:10:132:0:25,\n+             2001:df2:e500:101:10:132:0:26,\n+             2001:df2:e500:101:10:132:0:27,\n+             2001:df2:e500:101:10:132:0:28,\n+             2001:df2:e500:101:10:132:0:16,\n+             2a02:ec80:600:101:10:136:0:6,\n+             2a02:ec80:600:102:10:136:1:6,\n+             2a02:ec80:600:101:10:136:0:7,\n+             2a02:ec80:600:102:10:136:1:7,\n+             2a02:ec80:600:101:10:136:0:8,\n+             2a02:ec80:600:102:10:136:1:8,\n+             2a02:ec80:600:101:10:136:0:9,\n+             2a02:ec80:600:102:10:136:1:9,\n+             2a02:ec80:600:101:10:136:0:10,\n+             2a02:ec80:600:102:10:136:1:10,\n+             2a02:ec80:600:101:10:136:0:11,\n+             2a02:ec80:600:102:10:136:1:11,\n+             2a02:ec80:600:101:10:136:0:12,\n+             2a02:ec80:600:102:10:136:1:12,\n+             2a02:ec80:600:101:10:136:0:13,\n+             2a02:ec80:600:102:10:136:1:13,\n+             2a02:ec80:700:101:10:140:0:3,\n+             2a02:ec80:700:102:10:140:1:4,\n+             2a02:ec80:700:101:10:140:0:4,\n+             2a02:ec80:700:102:10:140:1:5,\n+             2a02:ec80:700:101:10:140:0:5,\n+             2a02:ec80:700:102:10:140:1:6,\n+             2a02:ec80:700:101:10:140:0:6,\n+             2a02:ec80:700:102:10:140:1:7,\n+             2a02:ec80:700:101:10:140:0:7,\n+             2a02:ec80:700:102:10:140:1:8,\n+             2a02:ec80:700:101:10:140:0:8,\n+             2a02:ec80:700:102:10:140:1:9,\n+             2a02:ec80:700:101:10:140:0:9,\n+             2a02:ec80:700:102:10:140:1:10,\n+             2a02:ec80:700:101:10:140:0:10,\n+             2a02:ec80:700:102:10:140:1:11\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CACHES_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CACHES_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_aux].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_aux]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-syslog]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-syslog].orig\n+++ File[/var/log/cfssl-ocsprefresh-syslog]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_network_devices\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/nftables/forward]", "parameters": "--- File[/etc/nftables/forward].orig\n+++ File[/etc/nftables/forward]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    before    => Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_staging.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_staging)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20040 \\\n-          -responses /etc/cfssl/ocsp/mlserve_staging.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set DSE_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.67.24.0/21,\n+             10.192.96.0/21\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_aux]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_aux].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_aux]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"aux\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/lib/systemd/system/cfssl-multirootca.service]", "content": "--- /lib/systemd/system/cfssl-multirootca.service.orig\n+++ /lib/systemd/system/cfssl-multirootca.service\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL MultiRootCA\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/blob/master/doc/cmd/multiroot.txt\n-\n-[Service]\n-ExecStart=/usr/bin/multirootca \\\n-          -a \"127.0.0.1:8888\" \\\n-          -roots /etc/cfssl/multiroot.conf \n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-multirootca.service].orig\n+++ File[/lib/systemd/system/cfssl-multirootca.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft\n@@ -0,0 +1,15 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_MAIN_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:860:106:10:192:5:9,\n+             2620:0:860:112:10:192:22:6,\n+             2620:0:860:103:10:192:32:4,\n+             2620:0:860:104:10:192:48:33,\n+             2620:0:860:104:10:192:48:35,\n+             2620:0:861:101:10:64:0:101,\n+             2620:0:861:102:10:64:16:30,\n+             2620:0:861:103:10:64:32:45,\n+             2620:0:861:107:10:64:48:37,\n+             2620:0:861:120:10:64:152:5\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-kafka-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_dse_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_dse_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"2560f4f577ba169af651cf96bd5dc1ba\" --timeout 10 --check-command \"check_check_certificate_expiry_dse_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[AUX_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[AUX_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.67.80.0/21', '2620:0:861:305::/64', '10.194.80.0/21', '2620:0:860:305::/64']\n+    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_aux]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_aux].orig\n+++ Nrpe::Check[check_check_certificate_expiry_aux]\n\n-    before    => Monitoring::Service[check_certificate_expiry_aux]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "content": "--- /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr.orig\n+++ /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr\n@@ -1,14 +0,0 @@\n-{\n-  \"CN\": \"pki.discovery.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\",\n-    \"pki.discovery.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[DSE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[DSE_KUBEPODS_NETWORKS]\n\n+    hosts  => ['10.67.24.0/21', '2620:0:861:302::/64', '10.192.96.0/21', '2620:0:860:308::/64']\n+    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft\n@@ -0,0 +1,10 @@\n+# Autogenerated by puppet\n+set DRUID_PUBLIC_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.131.9,\n+             10.64.132.12,\n+             10.64.135.9,\n+             10.64.32.101,\n+             10.64.48.185\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@zuul]", "parameters": "--- Systemd::Service[cfssl-ocspserve@zuul].orig\n+++ Systemd::Service[cfssl-ocspserve@zuul]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    ensure => present\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[apache-htcacheclean]", "parameters": "--- Service[apache-htcacheclean].orig\n+++ Service[apache-htcacheclean]\n\n-    enable => False\n-    ensure => stopped\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_staging\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --responses-file /etc/cfssl/ocsp/wikikube_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging' wikikube_staging ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/apache2/sites-available/00-dummy.conf]", "parameters": "--- File[/etc/apache2/sites-available/00-dummy.conf].orig\n+++ File[/etc/apache2/sites-available/00-dummy.conf]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    source => puppet:///modules/httpd/dummy.conf\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => wikikube_staging_front_proxy\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "parameters": "--- File[/etc/cfssl/signers/dse/ca/dse-key.pem].orig\n+++ File[/etc/cfssl/signers/dse/ca/dse-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-wikikube_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n"}, {"resource": "Httpd::Site[dummy]", "parameters": "--- Httpd::Site[dummy].orig\n+++ Httpd::Site[dummy]\n\n-    priority => 0\n-    source   => puppet:///modules/httpd/dummy.conf\n-    ensure   => present\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "content": "--- /etc/cfssl/signers/etcd/ca/etcd-key.pem.orig\n+++ /etc/cfssl/signers/etcd/ca/etcd-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/etcd/ca/etcd-key.pem].orig\n+++ File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_syslog].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_syslog]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: syslog\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_dse_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[update_alternative_iptables]", "parameters": "--- Exec[update_alternative_iptables].orig\n+++ Exec[update_alternative_iptables]\n\n-    command => /usr/bin/update-alternatives --force --set iptables /usr/sbin/iptables-legacy\n-    unless  => /usr/bin/update-alternatives --query iptables | /bin/grep 'Value: /usr/sbin/iptables-legacy'\n"}, {"resource": "Systemd::Syslog[ulogd]", "parameters": "--- Systemd::Syslog[ulogd].orig\n+++ Systemd::Syslog[ulogd]\n\n-    force_stop             => True\n-    readable_by            => user\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    accuracy           => 15sec\n-    splay              => 300\n-    unit_name          => nrpe2nodexp-check_cfssl-multirootca_status.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@discovery2026]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@discovery2026].orig\n+++ Systemd::Unit[cfssl-ocspserve@discovery2026]\n\n-    unit              => cfssl-ocspserve@discovery2026\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe_certificate_check_discovery]", "parameters": "--- Sudo::User[nrpe_certificate_check_discovery].orig\n+++ Sudo::User[nrpe_certificate_check_discovery]\n\n-    user       => nrpe_certificate_check_discovery\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/srv/cfssl/bundles/cassandra.pem]", "content": "--- /srv/cfssl/bundles/cassandra.pem.orig\n+++ /srv/cfssl/bundles/cassandra.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\n-zjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\n-CA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\n-eyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n-+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\n-D2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\n-B6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/cassandra.pem].orig\n+++ File[/srv/cfssl/bundles/cassandra.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_staging_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging_front_proxy' wikikube_staging_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/dse/cfssl.conf]", "content": "--- /etc/cfssl/signers/dse/cfssl.conf.orig\n+++ /etc/cfssl/signers/dse/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/dse\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/dse\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/dse/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/dse/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_staging].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_staging]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@network_devices]", "parameters": "--- Systemd::Service[cfssl-ocspserve@network_devices].orig\n+++ Systemd::Service[cfssl-ocspserve@network_devices]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]\n\n-    unit              => cfssl-ocsprefresh-mlserve_staging.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "content": "--- /etc/cfssl/signers/network_devices/ca/network_devices.pem.orig\n+++ /etc/cfssl/signers/network_devices/ca/network_devices.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\n-QlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\n-WNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-ARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\n-mzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\n-tF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca/network_devices.pem].orig\n+++ File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "content": "--- /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem.orig\n+++ /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n@@ -1,30 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n-MIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\n-lbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\n-Xutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\n-z/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\n-i16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\n-FBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\n-BnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\n-AJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\n-mXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\n-Rn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\n-GGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\n-AQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\n-DgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\n-vzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\n-a2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\n-Q0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\n-Y3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\n-hwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n-9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\n-xTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_staging-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_staging].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_staging]\n\n-    ca_file      => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => mlserve_staging\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    unit              => cfssl-ocspserve@wikikube_staging_front_proxy\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_network_devices].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_network_devices]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@dse_front_proxy].orig\n+++ Service[cfssl-ocspserve@dse_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-mlserve_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Service[cfssl-ocspserve@wikikube_staging].orig\n+++ Service[cfssl-ocspserve@wikikube_staging]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of wmf_auto_restart_apache-htcacheclean.service\n-\n-[Timer]\n-Unit=wmf_auto_restart_apache-htcacheclean.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]\n\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-dse-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => mlserve_front_proxy\n"}, {"resource": "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_zuul.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_zuul.