{"host": "pki1001.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4897, "only_in_self": ["Augeas[Apache2 logs]", "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "Cfssl::Config[aux]", "Cfssl::Config[aux_front_proxy]", "Cfssl::Config[cassandra]", "Cfssl::Config[cloud_wmnet_ca]", "Cfssl::Config[debmonitor]", "Cfssl::Config[discovery2026]", "Cfssl::Config[discovery]", "Cfssl::Config[dse]", "Cfssl::Config[dse_front_proxy]", "Cfssl::Config[etcd]", "Cfssl::Config[kafka]", "Cfssl::Config[mlserve]", "Cfssl::Config[mlserve_front_proxy]", "Cfssl::Config[mlserve_staging]", "Cfssl::Config[mlserve_staging_front_proxy]", "Cfssl::Config[network_devices]", "Cfssl::Config[puppet_rsa]", "Cfssl::Config[syslog]", "Cfssl::Config[wikikube]", "Cfssl::Config[wikikube_front_proxy]", "Cfssl::Config[wikikube_staging]", "Cfssl::Config[wikikube_staging_front_proxy]", "Cfssl::Config[zuul]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "Cfssl::Db[multirootca-db]", "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "Cfssl::Ocsp[aux]", "Cfssl::Ocsp[aux_front_proxy]", "Cfssl::Ocsp[cassandra]", "Cfssl::Ocsp[cloud_wmnet_ca]", "Cfssl::Ocsp[debmonitor]", "Cfssl::Ocsp[discovery2026]", "Cfssl::Ocsp[discovery]", "Cfssl::Ocsp[dse]", "Cfssl::Ocsp[dse_front_proxy]", "Cfssl::Ocsp[etcd]", "Cfssl::Ocsp[kafka]", "Cfssl::Ocsp[mlserve]", "Cfssl::Ocsp[mlserve_front_proxy]", "Cfssl::Ocsp[mlserve_staging]", "Cfssl::Ocsp[mlserve_staging_front_proxy]", "Cfssl::Ocsp[network_devices]", "Cfssl::Ocsp[puppet_rsa]", "Cfssl::Ocsp[syslog]", "Cfssl::Ocsp[wikikube]", "Cfssl::Ocsp[wikikube_front_proxy]", "Cfssl::Ocsp[wikikube_staging]", "Cfssl::Ocsp[wikikube_staging_front_proxy]", "Cfssl::Ocsp[zuul]", "Cfssl::Signer[aux]", "Cfssl::Signer[aux_front_proxy]", "Cfssl::Signer[cassandra]", "Cfssl::Signer[cloud_wmnet_ca]", "Cfssl::Signer[debmonitor]", "Cfssl::Signer[discovery2026]", "Cfssl::Signer[discovery]", "Cfssl::Signer[dse]", "Cfssl::Signer[dse_front_proxy]", "Cfssl::Signer[etcd]", "Cfssl::Signer[kafka]", "Cfssl::Signer[mlserve]", "Cfssl::Signer[mlserve_front_proxy]", "Cfssl::Signer[mlserve_staging]", "Cfssl::Signer[mlserve_staging_front_proxy]", "Cfssl::Signer[network_devices]", "Cfssl::Signer[puppet_rsa]", "Cfssl::Signer[syslog]", "Cfssl::Signer[wikikube]", "Cfssl::Signer[wikikube_front_proxy]", "Cfssl::Signer[wikikube_staging]", "Cfssl::Signer[wikikube_staging_front_proxy]", "Cfssl::Signer[zuul]", "Class[Cfssl::Multirootca]", "Class[Httpd]", "Class[Profile::Pki::Multirootca]", "Class[Role::Pki::Multirootca]", "Class[Sslcert::Dhparam]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "Ferm::Service[csr_and_ocsp_responder]", "Ferm::Service[multirootca_tls_termination]", "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[load_env_enabled]", "Firewall::Service[csr_and_ocsp_responder]", "Firewall::Service[multirootca tls termination]", "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "Httpd::Conf[defaults]", "Httpd::Conf[dummy]", "Httpd::Conf[pki.discovery.wmnet]", "Httpd::Conf[server-status]", "Httpd::Mod_conf[access_compat]", "Httpd::Mod_conf[filter]", "Httpd::Mod_conf[headers]", "Httpd::Mod_conf[proxy_http]", "Httpd::Mod_conf[ssl]", "Httpd::Mod_conf[status]", "Httpd::Site[dummy]", "Httpd::Site[pki.discovery.wmnet]", "Logrotate::Conf[cfssl-gc-expired-certs]", "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Logrotate::Conf[cfssl-ocsprefresh-aux]", "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[cfssl-ocsprefresh-dse]", "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "Logrotate::Conf[wmf_auto_restart_apache2]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "Monitoring::Service[check_certificate_expiry_aux]", "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "Monitoring::Service[check_certificate_expiry_cassandra]", "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Service[check_certificate_expiry_debmonitor]", "Monitoring::Service[check_certificate_expiry_discovery2026]", "Monitoring::Service[check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_dse]", "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "Monitoring::Service[check_certificate_expiry_etcd]", "Monitoring::Service[check_certificate_expiry_kafka]", "Monitoring::Service[check_certificate_expiry_mlserve]", "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_network_devices]", "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "Monitoring::Service[check_certificate_expiry_syslog]", "Monitoring::Service[check_certificate_expiry_wikikube]", "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_zuul]", "Monitoring::Service[check_cfssl-multirootca_status]", "Motd::Message[pki::multirootca]", "Motd::Script[pki::multirootca]", "Node[__node_regexp__pki10012.eqiad.]", "Nrpe::Check[check_check_certificate_expiry_aux]", "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_cassandra]", "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_dse]", "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_etcd]", "Nrpe::Check[check_check_certificate_expiry_kafka]", "Nrpe::Check[check_check_certificate_expiry_mlserve]", "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_network_devices]", "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "Nrpe::Check[check_check_certificate_expiry_syslog]", "Nrpe::Check[check_check_certificate_expiry_wikikube]", "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_zuul]", "Nrpe::Check[check_check_cfssl-multirootca_status]", "Nrpe::Monitor_service[check_certificate_expiry_aux]", "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_dse]", "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Profile::Auto_restarts::Service[apache-htcacheclean]", "Profile::Auto_restarts::Service[apache2]", "Profile::Pki::Multirootca::Monitoring[aux]", "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "Profile::Pki::Multirootca::Monitoring[cassandra]", "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "Profile::Pki::Multirootca::Monitoring[debmonitor]", "Profile::Pki::Multirootca::Monitoring[discovery2026]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Profile::Pki::Multirootca::Monitoring[dse]", "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "Profile::Pki::Multirootca::Monitoring[etcd]", "Profile::Pki::Multirootca::Monitoring[kafka]", "Profile::Pki::Multirootca::Monitoring[mlserve]", "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[network_devices]", "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "Profile::Pki::Multirootca::Monitoring[syslog]", "Profile::Pki::Multirootca::Monitoring[wikikube]", "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[zuul]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "Prometheus::Blackbox::Check::Http[PKI_aux]", "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Blackbox::Check::Http[PKI_dse]", "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_etcd]", "Prometheus::Blackbox::Check::Http[PKI_kafka]", "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "Prometheus::Blackbox::Check::Http[PKI_syslog]", "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_zuul]", "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[cfssl-gc-expired-certs]", "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "Rsyslog::Conf[wmf_auto_restart_apache2]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "Sudo::User[nrpe_certificate_check_aux]", "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "Sudo::User[nrpe_certificate_check_cassandra]", "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "Sudo::User[nrpe_certificate_check_debmonitor]", "Sudo::User[nrpe_certificate_check_discovery2026]", "Sudo::User[nrpe_certificate_check_discovery]", "Sudo::User[nrpe_certificate_check_dse]", "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "Sudo::User[nrpe_certificate_check_etcd]", "Sudo::User[nrpe_certificate_check_kafka]", "Sudo::User[nrpe_certificate_check_mlserve]", "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "Sudo::User[nrpe_certificate_check_mlserve_staging]", "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_network_devices]", "Sudo::User[nrpe_certificate_check_puppet_rsa]", "Sudo::User[nrpe_certificate_check_syslog]", "Sudo::User[nrpe_certificate_check_wikikube]", "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "Sudo::User[nrpe_certificate_check_wikikube_staging]", "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_zuul]", "Systemd::Monitor[cfssl-multirootca]", "Systemd::Override[apache2-after-network-online-target]", "Systemd::Service[cfssl-gc-expired-certs]", "Systemd::Service[cfssl-multirootca]", "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocsprefresh-aux]", "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-cassandra]", "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocsprefresh-dse]", "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-etcd]", "Systemd::Service[cfssl-ocsprefresh-kafka]", "Systemd::Service[cfssl-ocsprefresh-mlserve]", "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-network_devices]", "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Service[cfssl-ocsprefresh-syslog]", "Systemd::Service[cfssl-ocsprefresh-wikikube]", "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-zuul]", "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocspserve@aux]", "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "Systemd::Service[cfssl-ocspserve@cassandra]", "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Service[cfssl-ocspserve@debmonitor]", "Systemd::Service[cfssl-ocspserve@discovery2026]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[cfssl-ocspserve@dse]", "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "Systemd::Service[cfssl-ocspserve@etcd]", "Systemd::Service[cfssl-ocspserve@kafka]", "Systemd::Service[cfssl-ocspserve@mlserve]", "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@network_devices]", "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "Systemd::Service[cfssl-ocspserve@syslog]", "Systemd::Service[cfssl-ocspserve@wikikube]", "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@zuul]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "Systemd::Service[wmf_auto_restart_apache2]", "Systemd::Syslog[cfssl-gc-expired-certs]", "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Syslog[cfssl-ocsprefresh-aux]", "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[cfssl-ocsprefresh-dse]", "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "Systemd::Syslog[wmf_auto_restart_apache2]", "Systemd::Timer::Job[cfssl-gc-expired-certs]", "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer::Job[wmf_auto_restart_apache2]", "Systemd::Timer[cfssl-gc-expired-certs]", "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer[cfssl-ocsprefresh-aux]", "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[cfssl-ocsprefresh-dse]", "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-etcd]", "Systemd::Timer[cfssl-ocsprefresh-kafka]", "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer[cfssl-ocsprefresh-syslog]", "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-zuul]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer[wmf_auto_restart_apache2]", "Systemd::Unit[apache2-apache2-after-network-online-target]", "Systemd::Unit[cfssl-gc-expired-certs.service]", "Systemd::Unit[cfssl-gc-expired-certs.timer]", "Systemd::Unit[cfssl-multirootca]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Unit[cfssl-ocspserve@aux]", "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "Systemd::Unit[cfssl-ocspserve@cassandra]", "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Unit[cfssl-ocspserve@debmonitor]", "Systemd::Unit[cfssl-ocspserve@discovery2026]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[cfssl-ocspserve@dse]", "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "Systemd::Unit[cfssl-ocspserve@etcd]", "Systemd::Unit[cfssl-ocspserve@kafka]", "Systemd::Unit[cfssl-ocspserve@mlserve]", "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@network_devices]", "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "Systemd::Unit[cfssl-ocspserve@syslog]", "Systemd::Unit[cfssl-ocspserve@wikikube]", "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@zuul]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "Systemd::Unit[wmf_auto_restart_apache2.service]", "Systemd::Unit[wmf_auto_restart_apache2.timer]"], "only_in_other": ["Class[Role::Insetup::Infrastructure_foundations_ferm]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Motd::Message[insetup::infrastructure_foundations_ferm]", "Motd::Script[insetup::infrastructure_foundations_ferm]", "Node[__node_regexp__pki1001.eqiad.]"], "resource_diffs": [{"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-discovery2026].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-discovery2026]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Cfssl::Ocsp[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Ocsp[mlserve_staging_front_proxy].orig\n+++ Cfssl::Ocsp[mlserve_staging_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20041\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/wmf_auto_restart_apache2]", "parameters": "--- File[/var/log/wmf_auto_restart_apache2].orig\n+++ File[/var/log/wmf_auto_restart_apache2]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-zuul-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca/aux.pem]", "content": "--- /etc/cfssl/signers/aux/ca/aux.pem.orig\n+++ /etc/cfssl/signers/aux/ca/aux.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\n-h264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\n-sa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\n-QcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n-1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\n-tEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\n-Sr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\n-A3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/aux/ca/aux.pem].orig\n+++ File[/etc/cfssl/signers/aux/ca/aux.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-aux]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-aux].orig\n+++ File[/var/log/cfssl-ocsprefresh-aux]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Nrpe::Plugin[check_systemd_unit_status]", "parameters": "--- Nrpe::Plugin[check_systemd_unit_status].orig\n+++ Nrpe::Plugin[check_systemd_unit_status]\n\n-    source => puppet:///modules/systemd/check_systemd_unit_status\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_dse]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Service[apache-htcacheclean]", "parameters": "--- Service[apache-htcacheclean].orig\n+++ Service[apache-htcacheclean]\n\n-    ensure => stopped\n-    enable => False\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_aux].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_aux]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem']\n-    user       => nagios\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_front_proxy' mlserve_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@dse.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@dse.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (dse)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20061 \\\n-          -responses /etc/cfssl/ocsp/dse.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@dse.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@dse.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (aux_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20051 \\\n-          -responses /etc/cfssl/ocsp/aux_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]']\n"}, {"resource": "Package[python3-cryptography]", "parameters": "--- Package[python3-cryptography].orig\n+++ Package[python3-cryptography]\n\n-    provider => apt\n-    ensure   => installed\n"}, {"resource": "File_line[load_env_enabled]", "parameters": "--- File_line[load_env_enabled].orig\n+++ File_line[load_env_enabled]\n\n-    line    => for f in /etc/apache2/env-enabled/*.sh; do [ -r \"$f\" ] && . \"$f\" >&2; done || true\n-    match   => env-enabled\n-    path    => /etc/apache2/envvars\n-    require => Package[apache2]\n"}, {"resource": "Exec[Generate initial CRL for wikikube]", "parameters": "--- Exec[Generate initial CRL for wikikube].orig\n+++ Exec[Generate initial CRL for wikikube]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/wikikube\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube/ca/wikikube.pem /etc/cfssl/signers/wikikube/ca/wikikube-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor]", "parameters": "--- File[/etc/cfssl/signers/debmonitor].orig\n+++ File[/etc/cfssl/signers/debmonitor]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Httpd::Conf[pki.discovery.wmnet]", "parameters": "--- Httpd::Conf[pki.discovery.wmnet].orig\n+++ Httpd::Conf[pki.discovery.wmnet]\n\n-    conf_type => sites\n-    ensure    => present\n-    priority  => 50\n"}, {"resource": "Cfssl::Config[mlserve_staging]", "parameters": "--- Cfssl::Config[mlserve_staging].orig\n+++ Cfssl::Config[mlserve_staging]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_staging\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/mlserve_staging/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_staging\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20010 \\\n-          -responses /etc/cfssl/ocsp/wikikube.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]\n"}, {"resource": "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery2026.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-discovery2026.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_debmonitor].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem']\n-    user       => nagios\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"38e4dbcfd07ed60daf5bb89397abbe29\",check_name=\"check_check_certificate_expiry_discovery\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_dse]", "parameters": "--- Sudo::User[nrpe_certificate_check_dse].orig\n+++ Sudo::User[nrpe_certificate_check_dse]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_dse\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery-key.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery-key.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_staging.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging].orig\n+++ File[/etc/cfssl/signers/wikikube_staging]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_mlserve_front_proxy\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/etc/apache2/env-enabled]", "parameters": "--- File[/etc/apache2/env-enabled].orig\n+++ File[/etc/apache2/env-enabled]\n\n-    owner   => root\n-    recurse => True\n-    purge   => True\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    group   => root\n-    notify  => Service[apache2]\n"}, {"resource": "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_cassandra]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-dse-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-puppet_rsa.timer]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - wikikube_staging\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --responses-file /etc/cfssl/ocsp/wikikube_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging' wikikube_staging \n"}, {"resource": "File[/etc/cfssl/signers/zuul]", "parameters": "--- File[/etc/cfssl/signers/zuul].orig\n+++ File[/etc/cfssl/signers/zuul]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-debmonitor]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-debmonitor.service\n"}, {"resource": "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-cassandra.timer]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_staging_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    check_interval         => 1\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    intermediate => mlserve_front_proxy\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-etcd.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-etcd.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-etcd.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Timer[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Timer[wmf_auto_restart_apache-htcacheclean]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00'}]\n-    unit_name          => wmf_auto_restart_apache-htcacheclean.service\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[etcd]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[etcd].orig\n+++ Profile::Pki::Multirootca::Monitoring[etcd]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    intermediate => etcd\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_staging_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    check_interval         => 1\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "content": "--- /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem.orig\n+++ /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/dse_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-dse_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "content": "--- /etc/cfssl/signers/syslog/ca/syslog.pem.orig\n+++ /etc/cfssl/signers/syslog/ca/syslog.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\n-CaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\n-W94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\n-q4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\n-DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\n-qaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\n-BggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\n-LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\n-QTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\n-YV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n-8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\n-p828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\n-as4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/syslog/ca/syslog.pem].orig\n+++ File[/etc/cfssl/signers/syslog/ca/syslog.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_etcd\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/signers/aux]", "parameters": "--- File[/etc/cfssl/signers/aux].orig\n+++ File[/etc/cfssl/signers/aux]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Cfssl::Ocsp[dse_front_proxy]", "parameters": "--- Cfssl::Ocsp[dse_front_proxy].orig\n+++ Cfssl::Ocsp[dse_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20062\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n"}, {"resource": "Class[Cfssl::Multirootca]", "parameters": "--- Class[Cfssl::Multirootca].orig\n+++ Class[Cfssl::Multirootca]\n\n-    host                => 127.0.0.1\n-    enable_monitoring   => True\n-    monitoring_critical => True\n-    ensure              => present\n-    port                => 8888\n-    signers             => {'debmonitor': {'private': '/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem', 'certificate': '/etc/cfssl/signers/debmonitor/ca/debmonitor.pem', 'config': '/etc/cfssl/signers/debmonitor/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery': {'private': '/etc/cfssl/signers/discovery/ca/discovery-key.pem', 'certificate': '/etc/cfssl/signers/discovery/ca/discovery.pem', 'config': '/etc/cfssl/signers/discovery/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'kafka': {'private': '/etc/cfssl/signers/kafka/ca/kafka-key.pem', 'certificate': '/etc/cfssl/signers/kafka/ca/kafka.pem', 'config': '/etc/cfssl/signers/kafka/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cloud_wmnet_ca': {'private': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem', 'certificate': '/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem', 'config': '/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'etcd': {'private': '/etc/cfssl/signers/etcd/ca/etcd-key.pem', 'certificate': '/etc/cfssl/signers/etcd/ca/etcd.pem', 'config': '/etc/cfssl/signers/etcd/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'cassandra': {'private': '/etc/cfssl/signers/cassandra/ca/cassandra-key.pem', 'certificate': '/etc/cfssl/signers/cassandra/ca/cassandra.pem', 'config': '/etc/cfssl/signers/cassandra/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'syslog': {'private': '/etc/cfssl/signers/syslog/ca/syslog-key.pem', 'certificate': '/etc/cfssl/signers/syslog/ca/syslog.pem', 'config': '/etc/cfssl/signers/syslog/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'puppet_rsa': {'private': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem', 'certificate': '/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem', 'config': '/etc/cfssl/signers/puppet_rsa/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'zuul': {'private': '/etc/cfssl/signers/zuul/ca/zuul-key.pem', 'certificate': '/etc/cfssl/signers/zuul/ca/zuul.pem', 'config': '/etc/cfssl/signers/zuul/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'discovery2026': {'private': '/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem', 'certificate': '/etc/cfssl/signers/discovery2026/ca/discovery2026.pem', 'config': '/etc/cfssl/signers/discovery2026/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube': {'private': '/etc/cfssl/signers/wikikube/ca/wikikube-key.pem', 'certificate': '/etc/cfssl/signers/wikikube/ca/wikikube.pem', 'config': '/etc/cfssl/signers/wikikube/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_front_proxy': {'private': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging': {'private': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem', 'config': '/etc/cfssl/signers/wikikube_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'wikikube_staging_front_proxy': {'private': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve': {'private': '/etc/cfssl/signers/mlserve/ca/mlserve-key.pem', 'certificate': '/etc/cfssl/signers/mlserve/ca/mlserve.pem', 'config': '/etc/cfssl/signers/mlserve/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_front_proxy': {'private': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging': {'private': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem', 'config': '/etc/cfssl/signers/mlserve_staging/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'mlserve_staging_front_proxy': {'private': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem', 'config': '/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux': {'private': '/etc/cfssl/signers/aux/ca/aux-key.pem', 'certificate': '/etc/cfssl/signers/aux/ca/aux.pem', 'config': '/etc/cfssl/signers/aux/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'aux_front_proxy': {'private': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem', 'config': '/etc/cfssl/signers/aux_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse': {'private': '/etc/cfssl/signers/dse/ca/dse-key.pem', 'certificate': '/etc/cfssl/signers/dse/ca/dse.pem', 'config': '/etc/cfssl/signers/dse/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'dse_front_proxy': {'private': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem', 'certificate': '/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem', 'config': '/etc/cfssl/signers/dse_front_proxy/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}, 'network_devices': {'private': '/etc/cfssl/signers/network_devices/ca/network_devices-key.pem', 'certificate': '/etc/cfssl/signers/network_devices/ca/network_devices.pem', 'config': '/etc/cfssl/signers/network_devices/cfssl.conf', 'dbconfig': '/etc/cfssl/db.conf', 'nets': ['127.0.0.1/32']}}\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Cfssl::Config[dse_front_proxy]", "parameters": "--- Cfssl::Config[dse_front_proxy].orig\n+++ Cfssl::Config[dse_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/dse_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/dse_front_proxy\n"}, {"resource": "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n"}, {"resource": "Sudo::User[nrpe_certificate_check_zuul]", "parameters": "--- Sudo::User[nrpe_certificate_check_zuul].orig\n+++ Sudo::User[nrpe_certificate_check_zuul]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_zuul\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve\n-\n-/var/log/cfssl-ocsprefresh-mlserve/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Signer[aux_front_proxy]", "parameters": "--- Cfssl::Signer[aux_front_proxy].orig\n+++ Cfssl::Signer[aux_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\npNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\nZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\nHEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/aux_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/aux_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_etcd.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_etcd.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Service[cfssl-ocsprefresh-dse]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-dse.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_staging_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20041 \\\n-          -responses /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]\n"}, {"resource": "Service[cfssl-ocspserve@discovery2026]", "parameters": "--- Service[cfssl-ocspserve@discovery2026].orig\n+++ Service[cfssl-ocspserve@discovery2026]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => puppet_rsa\n-    notify          => Service[cfssl-ocspserve@puppet_rsa]\n-    profile         => ocsp\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_staging!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    check_interval         => 1\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-syslog]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/signers/network_devices]", "parameters": "--- File[/etc/cfssl/signers/network_devices].orig\n+++ File[/etc/cfssl/signers/network_devices]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Cfssl::Signer[etcd]", "parameters": "--- Cfssl::Signer[etcd].orig\n+++ Cfssl::Signer[etcd]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\nZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\nN/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\nZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\nKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\nbW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\nP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\nSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\njkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\nUF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/etcd\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n-    ca_file          => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/etcd/ca/etcd-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/etcd\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@syslog]", "parameters": "--- Systemd::Service[cfssl-ocspserve@syslog].orig\n+++ Systemd::Service[cfssl-ocspserve@syslog]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-dse]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => dse\n-    notify          => Service[cfssl-ocspserve@dse]\n-    profile         => ocsp\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_debmonitor].orig\n+++ Nrpe::Check[check_check_certificate_expiry_debmonitor]\n\n-    before    => Monitoring::Service[check_certificate_expiry_debmonitor]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Httpd::Site[pki.discovery.wmnet]", "parameters": "--- Httpd::Site[pki.discovery.wmnet].orig\n+++ Httpd::Site[pki.discovery.wmnet]\n\n-    ensure   => present\n-    priority => 50\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Unit[cfssl-multirootca]", "parameters": "--- Systemd::Unit[cfssl-multirootca].orig\n+++ Systemd::Unit[cfssl-multirootca]\n\n-    override          => False\n-    unit              => cfssl-multirootca\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[cfssl-gc-expired-certs.timer]", "parameters": "--- Service[cfssl-gc-expired-certs.timer].orig\n+++ Service[cfssl-gc-expired-certs.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n@@ -1 +0,0 @@\n-fake", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_discovery\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Sudo::User[nrpe_certificate_check_kafka]", "parameters": "--- Sudo::User[nrpe_certificate_check_kafka].orig\n+++ Sudo::User[nrpe_certificate_check_kafka]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_kafka\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]\n\n-    mode    => 0740\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n-    recurse => True\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca]", "parameters": "--- File[/etc/cfssl/signers/discovery/ca].orig\n+++ File[/etc/cfssl/signers/discovery/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[aux]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[aux].orig\n+++ Profile::Pki::Multirootca::Monitoring[aux]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/aux/ca/aux.pem\n-    intermediate => aux\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@wikikube_staging]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocspserve@network_devices]", "parameters": "--- Service[cfssl-ocspserve@network_devices].orig\n+++ Service[cfssl-ocspserve@network_devices]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Cfssl::Config[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Config[wikikube_staging_front_proxy].orig\n+++ Cfssl::Config[wikikube_staging_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_aux]", "parameters": "--- Monitoring::Service[check_certificate_expiry_aux].orig\n+++ Monitoring::Service[check_certificate_expiry_aux]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_aux!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: aux\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => mlserve\n-    notify          => Service[cfssl-ocspserve@mlserve]\n-    profile         => ocsp\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_staging/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_staging/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_staging\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_staging\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem']\n-    user       => nagios\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Sudo::User[nrpe_certificate_check_discovery]", "parameters": "--- Sudo::User[nrpe_certificate_check_discovery].orig\n+++ Sudo::User[nrpe_certificate_check_discovery]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_discovery\n"}, {"resource": "File[/etc/apache2/ports.conf]", "parameters": "--- File[/etc/apache2/ports.conf].orig\n+++ File[/etc/apache2/ports.conf]\n\n-    require => Package[apache2]\n-    source  => puppet:///modules/httpd/default-ports.conf\n-    ensure  => file\n-    owner   => root\n-    group   => root\n-    notify  => Service[apache2]\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean].orig\n+++ Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]\n\n-    mode     => 0444\n-    require  => File[/var/log/wmf_auto_restart_apache-htcacheclean]\n-    ensure   => absent\n-    priority => 40\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_aux_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_aux_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_kafka]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_kafka].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_kafka]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"kafka\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-syslog]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-syslog.service\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_aux_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_aux_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_aux_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "content": "--- /etc/cfssl/signers/debmonitor/ca/debmonitor.pem.orig\n+++ /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\n-AAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\n-M+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\n-WgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\n-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\n-TrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\n-EzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\n-HwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\n-bWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\n-XIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\n-y9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\n-EknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_puppet_rsa command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_puppet_rsa\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"c1b324b3d8ac107f8d7483b4017f5edf\" --timeout 10 --check-command \"check_check_certificate_expiry_puppet_rsa\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Profile::Auto_restarts::Service[apache2]", "parameters": "--- Profile::Auto_restarts::Service[apache2].orig\n+++ Profile::Auto_restarts::Service[apache2]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - aux_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --responses-file /etc/cfssl/ocsp/aux_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux_front_proxy' aux_front_proxy \n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/srv/cfssl/bundles/zuul.pem]", "content": "--- /srv/cfssl/bundles/zuul.pem.orig\n+++ /srv/cfssl/bundles/zuul.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\n-dSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\n-g+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\n-g7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\n-jr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\n-HAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\n-atmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\n-XjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/zuul.pem].orig\n+++ File[/srv/cfssl/bundles/zuul.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ssh]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]']\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-puppet_rsa\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-puppet_rsa/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_staging]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-network_devices.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-network_devices.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-network_devices.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-network_devices.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]\n"}, {"resource": "File_line[auto_restart_file_presence_apache2]", "parameters": "--- File_line[auto_restart_file_presence_apache2].orig\n+++ File_line[auto_restart_file_presence_apache2]\n\n-    line    => apache2\n-    require => File[/etc/debdeploy-client/autorestarts.conf]\n-    path    => /etc/debdeploy-client/autorestarts.conf\n-    ensure  => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-etcd]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-etcd.service\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Service[cfssl-ocsprefresh-puppet_rsa]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_dse]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_dse].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_dse]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: dse\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_cloud_wmnet_ca]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_staging\n-\n-/var/log/cfssl-ocsprefresh-wikikube_staging/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[dse]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[dse].orig\n+++ Profile::Pki::Multirootca::Monitoring[dse]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/dse/ca/dse.pem\n-    intermediate => dse\n"}, {"resource": "File[/etc/cfssl/ocsp/dse.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/dse.ocsp].orig\n+++ File[/etc/cfssl/ocsp/dse.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_discovery2026].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_discovery2026]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"discovery2026\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@network_devices]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@network_devices].orig\n+++ Systemd::Unit[cfssl-ocspserve@network_devices]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@network_devices\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_debmonitor.service\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-kafka]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Cfssl::Signer[puppet_rsa]", "parameters": "--- Cfssl::Signer[puppet_rsa].orig\n+++ Cfssl::Signer[puppet_rsa]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\nMIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\nlbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\nXutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\nz/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\ni16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\nFBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\nBnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\nAJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\nmXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\nRn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\nGGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\nAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\nDgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\nvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\na2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\nQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\nY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\nhwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\nxTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/puppet_rsa\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/puppet_rsa\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_etcd].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_etcd]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n"}, {"resource": "Cfssl::Signer[discovery2026]", "parameters": "--- Cfssl::Signer[discovery2026].orig\n+++ Cfssl::Signer[discovery2026]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\nA4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\nHQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\nCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\nSXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\nc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\nA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\naWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\nUGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\nb9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\naTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n-----END CERTIFICATE-----\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery2026\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n-    ca_file          => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    ca_key_file      => /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/discovery2026\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_staging!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    check_interval         => 1\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/kafka/cfssl.conf]", "content": "--- /etc/cfssl/signers/kafka/cfssl.conf.orig\n+++ /etc/cfssl/signers/kafka/cfssl.conf\n@@ -1,75 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/kafka\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/kafka\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"kafka_11\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/kafka/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/kafka/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_puppet_rsa\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@aux]", "parameters": "--- Systemd::Service[cfssl-ocspserve@aux].orig\n+++ Systemd::Service[cfssl-ocspserve@aux]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@debmonitor]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@debmonitor].orig\n+++ Systemd::Unit[cfssl-ocspserve@debmonitor]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@debmonitor\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@discovery2026]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@discovery2026].orig\n+++ Systemd::Unit[cfssl-ocspserve@discovery2026]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@discovery2026\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-discovery2026]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-dse_front_proxy.service\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]\n\n-    owner   => root\n-    require => Package[nagios-nrpe-server]\n-    group   => root\n-    ensure  => absent\n"}, {"resource": "Httpd::Conf[server-status]", "parameters": "--- Httpd::Conf[server-status].orig\n+++ Httpd::Conf[server-status]\n\n-    require   => Httpd::Mod_conf[status]\n-    source    => puppet:///modules/httpd/status.conf\n-    priority  => 50\n-    ensure    => present\n-    conf_type => conf\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_network_devices.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-syslog.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-syslog.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-syslog.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-syslog.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-aux_front_proxy.timer]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@dse]", "parameters": "--- Systemd::Service[cfssl-ocspserve@dse].orig\n+++ Systemd::Service[cfssl-ocspserve@dse]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_staging\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f389c556cebfcfc345b3d6802f320045\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging\"\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[aux_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[aux_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    intermediate => aux_front_proxy\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe_certificate_check_cassandra]", "parameters": "--- Sudo::User[nrpe_certificate_check_cassandra].orig\n+++ Sudo::User[nrpe_certificate_check_cassandra]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_cassandra\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-dse]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_aux command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_aux\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f7dfe9e2cd77303dfae7ae11c5c56d90\" --timeout 10 --check-command \"check_check_certificate_expiry_aux\"\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_staging_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"b194b5b9b6c9d6e05b9eed8dcfcc40cf\",check_name=\"check_check_certificate_expiry_mlserve_staging_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_staging_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca].orig\n+++ File[/etc/cfssl/signers/mlserve/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[Generate initial CRL for dse]", "parameters": "--- Exec[Generate initial CRL for dse].orig\n+++ Exec[Generate initial CRL for dse]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/dse\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/dse/ca/dse.pem /etc/cfssl/signers/dse/ca/dse-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/dse\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_cfssl-multirootca_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - dse_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --responses-file /etc/cfssl/ocsp/dse_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse_front_proxy' dse_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]\n"}, {"resource": "File[/etc/cfssl/ocsp/aux.