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-dse_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Cfssl::Ocsp[debmonitor]", "parameters": "--- Cfssl::Ocsp[debmonitor].orig\n+++ Cfssl::Ocsp[debmonitor]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10001\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Sudo::User[nrpe_certificate_check_kafka]", "parameters": "--- Sudo::User[nrpe_certificate_check_kafka].orig\n+++ Sudo::User[nrpe_certificate_check_kafka]\n\n-    user       => nrpe_certificate_check_kafka\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Cfssl::Signer[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Signer[wikikube_staging_front_proxy].orig\n+++ Cfssl::Signer[wikikube_staging_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\nijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\nBgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\nFR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\nj87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\ndC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\nAf8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\nFDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\nAYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\nZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\ndmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\nzj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\nE6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n/3y5tw==\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 72h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => test\n\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft\n@@ -0,0 +1,10 @@\n+# Autogenerated by puppet\n+set DRUID_PUBLIC_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:10a:10:64:131:9,\n+             2620:0:861:10b:10:64:132:12,\n+             2620:0:861:10e:10:64:135:9,\n+             2620:0:861:103:10:64:32:101,\n+             2620:0:861:107:10:64:48:185\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_debmonitor].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-network_devices].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-network_devices]\n\n-    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_staging\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --responses-file /etc/cfssl/ocsp/mlserve_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging' mlserve_staging ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "parameters": "--- Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-zuul\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-zuul/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Cfssl::Config[network_devices]", "parameters": "--- Cfssl::Config[network_devices].orig\n+++ Cfssl::Config[network_devices]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/network_devices\n-    path                => /etc/cfssl/signers/network_devices/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 8760h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/network_devices\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery2026.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache2.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache2.service].orig\n+++ Systemd::Unit[wmf_auto_restart_apache2.service]\n\n-    unit              => wmf_auto_restart_apache2.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp].orig\n+++ File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "content": "--- /etc/cfssl/signers/aux/ca/aux-key.pem.orig\n+++ /etc/cfssl/signers/aux/ca/aux-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/aux/ca/aux-key.pem].orig\n+++ File[/etc/cfssl/signers/aux/ca/aux-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Nftables::Set[ANALYTICS_NETWORKS]", "parameters": "--- Nftables::Set[ANALYTICS_NETWORKS].orig\n+++ Nftables::Set[ANALYTICS_NETWORKS]\n\n+    hosts  => ['10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.153.0/24', '10.64.155.0/24', '10.64.157.0/24', '10.64.159.0/24', '10.64.161.0/24', '10.64.163.0/24', '10.64.165.0/24', '10.64.167.0/24', '10.64.170.0/24', '10.64.172.0/24', '10.64.174.0/24', '10.64.176.0/24', '10.64.178.0/24', '10.64.180.0/24', '10.64.182.0/24', '10.64.184.0/24', '10.64.186.0/24', '10.64.188.0/24', '10.64.190.0/24', '10.64.21.0/24', '10.64.36.0/24', '10.64.5.0/24', '10.64.53.0/24', '2620:0:861:100::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:108::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:11a::/64', '2620:0:861:121::/64', '2620:0:861:123::/64', '2620:0:861:125::/64', '2620:0:861:127::/64', '2620:0:861:129::/64', '2620:0:861:12b::/64', '2620:0:861:12d::/64', '2620:0:861:12f::/64', '2620:0:861:132::/64', '2620:0:861:134::/64', '2620:0:861:136::/64', '2620:0:861:138::/64', '2620:0:861:13a::/64', '2620:0:861:13c::/64', '2620:0:861:13e::/64', '2620:0:861:141::/64', '2620:0:861:143::/64', '2620:0:861:145::/64']\n+    ensure => present\n"}, {"resource": "Systemd::Service[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Service[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Service[wmf_auto_restart_ulogd2]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[wmf_auto_restart_ulogd2.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_aux!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: aux\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_staging\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"7cff186656c3cabbca85b5b57d0c8679\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Sudo::User[nrpe_certificate_check_etcd]", "parameters": "--- Sudo::User[nrpe_certificate_check_etcd].orig\n+++ Sudo::User[nrpe_certificate_check_etcd]\n\n-    user       => nrpe_certificate_check_etcd\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Nftables::Set[MONITORING_HOSTS]", "parameters": "--- Nftables::Set[MONITORING_HOSTS].orig\n+++ Nftables::Set[MONITORING_HOSTS]\n\n+    hosts  => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "content": "--- /etc/cfssl/signers/mlserve/ca/mlserve-key.pem.orig\n+++ /etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cassandra.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cassandra.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - cassandra\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cassandra/ca/cassandra.pem --responses-file /etc/cfssl/ocsp/cassandra.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cassandra' cassandra ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    unit              => cfssl-ocsprefresh-dse_front_proxy.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-udp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-udp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-udp]\n\n+    unrestricted_access => False\n+    port_range          => [1, 65535]\n+    prio                => 10\n+    desc                => \n+    proto               => udp\n+    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n+    notrack             => False\n+    ensure              => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\n-\n-/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_staging_front_proxy!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Httpd::Conf[server-status]", "parameters": "--- Httpd::Conf[server-status].orig\n+++ Httpd::Conf[server-status]\n\n-    conf_type => conf\n-    ensure    => present\n-    priority  => 50\n-    source    => puppet:///modules/httpd/status.conf\n-    require   => Httpd::Mod_conf[status]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n"}, {"resource": "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "content": "--- /etc/ferm/conf.d/10_multirootca_tls_termination.orig\n+++ /etc/ferm/conf.d/10_multirootca_tls_termination\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 443, $DOMAIN_NETWORKS);\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_multirootca_tls_termination].orig\n+++ File[/etc/ferm/conf.d/10_multirootca_tls_termination]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-etcd-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/mlserve_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/mlserve_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-gTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\n-BgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\n-h6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n-6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\n-o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\n-VR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n-/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\n-L3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\n-dC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\n-MIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\n-lFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\n-EM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: kafka\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__kafka\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"22922fd6bc2d570e018cbe5ccd8d1727\",check_name=\"check_check_certificate_expiry_kafka\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: kafka\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_kafka))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "Systemd::Timer::Job[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Timer::Job[cfssl-gc-expired-certs].orig\n+++ Systemd::Timer::Job[cfssl-gc-expired-certs]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-certs clean\n-    description               => Delete expired Certificates from the cfssl DB\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': 'hourly'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Cfssl::Config[mlserve_front_proxy]", "parameters": "--- Cfssl::Config[mlserve_front_proxy].orig\n+++ Cfssl::Config[mlserve_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\n-    path                => /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_front_proxy\n"}, {"resource": "Nrpe::Plugin[check_systemd_unit_status]", "parameters": "--- Nrpe::Plugin[check_systemd_unit_status].orig\n+++ Nrpe::Plugin[check_systemd_unit_status]\n\n-    source => puppet:///modules/systemd/check_systemd_unit_status\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Exec[ensure_present_mod_ssl]", "parameters": "--- Exec[ensure_present_mod_ssl].orig\n+++ Exec[ensure_present_mod_ssl]\n\n-    creates => /etc/apache2/mods-enabled/ssl.load\n-    command => /usr/sbin/a2enmod ssl\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_aux command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_aux\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f7dfe9e2cd77303dfae7ae11c5c56d90\" --timeout 10 --check-command \"check_check_certificate_expiry_aux\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/ferm/conf.d/98_log-everything]", "content": "--- /etc/ferm/conf.d/98_log-everything.orig\n+++ /etc/ferm/conf.d/98_log-everything\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 98_log-everything: \n-\n-domain (ip ip6) {\n-\ttable filter {\n-\t\tchain INPUT {\n-\t\t\tNFLOG mod limit limit 1/second limit-burst 5 nflog-prefix \"[fw-in-drop]\";\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/98_log-everything].orig\n+++ File[/etc/ferm/conf.d/98_log-everything]\n\n-    tag     => ferm\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n"}, {"resource": "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => kafka\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-kafka]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@kafka]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft\n@@ -0,0 +1,38 @@\n+# Autogenerated by puppet\n+set ANALYTICS_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2620:0:861:100::/64,\n+             2620:0:861:104::/64,\n+             2620:0:861:105::/64,\n+             2620:0:861:106::/64,\n+             2620:0:861:108::/64,\n+             2620:0:861:110::/64,\n+             2620:0:861:111::/64,\n+             2620:0:861:112::/64,\n+             2620:0:861:114::/64,\n+             2620:0:861:115::/64,\n+             2620:0:861:116::/64,\n+             2620:0:861:117::/64,\n+             2620:0:861:11a::/64,\n+             2620:0:861:121::/64,\n+             2620:0:861:123::/64,\n+             2620:0:861:125::/64,\n+             2620:0:861:127::/64,\n+             2620:0:861:129::/64,\n+             2620:0:861:12b::/64,\n+             2620:0:861:12d::/64,\n+             2620:0:861:12f::/64,\n+             2620:0:861:132::/64,\n+             2620:0:861:134::/64,\n+             2620:0:861:136::/64,\n+             2620:0:861:138::/64,\n+             2620:0:861:13a::/64,\n+             2620:0:861:13c::/64,\n+             2620:0:861:13e::/64,\n+             2620:0:861:141::/64,\n+             2620:0:861:143::/64,\n+             2620:0:861:145::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-discovery2026-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_dse_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/etcd]", "parameters": "--- File[/etc/cfssl/signers/etcd].orig\n+++ File[/etc/cfssl/signers/etcd]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Ocsp[network_devices]", "parameters": "--- Cfssl::Ocsp[network_devices].orig\n+++ Cfssl::Ocsp[network_devices]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20063\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/nftables/notrack]", "parameters": "--- File[/etc/nftables/notrack].orig\n+++ File[/etc/nftables/notrack]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "Cfssl::Ocsp[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Ocsp[mlserve_staging_front_proxy].orig\n+++ Cfssl::Ocsp[mlserve_staging_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20041\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Service[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Service[wmf_auto_restart_apache-htcacheclean]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/ocsp/kafka.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/kafka.ocsp].orig\n+++ File[/etc/cfssl/ocsp/kafka.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Exec[Generate initial CRL for aux]", "parameters": "--- Exec[Generate initial CRL for aux].orig\n+++ Exec[Generate initial CRL for aux]\n\n-    creates => /srv/cfssl/crl/aux\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/aux/ca/aux.pem /etc/cfssl/signers/aux/ca/aux-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/aux\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging_front_proxy' mlserve_staging_front_proxy \n-    description               => OCSP Refresh job - mlserve_staging_front_proxy\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Profile::Auto_restarts::Service[ulogd2]", "parameters": "--- Profile::Auto_restarts::Service[ulogd2].orig\n+++ Profile::Auto_restarts::Service[ulogd2]\n\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -0,0 +1,9 @@\n+# Autogenerated by puppet\n+set WIKIKUBE_KUBEPODS_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 10.67.128.0/17,\n+             10.194.128.0/17\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-dse]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse/ca/dse.pem --responses-file /etc/cfssl/ocsp/dse.