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/aux.ocsp].orig\n+++ File[/etc/cfssl/ocsp/aux.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_zuul].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_zuul]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem']\n-    user       => nagios\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "content": "--- /etc/cfssl/signers/wikikube/ca/wikikube.pem.orig\n+++ /etc/cfssl/signers/wikikube/ca/wikikube.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\n-AX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n-4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\n-YIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\n-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\n-B9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\n-MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\n-cnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\n-QzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\n-ZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\n-GaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\n-GBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n-9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca/wikikube.pem].orig\n+++ File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Service[cfssl-ocsprefresh-cassandra]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-cassandra.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_cassandra].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_cassandra]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: cassandra\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@cassandra]", "parameters": "--- Systemd::Service[cfssl-ocspserve@cassandra].orig\n+++ Systemd::Service[cfssl-ocspserve@cassandra]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Cfssl::Signer[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Signer[wikikube_staging_front_proxy].orig\n+++ Cfssl::Signer[wikikube_staging_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\nijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\nBgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\nFR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\nj87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\ndC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\nAf8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\nFDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\nAYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\nZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\ndmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\nzj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\nE6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n/3y5tw==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => test\n\n-    ca_file          => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 72h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"wikikube_staging_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]']\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[debmonitor]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[debmonitor].orig\n+++ Profile::Pki::Multirootca::Monitoring[debmonitor]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    intermediate => debmonitor\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_cassandra]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_cassandra].orig\n+++ Nrpe::Check[check_check_certificate_expiry_cassandra]\n\n-    before    => Monitoring::Service[check_certificate_expiry_cassandra]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[puppet_rsa].orig\n+++ Profile::Pki::Multirootca::Monitoring[puppet_rsa]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    intermediate => puppet_rsa\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]']\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_dse_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"2560f4f577ba169af651cf96bd5dc1ba\",check_name=\"check_check_certificate_expiry_dse_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__dse_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - wikikube_staging_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging_front_proxy' wikikube_staging_front_proxy \n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "Cfssl::Signer[cassandra]", "parameters": "--- Cfssl::Signer[cassandra].orig\n+++ Cfssl::Signer[cassandra]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\nzjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\nCA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\neyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\nNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\nBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\nZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\nD2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\nB6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/cassandra\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/cassandra\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-discovery]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging].orig\n+++ File[/etc/cfssl/signers/mlserve_staging]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_zuul.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-cloud_wmnet_ca.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-cloud_wmnet_ca.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-etcd]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - etcd\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/etcd/ca/etcd.pem --responses-file /etc/cfssl/ocsp/etcd.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@etcd' etcd \n"}, {"resource": "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "content": "--- /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf.orig\n+++ /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf\n@@ -1 +0,0 @@\n-Listen 8443", "parameters": "--- File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf].orig\n+++ File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-dse_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-dse_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_staging\n-\n-/var/log/cfssl-ocsprefresh-mlserve_staging/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - wikikube_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_front_proxy' wikikube_front_proxy \n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_staging))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f389c556cebfcfc345b3d6802f320045\",check_name=\"check_check_certificate_expiry_wikikube_staging\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_staging\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@dse]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@dse].orig\n+++ Systemd::Unit[cfssl-ocspserve@dse]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@dse\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-cassandra-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[cfssl-ocsprefresh-kafka.timer]", "parameters": "--- Service[cfssl-ocsprefresh-kafka.timer].orig\n+++ Service[cfssl-ocsprefresh-kafka.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Rsyslog::Conf[cfssl-gc-expired-certs]", "parameters": "--- Rsyslog::Conf[cfssl-gc-expired-certs].orig\n+++ Rsyslog::Conf[cfssl-gc-expired-certs]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-gc-expired-certs]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/cfssl/ocsp/syslog.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/syslog.ocsp].orig\n+++ File[/etc/cfssl/ocsp/syslog.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-kafka]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-kafka.service\n"}, {"resource": "Service[cfssl-ocsprefresh-debmonitor.timer]", "parameters": "--- Service[cfssl-ocsprefresh-debmonitor.timer].orig\n+++ Service[cfssl-ocsprefresh-debmonitor.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca]", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Exec[ensure_present_mod_filter]", "parameters": "--- Exec[ensure_present_mod_filter].orig\n+++ Exec[ensure_present_mod_filter]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/filter.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod filter\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-dse_front_proxy.timer]']\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@network_devices]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "parameters": "--- Service[nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]']\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@dse_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@dse_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@dse_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate initial CRL for cloud_wmnet_ca]", "parameters": "--- Exec[Generate initial CRL for cloud_wmnet_ca].orig\n+++ Exec[Generate initial CRL for cloud_wmnet_ca]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/cloud_wmnet_ca\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/cloud_wmnet_ca\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_syslog.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_syslog.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate initial CRL for discovery]", "parameters": "--- Exec[Generate initial CRL for discovery].orig\n+++ Exec[Generate initial CRL for discovery]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/discovery\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery/ca/discovery.pem /etc/cfssl/signers/discovery/ca/discovery-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/discovery\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[dse_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[dse_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    intermediate => dse_front_proxy\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - cloud_wmnet_ca\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --responses-file /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cloud_wmnet_ca' cloud_wmnet_ca ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]\n\n-    subscribe   => File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n-    refreshonly => True\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    notify      => ['Service[apache2]']\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "content": "--- /etc/cfssl/signers/syslog/ca/syslog-key.pem.orig\n+++ /etc/cfssl/signers/syslog/ca/syslog-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/syslog/ca/syslog-key.pem].orig\n+++ File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_etcd.service\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_syslog]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_syslog].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_syslog]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"syslog\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "parameters": "--- Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)].orig\n+++ Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-network_devices.timer]']\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_network_devices\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_dse\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_network_devices.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_network_devices.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@kafka]", "parameters": "--- Systemd::Service[cfssl-ocspserve@kafka].orig\n+++ Systemd::Service[cfssl-ocspserve@kafka]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-etcd.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-etcd.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-etcd.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ocsp/zuul.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/zuul.ocsp].orig\n+++ File[/etc/cfssl/ocsp/zuul.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_puppet_rsa command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_puppet_rsa\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"c1b324b3d8ac107f8d7483b4017f5edf\" --timeout 10 --check-command \"check_check_certificate_expiry_puppet_rsa\"\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-gjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\n-AQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\n-hmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n-92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\n-raOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\n-A1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\n-G/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\n-b3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\n-ZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\n-ADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\n-hzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n-0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/cfssl-multirootca.service]", "content": "--- /lib/systemd/system/cfssl-multirootca.service.orig\n+++ /lib/systemd/system/cfssl-multirootca.service\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL MultiRootCA\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/blob/master/doc/cmd/multiroot.txt\n-\n-[Service]\n-ExecStart=/usr/bin/multirootca \\\n-          -a \"127.0.0.1:8888\" \\\n-          -roots /etc/cfssl/multiroot.conf \n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-multirootca.service].orig\n+++ File[/lib/systemd/system/cfssl-multirootca.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_mlserve_staging_front_proxy\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@dse]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "content": "--- /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem.orig\n+++ /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[Generate initial CRL for wikikube_front_proxy]", "parameters": "--- Exec[Generate initial CRL for wikikube_front_proxy].orig\n+++ Exec[Generate initial CRL for wikikube_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/wikikube_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_front_proxy\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_wikikube_staging_front_proxy\n"}, {"resource": "File[/etc/apache2/mods-enabled/status.conf]", "parameters": "--- File[/etc/apache2/mods-enabled/status.conf].orig\n+++ File[/etc/apache2/mods-enabled/status.conf]\n\n-    require => Package[apache2]\n-    ensure  => absent\n-    before  => Httpd::Mod_conf[status]\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_staging]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_aux.service\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-discovery2026.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_staging))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_staging\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"7cff186656c3cabbca85b5b57d0c8679\",check_name=\"check_check_certificate_expiry_mlserve_staging\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_staging\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_cassandra.service\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_aux].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_aux]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_puppet_rsa]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/apache2/conf-available]", "parameters": "--- File[/etc/apache2/conf-available].orig\n+++ File[/etc/apache2/conf-available]\n\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n"}, {"resource": "File[/etc/cfssl/ocsp/cassandra.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/cassandra.ocsp].orig\n+++ File[/etc/cfssl/ocsp/cassandra.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    intermediate => wikikube\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n"}, {"resource": "Cfssl::Config[syslog]", "parameters": "--- Cfssl::Config[syslog].orig\n+++ Cfssl::Config[syslog]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/syslog\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/syslog/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/syslog\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "content": "--- /etc/cfssl/signers/debmonitor/cfssl.conf.orig\n+++ /etc/cfssl/signers/debmonitor/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/debmonitor\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/debmonitor\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/debmonitor/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/debmonitor/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Service[cfssl-ocspserve@syslog]", "parameters": "--- Service[cfssl-ocspserve@syslog].orig\n+++ Service[cfssl-ocspserve@syslog]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Systemd::Service[cfssl-ocspserve@puppet_rsa].orig\n+++ Systemd::Service[cfssl-ocspserve@puppet_rsa]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"b194b5b9b6c9d6e05b9eed8dcfcc40cf\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging_front_proxy\"\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_debmonitor!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: debmonitor\n-    check_interval         => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-zuul\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-zuul/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-syslog].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-syslog]\n\n-    ensure => present\n"}, {"resource": "Motd::Script[pki::multirootca]", "parameters": "--- Motd::Script[pki::multirootca].orig\n+++ Motd::Script[pki::multirootca]\n\n-    ensure   => present\n-    priority => 5\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    intermediate => wikikube_staging_front_proxy\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"4d759acaf0fd7dd3abaa03dc4565aef6\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@wikikube_staging_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-kafka-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_cassandra!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: cassandra\n-    check_interval         => 1\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_syslog!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: syslog\n-    check_interval         => 1\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Service[cfssl-ocspserve@zuul]", "parameters": "--- Service[cfssl-ocspserve@zuul].orig\n+++ Service[cfssl-ocspserve@zuul]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_network_devices].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_network_devices]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"network_devices\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => wikikube_front_proxy\n-    notify          => Service[cfssl-ocspserve@wikikube_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_zuul]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA\n-\n-/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_cassandra\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/usr/local/bin/apache-status]", "parameters": "--- File[/usr/local/bin/apache-status].orig\n+++ File[/usr/local/bin/apache-status]\n\n-    mode   => 0555\n-    owner  => root\n-    source => puppet:///modules/httpd/apache-status\n-    group  => root\n"}, {"resource": "Systemd::Service[cfssl-multirootca]", "parameters": "--- Systemd::Service[cfssl-multirootca].orig\n+++ Systemd::Service[cfssl-multirootca]\n\n-    override                 => False\n-    unit_type                => service\n-    migration_task           => T350694\n-    monitoring_critical      => True\n-    restart                  => True\n-    ensure                   => present\n-    service_params           => {}\n-    monitoring_notes_url     => https://wikitech.wikimedia.org/wiki/PKI\n-    monitoring_enabled       => True\n-    monitoring_contact_group => admins\n"}, {"resource": "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp].orig\n+++ File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => mlserve_staging\n-    notify          => Service[cfssl-ocspserve@mlserve_staging]\n-    profile         => ocsp\n"}, {"resource": "Systemd::Unit[apache2-apache2-after-network-online-target]", "parameters": "--- Systemd::Unit[apache2-apache2-after-network-online-target].orig\n+++ Systemd::Unit[apache2-apache2-after-network-online-target]\n\n-    override          => True\n-    unit              => apache2\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => apache2-after-network-online-target\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n"}, {"resource": "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_staging\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --responses-file /etc/cfssl/ocsp/mlserve_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging' mlserve_staging ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_discovery].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem']\n-    user       => nagios\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_dse_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_staging-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "Cfssl::Signer[mlserve_staging]", "parameters": "--- Cfssl::Signer[mlserve_staging].orig\n+++ Cfssl::Signer[mlserve_staging]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\nV+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\nyxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\nJqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_staging\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 72h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_staging\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_cloud_wmnet_ca command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f87f54115f2f782169eed72541c30a1e\" --timeout 10 --check-command \"check_check_certificate_expiry_cloud_wmnet_ca\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"wikikube\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Cfssl::Ocsp[network_devices]", "parameters": "--- Cfssl::Ocsp[network_devices].orig\n+++ Cfssl::Ocsp[network_devices]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20063\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "content": "--- /etc/cfssl/signers/cassandra/ca/cassandra.pem.orig\n+++ /etc/cfssl/signers/cassandra/ca/cassandra.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\n-zjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\n-CA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\n-eyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n-+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\n-D2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\n-B6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca/cassandra.pem].orig\n+++ File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - mlserve_staging\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --responses-file /etc/cfssl/ocsp/mlserve_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging' mlserve_staging \n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_network_devices]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca]", "parameters": "--- File[/etc/cfssl/signers/etcd/ca].orig\n+++ File[/etc/cfssl/signers/etcd/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@discovery2026]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-cassandra]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-cassandra].orig\n+++ File[/var/log/cfssl-ocsprefresh-cassandra]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Ferm::Service[multirootca_tls_termination]", "parameters": "--- Ferm::Service[multirootca_tls_termination].orig\n+++ Ferm::Service[multirootca_tls_termination]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['DOMAIN_NETWORKS']\n-    proto               => tcp\n-    port                => 443\n-    ensure              => present\n-    notrack             => False\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]']\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-debmonitor.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-debmonitor\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-debmonitor\n-\n-/var/log/cfssl-ocsprefresh-debmonitor/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_etcd.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-aux_front_proxy.service\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_etcd!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: etcd\n-    check_interval         => 1\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => wikikube_staging_front_proxy\n-    notify          => Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "Cfssl::Config[kafka]", "parameters": "--- Cfssl::Config[kafka].orig\n+++ Cfssl::Config[kafka]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/kafka\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/kafka/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'kafka_11': {'expiry': '8760h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/kafka\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_staging_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "content": "--- /lib/systemd/system/cfssl-gc-expired-certs.timer.orig\n+++ /lib/systemd/system/cfssl-gc-expired-certs.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-gc-expired-certs.service\n-\n-[Timer]\n-Unit=cfssl-gc-expired-certs.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=hourly\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-gc-expired-certs.timer].orig\n+++ File[/lib/systemd/system/cfssl-gc-expired-certs.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "parameters": "--- Nrpe::Monitor_service[check_cfssl-multirootca_status].orig\n+++ Nrpe::Monitor_service[check_cfssl-multirootca_status]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI\n-    description                 => Check unit status of cfssl-multirootca\n-    nrpe2nodexp_parse_perf_data => False\n-    alertmanager_team           => observability\n-    nrpe_command                => /usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    critical                    => True\n-    retries                     => 2\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 10\n"}, {"resource": "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => cloud_wmnet_ca\n-    notify          => Service[cfssl-ocspserve@cloud_wmnet_ca]\n-    profile         => ocsp\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@debmonitor.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@debmonitor.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (debmonitor)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10001 \\\n-          -responses /etc/cfssl/ocsp/debmonitor.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]\n"}, {"resource": "Cfssl::Signer[discovery]", "parameters": "--- Cfssl::Signer[discovery].orig\n+++ Cfssl::Signer[discovery]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\nwyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\nNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\nBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\nZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\nq+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\nZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/discovery\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n-    ca_file          => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    ca_key_file      => /etc/cfssl/signers/discovery/ca/discovery-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/discovery\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/db.conf.json]", "content": "--- /etc/cfssl/db.conf.json.orig\n+++ /etc/cfssl/db.conf.json\n@@ -1,12 +0,0 @@\n-{\n-  \"host\": \"m1-master.eqiad.wmnet\",\n-  \"port\": 3306,\n-  \"user\": \"pki\",\n-  \"password\": \"changeme\",\n-  \"db\": \"pki\",\n-  \"charset\": \"utf8mb4\",\n-  \"ssl\": {\n-    \"ca\": \"/etc/ssl/certs/wmf-ca-certificates.crt\",\n-    \"check_hostname\": false\n-  }\n-}", "parameters": "--- File[/etc/cfssl/db.conf.json].orig\n+++ File[/etc/cfssl/db.conf.json]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca]", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-etcd]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-etcd].orig\n+++ File[/var/log/cfssl-ocsprefresh-etcd]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Service[cfssl-ocspserve@aux]", "parameters": "--- Service[cfssl-ocspserve@aux].orig\n+++ Service[cfssl-ocspserve@aux]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-zuul]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - zuul\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/zuul/ca/zuul.pem --responses-file /etc/cfssl/ocsp/zuul.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@zuul' zuul \n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_debmonitor].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_debmonitor]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: debmonitor\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/srv/cfssl/bundles]", "parameters": "--- File[/srv/cfssl/bundles].orig\n+++ File[/srv/cfssl/bundles]\n\n-    owner  => root\n-    group  => root\n-    ensure => directory\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_kafka\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-syslog.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-syslog\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-syslog\n-\n-/var/log/cfssl-ocsprefresh-syslog/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-syslog].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/apache2/env-available]", "parameters": "--- File[/etc/apache2/env-available].orig\n+++ File[/etc/apache2/env-available]\n\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Service[cfssl-ocsprefresh-aux]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-aux.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Config[debmonitor]", "parameters": "--- Cfssl::Config[debmonitor].orig\n+++ Cfssl::Config[debmonitor]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/debmonitor\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/debmonitor/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/debmonitor\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_kafka command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_kafka\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"22922fd6bc2d570e018cbe5ccd8d1727\" --timeout 10 --check-command \"check_check_certificate_expiry_kafka\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_discovery2026].orig\n+++ Nrpe::Check[check_check_certificate_expiry_discovery2026]\n\n-    before    => Monitoring::Service[check_certificate_expiry_discovery2026]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@cassandra]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Nrpe::Check[check_check_cfssl-multirootca_status]", "parameters": "--- Nrpe::Check[check_check_cfssl-multirootca_status].orig\n+++ Nrpe::Check[check_check_cfssl-multirootca_status]\n\n-    command => /usr/local/lib/nagios/plugins/check_systemd_unit_status cfssl-multirootca\n-    ensure  => present\n-    before  => Monitoring::Service[check_cfssl-multirootca_status]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Service[cfssl-ocsprefresh-network_devices]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-network_devices.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]']\n"}, {"resource": "File[/etc/apache2/conf-enabled]", "parameters": "--- File[/etc/apache2/conf-enabled].orig\n+++ File[/etc/apache2/conf-enabled]\n\n-    owner   => root\n-    recurse => True\n-    purge   => True\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    group   => root\n-    notify  => Service[apache2]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_dse))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: dse\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"4384c5ebc49e03dbe331e279fac3f393\",check_name=\"check_check_certificate_expiry_dse\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__dse\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-cloud_wmnet_ca.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa]", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa].orig\n+++ File[/etc/cfssl/signers/puppet_rsa]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_staging_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@discovery].orig\n+++ Systemd::Unit[cfssl-ocspserve@discovery]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@discovery\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Cfssl::Config[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Config[mlserve_staging_front_proxy].orig\n+++ Cfssl::Config[mlserve_staging_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\n"}, {"resource": "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/debmonitor.ocsp].orig\n+++ File[/etc/cfssl/ocsp/debmonitor.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-mlserve_staging.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-discovery.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/dse_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/dse_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/dse_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-network_devices].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-network_devices]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: wikikube\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"b194b5b9b6c9d6e05b9eed8dcfcc40cf\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Service[cfssl-ocspserve@kafka]", "parameters": "--- Service[cfssl-ocspserve@kafka].orig\n+++ Service[cfssl-ocspserve@kafka]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_debmonitor]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca/dse.pem]", "content": "--- /etc/cfssl/signers/dse/ca/dse.pem.orig\n+++ /etc/cfssl/signers/dse/ca/dse.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\n-rMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\n-apIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\n-Dgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\n-wQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\n-JqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\n-Dj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\n-pOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/dse/ca/dse.pem].orig\n+++ File[/etc/cfssl/signers/dse/ca/dse.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/debmonitor/ca/debmonitor.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Cfssl::Signer[zuul]", "parameters": "--- Cfssl::Signer[zuul].orig\n+++ Cfssl::Signer[zuul]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\ndSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\ng+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\ng7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\njr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\nKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\nbW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\nP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\nSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\nHAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\natmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\nXjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/zuul\n-    db_host          => localhost\n-    default_usages   => ['server auth', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/zuul/ca/zuul-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/zuul\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"mlserve\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-cassandra.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-cassandra\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-cassandra\n-\n-/var/log/cfssl-ocsprefresh-cassandra/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]']\n"}, {"resource": "Cfssl::Signer[wikikube_front_proxy]", "parameters": "--- Cfssl::Signer[wikikube_front_proxy].orig\n+++ Cfssl::Signer[wikikube_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\ngjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\nAQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\nhmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\nraOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\nA1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\nG/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\nLy9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\nb3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\nZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\nADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\nhzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => test\n\n-    ca_file          => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-iTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\n-ByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\n-EhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\n-xy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\n-lCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n-/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\n-O62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\n-hjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\n-cm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\n-PQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\n-bCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\n-dYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\n-sBI=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Exec[ensure_present_mod_ssl]", "parameters": "--- Exec[ensure_present_mod_ssl].orig\n+++ Exec[ensure_present_mod_ssl]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/ssl.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod ssl\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_kafka].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_kafka]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: kafka\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-cassandra\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-cassandra/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_etcd.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery2026.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery2026.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - discovery2026\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --responses-file /etc/cfssl/ocsp/discovery2026.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery2026' discovery2026 ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n"}, {"resource": "Cfssl::Signer[wikikube_staging]", "parameters": "--- Cfssl::Signer[wikikube_staging].orig\n+++ Cfssl::Signer[wikikube_staging]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\nBAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\nMIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\nMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\nFgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\ncYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\nLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\nMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\nbC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\nQTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\nid1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube_staging\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => test\n\n-    ca_file          => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 72h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube_staging\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\n-BAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n-6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\n-MIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\n-MIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\n-FgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\n-cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\n-LmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\n-MEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\n-bC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\n-QTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\n-id1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n-9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@debmonitor]", "parameters": "--- Systemd::Service[cfssl-ocspserve@debmonitor].orig\n+++ Systemd::Service[cfssl-ocspserve@debmonitor]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca]", "parameters": "--- File[/etc/cfssl/signers/kafka/ca].orig\n+++ File[/etc/cfssl/signers/kafka/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-dse.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "content": "--- /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem.orig\n+++ /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\n-y/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n-+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\n-N18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\n-fI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "content": "--- /etc/cfssl/signers/mlserve/ca/mlserve-key.pem.orig\n+++ /etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf].orig\n+++ File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]\n\n-    target => /etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf\n-    ensure => link\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-etcd-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "content": "--- /etc/logrotate.d/wmf_auto_restart_apache-htcacheclean.orig\n+++ /etc/logrotate.d/wmf_auto_restart_apache-htcacheclean\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for wmf_auto_restart_apache-htcacheclean\n-\n-/var/log/wmf_auto_restart_apache-htcacheclean/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@wikikube_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_kafka.service\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - wikikube\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube/ca/wikikube.pem --responses-file /etc/cfssl/ocsp/wikikube.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube' wikikube \n"}, {"resource": "Service[apache2]", "parameters": "--- Service[apache2].orig\n+++ Service[apache2]\n\n-    hasrestart => True\n-    require    => Package[apache2]\n-    restart    => systemctl reload apache2\n-    enable     => True\n-    ensure     => running\n-    before     => ['Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]']\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]\n\n-    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_staging_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_staging_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/wikikube_staging_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/wikikube_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-ijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\n-BgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\n-FR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\n-j87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\n-dC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\n-Af8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\n-FDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\n-AYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\n-zj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\n-E6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n-2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n-/3y5tw==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate initial CRL for debmonitor]", "parameters": "--- Exec[Generate initial CRL for debmonitor].orig\n+++ Exec[Generate initial CRL for debmonitor]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/debmonitor\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/debmonitor/ca/debmonitor.pem /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/debmonitor\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/mlserve_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/mlserve_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-gTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\n-BgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\n-h6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n-6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\n-o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\n-VR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n-/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\n-L3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\n-dC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\n-MIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\n-lFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\n-EM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Firewall::Service[multirootca tls termination]", "parameters": "--- Firewall::Service[multirootca tls termination].orig\n+++ Firewall::Service[multirootca tls termination]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['DOMAIN_NETWORKS']\n-    proto               => tcp\n-    port                => 443\n-    ensure              => present\n-    notrack             => False\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca]", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca].orig\n+++ File[/etc/cfssl/signers/cassandra/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem']\n-    user       => nagios\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_dse].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_dse]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem']\n-    user       => nagios\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/cfssl/ocsp/etcd.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/etcd.ocsp].orig\n+++ File[/etc/cfssl/ocsp/etcd.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-network_devices-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-debmonitor.timer]']\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - aux\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux/ca/aux.pem --responses-file /etc/cfssl/ocsp/aux.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux' aux ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]\n"}, {"resource": "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/apache2/sites-available/00-dummy.conf]", "parameters": "--- File[/etc/apache2/sites-available/00-dummy.conf].orig\n+++ File[/etc/apache2/sites-available/00-dummy.conf]\n\n-    mode   => 0444\n-    source => puppet:///modules/httpd/dummy.conf\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@wikikube\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_syslog.service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_staging.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Httpd::Mod_conf[ssl]", "parameters": "--- Httpd::Mod_conf[ssl].orig\n+++ Httpd::Mod_conf[ssl]\n\n-    loadfile => ssl.load\n-    mod      => ssl\n-    ensure   => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@Wikimedia_Internal_Root_CA\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_puppet_rsa!