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse' dse \n-    description               => OCSP Refresh job - dse\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Nftables::Set[CUMIN_MASTERS]", "parameters": "--- Nftables::Set[CUMIN_MASTERS].orig\n+++ Nftables::Set[CUMIN_MASTERS]\n\n+    hosts  => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']\n+    ensure => present\n"}, {"resource": "File[/usr/local/bin/apache-status]", "parameters": "--- File[/usr/local/bin/apache-status].orig\n+++ File[/usr/local/bin/apache-status]\n\n-    mode   => 0555\n-    group  => root\n-    source => puppet:///modules/httpd/apache-status\n-    owner  => root\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_etcd].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_etcd]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: etcd\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Cfssl::Signer[aux]", "parameters": "--- Cfssl::Signer[aux].orig\n+++ Cfssl::Signer[aux]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\nh264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\nsa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\nQcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\nBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\nbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\noD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\nbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\ntEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\nSr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\nA3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/aux/ca/aux.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/aux\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/aux\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/aux/ca/aux-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca].orig\n+++ File[/etc/cfssl/signers/mlserve/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/dse_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/dse_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/dse_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-debmonitor].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-debmonitor]\n\n-    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_ulogd2]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    require                   => File[/usr/local/sbin/wmf-auto-restart]\n-    success_exit_status       => []\n-    command                   => /usr/local/sbin/wmf-auto-restart -s ulogd2\n-    description               => Auto restart job: ulogd2\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 5:37:00'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "parameters": "--- Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods].orig\n+++ Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]\n\n-    src_sets            => ['WIKIKUBE_KUBEPODS_NETWORKS', 'STAGING_KUBEPODS_NETWORKS', 'MLSERVE_KUBEPODS_NETWORKS', 'MLSTAGE_KUBEPODS_NETWORKS', 'DSE_KUBEPODS_NETWORKS', 'AUX_KUBEPODS_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 8443\n"}, {"resource": "File[/etc/apache2/conf-available]", "parameters": "--- File[/etc/apache2/conf-available].orig\n+++ File[/etc/apache2/conf-available]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0755\n-    require => Package[apache2]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_debmonitor\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Signer[etcd]", "parameters": "--- Cfssl::Signer[etcd].orig\n+++ Cfssl::Signer[etcd]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\nZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\nN/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\nZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\nKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\nbW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\nP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\nSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\njkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\nUF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/etcd\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/etcd\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/etcd/ca/etcd-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    unit              => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery2026 command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery2026\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bf2e3510cb63e5f05f545e816bab4edf\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery2026\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Ferm::Conf[defs]", "parameters": "--- Ferm::Conf[defs].orig\n+++ Ferm::Conf[defs]\n\n-    prio   => 00\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Cfssl::Config[dse]", "parameters": "--- Cfssl::Config[dse].orig\n+++ Cfssl::Config[dse]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/dse\n-    path                => /etc/cfssl/signers/dse/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/dse\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca]", "parameters": "--- File[/etc/cfssl/signers/etcd/ca].orig\n+++ File[/etc/cfssl/signers/etcd/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@etcd]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@etcd].orig\n+++ Systemd::Unit[cfssl-ocspserve@etcd]\n\n-    unit              => cfssl-ocspserve@etcd\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@wikikube]']\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@network_devices]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@network_devices].orig\n+++ Systemd::Unit[cfssl-ocspserve@network_devices]\n\n-    unit              => cfssl-ocspserve@network_devices\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n"}, {"resource": "File[/etc/ferm/functions.conf]", "parameters": "--- File[/etc/ferm/functions.conf].orig\n+++ File[/etc/ferm/functions.conf]\n\n-    notify  => Service[ferm]\n-    owner   => root\n-    ensure  => file\n-    source  => puppet:///modules/ferm/functions.conf\n-    group   => root\n-    mode    => 0400\n-    require => Package[ferm]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"e515778a769f523fb98a7f642670e011\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-zuul].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-zuul]\n\n-    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]\n\n-    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_cfssl-multirootca_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Httpd::Conf[defaults]", "parameters": "--- Httpd::Conf[defaults].orig\n+++ Httpd::Conf[defaults]\n\n-    priority  => 0\n-    conf_type => conf\n-    source    => puppet:///modules/httpd/defaults.conf\n-    ensure    => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@mlserve_front_proxy]']\n"}, {"resource": "File[/etc/nftables/postrouting]", "parameters": "--- File[/etc/nftables/postrouting].orig\n+++ File[/etc/nftables/postrouting]\n\n+    recurse => True\n+    purge   => True\n+    owner   => root\n+    group   => root\n+    ensure  => directory\n"}, {"resource": "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set DEPLOYMENT_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:102:10:64:16:93,\n+             2620:0:860:103:10:192:32:7\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate initial CRL for debmonitor]", "parameters": "--- Exec[Generate initial CRL for debmonitor].orig\n+++ Exec[Generate initial CRL for debmonitor]\n\n-    creates => /srv/cfssl/crl/debmonitor\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/debmonitor/ca/debmonitor.pem /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/debmonitor\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_cassandra\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_syslog]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_cloud_wmnet_ca!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca/dse.pem]", "content": "--- /etc/cfssl/signers/dse/ca/dse.pem.orig\n+++ /etc/cfssl/signers/dse/ca/dse.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\n-rMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\n-apIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\n-Dgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\n-wQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\n-JqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\n-Dj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\n-pOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/dse/ca/dse.pem].orig\n+++ File[/etc/cfssl/signers/dse/ca/dse.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: puppet_rsa\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__puppet_rsa\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"c1b324b3d8ac107f8d7483b4017f5edf\",check_name=\"check_check_certificate_expiry_puppet_rsa\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: puppet_rsa\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_puppet_rsa))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_staging\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"7cff186656c3cabbca85b5b57d0c8679\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => mlserve\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@mlserve]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Cfssl::Signer[network_devices]", "parameters": "--- Cfssl::Signer[network_devices].orig\n+++ Cfssl::Signer[network_devices]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\nQlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\nWNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\nmzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\ntF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 8760h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/network_devices\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/network_devices\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => fake key\n\n"}, {"resource": "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "parameters": "--- Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)].orig\n+++ Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Exec[renew certificate - puppet_rsa__pki_discovery_wmnet].orig\n+++ Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]\n\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n-    notify      => ['Service[apache2]']\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert puppet_rsa__pki_discovery_wmnet]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_syslog\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_staging\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f389c556cebfcfc345b3d6802f320045\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocspserve@discovery]", "parameters": "--- Service[cfssl-ocspserve@discovery].orig\n+++ Service[cfssl-ocspserve@discovery]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca]", "parameters": "--- File[/etc/cfssl/signers/kafka/ca].orig\n+++ File[/etc/cfssl/signers/kafka/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/signers/cassandra]", "parameters": "--- File[/etc/cfssl/signers/cassandra].orig\n+++ File[/etc/cfssl/signers/cassandra]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Httpd::Site[pki.discovery.wmnet]", "parameters": "--- Httpd::Site[pki.discovery.wmnet].orig\n+++ Httpd::Site[pki.discovery.wmnet]\n\n-    priority => 50\n-    ensure   => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[debmonitor]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[debmonitor].orig\n+++ Profile::Pki::Multirootca::Monitoring[debmonitor]\n\n-    ca_file      => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => debmonitor\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-check-nft].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-check-nft]\n\n+    priority => 40\n+    mode     => 0444\n+    ensure   => present\n+    require  => File[/var/log/prometheus-node-textfile-check-nft]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-zuul-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_staging\n-\n-/var/log/cfssl-ocsprefresh-mlserve_staging/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft\n@@ -0,0 +1,15 @@\n+# Autogenerated by puppet\n+set KAFKA_BROKERS_LOGGING_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:102:10:64:16:205,\n+             2620:0:861:10c:10:64:133:11,\n+             2620:0:861:13d:10:64:183:12,\n+             2620:0:861:10a:10:64:131:13,\n+             2620:0:861:10e:10:64:135:13,\n+             2620:0:860:113:10:192:23:29,\n+             2620:0:860:10c:10:192:11:28,\n+             2620:0:860:105:10:192:26:22,\n+             2620:0:860:10c:10:192:11:27,\n+             2620:0:860:11e:10:192:39:25\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/srv/cfssl/bundles/debmonitor.pem]", "content": "--- /srv/cfssl/bundles/debmonitor.pem.orig\n+++ /srv/cfssl/bundles/debmonitor.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\n-AAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\n-M+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\n-WgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\n-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\n-TrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\n-EzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\n-HwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\n-bWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\n-XIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\n-y9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\n-EknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/debmonitor.pem].orig\n+++ File[/srv/cfssl/bundles/debmonitor.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_network_devices.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => absent\n"}, {"resource": "Exec[Generate initial CRL for puppet_rsa]", "parameters": "--- Exec[Generate initial CRL for puppet_rsa].orig\n+++ Exec[Generate initial CRL for puppet_rsa]\n\n-    creates => /srv/cfssl/crl/puppet_rsa\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/puppet_rsa\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    unit              => cfssl-ocsprefresh-wikikube_staging.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Timer[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Timer[nrpe2nodexp-ferm_active]\n\n-    accuracy           => 15sec\n-    splay              => 600\n-    unit_name          => nrpe2nodexp-ferm_active.service\n-    ensure             => present\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Service[cfssl-ocsprefresh-syslog]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-syslog.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Cfssl::Ocsp[mlserve_staging]", "parameters": "--- Cfssl::Ocsp[mlserve_staging].orig\n+++ Cfssl::Ocsp[mlserve_staging]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20040\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Cfssl::Signer[dse_front_proxy]", "parameters": "--- Cfssl::Signer[dse_front_proxy].orig\n+++ Cfssl::Signer[dse_front_proxy]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\ny/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\nN18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\nfI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/dse_front_proxy\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/dse_front_proxy\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => \n"}, {"resource": "Alternatives::Select[ip6tables]", "parameters": "--- Alternatives::Select[ip6tables].orig\n+++ Alternatives::Select[ip6tables]\n\n-    path    => /usr/sbin/ip6tables-legacy\n-    require => Package[iptables]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/cfssl/db.conf]", "content": "--- /etc/cfssl/db.conf.orig\n+++ /etc/cfssl/db.conf\n@@ -1 +0,0 @@\n-{\"driver\":\"mysql\",\"data_source\":\"pki:changeme@tcp(m1-master.eqiad.wmnet:3306)/pki?parseTime=true&tls=skip-verify\"}", "parameters": "--- File[/etc/cfssl/db.conf].orig\n+++ File[/etc/cfssl/db.conf]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    ensure    => file\n-    group     => root\n-    mode      => 0440\n-    require   => ['Package[golang-cfssl]']\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"4d759acaf0fd7dd3abaa03dc4565aef6\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]\n\n-    notification_period    => 24x7\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    servicegroups          => pki_eqiad\n-    notifications_enabled  => 1\n-    check_interval         => 1\n-    max_check_attempts     => 3\n-    retry_interval         => 1\n-    contact_groups         => admins\n-    active_checks_enabled  => 1\n-    passive_checks_enabled => 1\n-    check_period           => 24x7\n-    is_volatile            => 0\n-    notification_interval  => 0\n-    check_command          => nrpe_check!check_check_certificate_expiry_dse!10\n-    host_name              => pki1001\n-    service_description    => Check to ensure the signer certificate is valid CA: dse\n-    notification_options   => c,r,f\n-    ensure                 => present\n-    check_freshness        => 0\n"}, {"resource": "Nftables::Set[MGMT_NETWORKS]", "parameters": "--- Nftables::Set[MGMT_NETWORKS].orig\n+++ Nftables::Set[MGMT_NETWORKS]\n\n+    hosts  => ['10.65.0.0/16', '10.128.128.0/17', '10.193.0.0/16', '10.80.128.0/17', '10.132.128.0/17', '10.136.128.0/17', '10.140.128.0/17']\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_puppet_rsa\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/cfssl/ocsp/discovery.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/discovery.ocsp].orig\n+++ File[/etc/cfssl/ocsp/discovery.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_discovery2026\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bf2e3510cb63e5f05f545e816bab4edf\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery2026\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery2026 command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => absent\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-dse]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-dse].orig\n+++ File[/var/log/cfssl-ocsprefresh-dse]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nftables::Service[ssh-from-bastion]", "parameters": "--- Nftables::Service[ssh-from-bastion].orig\n+++ Nftables::Service[ssh-from-bastion]\n\n+    unrestricted_access => False\n+    prio                => 10\n+    desc                => \n+    proto               => tcp\n+    src_ips             => ['103.102.166.103', '185.15.58.6', '185.15.59.99', '195.200.68.99', '198.35.26.104', '2001:df2:e500:3:103:102:166:103', '208.80.153.110', '208.80.154.7', '2620:0:860:4:208:80:153:110', '2620:0:861:1:208:80:154:7', '2620:0:863:3:198:35:26:104', '2a02:ec80:300:3:185:15:59:99', '2a02:ec80:600:1:185:15:58:6', '2a02:ec80:700:3:195:200:68:99']\n+    notrack             => False\n+    ensure              => present\n+    port                => 22\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-apache2.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-apache2.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"wmf_auto_restart_apache2\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/wmf_auto_restart_apache2/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-dse_front_proxy-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@discovery.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (discovery)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10002 \\\n-          -responses /etc/cfssl/ocsp/discovery.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@discovery.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca]", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca].orig\n+++ File[/etc/cfssl/signers/cassandra/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/cfssl/ocsp/cassandra.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/cassandra.ocsp].orig\n+++ File[/etc/cfssl/ocsp/cassandra.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-discovery2026].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-discovery2026]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@puppet_rsa].orig\n+++ Systemd::Unit[cfssl-ocspserve@puppet_rsa]\n\n-    unit              => cfssl-ocspserve@puppet_rsa\n-    override          => False\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-discovery2026]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-discovery2026].orig\n+++ File[/var/log/cfssl-ocsprefresh-discovery2026]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "content": "--- /etc/cfssl/signers/network_devices/cfssl.conf.orig\n+++ /etc/cfssl/signers/network_devices/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"8760h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/network_devices\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/network_devices\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/network_devices/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/network_devices/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Service[cfssl-multirootca]", "parameters": "--- Service[cfssl-multirootca].orig\n+++ Service[cfssl-multirootca]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_kafka.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_kafka.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => installed\n+    ensure => absent\n"}, {"resource": "Cfssl::Config[wikikube_staging]", "parameters": "--- Cfssl::Config[wikikube_staging].orig\n+++ Cfssl::Config[wikikube_staging]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_staging\n-    path                => /etc/cfssl/signers/wikikube_staging/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_staging\n"}, {"resource": "Cfssl::Config[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Config[wikikube_staging_front_proxy].orig\n+++ Cfssl::Config[wikikube_staging_front_proxy]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\n-    path                => /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_staging_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"b194b5b9b6c9d6e05b9eed8dcfcc40cf\",check_name=\"check_check_certificate_expiry_mlserve_staging_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_staging_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-zuul.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-zuul.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - zuul\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/zuul/ca/zuul.pem --responses-file /etc/cfssl/ocsp/zuul.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@zuul' zuul ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-debmonitor]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-debmonitor.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set MONITORING_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:3:208:80:154:78,\n+             2620:0:860:2:208:80:153:42\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "content": "--- /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem.orig\n+++ /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-wikikube_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"mlserve_staging_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-wikikube_staging.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Service[cfssl-ocspserve@discovery2026]", "parameters": "--- Service[cfssl-ocspserve@discovery2026].orig\n+++ Service[cfssl-ocspserve@discovery2026]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-cloud_wmnet_ca\n-\n-/var/log/cfssl-ocsprefresh-cloud_wmnet_ca/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"9d6dd05c8e5e1bb294462d932b24bd1a\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_front_proxy\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_front_proxy command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca]", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20030 \\\n-          -responses /etc/cfssl/ocsp/mlserve.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-check-nft.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-check-nft.service]\n\n+    unit              => prometheus-node-textfile-check-nft.service\n+    override          => False\n+    ensure            => present\n+    restart           => False\n+    override_filename => puppet-override.conf\n+    require           => ['Class[Systemd]']\n"}, {"resource": "Service[cfssl-ocsprefresh-cassandra.timer]", "parameters": "--- Service[cfssl-ocsprefresh-cassandra.timer].orig\n+++ Service[cfssl-ocsprefresh-cassandra.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"wikikube\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - cloud_wmnet_ca\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --responses-file /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cloud_wmnet_ca' cloud_wmnet_ca ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Service[cfssl-ocsprefresh-cassandra]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-cassandra.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Unit[nftables]", "parameters": "--- Systemd::Unit[nftables].orig\n+++ Systemd::Unit[nftables]\n\n+    unit              => nftables\n+    override          => True\n+    ensure            => present\n+    restart           => False\n+    override_filename => puppet-override.conf\n+    require           => ['Class[Systemd]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]\n\n-    unit              => nrpe2nodexp-check_cfssl-multirootca_status.service\n-    override          => False\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_cfssl-multirootca_status]", "parameters": "--- Monitoring::Service[check_cfssl-multirootca_status].orig\n+++ Monitoring::Service[check_cfssl-multirootca_status]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI\n-    check_command  => nrpe_check!check_check_cfssl-multirootca_status!10\n-    critical       => True\n-    description    => Check unit status of cfssl-multirootca\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 2\n-    check_interval => 10\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@discovery2026.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@discovery2026.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (discovery2026)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10010 \\\n-          -responses /etc/cfssl/ocsp/discovery2026.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]\n\n-    recurse => True\n-    owner   => root\n-    group   => root\n-    mode    => 0740\n-    ensure  => directory\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "content": "--- /etc/cfssl/signers/wikikube/ca/wikikube-key.pem.orig\n+++ /etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]\n\n-    show_diff => False\n-    notify    => Service[cfssl-multirootca]\n-    owner     => root\n-    group     => root\n-    mode      => 0400\n-    ensure    => file\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_syslog command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_syslog\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"e3b9b989d5062ce2d267023dfe42fcd8\" --timeout 10 --check-command \"check_check_certificate_expiry_syslog\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "parameters": "--- Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port].orig\n+++ Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]\n\n-    priority  => 50\n-    conf_type => conf\n-    ensure    => present\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Service[cfssl-ocsprefresh-debmonitor]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set MONITORING_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 208.80.154.78,\n+             208.80.153.42\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_debmonitor]", "parameters": "--- Monitoring::Service[check_certificate_expiry_debmonitor].orig\n+++ Monitoring::Service[check_certificate_expiry_debmonitor]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_debmonitor!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: debmonitor\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-debmonitor.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-debmonitor.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_staging].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_staging]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_staging]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"dse_front_proxy\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    unit              => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/wmf_auto_restart_ulogd2]", "parameters": "--- File[/var/log/wmf_auto_restart_ulogd2].orig\n+++ File[/var/log/wmf_auto_restart_ulogd2]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Config[mlserve]", "parameters": "--- Cfssl::Config[mlserve].orig\n+++ Cfssl::Config[mlserve]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve\n-    path                => /etc/cfssl/signers/mlserve/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@cassandra.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@cassandra.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (cassandra)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10006 \\\n-          -responses /etc/cfssl/ocsp/cassandra.