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    check_interval         => 1\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Ocsp[discovery]", "parameters": "--- Cfssl::Ocsp[discovery].orig\n+++ Cfssl::Ocsp[discovery]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10002\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-zuul-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom\n"}, {"resource": "Sudo::User[nrpe_certificate_check_debmonitor]", "parameters": "--- Sudo::User[nrpe_certificate_check_debmonitor].orig\n+++ Sudo::User[nrpe_certificate_check_debmonitor]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_debmonitor\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Httpd::Mod_conf[proxy_http]", "parameters": "--- Httpd::Mod_conf[proxy_http].orig\n+++ Httpd::Mod_conf[proxy_http]\n\n-    loadfile => proxy_http.load\n-    mod      => proxy_http\n-    ensure   => present\n"}, {"resource": "File[/srv/cfssl/bundles/kafka.pem]", "content": "--- /srv/cfssl/bundles/kafka.pem.orig\n+++ /srv/cfssl/bundles/kafka.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\n-AVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\n-DEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\n-kgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\n-AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\n-RGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\n-CCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\n-d21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\n-MD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\n-X0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\n-tcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\n-b9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\n-up2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/kafka.pem].orig\n+++ File[/srv/cfssl/bundles/kafka.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Cfssl::Ocsp[etcd]", "parameters": "--- Cfssl::Ocsp[etcd].orig\n+++ Cfssl::Ocsp[etcd]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10005\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/etcd/ca/etcd.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Exec[Generate initial CRL for aux_front_proxy]", "parameters": "--- Exec[Generate initial CRL for aux_front_proxy].orig\n+++ Exec[Generate initial CRL for aux_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/aux_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/aux_front_proxy\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "content": "--- /etc/cfssl/signers/discovery2026/cfssl.conf.orig\n+++ /etc/cfssl/signers/discovery2026/cfssl.conf\n@@ -1,129 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/discovery2026\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/discovery2026\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_staging\": {\n-        \"auth_key\": \"k8s_staging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_wikikube\": {\n-        \"auth_key\": \"k8s_wikikube\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlserve\": {\n-        \"auth_key\": \"k8s_mlserve\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlstaging\": {\n-        \"auth_key\": \"k8s_mlstaging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_dse\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_dse_opensearch\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"4380h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_aux\": {\n-        \"auth_key\": \"k8s_aux\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/discovery2026/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/discovery2026/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-discovery2026]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-discovery2026.service\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_dse command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_dse\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"4384c5ebc49e03dbe331e279fac3f393\" --timeout 10 --check-command \"check_check_certificate_expiry_dse\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-aux_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-wikikube_front_proxy.service\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_kafka].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_kafka]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem']\n-    user       => nagios\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-aux]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => aux\n-    notify          => Service[cfssl-ocspserve@aux]\n-    profile         => ocsp\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]']\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_etcd command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_etcd\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"c834f873297e445663ead81279c0b928\" --timeout 10 --check-command \"check_check_certificate_expiry_etcd\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-dse-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Package[python3-pymysql]", "parameters": "--- Package[python3-pymysql].orig\n+++ Package[python3-pymysql]\n\n-    provider => apt\n-    ensure   => installed\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-zuul.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-zuul\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-zuul\n-\n-/var/log/cfssl-ocsprefresh-zuul/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-zuul].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_zuul].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_zuul]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca]", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_cassandra]", "parameters": "--- Monitoring::Service[check_certificate_expiry_cassandra].orig\n+++ Monitoring::Service[check_certificate_expiry_cassandra]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_cassandra!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: cassandra\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-discovery2026-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_dse_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    check_interval         => 1\n"}, {"resource": "File[/etc/apache2/sites-enabled/00-dummy.conf]", "parameters": "--- File[/etc/apache2/sites-enabled/00-dummy.conf].orig\n+++ File[/etc/apache2/sites-enabled/00-dummy.conf]\n\n-    target => /etc/apache2/sites-available/00-dummy.conf\n-    ensure => link\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-etcd]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery2026 command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_discovery2026\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bf2e3510cb63e5f05f545e816bab4edf\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery2026\"\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]']\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_network_devices]", "parameters": "--- Monitoring::Service[check_certificate_expiry_network_devices].orig\n+++ Monitoring::Service[check_certificate_expiry_network_devices]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_network_devices!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: network_devices\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[wmf_auto_restart_apache2.timer]']\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_syslog.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_aux_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_aux_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"99cf4f8f014e8fd527800abcc213f494\" --timeout 10 --check-command \"check_check_certificate_expiry_aux_front_proxy\"\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Augeas[Apache2 logs]", "parameters": "--- Augeas[Apache2 logs].orig\n+++ Augeas[Apache2 logs]\n\n-    incl    => /etc/logrotate.d/apache2\n-    require => Package[apache2]\n-    lens    => Logrotate.lns\n-    changes => ['set rule/schedule daily', 'set rule/rotate 30']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - network_devices\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/network_devices/ca/network_devices.pem --responses-file /etc/cfssl/ocsp/network_devices.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@network_devices' network_devices \n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\n-V+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\n-yxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\n-JqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n-7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/cfssl/signers/syslog]", "parameters": "--- File[/etc/cfssl/signers/syslog].orig\n+++ File[/etc/cfssl/signers/syslog]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]']\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    splay              => 300\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_cfssl-multirootca_status.service\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-aux.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-aux.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    intermediate => mlserve_staging_front_proxy\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-network_devices].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-network_devices]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-network_devices]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Service[cfssl-gc-expired-certs].orig\n+++ Systemd::Service[cfssl-gc-expired-certs]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-gc-expired-certs.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@etcd.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@etcd.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (etcd)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10005 \\\n-          -responses /etc/cfssl/ocsp/etcd.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@etcd.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@etcd.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-cloud_wmnet_ca.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - puppet_rsa\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --responses-file /etc/cfssl/ocsp/puppet_rsa.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@puppet_rsa' puppet_rsa \n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bfd2f7c6497e1da6323bef48d24f9e8e\",check_name=\"check_check_certificate_expiry_mlserve\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/var/log/cfssl-gc-expired-certs]", "parameters": "--- File[/var/log/cfssl-gc-expired-certs].orig\n+++ File[/var/log/cfssl-gc-expired-certs]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-zuul.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-zuul.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-zuul.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-zuul.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-wikikube].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-wikikube]\n\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for wikikube_staging]", "parameters": "--- Exec[Generate initial CRL for wikikube_staging].orig\n+++ Exec[Generate initial CRL for wikikube_staging]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/wikikube_staging\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_staging\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-aux-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_discovery].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-kafka.timer]']\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "content": "--- /etc/cfssl/signers/network_devices/ca/network_devices.pem.orig\n+++ /etc/cfssl/signers/network_devices/ca/network_devices.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\n-QlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\n-WNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-ARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\n-mzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\n-tF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca/network_devices.pem].orig\n+++ File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_cassandra.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Cfssl::Signer[network_devices]", "parameters": "--- Cfssl::Signer[network_devices].orig\n+++ Cfssl::Signer[network_devices]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\nQlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\nWNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\nmzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\ntF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/network_devices\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => fake key\n\n-    ca_file          => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 8760h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/network_devices\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_zuul))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: zuul\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: zuul\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"373325faaa689f3e9b058d91d4eb6cdb\",check_name=\"check_check_certificate_expiry_zuul\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__zuul\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_aux!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: aux\n-    check_interval         => 1\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem']\n-    user       => nagios\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_cloud_wmnet_ca!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@dse_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Motd::Message[insetup::infrastructure_foundations_ferm]", "parameters": "--- Motd::Message[insetup::infrastructure_foundations_ferm].orig\n+++ Motd::Message[insetup::infrastructure_foundations_ferm]\n\n+    priority => 5\n+    message  => pki1001 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)\n+    ensure   => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - debmonitor\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --responses-file /etc/cfssl/ocsp/debmonitor.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@debmonitor' debmonitor \n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_discovery2026.service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-debmonitor.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-debmonitor.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@discovery2026]", "parameters": "--- Systemd::Service[cfssl-ocspserve@discovery2026].orig\n+++ Systemd::Service[cfssl-ocspserve@discovery2026]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/usr/local/sbin/cfssl-ocsprefresh]", "parameters": "--- File[/usr/local/sbin/cfssl-ocsprefresh].orig\n+++ File[/usr/local/sbin/cfssl-ocsprefresh]\n\n-    mode   => 0550\n-    source => puppet:///modules/cfssl/cfssl_ocsprefresh.py\n-    ensure => file\n-    owner  => root\n-    group  => root\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"wmf_auto_restart_apache-htcacheclean\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/wmf_auto_restart_apache-htcacheclean/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-aux_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_staging].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"wikikube_staging\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-kafka.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-kafka.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-kafka.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate initial CRL for network_devices]", "parameters": "--- Exec[Generate initial CRL for network_devices].orig\n+++ Exec[Generate initial CRL for network_devices]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/network_devices\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/network_devices/ca/network_devices.pem /etc/cfssl/signers/network_devices/ca/network_devices-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/network_devices\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@zuul]", "parameters": "--- Systemd::Service[cfssl-ocspserve@zuul].orig\n+++ Systemd::Service[cfssl-ocspserve@zuul]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"9d6dd05c8e5e1bb294462d932b24bd1a\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_etcd]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_etcd].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_etcd]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"etcd\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_cfssl-multirootca_status.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_staging.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_cassandra command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_cassandra\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f5e260f525c48c963fb2e6c86a0d5d63\" --timeout 10 --check-command \"check_check_certificate_expiry_cassandra\"\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca]", "parameters": "--- File[/etc/cfssl/signers/dse/ca].orig\n+++ File[/etc/cfssl/signers/dse/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@aux_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@aux_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-cassandra].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-cassandra]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]\n"}, {"resource": "Systemd::Unit[cfssl-gc-expired-certs.service]", "parameters": "--- Systemd::Unit[cfssl-gc-expired-certs.service].orig\n+++ Systemd::Unit[cfssl-gc-expired-certs.service]\n\n-    override          => False\n-    unit              => cfssl-gc-expired-certs.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-cloud_wmnet_ca.service\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]']\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Ferm::Service[csr_and_ocsp_responder]", "parameters": "--- Ferm::Service[csr_and_ocsp_responder].orig\n+++ Ferm::Service[csr_and_ocsp_responder]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS']\n-    proto               => tcp\n-    port                => 80\n-    ensure              => present\n-    notrack             => False\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (Wikimedia_Internal_Root_CA)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10000 \\\n-          -responses /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "content": "--- /etc/cfssl/signers/zuul/ca/zuul-key.pem.orig\n+++ /etc/cfssl/signers/zuul/ca/zuul-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/zuul/ca/zuul-key.pem].orig\n+++ File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "content": "--- /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem.orig\n+++ /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n@@ -1,30 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n-MIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\n-lbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\n-Xutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\n-z/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\n-i16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\n-FBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\n-BnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\n-AJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\n-mXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\n-Rn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\n-GGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\n-AQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\n-DgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\n-vzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\n-a2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\n-Q0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\n-Y3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\n-hwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n-9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\n-xTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_etcd].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_etcd]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem']\n-    user       => nagios\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "content": "--- /etc/cfssl/signers/etcd/ca/etcd.pem.orig\n+++ /etc/cfssl/signers/etcd/ca/etcd.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n-7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\n-ZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\n-N/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\n-ZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n-4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\n-jkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\n-UF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/etcd/ca/etcd.pem].orig\n+++ File[/etc/cfssl/signers/etcd/ca/etcd.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Exec[Generate initial CRL for syslog]", "parameters": "--- Exec[Generate initial CRL for syslog].orig\n+++ Exec[Generate initial CRL for syslog]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/syslog\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/syslog/ca/syslog.pem /etc/cfssl/signers/syslog/ca/syslog-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/syslog\n"}, {"resource": "Logrotate::Conf[cfssl-gc-expired-certs]", "parameters": "--- Logrotate::Conf[cfssl-gc-expired-certs].orig\n+++ Logrotate::Conf[cfssl-gc-expired-certs]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_staging\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_staging/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Exec[Generate initial CRL for kafka]", "parameters": "--- Exec[Generate initial CRL for kafka].orig\n+++ Exec[Generate initial CRL for kafka]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/kafka\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/kafka/ca/kafka.pem /etc/cfssl/signers/kafka/ca/kafka-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/kafka\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-discovery]\n\n-    ensure => present\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-zuul]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-zuul].orig\n+++ File[/var/log/cfssl-ocsprefresh-zuul]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-network_devices.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-network_devices.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - network_devices\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/network_devices/ca/network_devices.pem --responses-file /etc/cfssl/ocsp/network_devices.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@network_devices' network_devices ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-kafka.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-kafka.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - kafka\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/kafka/ca/kafka.pem --responses-file /etc/cfssl/ocsp/kafka.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@kafka' kafka ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-discovery\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-discovery/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/kafka]", "parameters": "--- File[/etc/cfssl/signers/kafka].orig\n+++ File[/etc/cfssl/signers/kafka]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/srv/cfssl/bundles/network_devices.pem]", "content": "--- /srv/cfssl/bundles/network_devices.pem.orig\n+++ /srv/cfssl/bundles/network_devices.