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@cassandra.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "parameters": "--- Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9].orig\n+++ Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check unit status of cfssl-multirootca #page\n-    alert_name         => nrpe_Check_unit_status_of_cfssl_multirootca\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"52832284a5fb8b8ea6f55bb6271912c9\",check_name=\"check_check_cfssl-multirootca_status\", status=\"CRITICAL\", severity=\"page\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check unit status of cfssl-multirootca\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_cfssl-multirootca_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI\n-    instance           => ops\n-    ensure             => absent\n-    for                => 11m\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-etcd].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-etcd]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-etcd]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "Service[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Service[cfssl-ocsprefresh-discovery.timer].orig\n+++ Service[cfssl-ocsprefresh-discovery.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Service[cfssl-ocsprefresh-etcd]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-etcd.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@discovery2026]", "parameters": "--- Systemd::Service[cfssl-ocspserve@discovery2026].orig\n+++ Systemd::Service[cfssl-ocspserve@discovery2026]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "parameters": "--- File[/var/log/wmf_auto_restart_apache-htcacheclean].orig\n+++ File[/var/log/wmf_auto_restart_apache-htcacheclean]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Cfssl::Signer[zuul]", "parameters": "--- Cfssl::Signer[zuul].orig\n+++ Cfssl::Signer[zuul]\n\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\ndSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\ng+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\ng7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\njr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\nKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\nbW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\nP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\nSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\nHAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\natmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\nXjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n-----END CERTIFICATE-----\n\n-    ca_file          => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    listen_addr      => pki1001.eqiad.wmnet\n-    listen_port      => 8888\n-    manage_db        => False\n-    manage_services  => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    serve_service    => cfssl-multirootca\n-    default_expiry   => 672h\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    db_driver        => sqlite3\n-    default_crl_url  => http://pki.discovery.wmnet/crl/zuul\n-    log_level        => info\n-    db_name          => cfssl\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/zuul\n-    db_conf_file     => /etc/cfssl/db.conf\n-    ca_key_file      => /etc/cfssl/signers/zuul/ca/zuul-key.pem\n-    default_usages   => ['server auth', 'client auth']\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    serve_ensure     => absent\n-    db_host          => localhost\n-    default_auth_key => default_auth\n-    ca_key_content   => nosecret\n\n"}, {"resource": "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => debmonitor\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@debmonitor]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    user                      => nagios\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_discovery\n-    splay                     => 60\n-    send_mail                 => False\n-    group                     => prometheus-node-exporter\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    logging_enabled           => False\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => True\n-    ignore_errors             => True\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => absent\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Cfssl::Ocsp[aux_front_proxy]", "parameters": "--- Cfssl::Ocsp[aux_front_proxy].orig\n+++ Cfssl::Ocsp[aux_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20051\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_ulogd2]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_ulogd2].orig\n+++ Logrotate::Conf[wmf_auto_restart_ulogd2]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@aux]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n\n-    unit              => cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_cfssl-multirootca_status.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_cfssl-multirootca_status.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=5min\n-OnActiveSec=1s\n-RandomizedDelaySec=300\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]\n\n+    before      => ['Service[prometheus-node-textfile-check-nft.timer]']\n+    refreshonly => True\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Config[cassandra]", "parameters": "--- Cfssl::Config[cassandra].orig\n+++ Cfssl::Config[cassandra]\n\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/cassandra\n-    path                => /etc/cfssl/signers/cassandra/cfssl.conf\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    remotes             => {}\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    notify              => Service[cfssl-multirootca]\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    ensure              => present\n-    default_crl_url     => http://pki.discovery.wmnet/crl/cassandra\n"}, {"resource": "Cfssl::Ocsp[wikikube_front_proxy]", "parameters": "--- Cfssl::Ocsp[wikikube_front_proxy].orig\n+++ Cfssl::Ocsp[wikikube_front_proxy]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 20011\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@mlserve_staging]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n"}, {"resource": "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set DEPLOYMENT_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.16.93,\n+             10.192.32.7\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-ocspserve@discovery2026]']\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Service[cfssl-ocspserve@wikikube_front_proxy]\n\n-    enable => True\n-    ensure => running\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    ensure      => present\n-    hosts       => []\n-    names       => []\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-discovery2026.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-discovery2026.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Firewall::Service[multirootca tls termination]", "parameters": "--- Firewall::Service[multirootca tls termination].orig\n+++ Firewall::Service[multirootca tls termination]\n\n-    src_sets            => ['DOMAIN_NETWORKS']\n-    unrestricted_access => False\n-    prio                => 10\n-    desc                => \n-    proto               => tcp\n-    notrack             => False\n-    ensure              => present\n-    port                => 443\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]\n\n-    ensure => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => PKI server\n+    role_description => Host being setup by Infrastructure Foundations SREs with ntables\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]\n\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]']\n-    enable   => False\n-    ensure   => stopped\n-    provider => systemd\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Cfssl::Ocsp[zuul]", "parameters": "--- Cfssl::Ocsp[zuul].orig\n+++ Cfssl::Ocsp[zuul]\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    ca_file            => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    listen_addr        => 127.0.0.1\n-    listen_port        => 10009\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    ocsprefresh_update => True\n-    log_level          => info\n-    db_driver          => mysql\n-    refresh_interval   => 96h\n"}, {"resource": "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => discovery\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@discovery]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_kafka].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_kafka]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - aux\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux/ca/aux.pem --responses-file /etc/cfssl/ocsp/aux.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux' aux ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Package[links]", "parameters": "--- Package[links].orig\n+++ Package[links]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    owner        => root\n-    ensure       => present\n-    group        => root\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-etcd\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-etcd/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/aux_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/aux_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/aux_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]\n\n-    dashboard          => TODO\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_staging_front_proxy\n-    severity           => info\n-    group              => nrpechecks\n-    team               => observability\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"e515778a769f523fb98a7f642670e011\",check_name=\"check_check_certificate_expiry_wikikube_staging_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    def_label_whitelst => ['team', 'severity']\n-    site               => eqiad\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_staging_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    instance           => ops\n-    ensure             => absent\n-    for                => 3m\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_zuul command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_zuul\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"373325faaa689f3e9b058d91d4eb6cdb\" --timeout 10 --check-command \"check_check_certificate_expiry_zuul\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "content": "--- /etc/cfssl/signers/cassandra/ca/cassandra.pem.orig\n+++ /etc/cfssl/signers/cassandra/ca/cassandra.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\n-zjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\n-CA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\n-eyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n-+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\n-D2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\n-B6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca/cassandra.pem].orig\n+++ File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Exec[Generate initial CRL for kafka]", "parameters": "--- Exec[Generate initial CRL for kafka].orig\n+++ Exec[Generate initial CRL for kafka]\n\n-    creates => /srv/cfssl/crl/kafka\n-    path    => ['/usr/bin']\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/kafka/ca/kafka.pem /etc/cfssl/signers/kafka/ca/kafka-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/kafka\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-etcd-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-syslog-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-mlserve_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-check-nft.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-check-nft.timer]\n\n+    unit              => prometheus-node-textfile-check-nft.timer\n+    override          => False\n+    ensure            => present\n+    restart           => False\n+    override_filename => puppet-override.conf\n+    require           => ['Class[Systemd]']\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_discovery].orig\n+++ Nrpe::Check[check_check_certificate_expiry_discovery]\n\n-    before    => Monitoring::Service[check_certificate_expiry_discovery]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)].orig\n+++ Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    notify      => ['Service[cfssl-multirootca]']\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem -checkend 952200\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n-    require     => Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-network_devices.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]\n\n-    unit              => cfssl-ocsprefresh-network_devices.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube]\n\n-    contact_group               => admins\n-    sudo_user                   => root\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube\n-    retries                     => 3\n-    check_interval              => 1\n-    migration_task              => T350694\n-    retry_interval              => 1\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    alertmanager_team           => observability\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    timeout                     => 10\n-    ensure                      => present\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-kafka.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-kafka.service]\n\n-    unit              => cfssl-ocsprefresh-kafka.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Systemd::Service[cfssl-ocspserve@puppet_rsa].orig\n+++ Systemd::Service[cfssl-ocspserve@puppet_rsa]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_staging_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => absent\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_discovery]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache2.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache2.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_apache2.timer]\n\n-    unit              => wmf_auto_restart_apache2.timer\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => mlserve_staging_front_proxy\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_etcd.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_staging].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_staging]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => cfssl-ocsprefresh-mlserve_front_proxy.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-    override          => False\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n-    require           => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-etcd.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-etcd.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-etcd.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-etcd.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]\n\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]\n\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    mode      => 0440\n-    ensure    => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_aux_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_aux_front_proxy]\n\n-    contact_group  => admins\n-    host           => pki1001\n-    passive        => False\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    check_command  => nrpe_check!check_check_certificate_expiry_aux_front_proxy!10\n-    critical       => False\n-    description    => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    config_dir     => /etc/nagios\n-    freshness      => 36000\n-    retries        => 3\n-    check_interval => 1\n-    migration_task => T350694\n-    ensure         => present\n-    retry_interval => 1\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/wikikube_staging_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/wikikube_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-ijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\n-BgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\n-FR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\n-j87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\n-dC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\n-Af8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\n-FDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\n-AYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\n-zj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\n-E6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n-2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n-/3y5tw==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    force_stop             => True\n-    readable_by            => all\n-    owner                  => root\n-    base_dir               => /var/log\n-    group                  => root\n-    programname_comparison => startswith\n-    log_filename           => syslog.log\n-    ensure                 => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => dse\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-dse]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@dse]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => absent\n"}, {"resource": "Exec[ensure_present_mod_proxy_http]", "parameters": "--- Exec[ensure_present_mod_proxy_http].orig\n+++ Exec[ensure_present_mod_proxy_http]\n\n-    creates => /etc/apache2/mods-enabled/proxy_http.load\n-    command => /usr/sbin/a2enmod proxy_http\n-    notify  => Service[apache2]\n-    require => Package[apache2]\n"}, {"resource": "Httpd::Conf[pki.discovery.wmnet]", "parameters": "--- Httpd::Conf[pki.discovery.wmnet].orig\n+++ Httpd::Conf[pki.discovery.wmnet]\n\n-    priority  => 50\n-    conf_type => sites\n-    ensure    => present\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/wikikube_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/wikikube_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-gjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\n-AQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\n-hmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n-92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\n-raOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\n-A1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\n-G/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\n-b3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\n-ZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\n-ADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\n-hzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n-0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_front_proxy.pem]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-ijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\n-BgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\n-FR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\n-j87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\n-dC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\n-Af8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\n-FDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\n-AYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\n-zj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\n-E6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n-2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n-/3y5tw==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]\n\n-    notify => Service[cfssl-multirootca]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => file\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_dse]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_dse].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_dse]\n\n-    severity                => critical\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    alert_after             => 2m\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ip4                     => 10.64.0.10\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    status_matches          => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    certificate_expiry_days => 10\n-    force_tls               => False\n-    team                    => sre\n-    header_not_matches      => []\n-    instance_label          => pki1001\n-    method                  => POST\n-    req_headers             => {}\n-    prometheus_instance     => ops\n-    body_raw                => {\"label\":\"dse\"}\n-    header_matches          => []\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    site                    => eqiad\n-    use_client_auth         => True\n-    port                    => 443\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    follow_redirects        => False\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    path                    => /api/v1/cfssl/info\n-    insecure_tls            => False\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    body_regex_not_matches  => []\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-ferm_active].orig\n+++ Rsyslog::Conf[nrpe2nodexp-ferm_active]\n\n-    priority => 25\n-    mode     => 0444\n-    ensure   => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]\n\n-    user           => root\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    environment    => {}\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom\n-    extra_packages => []\n-    interval       => daily\n-    ensure         => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-discovery2026.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery2026\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-discovery2026\n-\n-/var/log/cfssl-ocsprefresh-discovery2026/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0400\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/debmonitor.ocsp].orig\n+++ File[/etc/cfssl/ocsp/debmonitor.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve]\n\n-    unit_type                => timer\n-    monitoring_enabled       => False\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve.service]\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => False\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "File[/etc/ssl/localcerts/multiroot_ca.pem]", "parameters": "--- File[/etc/ssl/localcerts/multiroot_ca.pem].orig\n+++ File[/etc/ssl/localcerts/multiroot_ca.pem]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    source => puppet:///modules/profile/pki/production/client_auth_CA.pem\n-    group  => root\n-    mode   => 0440\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_cassandra]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_cassandra].orig\n+++ Nrpe::Check[check_check_certificate_expiry_cassandra]\n\n-    before    => Monitoring::Service[check_certificate_expiry_cassandra]\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    ensure    => present\n-    sudo_user => root\n"}, {"resource": "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft\n@@ -0,0 +1,183 @@\n+# Autogenerated by puppet\n+set PRODUCTION_NETWORKS_ipv6 {\n+    type ipv6_addr\n+    flags interval\n+    auto-merge\n+    elements = { 2001:df2:e500:101::/64,\n+             2001:df2:e500:103::/64,\n+             2001:df2:e500:1::/64,\n+             2001:df2:e500:3::/64,\n+             2001:df2:e500:ed1a::/64,\n+             2620:0:860:100::/64,\n+             2620:0:860:101::/64,\n+             2620:0:860:102::/64,\n+             2620:0:860:103::/64,\n+             2620:0:860:104::/64,\n+             2620:0:860:105::/64,\n+             2620:0:860:106::/64,\n+             2620:0:860:107::/64,\n+             2620:0:860:108::/64,\n+             2620:0:860:109::/64,\n+             2620:0:860:10a::/64,\n+             2620:0:860:10b::/64,\n+             2620:0:860:10c::/64,\n+             2620:0:860:10d::/64,\n+             2620:0:860:10e::/64,\n+             2620:0:860:10f::/64,\n+             2620:0:860:110::/64,\n+             2620:0:860:111::/64,\n+             2620:0:860:112::/64,\n+             2620:0:860:113::/64,\n+             2620:0:860:114::/64,\n+             2620:0:860:115::/64,\n+             2620:0:860:116::/64,\n+             2620:0:860:118::/64,\n+             2620:0:860:119::/64,\n+             2620:0:860:11a::/64,\n+             2620:0:860:11b::/64,\n+             2620:0:860:11c::/64,\n+             2620:0:860:11d::/64,\n+             2620:0:860:11e::/64,\n+             2620:0:860:11f::/64,\n+             2620:0:860:120::/64,\n+             2620:0:860:121::/64,\n+             2620:0:860:122::/64,\n+             2620:0:860:123::/64,\n+             2620:0:860:124::/64,\n+             2620:0:860:125::/64,\n+             2620:0:860:126::/64,\n+             2620:0:860:127::/64,\n+             2620:0:860:12b::/64,\n+             2620:0:860:12c::/64,\n+             2620:0:860:12d::/64,\n+             2620:0:860:12e::/64,\n+             2620:0:860:140::/64,\n+             2620:0:860:1::/64,\n+             2620:0:860:2::/64,\n+             2620:0:860:300::/64,\n+             2620:0:860:301::/64,\n+             2620:0:860:302::/64,\n+             2620:0:860:303::/64,\n+             2620:0:860:304::/64,\n+             2620:0:860:305::/64,\n+             2620:0:860:307::/64,\n+             2620:0:860:308::/64,\n+             2620:0:860:3::/64,\n+             2620:0:860:4::/64,\n+             2620:0:860:5::/64,\n+             2620:0:860:babe::/64,\n+             2620:0:860:babf::/64,\n+             2620:0:860:cabe::/64,\n+             2620:0:860:cabf::/64,\n+             2620:0:860:ed1a::/64,\n+             2620:0:861:100::/64,\n+             2620:0:861:101::/64,\n+             2620:0:861:102::/64,\n+             2620:0:861:103::/64,\n+             2620:0:861:104::/64,\n+             2620:0:861:105::/64,\n+             2620:0:861:106::/64,\n+             2620:0:861:107::/64,\n+             2620:0:861:108::/64,\n+             2620:0:861:109::/64,\n+             2620:0:861:10a::/64,\n+             2620:0:861:10b::/64,\n+             2620:0:861:10c::/64,\n+             2620:0:861:10d::/64,\n+             2620:0:861:10e::/64,\n+             2620:0:861:10f::/64,\n+             2620:0:861:110::/64,\n+             2620:0:861:111::/64,\n+             2620:0:861:112::/64,\n+             2620:0:861:113::/64,\n+             2620:0:861:114::/64,\n+             2620:0:861:115::/64,\n+             2620:0:861:116::/64,\n+             2620:0:861:117::/64,\n+             2620:0:861:118::/64,\n+             2620:0:861:119::/64,\n+             2620:0:861:11a::/64,\n+             2620:0:861:11c::/64,\n+             2620:0:861:11d::/64,\n+             2620:0:861:11e::/64,\n+             2620:0:861:11f::/64,\n+             2620:0:861:120::/64,\n+             2620:0:861:121::/64,\n+             2620:0:861:122::/64,\n+             2620:0:861:123::/64,\n+             2620:0:861:124::/64,\n+             2620:0:861:125::/64,\n+             2620:0:861:126::/64,\n+             2620:0:861:127::/64,\n+             2620:0:861:128::/64,\n+             2620:0:861:129::/64,\n+             2620:0:861:12a::/64,\n+             2620:0:861:12b::/64,\n+             2620:0:861:12c::/64,\n+             2620:0:861:12d::/64,\n+             2620:0:861:12e::/64,\n+             2620:0:861:12f::/64,\n+             2620:0:861:131::/64,\n+             2620:0:861:132::/64,\n+             2620:0:861:133::/64,\n+             2620:0:861:134::/64,\n+             2620:0:861:135::/64,\n+             2620:0:861:136::/64,\n+             2620:0:861:137::/64,\n+             2620:0:861:138::/64,\n+             2620:0:861:139::/64,\n+             2620:0:861:13a::/64,\n+             2620:0:861:13b::/64,\n+             2620:0:861:13c::/64,\n+             2620:0:861:13d::/64,\n+             2620:0:861:13e::/64,\n+             2620:0:861:13f::/64,\n+             2620:0:861:140::/64,\n+             2620:0:861:141::/64,\n+             2620:0:861:142::/64,\n+             2620:0:861:143::/64,\n+             2620:0:861:144::/64,\n+             2620:0:861:145::/64,\n+             2620:0:861:1::/64,\n+             2620:0:861:2::/64,\n+             2620:0:861:300::/64,\n+             2620:0:861:301::/116,\n+             2620:0:861:302::/64,\n+             2620:0:861:303::/116,\n+             2620:0:861:304::/116,\n+             2620:0:861:305::/64,\n+             2620:0:861:3::/64,\n+             2620:0:861:4::/64,\n+             2620:0:861:babe::/64,\n+             2620:0:861:babf::/116,\n+             2620:0:861:cabe::/64,\n+             2620:0:861:cabf::/116,\n+             2620:0:861:ed1a::/64,\n+             2620:0:863:101::/64,\n+             2620:0:863:102::/64,\n+             2620:0:863:103::/64,\n+             2620:0:863:1::/64,\n+             2620:0:863:2::/64,\n+             2620:0:863:3::/64,\n+             2620:0:863:ed1a::/64,\n+             2a02:ec80:300:101::/64,\n+             2a02:ec80:300:102::/64,\n+             2a02:ec80:300:103::/64,\n+             2a02:ec80:300:1::/64,\n+             2a02:ec80:300:2::/64,\n+             2a02:ec80:300:3::/64,\n+             2a02:ec80:300:ed1a::/64,\n+             2a02:ec80:600:101::/64,\n+             2a02:ec80:600:102::/64,\n+             2a02:ec80:600:1::/64,\n+             2a02:ec80:600:2::/64,\n+             2a02:ec80:600:ed1a::/64,\n+             2a02:ec80:700:101::/64,\n+             2a02:ec80:700:102::/64,\n+             2a02:ec80:700:103::/64,\n+             2a02:ec80:700:1::/64,\n+             2a02:ec80:700:2::/64,\n+             2a02:ec80:700:3::/64,\n+             2a02:ec80:700:ed1a::/64\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-discovery-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]\n\n-    owner  => root\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n"}, {"resource": "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft\n@@ -0,0 +1,7 @@\n+# Autogenerated by puppet\n+set KAFKAMON_HOSTS_ipv6 {\n+    type ipv6_addr\n+    elements = { 2620:0:861:103:10:64:32:11,\n+             2620:0:860:102:10:192:16:139\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_staging_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-check-nft.timer]", "parameters": "--- Service[prometheus-node-textfile-check-nft.timer].orig\n+++ Service[prometheus-node-textfile-check-nft.timer]\n\n+    enable   => True\n+    ensure   => running\n+    provider => systemd\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-kafka]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-kafka].orig\n+++ File[/var/log/cfssl-ocsprefresh-kafka]\n\n-    owner  => root\n-    force  => True\n-    backup => False\n-    group  => root\n-    mode   => 0755\n-    ensure => directory\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca].orig\n+++ File[/etc/cfssl/signers/wikikube/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "File[/etc/apache2/conf-available/50-server-status.conf]", "parameters": "--- File[/etc/apache2/conf-available/50-server-status.conf].orig\n+++ File[/etc/apache2/conf-available/50-server-status.conf]\n\n-    notify => Service[apache2]\n-    owner  => root\n-    source => puppet:///modules/httpd/status.conf\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[cfssl-gc-expired-certs]", "parameters": "--- Logrotate::Conf[cfssl-gc-expired-certs].orig\n+++ Logrotate::Conf[cfssl-gc-expired-certs]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/dse.