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUS2pUBD1erPOX2W9m08l4NjcjbVYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNzE0MTAxODAwWhcNMjgwNzEyMTAxODAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9uZXR3b3JrX2RldmljZXMwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABABVWARjDjpjG7IlggP4BkOm5hanZXdtYYzUb1CsmHvpBA4W6s8CjzHp\n-QlZoBzaMi6SSO5Q7v9rAuymjLctweVRy7gAkNU3jjQXZPjRKaW/ofZlUhDyhgyCS\n-WNr9LBjYklAnMM3yz3J6EG9aHehHbV11lq24AQDrZ4bEtNzGHMQyU9ufZ6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBRmY7aPPiOyhsjgXpDtumx9X/wcGzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-ARWhtt4Mi0I8j+6LUC+ZJfTnhYkEWSXa6nhttbzNPLzHuBTnj42WE8a2oQW2Mv5w\n-mzRdtJGsstcrgGwGt5FyLP6WAkIAxYlEt4MHqohD9adWY1IsnX4qWBYRw4tXrx0T\n-tF1M2n2K7ww/zCL9HkBoWVe249y+ctpGqqgw0ROMnMN6Q2Zg8ic=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/network_devices.pem].orig\n+++ File[/srv/cfssl/bundles/network_devices.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_dse.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_dse.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "parameters": "--- Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port].orig\n+++ Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]\n\n-    conf_type => conf\n-    ensure    => present\n-    priority  => 50\n"}, {"resource": "Cfssl::Ocsp[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Ocsp[wikikube_staging_front_proxy].orig\n+++ Cfssl::Ocsp[wikikube_staging_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20021\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-etcd\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-etcd/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "content": "--- /etc/logrotate.d/cfssl-gc-expired-certs.orig\n+++ /etc/logrotate.d/cfssl-gc-expired-certs\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-gc-expired-certs\n-\n-/var/log/cfssl-gc-expired-certs/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-gc-expired-certs].orig\n+++ File[/etc/logrotate.d/cfssl-gc-expired-certs]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocsprefresh-discovery2026.timer]", "parameters": "--- Service[cfssl-ocsprefresh-discovery2026.timer].orig\n+++ Service[cfssl-ocsprefresh-discovery2026.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-dse\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-dse/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/srv/cfssl/bundles/syslog.pem]", "content": "--- /srv/cfssl/bundles/syslog.pem.orig\n+++ /srv/cfssl/bundles/syslog.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\n-CaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\n-W94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\n-q4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\n-DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\n-qaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\n-BggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\n-LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\n-QTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\n-YV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n-8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\n-p828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\n-as4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/syslog.pem].orig\n+++ File[/srv/cfssl/bundles/syslog.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_dse]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_dse].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_dse]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"dse\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_staging.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_cloud_wmnet_ca!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    check_interval         => 1\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom\n"}, {"resource": "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "content": "--- /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr.orig\n+++ /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr\n@@ -1,14 +0,0 @@\n-{\n-  \"CN\": \"pki.discovery.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\",\n-    \"pki.discovery.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/aux_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_staging-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/dse_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/dse_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\n-y/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n-+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\n-N18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\n-fI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/dse_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/dse_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-aux-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-aux-certificate-expiry --cert-path /etc/cfssl/signers/aux/ca/aux.pem --outfile /var/lib/prometheus/node.d/aux_intermediate.prom\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-gTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\n-BgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\n-h6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n-6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\n-o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\n-VR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n-/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\n-L3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\n-dC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\n-MIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\n-lFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\n-EM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_apache2].orig\n+++ Systemd::Syslog[wmf_auto_restart_apache2]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_staging].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_staging]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@wikikube_staging\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_aux.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_aux.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_debmonitor))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: debmonitor\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: debmonitor\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"224e2ac3574a9ce482218106d95a2931\",check_name=\"check_check_certificate_expiry_debmonitor\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__debmonitor\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/apache2/conf-available/00-defaults.conf]", "parameters": "--- File[/etc/apache2/conf-available/00-defaults.conf].orig\n+++ File[/etc/apache2/conf-available/00-defaults.conf]\n\n-    mode   => 0444\n-    source => puppet:///modules/httpd/defaults.conf\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Exec[apache2_test_config_and_restart]", "parameters": "--- Exec[apache2_test_config_and_restart].orig\n+++ Exec[apache2_test_config_and_restart]\n\n-    before      => Service[apache2]\n-    onlyif      => /usr/sbin/apache2ctl configtest\n-    refreshonly => True\n-    command     => /usr/sbin/service apache2 restart\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-aux.timer]']\n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "parameters": "--- File[/etc/cfssl/signers/kafka/ca/kafka-key.pem].orig\n+++ File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_apache2]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_apache2].orig\n+++ Logrotate::Conf[wmf_auto_restart_apache2]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@mlserve_staging_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-network_devices-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]\n"}, {"resource": "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_aux_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_aux_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_aux_front_proxy\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_cloud_wmnet_ca command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"f87f54115f2f782169eed72541c30a1e\" --timeout 10 --check-command \"check_check_certificate_expiry_cloud_wmnet_ca\"\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@cassandra.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@cassandra.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (cassandra)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10006 \\\n-          -responses /etc/cfssl/ocsp/cassandra.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@cassandra.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]\n"}, {"resource": "Cfssl::Config[mlserve]", "parameters": "--- Cfssl::Config[mlserve].orig\n+++ Cfssl::Config[mlserve]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/mlserve/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => discovery\n-    notify          => Service[cfssl-ocspserve@discovery]\n-    profile         => ocsp\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-etcd.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-etcd.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - etcd\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/etcd/ca/etcd.pem --responses-file /etc/cfssl/ocsp/etcd.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@etcd' etcd ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve_staging].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve_staging]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "parameters": "--- Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods].orig\n+++ Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['WIKIKUBE_KUBEPODS_NETWORKS', 'STAGING_KUBEPODS_NETWORKS', 'MLSERVE_KUBEPODS_NETWORKS', 'MLSTAGE_KUBEPODS_NETWORKS', 'DSE_KUBEPODS_NETWORKS', 'AUX_KUBEPODS_NETWORKS']\n-    proto               => tcp\n-    ensure              => present\n-    port                => 8443\n-    notrack             => False\n"}, {"resource": "Cfssl::Ocsp[aux_front_proxy]", "parameters": "--- Cfssl::Ocsp[aux_front_proxy].orig\n+++ Cfssl::Ocsp[aux_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20051\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_staging.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_aux]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_aux].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_aux]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"aux\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-aux-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: mlserve\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-etcd]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => etcd\n-    notify          => Service[cfssl-ocspserve@etcd]\n-    profile         => ocsp\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache2.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache2.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Auto restart job: apache2\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/wmf-auto-restart -s apache2", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache2.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache2.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-debmonitor].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-debmonitor]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_discovery2026]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-dse_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Sudo::User[nrpe_certificate_check_etcd]", "parameters": "--- Sudo::User[nrpe_certificate_check_etcd].orig\n+++ Sudo::User[nrpe_certificate_check_etcd]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_etcd\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cassandra.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cassandra.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - cassandra\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cassandra/ca/cassandra.pem --responses-file /etc/cfssl/ocsp/cassandra.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cassandra' cassandra ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - mlserve_staging_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging_front_proxy' mlserve_staging_front_proxy \n"}, {"resource": "Cfssl::Config[mlserve_front_proxy]", "parameters": "--- Cfssl::Config[mlserve_front_proxy].orig\n+++ Cfssl::Config[mlserve_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/mlserve_front_proxy\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube.service\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "parameters": "--- Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods].orig\n+++ Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['WIKIKUBE_KUBEPODS_NETWORKS', 'STAGING_KUBEPODS_NETWORKS', 'MLSERVE_KUBEPODS_NETWORKS', 'MLSTAGE_KUBEPODS_NETWORKS', 'DSE_KUBEPODS_NETWORKS', 'AUX_KUBEPODS_NETWORKS']\n-    proto               => tcp\n-    ensure              => present\n-    port                => 8443\n-    notrack             => False\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_kafka]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Httpd::Conf[dummy]", "parameters": "--- Httpd::Conf[dummy].orig\n+++ Httpd::Conf[dummy]\n\n-    conf_type => sites\n-    source    => puppet:///modules/httpd/dummy.conf\n-    ensure    => present\n-    priority  => 0\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-zuul]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => zuul\n-    notify          => Service[cfssl-ocspserve@zuul]\n-    profile         => ocsp\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate initial CRL for puppet_rsa]", "parameters": "--- Exec[Generate initial CRL for puppet_rsa].orig\n+++ Exec[Generate initial CRL for puppet_rsa]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/puppet_rsa\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/puppet_rsa\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/intermediates/puppet_rsa-cert.pem\n-    ensure => file\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_zuul\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Signer[cloud_wmnet_ca]", "parameters": "--- Cfssl::Signer[cloud_wmnet_ca].orig\n+++ Cfssl::Signer[cloud_wmnet_ca]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\nIwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\nSrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\nAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\nFMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\nkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\naXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\nBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\nV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\nXFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\nRSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => fake\n\n-    ca_file          => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/cloud_wmnet_ca\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-kafka].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-kafka]\n\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[kafka]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[kafka].orig\n+++ Profile::Pki::Multirootca::Monitoring[kafka]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    intermediate => kafka\n"}, {"resource": "Cfssl::Config[puppet_rsa]", "parameters": "--- Cfssl::Config[puppet_rsa].orig\n+++ Cfssl::Config[puppet_rsa]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/puppet_rsa\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/puppet_rsa/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/puppet_rsa\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_debmonitor.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-mlserve_front_proxy.service\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "content": "--- /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm.orig\n+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"pki1001 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm].orig\n+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]\n\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-aux_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "content": "--- /etc/cfssl/signers/network_devices/cfssl.conf.orig\n+++ /etc/cfssl/signers/network_devices/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"8760h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/network_devices\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/network_devices\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/network_devices/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/network_devices/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-debmonitor]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-debmonitor].orig\n+++ File[/var/log/cfssl-ocsprefresh-debmonitor]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_discovery]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-puppet_rsa-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@syslog]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Config[cloud_wmnet_ca]", "parameters": "--- Cfssl::Config[cloud_wmnet_ca].orig\n+++ Cfssl::Config[cloud_wmnet_ca]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/cloud_wmnet_ca\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_debmonitor]", "parameters": "--- Monitoring::Service[check_certificate_expiry_debmonitor].orig\n+++ Monitoring::Service[check_certificate_expiry_debmonitor]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_debmonitor!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: debmonitor\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/signers/syslog/ca]", "parameters": "--- File[/etc/cfssl/signers/syslog/ca].orig\n+++ File[/etc/cfssl/signers/syslog/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube/ca/wikikube.pem --responses-file /etc/cfssl/ocsp/wikikube.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube' wikikube ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - mlserve_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_front_proxy' mlserve_front_proxy \n"}, {"resource": "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocspserve@cassandra]", "parameters": "--- Service[cfssl-ocspserve@cassandra].orig\n+++ Service[cfssl-ocspserve@cassandra]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_staging-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve_staging].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve_staging]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    intermediate => mlserve_staging\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_aux\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-kafka].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-kafka]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-kafka]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "content": "--- /etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods.orig\n+++ /etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 8443, ($WIKIKUBE_KUBEPODS_NETWORKS $STAGING_KUBEPODS_NETWORKS $MLSERVE_KUBEPODS_NETWORKS $MLSTAGE_KUBEPODS_NETWORKS $DSE_KUBEPODS_NETWORKS $AUX_KUBEPODS_NETWORKS));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods].orig\n+++ File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]\n\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n-    tag     => ferm\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[ferm]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bfd2f7c6497e1da6323bef48d24f9e8e\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve\"\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_mlserve_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"9d6dd05c8e5e1bb294462d932b24bd1a\",check_name=\"check_check_certificate_expiry_mlserve_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__mlserve_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]\n\n-    override          => False\n-    unit              => wmf_auto_restart_apache-htcacheclean.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/mlserve_staging.ocsp].orig\n+++ File[/etc/cfssl/ocsp/mlserve_staging.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_network_devices command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_network_devices\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"21dac3775d059b8c991626e2ca33f951\" --timeout 10 --check-command \"check_check_certificate_expiry_network_devices\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"dse_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_aux_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    check_interval         => 1\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Cfssl::Config[discovery]", "parameters": "--- Cfssl::Config[discovery].orig\n+++ Cfssl::Config[discovery]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/discovery\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/discovery/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/discovery\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_staging_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Service[cfssl-ocspserve@mlserve]", "parameters": "--- Service[cfssl-ocspserve@mlserve].orig\n+++ Service[cfssl-ocspserve@mlserve]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    intermediate => wikikube_front_proxy\n"}, {"resource": "Cfssl::Signer[syslog]", "parameters": "--- Cfssl::Signer[syslog].orig\n+++ Cfssl::Signer[syslog]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqTCCAwqgAwIBAgIUI5/ixOCtnw8ZXV6xWw6RVC/D6rwwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwOTI4MTAzNzAwWhcNMjgwOTI2MTAzNzAwWjB0\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ8wDQYDVQQDEwZzeXNsb2cwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABL\nCaZwsDnVcBhApShaeA1j8/9w4S2re0Zmjx7GTeBXiJcKF0dAhgAQRCMrGtWEimmQ\nW94s5015H1MknO61lLOY+wDAFYkq98rZF2aRRILm1w/5iRkqTDiBECBVE15jrPzD\nq4zZCQ5V5ellWhzfGfPMxFOogIm1sqZsqZvB7zZaCSOrbaOCAQwwggEIMA4GA1Ud\nDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRvwMc33QVQ\nqaT1dZmUUtkBeYiyzjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBW\nBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5\nLndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMw\nQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRp\nYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAUtK7APyQamN\n8DYOBCd1wJQ1DbYlzcQOcupJns2RKKcxFp1evo2GQjDA15TN1OXtA+pvK/liCAEh\np828+NcE6fPMAkIBN/Yjhvy0lrtVzshqckUEciShFhbDU0QZOHuzIXCVjdskzQfu\nas4ZMO15kIv0MZUJ6V9aKEE6nqzi9QXifjuoY54=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/syslog\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/syslog/ca/syslog-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/syslog\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_debmonitor].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_debmonitor]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"debmonitor\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/etc/cfssl/signers/cassandra]", "parameters": "--- File[/etc/cfssl/signers/cassandra].orig\n+++ File[/etc/cfssl/signers/cassandra]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/cfssl/signers/dse]", "parameters": "--- File[/etc/cfssl/signers/dse].orig\n+++ File[/etc/cfssl/signers/dse]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_kafka.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_kafka.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - puppet_rsa\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --responses-file /etc/cfssl/ocsp/puppet_rsa.