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/dse.ocsp].orig\n+++ File[/etc/cfssl/ocsp/dse.ocsp]\n\n-    group  => root\n-    ensure => file\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/signers/wikikube]", "parameters": "--- File[/etc/cfssl/signers/wikikube].orig\n+++ File[/etc/cfssl/signers/wikikube]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet\n+set ZOOKEEPER_FLINK_HOSTS_ipv4 {\n+    type ipv4_addr\n+    elements = { 10.64.16.9,\n+             10.64.0.8,\n+             10.64.32.41,\n+             10.192.16.227,\n+             10.192.32.179,\n+             10.192.48.219\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_network_devices]", "parameters": "--- Sudo::User[nrpe_certificate_check_network_devices].orig\n+++ Sudo::User[nrpe_certificate_check_network_devices]\n\n-    user       => nrpe_certificate_check_network_devices\n-    privileges => []\n-    ensure     => absent\n-    require    => ['Class[Sudo]']\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft\n@@ -0,0 +1,12 @@\n+# Autogenerated by puppet\n+set CLOUD_PRIVATE_NETWORKS_ipv4 {\n+    type ipv4_addr\n+    flags interval\n+    auto-merge\n+    elements = { 172.20.1.0/24,\n+             172.20.2.0/24,\n+             172.20.3.0/24,\n+             172.20.4.0/24,\n+             172.20.5.0/24\n+    }\n+}", "parameters": "--- File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]\n\n+    tag    => nft\n+    notify => ['Service[nftables]']\n+    owner  => root\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    accuracy           => 15sec\n-    splay              => 60\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-    ensure             => absent\n-    fixed_random_delay => True\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "content": "--- /etc/logrotate.d/wmf_auto_restart_ulogd2.orig\n+++ /etc/logrotate.d/wmf_auto_restart_ulogd2\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for wmf_auto_restart_ulogd2\n-\n-/var/log/wmf_auto_restart_ulogd2/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_ulogd2].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_ulogd2]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]\n\n-    before      => ['Service[cfssl-ocsprefresh-aux_front_proxy.timer]']\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]\n\n-    group  => root\n-    ensure => absent\n-    owner  => root\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_aux_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]\n\n-    tag     => nrpe::check\n-    notify  => Service[nagios-nrpe-server]\n-    owner   => root\n-    ensure  => present\n-    group   => root\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    user                      => root\n-    logfile_group             => root\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    success_exit_status       => []\n-    command                   => /usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom\n-    description               => Systemd timer to gather node metrics for prometheus-check-debmonitor-certificate-expiry\n-    syslog_force_stop         => True\n-    monitoring_contact_groups => admins\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_name              => syslog.log\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    environment               => {}\n-    private_tmp               => False\n-    monitoring_enabled        => False\n-    fixed_random_delay        => False\n-    ignore_errors             => False\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    logfile_basedir           => /var/log\n-    ensure                    => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube\n-\n-/var/log/cfssl-ocsprefresh-wikikube/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]\n\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    auto_renew      => True\n-    renew_seconds   => 952200\n-    profile         => ocsp\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    hosts           => []\n-    group           => root\n-    mode            => 0740\n-    common_name     => pki1001.eqiad.wmnet\n-    label           => network_devices\n-    names           => []\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    owner           => root\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    notify          => Service[cfssl-ocspserve@network_devices]\n-    provide_chain   => False\n-    notify_services => []\n-    ensure          => present\n-    before_services => []\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n"}, {"resource": "File[/etc/rsyslog.d/40-ulogd.conf]", "content": "--- /etc/rsyslog.d/40-ulogd.conf.orig\n+++ /etc/rsyslog.d/40-ulogd.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"ulogd\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/ulogd/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0600\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-ulogd.conf].orig\n+++ File[/etc/rsyslog.d/40-ulogd.conf]\n\n-    notify => Service[rsyslog]\n-    owner  => root\n-    group  => root\n-    mode   => 0444\n-    ensure => present\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    enable   => True\n-    ensure   => running\n-    provider => systemd\n"}, {"resource": "Class[Puppet::Agent]", "parameters": "--- Class[Puppet::Agent].orig\n+++ Class[Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]\n\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[zuul]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[zuul].orig\n+++ Profile::Pki::Multirootca::Monitoring[zuul]\n\n-    ca_file      => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => zuul\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    priority => 40\n-    mode     => 0444\n-    ensure   => present\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[aux_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[aux_front_proxy]\n\n-    ca_file      => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    intermediate => aux_front_proxy\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@cassandra]", "parameters": "--- Systemd::Service[cfssl-ocspserve@cassandra].orig\n+++ Systemd::Service[cfssl-ocspserve@cassandra]\n\n-    unit_type                => service\n-    monitoring_enabled       => False\n-    monitoring_critical      => False\n-    override                 => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    restart                  => True\n-    migration_task           => T407130\n-    ensure                   => present\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_cassandra].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_cassandra]\n\n-    user       => nagios\n-    tag        => nrpe::check\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem']\n-    ensure     => present\n-    require    => ['Class[Sudo]']\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    accuracy           => 15sec\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-    ensure             => present\n-    fixed_random_delay => False\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca]", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca]\n\n-    owner   => root\n-    ensure  => directory\n-    group   => root\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n"}, {"resource": "Httpd::Mod_conf[filter]", "parameters": "--- Httpd::Mod_conf[filter].orig\n+++ Httpd::Mod_conf[filter]\n\n-    mod      => filter\n-    loadfile => filter.load\n-    ensure   => present\n"}], "perc_changed": "98.04%"}, "core": {"total": 4897, "only_in_self": ["Augeas[Apache2 logs]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[auto_restart_file_presence_ulogd2]", "File_line[load_env_enabled]", "Node[__node_regexp__pki10012.eqiad.]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Package[ulogd2]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[ferm]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]", "Service[wmf_auto_restart_ulogd2.timer]"], "only_in_other": ["Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", "Node[__node_regexp__pki1001.eqiad.]", "Package[nftables]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]"], "resource_diffs": [{"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => directory\n+    ensure => absent\n"}, {"resource": "File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": "--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0"}, {"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_nftables:\n - Infrastructure Foundations"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => installed\n+    ensure => purged\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => installed\n+    ensure => absent\n"}], "perc_changed": "26.87%"}, "main": {"total": 4897, "only_in_self": ["Alternatives::Select[ip6tables]", "Alternatives::Select[iptables]", "Augeas[Apache2 logs]", "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "Cfssl::Config[aux]", "Cfssl::Config[aux_front_proxy]", "Cfssl::Config[cassandra]", "Cfssl::Config[cloud_wmnet_ca]", "Cfssl::Config[debmonitor]", "Cfssl::Config[discovery2026]", "Cfssl::Config[discovery]", "Cfssl::Config[dse]", "Cfssl::Config[dse_front_proxy]", "Cfssl::Config[etcd]", "Cfssl::Config[kafka]", "Cfssl::Config[mlserve]", "Cfssl::Config[mlserve_front_proxy]", "Cfssl::Config[mlserve_staging]", "Cfssl::Config[mlserve_staging_front_proxy]", "Cfssl::Config[network_devices]", "Cfssl::Config[puppet_rsa]", "Cfssl::Config[syslog]", "Cfssl::Config[wikikube]", "Cfssl::Config[wikikube_front_proxy]", "Cfssl::Config[wikikube_staging]", "Cfssl::Config[wikikube_staging_front_proxy]", "Cfssl::Config[zuul]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "Cfssl::Db[multirootca-db]", "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "Cfssl::Ocsp[aux]", "Cfssl::Ocsp[aux_front_proxy]", "Cfssl::Ocsp[cassandra]", "Cfssl::Ocsp[cloud_wmnet_ca]", "Cfssl::Ocsp[debmonitor]", "Cfssl::Ocsp[discovery2026]", "Cfssl::Ocsp[discovery]", "Cfssl::Ocsp[dse]", "Cfssl::Ocsp[dse_front_proxy]", "Cfssl::Ocsp[etcd]", "Cfssl::Ocsp[kafka]", "Cfssl::Ocsp[mlserve]", "Cfssl::Ocsp[mlserve_front_proxy]", "Cfssl::Ocsp[mlserve_staging]", "Cfssl::Ocsp[mlserve_staging_front_proxy]", "Cfssl::Ocsp[network_devices]", "Cfssl::Ocsp[puppet_rsa]", "Cfssl::Ocsp[syslog]", "Cfssl::Ocsp[wikikube]", "Cfssl::Ocsp[wikikube_front_proxy]", "Cfssl::Ocsp[wikikube_staging]", "Cfssl::Ocsp[wikikube_staging_front_proxy]", "Cfssl::Ocsp[zuul]", "Cfssl::Signer[aux]", "Cfssl::Signer[aux_front_proxy]", "Cfssl::Signer[cassandra]", "Cfssl::Signer[cloud_wmnet_ca]", "Cfssl::Signer[debmonitor]", "Cfssl::Signer[discovery2026]", "Cfssl::Signer[discovery]", "Cfssl::Signer[dse]", "Cfssl::Signer[dse_front_proxy]", "Cfssl::Signer[etcd]", "Cfssl::Signer[kafka]", "Cfssl::Signer[mlserve]", "Cfssl::Signer[mlserve_front_proxy]", "Cfssl::Signer[mlserve_staging]", "Cfssl::Signer[mlserve_staging_front_proxy]", "Cfssl::Signer[network_devices]", "Cfssl::Signer[puppet_rsa]", "Cfssl::Signer[syslog]", "Cfssl::Signer[wikikube]", "Cfssl::Signer[wikikube_front_proxy]", "Cfssl::Signer[wikikube_staging]", "Cfssl::Signer[wikikube_staging_front_proxy]", "Cfssl::Signer[zuul]", "Class[Cfssl::Multirootca]", "Class[Httpd]", "Class[Profile::Firewall::Log::Ferm]", "Class[Profile::Pki::Multirootca]", "Class[Role::Pki::Multirootca]", "Class[Sslcert::Dhparam]", "Class[Ulogd]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "Ferm::Conf[defs]", "Ferm::Conf[main]", "Ferm::Filter_log[filter-bootp]", "Ferm::Rule[drop-blocked-nets]", "Ferm::Rule[dscp-default]", "Ferm::Rule[filter_log_filter-bootp]", "Ferm::Rule[log-everything]", "Ferm::Service[csr_and_ocsp_responder]", "Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[multirootca_tls_termination]", "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[auto_restart_file_presence_ulogd2]", "File_line[load_env_enabled]", "Firewall::Service[csr_and_ocsp_responder]", "Firewall::Service[multirootca tls termination]", "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "Httpd::Conf[defaults]", "Httpd::Conf[dummy]", "Httpd::Conf[pki.discovery.wmnet]", "Httpd::Conf[server-status]", "Httpd::Mod_conf[access_compat]", "Httpd::Mod_conf[filter]", "Httpd::Mod_conf[headers]", "Httpd::Mod_conf[proxy_http]", "Httpd::Mod_conf[ssl]", "Httpd::Mod_conf[status]", "Httpd::Site[dummy]", "Httpd::Site[pki.discovery.wmnet]", "Logrotate::Conf[cfssl-gc-expired-certs]", "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Logrotate::Conf[cfssl-ocsprefresh-aux]", "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[cfssl-ocsprefresh-dse]", "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Logrotate::Conf[ulogd]", "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "Logrotate::Conf[wmf_auto_restart_apache2]", "Logrotate::Conf[wmf_auto_restart_ulogd2]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "Monitoring::Exported_nagios_service[pki1001 