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@puppet_rsa' puppet_rsa ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_kafka]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_kafka].orig\n+++ Nrpe::Check[check_check_certificate_expiry_kafka]\n\n-    before    => Monitoring::Service[check_certificate_expiry_kafka]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/kafka/ca/kafka.pem\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_zuul.service\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@mlserve_staging_front_proxy].orig\n+++ Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "parameters": "--- File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf].orig\n+++ File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]\n\n-    target => /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n-    ensure => link\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-discovery2026.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-discovery2026.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-puppet_rsa]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-etcd.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-etcd\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-etcd\n-\n-/var/log/cfssl-ocsprefresh-etcd/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-etcd].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_syslog))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: syslog\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: syslog\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"e3b9b989d5062ce2d267023dfe42fcd8\",check_name=\"check_check_certificate_expiry_syslog\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__syslog\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_dse!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: dse\n-    check_interval         => 1\n"}, {"resource": "Exec[ensure_present_mod_status]", "parameters": "--- Exec[ensure_present_mod_status].orig\n+++ Exec[ensure_present_mod_status]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/status.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod status\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-gc-expired-certs.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-gc-expired-certs.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-gc-expired-certs\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-gc-expired-certs/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@network_devices]", "parameters": "--- Systemd::Service[cfssl-ocspserve@network_devices].orig\n+++ Systemd::Service[cfssl-ocspserve@network_devices]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-discovery2026]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-discovery2026].orig\n+++ File[/var/log/cfssl-ocsprefresh-discovery2026]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@cloud_wmnet_ca]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_dse.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_dse.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]']\n"}, {"resource": "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Cfssl::Cert[puppet_rsa__pki_discovery_wmnet].orig\n+++ Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]\n\n-    hosts           => ['pki1001.eqiad.wmnet']\n-    names           => []\n-    owner           => root\n-    common_name     => pki.discovery.wmnet\n-    renew_seconds   => 952200\n-    provide_chain   => True\n-    auto_renew      => True\n-    mode            => 0740\n-    notify_services => ['apache2']\n-    before_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => puppet_rsa\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-mlserve_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-mlserve_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_aux_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-aux_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - discovery\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki1001 raid_md]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "parameters": "--- File[/var/log/wmf_auto_restart_apache-htcacheclean].orig\n+++ File[/var/log/wmf_auto_restart_apache-htcacheclean]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => absent\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-zuul.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-zuul.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-zuul.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_aux))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f7dfe9e2cd77303dfae7ae11c5c56d90\",check_name=\"check_check_certificate_expiry_aux\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__aux\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_cfssl-multirootca_status\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_dse.service\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-debmonitor.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-debmonitor.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - debmonitor\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --responses-file /etc/cfssl/ocsp/debmonitor.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@debmonitor' debmonitor ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-discovery2026-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-discovery2026-certificate-expiry --cert-path /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --outfile /var/lib/prometheus/node.d/discovery2026_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_dse_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_dse_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_dse_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: dse_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/srv/cfssl/bundles/discovery.pem]", "content": "--- /srv/cfssl/bundles/discovery.pem.orig\n+++ /srv/cfssl/bundles/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/discovery.pem].orig\n+++ File[/srv/cfssl/bundles/discovery.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_staging\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_staging/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca]", "parameters": "--- File[/etc/cfssl/signers/aux/ca].orig\n+++ File[/etc/cfssl/signers/aux/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp]", "parameters": "--- File[/etc/cfssl/ssl/ocsp].orig\n+++ File[/etc/cfssl/ssl/ocsp]\n\n-    mode    => 0740\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n-    recurse => True\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - discovery\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery/ca/discovery.pem --responses-file /etc/cfssl/ocsp/discovery.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery' discovery \n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_discovery!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: discovery\n-    check_interval         => 1\n"}, {"resource": "File[/etc/cfssl/signers/wikikube]", "parameters": "--- File[/etc/cfssl/signers/wikikube].orig\n+++ File[/etc/cfssl/signers/wikikube]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/apache2/conf-enabled/00-defaults.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/00-defaults.conf].orig\n+++ File[/etc/apache2/conf-enabled/00-defaults.conf]\n\n-    target => /etc/apache2/conf-available/00-defaults.conf\n-    ensure => link\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-aux-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_discovery2026.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_staging_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-aux.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n\n-    require   => Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]\n-    subscribe => ['Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]', 'File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]', 'File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]']\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem | sha512sum)\"\n\n-    notify    => ['Service[apache2]']\n-    command   => /bin/cat /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem > /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@aux]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_staging.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_staging.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"wikikube_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n\n-    hosts       => ['pki1001.eqiad.wmnet']\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki.discovery.wmnet\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-dse].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-dse]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-dse]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve]\n\n-    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "content": "--- /etc/logrotate.d/wmf_auto_restart_apache2.orig\n+++ /etc/logrotate.d/wmf_auto_restart_apache2\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for wmf_auto_restart_apache2\n-\n-/var/log/wmf_auto_restart_apache2/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_apache2].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_apache2]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[Generate initial CRL for mlserve]", "parameters": "--- Exec[Generate initial CRL for mlserve].orig\n+++ Exec[Generate initial CRL for mlserve]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/mlserve\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve/ca/mlserve.pem /etc/cfssl/signers/mlserve/ca/mlserve-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve\n"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig\n+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]\n\n-    mode    => 0555\n-    require => File[/usr/local/lib/nagios/plugins/]\n-    source  => puppet:///modules/systemd/check_systemd_unit_status\n-    ensure  => file\n-    tag     => nrpe::plugin\n-    owner   => root\n-    group   => root\n"}, {"resource": "Monitoring::Exported_nagios_host[pki1001]", "parameters": "--- Monitoring::Exported_nagios_host[pki1001].orig\n+++ Monitoring::Exported_nagios_host[pki1001]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    hostgroups            => pki_eqiad,asw2-a-eqiad\n+    hostgroups            => insetup_eqiad,asw2-a-eqiad\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-kafka]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-kafka].orig\n+++ File[/var/log/cfssl-ocsprefresh-kafka]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@mlserve_staging]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate initial CRL for cassandra]", "parameters": "--- Exec[Generate initial CRL for cassandra].orig\n+++ Exec[Generate initial CRL for cassandra]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/cassandra\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/cassandra/ca/cassandra.pem /etc/cfssl/signers/cassandra/ca/cassandra-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/cassandra\n"}, {"resource": "Profile::Auto_restarts::Service[apache-htcacheclean]", "parameters": "--- Profile::Auto_restarts::Service[apache-htcacheclean].orig\n+++ Profile::Auto_restarts::Service[apache-htcacheclean]\n\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]']\n"}, {"resource": "Exec[ensure_present_mod_access_compat]", "parameters": "--- Exec[ensure_present_mod_access_compat].orig\n+++ Exec[ensure_present_mod_access_compat]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/access_compat.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod access_compat\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_kafka!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: kafka\n-    check_interval         => 1\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_staging]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_staging].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_staging]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_wikikube_staging\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/signers/debmonitor/ca]", "parameters": "--- File[/etc/cfssl/signers/debmonitor/ca].orig\n+++ File[/etc/cfssl/signers/debmonitor/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@kafka.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@kafka.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (kafka)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10003 \\\n-          -responses /etc/cfssl/ocsp/kafka.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@kafka.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@kafka.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "content": "--- /etc/apache2/sites-available/50-pki-discovery-wmnet.conf.orig\n+++ /etc/apache2/sites-available/50-pki-discovery-wmnet.conf\n@@ -1,149 +0,0 @@\n-#####################################################################\n-\n-### THIS FILE IS MANAGED BY PUPPET\n-#####################################################################\n-# vim: filetype=apache\n-<VirtualHost *:80>\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  <Directory  /srv/cfssl>\n-    Require all granted\n-  </Directory>\n-\n-  <Location /metrics>\n-    Require host prometheus1005.eqiad.wmnet prometheus1006.eqiad.wmnet prometheus1007.eqiad.wmnet prometheus1008.eqiad.wmnet\n-    ProxyPass http://127.0.0.1:8888/metrics\n-    ProxyPassReverse http://127.0.0.1:8888/metrics\n-  </Location>\n-\n-  # Wikimedia_Internal_Root_CA\n-  ProxyPass /ocsp/Wikimedia_Internal_Root_CA  http://localhost:10000/\n-  ProxyPassReverse /ocsp/Wikimedia_Internal_Root_CA  http://localhost:10000/\n-  # debmonitor\n-  ProxyPass /ocsp/debmonitor  http://localhost:10001/\n-  ProxyPassReverse /ocsp/debmonitor  http://localhost:10001/\n-  # discovery\n-  ProxyPass /ocsp/discovery  http://localhost:10002/\n-  ProxyPassReverse /ocsp/discovery  http://localhost:10002/\n-  # kafka\n-  ProxyPass /ocsp/kafka  http://localhost:10003/\n-  ProxyPassReverse /ocsp/kafka  http://localhost:10003/\n-  # cloud_wmnet_ca\n-  ProxyPass /ocsp/cloud_wmnet_ca  http://localhost:10004/\n-  ProxyPassReverse /ocsp/cloud_wmnet_ca  http://localhost:10004/\n-  # etcd\n-  ProxyPass /ocsp/etcd  http://localhost:10005/\n-  ProxyPassReverse /ocsp/etcd  http://localhost:10005/\n-  # cassandra\n-  ProxyPass /ocsp/cassandra  http://localhost:10006/\n-  ProxyPassReverse /ocsp/cassandra  http://localhost:10006/\n-  # syslog\n-  ProxyPass /ocsp/syslog  http://localhost:10007/\n-  ProxyPassReverse /ocsp/syslog  http://localhost:10007/\n-  # puppet_rsa\n-  ProxyPass /ocsp/puppet_rsa  http://localhost:10008/\n-  ProxyPassReverse /ocsp/puppet_rsa  http://localhost:10008/\n-  # zuul\n-  ProxyPass /ocsp/zuul  http://localhost:10009/\n-  ProxyPassReverse /ocsp/zuul  http://localhost:10009/\n-  # discovery2026\n-  ProxyPass /ocsp/discovery2026  http://localhost:10010/\n-  ProxyPassReverse /ocsp/discovery2026  http://localhost:10010/\n-  # wikikube\n-  ProxyPass /ocsp/wikikube  http://localhost:20010/\n-  ProxyPassReverse /ocsp/wikikube  http://localhost:20010/\n-  # wikikube_front_proxy\n-  ProxyPass /ocsp/wikikube_front_proxy  http://localhost:20011/\n-  ProxyPassReverse /ocsp/wikikube_front_proxy  http://localhost:20011/\n-  # wikikube_staging\n-  ProxyPass /ocsp/wikikube_staging  http://localhost:20020/\n-  ProxyPassReverse /ocsp/wikikube_staging  http://localhost:20020/\n-  # wikikube_staging_front_proxy\n-  ProxyPass /ocsp/wikikube_staging_front_proxy  http://localhost:20021/\n-  ProxyPassReverse /ocsp/wikikube_staging_front_proxy  http://localhost:20021/\n-  # mlserve\n-  ProxyPass /ocsp/mlserve  http://localhost:20030/\n-  ProxyPassReverse /ocsp/mlserve  http://localhost:20030/\n-  # mlserve_front_proxy\n-  ProxyPass /ocsp/mlserve_front_proxy  http://localhost:20031/\n-  ProxyPassReverse /ocsp/mlserve_front_proxy  http://localhost:20031/\n-  # mlserve_staging\n-  ProxyPass /ocsp/mlserve_staging  http://localhost:20040/\n-  ProxyPassReverse /ocsp/mlserve_staging  http://localhost:20040/\n-  # mlserve_staging_front_proxy\n-  ProxyPass /ocsp/mlserve_staging_front_proxy  http://localhost:20041/\n-  ProxyPassReverse /ocsp/mlserve_staging_front_proxy  http://localhost:20041/\n-  # aux\n-  ProxyPass /ocsp/aux  http://localhost:20050/\n-  ProxyPassReverse /ocsp/aux  http://localhost:20050/\n-  # aux_front_proxy\n-  ProxyPass /ocsp/aux_front_proxy  http://localhost:20051/\n-  ProxyPassReverse /ocsp/aux_front_proxy  http://localhost:20051/\n-  # dse\n-  ProxyPass /ocsp/dse  http://localhost:20061/\n-  ProxyPassReverse /ocsp/dse  http://localhost:20061/\n-  # dse_front_proxy\n-  ProxyPass /ocsp/dse_front_proxy  http://localhost:20062/\n-  ProxyPassReverse /ocsp/dse_front_proxy  http://localhost:20062/\n-  # network_devices\n-  ProxyPass /ocsp/network_devices  http://localhost:20063/\n-  ProxyPassReverse /ocsp/network_devices  http://localhost:20063/\n-\n-  LogLevel warn\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_access.log wmf\n-</VirtualHost>\n-\n-<VirtualHost *:443>\n-  # Protected by client auth\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  SSLEngine on\n-  SSLCertificateFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem\n-  SSLCertificateKeyFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem\n-  SSLCertificateChainFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem\n-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n-  SSLCipherSuite -ALL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n-  SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n-  SSLHonorCipherOrder On\n-  SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n-  Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n-  SSLVerifyClient require\n-  SSLVerifyDepth 2\n-  SSLCACertificateFile /etc/ssl/localcerts/multiroot_ca.pem\n-\n-  ProxyPass /  http://127.0.0.1:8888/\n-  ProxyPassReverse / http://127.0.0.1:8888/\n-\n-  LogLevel warn ssl:info\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_ssl_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_ssl_access.log wmf\n-</VirtualHost>\n-<VirtualHost *:8443>\n-  # Protected by iptables\n-  ServerName pki.discovery.wmnet\n-  ServerAlias pki1001.eqiad.wmnet\n-  DocumentRoot /srv/cfssl\n-\n-  SSLEngine on\n-  SSLCertificateFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem\n-  SSLCertificateKeyFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem\n-  SSLCertificateChainFile /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem\n-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n-  SSLCipherSuite -ALL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n-  SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n-  SSLHonorCipherOrder On\n-  SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n-  Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n-\n-  ProxyPass /  http://127.0.0.1:8888/\n-  ProxyPassReverse / http://127.0.0.1:8888/\n-\n-  LogLevel warn ssl:info\n-  ErrorLog /var/log/apache2/pki.discovery.wmnet_k8s_error.log\n-  CustomLog /var/log/apache2/pki.discovery.wmnet_k8s_access.log wmf\n-</VirtualHost>", "parameters": "--- File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf].orig\n+++ File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-wikikube.timer]']\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_network_devices].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_network_devices]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Service[cfssl-ocspserve@mlserve_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_discovery.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]']\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-etcd-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-syslog]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => syslog\n-    notify          => Service[cfssl-ocspserve@syslog]\n-    profile         => ocsp\n"}, {"resource": "Systemd::Override[apache2-after-network-online-target]", "parameters": "--- Systemd::Override[apache2-after-network-online-target].orig\n+++ Systemd::Override[apache2-after-network-online-target]\n\n-    unit    => apache2\n-    ensure  => absent\n-    restart => False\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-aux_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-aux_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-cassandra].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-cassandra]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-cassandra]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@aux]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@aux].orig\n+++ Systemd::Unit[cfssl-ocspserve@aux]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@aux\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem']\n-    user       => nagios\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-etcd.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-etcd.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-etcd.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-etcd.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve/ca/mlserve.pem\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-debmonitor.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-debmonitor.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - cloud_wmnet_ca\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --responses-file /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cloud_wmnet_ca' cloud_wmnet_ca \n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_staging\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f389c556cebfcfc345b3d6802f320045\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_staging_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube\n-\n-/var/log/cfssl-ocsprefresh-wikikube/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "parameters": "--- File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem].orig\n+++ File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]\n\n-    mode   => 0444\n-    source => /var/lib/puppet/ssl/certs/ca.pem\n-    ensure => file\n-    owner  => root\n-    group  => root\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Httpd::Mod_conf[access_compat]", "parameters": "--- Httpd::Mod_conf[access_compat].orig\n+++ Httpd::Mod_conf[access_compat]\n\n-    loadfile => access_compat.load\n-    mod      => access_compat\n-    ensure   => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@mlserve\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-cassandra.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-cassandra.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-cassandra.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-cassandra.