ferm_active]", "Monitoring::Service[check_certificate_expiry_aux]", "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "Monitoring::Service[check_certificate_expiry_cassandra]", "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Service[check_certificate_expiry_debmonitor]", "Monitoring::Service[check_certificate_expiry_discovery2026]", "Monitoring::Service[check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_dse]", "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "Monitoring::Service[check_certificate_expiry_etcd]", "Monitoring::Service[check_certificate_expiry_kafka]", "Monitoring::Service[check_certificate_expiry_mlserve]", "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_network_devices]", "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "Monitoring::Service[check_certificate_expiry_syslog]", "Monitoring::Service[check_certificate_expiry_wikikube]", "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_zuul]", "Monitoring::Service[check_cfssl-multirootca_status]", "Monitoring::Service[ferm_active]", "Motd::Message[pki::multirootca]", "Motd::Script[pki::multirootca]", "Node[__node_regexp__pki10012.eqiad.]", "Nrpe::Check[check_check_certificate_expiry_aux]", "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_cassandra]", "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_dse]", "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_etcd]", "Nrpe::Check[check_check_certificate_expiry_kafka]", "Nrpe::Check[check_check_certificate_expiry_mlserve]", "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_network_devices]", "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "Nrpe::Check[check_check_certificate_expiry_syslog]", "Nrpe::Check[check_check_certificate_expiry_wikikube]", "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_zuul]", "Nrpe::Check[check_check_cfssl-multirootca_status]", "Nrpe::Check[check_ferm_active]", "Nrpe::Monitor_service[check_certificate_expiry_aux]", "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_dse]", "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "Nrpe::Monitor_service[ferm_active]", "Nrpe::Plugin[check_ferm]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Package[ulogd2]", "Profile::Auto_restarts::Service[apache-htcacheclean]", "Profile::Auto_restarts::Service[apache2]", "Profile::Auto_restarts::Service[ulogd2]", "Profile::Pki::Multirootca::Monitoring[aux]", "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "Profile::Pki::Multirootca::Monitoring[cassandra]", "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "Profile::Pki::Multirootca::Monitoring[debmonitor]", "Profile::Pki::Multirootca::Monitoring[discovery2026]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Profile::Pki::Multirootca::Monitoring[dse]", "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "Profile::Pki::Multirootca::Monitoring[etcd]", "Profile::Pki::Multirootca::Monitoring[kafka]", "Profile::Pki::Multirootca::Monitoring[mlserve]", "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[network_devices]", "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "Profile::Pki::Multirootca::Monitoring[syslog]", "Profile::Pki::Multirootca::Monitoring[wikikube]", "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[zuul]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "Prometheus::Blackbox::Check::Http[PKI_aux]", "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Blackbox::Check::Http[PKI_dse]", "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_etcd]", "Prometheus::Blackbox::Check::Http[PKI_kafka]", "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "Prometheus::Blackbox::Check::Http[PKI_syslog]", "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_zuul]", "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[cfssl-gc-expired-certs]", "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[ulogd]", "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "Rsyslog::Conf[wmf_auto_restart_apache2]", "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[ferm]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]", "Service[wmf_auto_restart_ulogd2.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "Sudo::User[nrpe-check_ferm_active]", "Sudo::User[nrpe_certificate_check_aux]", "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "Sudo::User[nrpe_certificate_check_cassandra]", "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "Sudo::User[nrpe_certificate_check_debmonitor]", "Sudo::User[nrpe_certificate_check_discovery2026]", "Sudo::User[nrpe_certificate_check_discovery]", "Sudo::User[nrpe_certificate_check_dse]", "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "Sudo::User[nrpe_certificate_check_etcd]", "Sudo::User[nrpe_certificate_check_kafka]", "Sudo::User[nrpe_certificate_check_mlserve]", "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "Sudo::User[nrpe_certificate_check_mlserve_staging]", "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_network_devices]", "Sudo::User[nrpe_certificate_check_puppet_rsa]", "Sudo::User[nrpe_certificate_check_syslog]", "Sudo::User[nrpe_certificate_check_wikikube]", "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "Sudo::User[nrpe_certificate_check_wikikube_staging]", "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_zuul]", "Systemd::Monitor[cfssl-multirootca]", "Systemd::Override[apache2-after-network-online-target]", "Systemd::Override[ferm-service-status-restart]", "Systemd::Service[cfssl-gc-expired-certs]", "Systemd::Service[cfssl-multirootca]", "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocsprefresh-aux]", "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-cassandra]", "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocsprefresh-dse]", "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-etcd]", "Systemd::Service[cfssl-ocsprefresh-kafka]", "Systemd::Service[cfssl-ocsprefresh-mlserve]", "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-network_devices]", "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Service[cfssl-ocsprefresh-syslog]", "Systemd::Service[cfssl-ocsprefresh-wikikube]", "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-zuul]", "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocspserve@aux]", "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "Systemd::Service[cfssl-ocspserve@cassandra]", "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Service[cfssl-ocspserve@debmonitor]", "Systemd::Service[cfssl-ocspserve@discovery2026]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[cfssl-ocspserve@dse]", "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "Systemd::Service[cfssl-ocspserve@etcd]", "Systemd::Service[cfssl-ocspserve@kafka]", "Systemd::Service[cfssl-ocspserve@mlserve]", "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@network_devices]", "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "Systemd::Service[cfssl-ocspserve@syslog]", "Systemd::Service[cfssl-ocspserve@wikikube]", "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@zuul]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Service[nrpe2nodexp-ferm_active]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "Systemd::Service[wmf_auto_restart_apache2]", "Systemd::Service[wmf_auto_restart_ulogd2]", "Systemd::Syslog[cfssl-gc-expired-certs]", "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Syslog[cfssl-ocsprefresh-aux]", "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[cfssl-ocsprefresh-dse]", "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Syslog[ulogd]", "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "Systemd::Syslog[wmf_auto_restart_apache2]", "Systemd::Syslog[wmf_auto_restart_ulogd2]", "Systemd::Timer::Job[cfssl-gc-expired-certs]", "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer::Job[wmf_auto_restart_apache2]", "Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "Systemd::Timer[cfssl-gc-expired-certs]", "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer[cfssl-ocsprefresh-aux]", "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[cfssl-ocsprefresh-dse]", "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-etcd]", "Systemd::Timer[cfssl-ocsprefresh-kafka]", "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer[cfssl-ocsprefresh-syslog]", "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-zuul]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer[nrpe2nodexp-ferm_active]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer[wmf_auto_restart_apache2]", "Systemd::Timer[wmf_auto_restart_ulogd2]", "Systemd::Unit[apache2-apache2-after-network-online-target]", "Systemd::Unit[cfssl-gc-expired-certs.service]", "Systemd::Unit[cfssl-gc-expired-certs.timer]", "Systemd::Unit[cfssl-multirootca]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Unit[cfssl-ocspserve@aux]", "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "Systemd::Unit[cfssl-ocspserve@cassandra]", "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Unit[cfssl-ocspserve@debmonitor]", "Systemd::Unit[cfssl-ocspserve@discovery2026]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[cfssl-ocspserve@dse]", "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "Systemd::Unit[cfssl-ocspserve@etcd]", "Systemd::Unit[cfssl-ocspserve@kafka]", "Systemd::Unit[cfssl-ocspserve@mlserve]", "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@network_devices]", "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "Systemd::Unit[cfssl-ocspserve@syslog]", "Systemd::Unit[cfssl-ocspserve@wikikube]", "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@zuul]", "Systemd::Unit[ferm-ferm-service-status-restart]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "Systemd::Unit[wmf_auto_restart_apache2.service]", "Systemd::Unit[wmf_auto_restart_apache2.timer]", "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "Systemd::Unit[wmf_auto_restart_ulogd2.timer]"], "only_in_other": ["Class[Nftables]", "Class[Profile::Firewall::Nftables_base_sets]", "Class[Role::Insetup::Infrastructure_foundations_nftables]", "Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", "Logrotate::Conf[prometheus-node-textfile-check-nft]", "Motd::Message[insetup::infrastructure_foundations_nftables]", "Motd::Script[insetup::infrastructure_foundations_nftables]", "Nftables::File[base]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]", "Nftables::Set[ANALYTICS_NETWORKS]", "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "Nftables::Set[BASTION_HOSTS]", "Nftables::Set[CACHES]", "Nftables::Set[CLOUD_NETWORKS]", "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "Nftables::Set[CUMIN_MASTERS]", "Nftables::Set[DEPLOYMENT_HOSTS]", "Nftables::Set[DOMAIN_NETWORKS]", "Nftables::Set[DRUID_PUBLIC_HOSTS]", "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "Nftables::Set[FRACK_NETWORKS]", "Nftables::Set[INSTALL_HOSTS]", "Nftables::Set[INTERNAL]", "Nftables::Set[KAFKAMON_HOSTS]", "Nftables::Set[KAFKA_BROKERS_JUMBO]", "Nftables::Set[KAFKA_BROKERS_LOGGING]", "Nftables::Set[KAFKA_BROKERS_MAIN]", "Nftables::Set[LABSTORE_HOSTS]", "Nftables::Set[LABS_NETWORKS]", "Nftables::Set[LINK_LOCAL]", "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "Nftables::Set[MGMT_NETWORKS]", "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "Nftables::Set[MONITORING_HOSTS]", "Nftables::Set[MW_APPSERVER_NETWORKS]", "Nftables::Set[MYSQL_ROOT_CLIENTS]", "Nftables::Set[NETWORK_INFRA]", "Nftables::Set[PRODUCTION_NETWORKS]", "Nftables::Set[PROMETHEUS_HOSTS]", "Nftables::Set[SANDBOX_NETWORKS]", "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "Node[__node_regexp__pki1001.eqiad.]", "Package[nftables]", "Prometheus::Node_textfile[check-nft]", "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]", "Systemd::Service[nftables]", "Systemd::Service[prometheus-node-textfile-check-nft]", "Systemd::Syslog[prometheus-node-textfile-check-nft]", "Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "Systemd::Timer[prometheus-node-textfile-check-nft]", "Systemd::Unit[nftables]", "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "Systemd::Unmask[nftables.service]"], "resource_diffs": [{"resource": "Class[Profile::Firewall]", "parameters": "--- Class[Profile::Firewall].orig\n+++ Class[Profile::Firewall]\n\n@@\n-    provider => ferm\n+    provider => nftables\n"}, {"resource": "Concat::Fragment[main]"}, {"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ssh]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "Confd::File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- Confd::File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ Confd::File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => directory\n+    ensure => absent\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": "--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "Monitoring::Exported_nagios_host[pki1001]", "parameters": "--- Monitoring::Exported_nagios_host[pki1001].orig\n+++ Monitoring::Exported_nagios_host[pki1001]\n\n@@\n-    hostgroups            => pki_eqiad,asw2-a-eqiad\n+    hostgroups            => insetup_eqiad,asw2-a-eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki1001 disk_space]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0"}, {"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => file\n+    ensure => absent\n"}, {"resource": "Class[Profile::Puppet::Agent]", "parameters": "--- Class[Profile::Puppet::Agent].orig\n+++ Class[Profile::Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_nftables:\n - Infrastructure Foundations"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => installed\n+    ensure => purged\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n"}, {"resource": "Class[Firewall]", "parameters": "--- Class[Firewall].orig\n+++ Class[Firewall]\n\n@@\n-    provider => ferm\n+    provider => nftables\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => installed\n+    ensure => absent\n"}, {"resource": "Class[Ferm]", "parameters": "--- Class[Ferm].orig\n+++ Class[Ferm]\n\n@@\n-    ensure => present\n+    ensure => absent\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => PKI server\n+    role_description => Host being setup by Infrastructure Foundations SREs with ntables\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki1001 raid_md]\n\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n"}, {"resource": "Class[Puppet::Agent]", "parameters": "--- Class[Puppet::Agent].orig\n+++ Class[Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}], "perc_changed": "49.40%"}}}