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)].orig\n+++ Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-multirootca]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@discovery]", "parameters": "--- Systemd::Service[cfssl-ocspserve@discovery].orig\n+++ Systemd::Service[cfssl-ocspserve@discovery]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-mlserve_staging_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Class[Profile::Pki::Multirootca]", "parameters": "--- Class[Profile::Pki::Multirootca].orig\n+++ Class[Profile::Pki::Multirootca]\n\n-    root_ca_cn         => Wikimedia_Internal_Root_CA\n-    vhost              => pki.discovery.wmnet\n-    enable_k8s_vhost   => True\n-    root_ca_cert       => profile/pki/ROOT/Wikimedia_Internal_Root_CA.pem\n-    db_host            => m1-master.eqiad.wmnet\n-    db_name            => pki\n-    default_usages     => ['signing', 'key encipherment', 'client auth']\n-    root_ocsp_key      => pki/ROOT/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem\n-    enable_client_auth => True\n-    private_cert_base  => pki/intermediates\n-    default_nets       => ['127.0.0.1/32']\n-    root_ocsp_cert     => profile/pki/ROOT/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem\n-    default_expiry     => 672h\n-    db_driver          => mysql\n-    default_auth_keys  => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    enable_monitoring  => True\n-    default_profiles   => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    client_ca_source   => puppet:///modules/profile/pki/production/client_auth_CA.pem\n-    public_cert_base   => profile/pki/intermediates\n-    root_ocsp_port     => 10000\n-    db_user            => pki\n-    cfssl_httpd_cert   => True\n-    intermediates      => {'debmonitor': {'ocsp_port': 10001}, 'discovery': {'ocsp_port': 10002, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'kafka': {'ocsp_port': 10003, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth'], 'profiles': {'kafka_11': {'expiry': '8760h'}}}, 'cloud_wmnet_ca': {'ocsp_port': 10004, 'default_usages': ['digital signature', 'key encipherment', 'server auth']}, 'etcd': {'ocsp_port': 10005, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'cassandra': {'ocsp_port': 10006, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'syslog': {'ocsp_port': 10007, 'default_usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'puppet_rsa': {'ocsp_port': 10008, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'mtls': {'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'zuul': {'ocsp_port': 10009, 'default_usages': ['server auth', 'client auth']}, 'discovery2026': {'ocsp_port': 10010, 'default_usages': ['digital signature', 'key encipherment', 'server auth'], 'profiles': {'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}}, 'wikikube': {'ocsp_port': 20010, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_front_proxy': {'ocsp_port': 20011}, 'wikikube_staging': {'ocsp_port': 20020, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'wikikube_staging_front_proxy': {'ocsp_port': 20021, 'default_expiry': '72h'}, 'mlserve': {'ocsp_port': 20030, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_front_proxy': {'ocsp_port': 20031}, 'mlserve_staging': {'ocsp_port': 20040, 'default_expiry': '72h', 'profiles': {'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'mlserve_staging_front_proxy': {'ocsp_port': 20041, 'default_expiry': '72h'}, 'aux': {'ocsp_port': 20050, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'aux_front_proxy': {'ocsp_port': 20051}, 'dse': {'ocsp_port': 20061, 'profiles': {'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}}, 'dse_front_proxy': {'ocsp_port': 20062}, 'network_devices': {'ocsp_port': 20063, 'default_expiry': '8760h', 'default_usages': ['digital signature', 'key encipherment', 'server auth']}}\n-    maintenance_jobs   => True\n-    db_pass            => changeme\n-    prometheus_nodes   => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_zuul.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Ocsp[kafka]", "parameters": "--- Cfssl::Ocsp[kafka].orig\n+++ Cfssl::Ocsp[kafka]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10003\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n"}, {"resource": "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "content": "--- /etc/cfssl/signers/etcd/ca/etcd-key.pem.orig\n+++ /etc/cfssl/signers/etcd/ca/etcd-key.pem\n@@ -1 +0,0 @@\n-##### FAKE FOR PUPPET ######", "parameters": "--- File[/etc/cfssl/signers/etcd/ca/etcd-key.pem].orig\n+++ File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Cfssl::Signer[wikikube]", "parameters": "--- Cfssl::Signer[wikikube].orig\n+++ Cfssl::Signer[wikikube]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\nAX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\nYIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\nVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\nB9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\nMFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\ncnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\nQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\nZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\nGaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\nGBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/wikikube\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => test\n\n-    ca_file          => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/wikikube\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-cloud_wmnet_ca-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-syslog].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-syslog]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-syslog]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_network_devices].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_network_devices]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: network_devices\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/apache2/conf-available/50-server-status.conf]", "parameters": "--- File[/etc/apache2/conf-available/50-server-status.conf].orig\n+++ File[/etc/apache2/conf-available/50-server-status.conf]\n\n-    mode   => 0444\n-    source => puppet:///modules/httpd/status.conf\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_puppet_rsa].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"puppet_rsa\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_discovery2026].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_discovery2026]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: discovery2026\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-dse]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-dse.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-puppet_rsa.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@puppet_rsa.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@puppet_rsa.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (puppet_rsa)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10008 \\\n-          -responses /etc/cfssl/ocsp/puppet_rsa.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_staging.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_staging.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_staging].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_staging]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_staging]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n"}, {"resource": "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-discovery-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-aux_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-aux_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Cfssl::Ocsp[zuul]", "parameters": "--- Cfssl::Ocsp[zuul].orig\n+++ Cfssl::Ocsp[zuul]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10009\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-aux_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-aux_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "content": "--- /etc/cfssl/signers/cassandra/cfssl.conf.orig\n+++ /etc/cfssl/signers/cassandra/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/cassandra\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/cassandra\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/cassandra/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/cassandra/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[Generate initial CRL for zuul]", "parameters": "--- Exec[Generate initial CRL for zuul].orig\n+++ Exec[Generate initial CRL for zuul]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/zuul\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/zuul/ca/zuul.pem /etc/cfssl/signers/zuul/ca/zuul-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/zuul\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-zuul-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Cfssl::Config[zuul]", "parameters": "--- Cfssl::Config[zuul].orig\n+++ Cfssl::Config[zuul]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/zuul\n-    default_auth_remote => {}\n-    default_usages      => ['server auth', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/zuul/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/zuul\n"}, {"resource": "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => dse_front_proxy\n-    notify          => Service[cfssl-ocspserve@dse_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@aux_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_discovery].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_discovery]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: discovery\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "File[/etc/cfssl/signers/syslog/cfssl.conf]", "content": "--- /etc/cfssl/signers/syslog/cfssl.conf.orig\n+++ /etc/cfssl/signers/syslog/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/syslog\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/syslog\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/syslog/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/syslog/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_debmonitor].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-wikikube_front_proxy\n-\n-/var/log/cfssl-ocsprefresh-wikikube_front_proxy/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-kafka-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_etcd]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Package[links]", "parameters": "--- Package[links].orig\n+++ Package[links]\n\n-    provider => apt\n-    ensure   => installed\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve.pem]", "content": "--- /srv/cfssl/bundles/mlserve.pem.orig\n+++ /srv/cfssl/bundles/mlserve.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n-4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\n-hMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n-4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\n-HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\n-fAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\n-VgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\n-eS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\n-MEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\n-aWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n-6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\n-GLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\n-jPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Ocsp[mlserve]", "parameters": "--- Cfssl::Ocsp[mlserve].orig\n+++ Cfssl::Ocsp[mlserve]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20030\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache2.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache2.service].orig\n+++ Systemd::Unit[wmf_auto_restart_apache2.service]\n\n-    override          => False\n-    unit              => wmf_auto_restart_apache2.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@network_devices.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@network_devices.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (network_devices)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20063 \\\n-          -responses /etc/cfssl/ocsp/network_devices.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@network_devices.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]\n"}, {"resource": "Service[cfssl-ocspserve@etcd]", "parameters": "--- Service[cfssl-ocspserve@etcd].orig\n+++ Service[cfssl-ocspserve@etcd]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "parameters": "--- File[/etc/cfssl/signers/dse/ca/dse-key.pem].orig\n+++ File[/etc/cfssl/signers/dse/ca/dse-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-wikikube_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-wikikube_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_discovery2026))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery2026\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: discovery2026\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bf2e3510cb63e5f05f545e816bab4edf\",check_name=\"check_check_certificate_expiry_discovery2026\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__discovery2026\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n"}, {"resource": "Exec[Generate initial CRL for dse_front_proxy]", "parameters": "--- Exec[Generate initial CRL for dse_front_proxy].orig\n+++ Exec[Generate initial CRL for dse_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/dse_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/dse_front_proxy\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]\n"}, {"resource": "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => debmonitor\n-    notify          => Service[cfssl-ocspserve@debmonitor]\n-    profile         => ocsp\n"}, {"resource": "Systemd::Monitor[cfssl-multirootca]", "parameters": "--- Systemd::Monitor[cfssl-multirootca].orig\n+++ Systemd::Monitor[cfssl-multirootca]\n\n-    migration_task => T350694\n-    critical       => True\n-    retries        => 2\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI\n-    ensure         => present\n-    contact_group  => admins\n-    check_interval => 10\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@cassandra]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@cassandra].orig\n+++ Systemd::Unit[cfssl-ocspserve@cassandra]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@cassandra\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Cfssl::Ocsp[puppet_rsa]", "parameters": "--- Cfssl::Ocsp[puppet_rsa].orig\n+++ Cfssl::Ocsp[puppet_rsa]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10008\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-dse_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-dse_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-discovery.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-discovery.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-discovery.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-discovery.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n"}, {"resource": "Service[cfssl-multirootca]", "parameters": "--- Service[cfssl-multirootca].orig\n+++ Service[cfssl-multirootca]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Service[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@dse_front_proxy].orig\n+++ Service[cfssl-ocspserve@dse_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/wikikube_staging_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/wikikube_staging_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_etcd]", "parameters": "--- Monitoring::Service[check_certificate_expiry_etcd].orig\n+++ Monitoring::Service[check_certificate_expiry_etcd]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_etcd!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: etcd\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-dse]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-dse].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-dse]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-etcd]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-etcd].orig\n+++ Systemd::Service[cfssl-ocsprefresh-etcd]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-etcd.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "content": "--- /etc/cfssl/signers/discovery2026/ca/discovery2026.pem.orig\n+++ /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\n-A4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\n-HQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n-1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\n-CDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\n-SXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n-0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\n-c2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\n-A1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\n-aWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\n-UGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\n-b9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\n-aTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem].orig\n+++ File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_staging_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"e515778a769f523fb98a7f642670e011\",check_name=\"check_check_certificate_expiry_wikikube_staging_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_staging_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-kafka.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-kafka.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-kafka.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-kafka.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"e515778a769f523fb98a7f642670e011\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging_front_proxy\"\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "content": "--- /etc/cfssl/signers/wikikube/ca/wikikube-key.pem.orig\n+++ /etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n@@ -1 +0,0 @@\n-test", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem].orig\n+++ File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Service[cfssl-ocsprefresh-network_devices.timer]", "parameters": "--- Service[cfssl-ocsprefresh-network_devices.timer].orig\n+++ Service[cfssl-ocsprefresh-network_devices.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "content": "--- /etc/cfssl/signers/puppet_rsa/cfssl.conf.orig\n+++ /etc/cfssl/signers/puppet_rsa/cfssl.conf\n@@ -1,73 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/puppet_rsa\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/puppet_rsa\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"mtls\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-syslog\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-syslog/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/apache2/conf-enabled/50-server-status.conf]", "parameters": "--- File[/etc/apache2/conf-enabled/50-server-status.conf].orig\n+++ File[/etc/apache2/conf-enabled/50-server-status.conf]\n\n-    target => /etc/apache2/conf-available/50-server-status.conf\n-    ensure => link\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "content": "--- /etc/cfssl/signers/discovery/ca/discovery.pem.orig\n+++ /etc/cfssl/signers/discovery/ca/discovery.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrDCCAw2gAwIBAgIUcVMxEVtp5xErDjx/jInOFcUaRjkwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwNTA0MTM1NDAwWhcNMjYwNTAzMTM1NDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwlkaXNjb3ZlcnkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BAG7X6lQ05D8EQYwPd+v2qT12Y35j/YQTaOEbAuKQJBshTdMizCxGe4GUB33Nivw\n-3B0o9EcyCQokcUCUGtVlI3U0QQArB+LuehDTw7D5JKwOUK5GpSG5YlNL7Kg2c3gI\n-wyck1+Z5yDMIsclW5FtaM1IIFeUIOXrulmih3zM4PPrVtP3Vh6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSJ76Rw\n-5IjvCdxrdGkh4PHUL7PCBjAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCAeamwKAw\n-q+lKC/GdcPuP2SOoyij0+LFWucrQwxxiCiXlMAhSnj3fkKk5G5pLoFnY2X7hB0w4\n-ZPtLXG7If9pmIDjwAkIBwnJUYLz3dJTbZudeUJFX4yD49liKTYMPDpl/HWKSh9m4\n-4PZKXsAIs4CT29jwwtmsLK1HkPB0ShO8Egm/KB5dLUs=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/discovery/ca/discovery.pem].orig\n+++ File[/etc/cfssl/signers/discovery/ca/discovery.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/mlserve_staging_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/mlserve_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\n-iTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\n-ByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\n-EhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\n-xy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\n-lCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n-/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\n-O62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\n-hjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\n-cm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\n-PQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\n-bCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\n-dYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\n-sBI=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-kafka]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - kafka\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/kafka/ca/kafka.pem --responses-file /etc/cfssl/ocsp/kafka.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@kafka' kafka \n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-network_devices.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-network_devices.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-network_devices.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - Wikimedia_Internal_Root_CA\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem --responses-file /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@Wikimedia_Internal_Root_CA' Wikimedia_Internal_Root_CA \n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[cassandra]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[cassandra].orig\n+++ Profile::Pki::Multirootca::Monitoring[cassandra]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    intermediate => cassandra\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]']\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Config[wikikube_staging]", "parameters": "--- Cfssl::Config[wikikube_staging].orig\n+++ Cfssl::Config[wikikube_staging]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_staging\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/wikikube_staging/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment', 'server auth']}, 'service-account-management': {'expiry': '72h', 'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 72h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_staging\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-puppet_rsa.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-puppet_rsa.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]\n"}, {"resource": "Service[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Service[cfssl-ocspserve@mlserve_staging].orig\n+++ Service[cfssl-ocspserve@mlserve_staging]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "content": "--- /etc/cfssl/signers/aux/ca/aux-key.pem.orig\n+++ /etc/cfssl/signers/aux/ca/aux-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/aux/ca/aux-key.pem].orig\n+++ File[/etc/cfssl/signers/aux/ca/aux-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label etcd -profile ocsp /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20011 \\\n-          -responses /etc/cfssl/ocsp/wikikube_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]\n"}, {"resource": "Class[Puppet::Agent]", "parameters": "--- Class[Puppet::Agent].orig\n+++ Class[Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "Cfssl::Config[network_devices]", "parameters": "--- Cfssl::Config[network_devices].orig\n+++ Cfssl::Config[network_devices]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/network_devices\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/network_devices/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 8760h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/network_devices\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"mlserve_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/wikikube_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/wikikube_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDuDCCAxmgAwIBAgIUCqmj+2MwaOqLPb5TPXkbkF/PGkUwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-gjELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczEdMBsGA1UEAwwUd2lraWt1YmVfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0C\n-AQYFK4EEACMDgYYABAAUuXSlLM/Sq6jmsr6/+aqYnBNDoelW5+uJ8kWFyR/9xaFf\n-hmvvui358ZLmOym6cA1tpoA1+PVZ1sVOE++GDsWQ3QDAG2kk8o0QxpXsCXLWBmJZ\n-92Z/pIO7Fc65qe6XDnuZLEaqbb6VWkqQPI15cL9AhJ8HgNbaoaxrT51MfCrHEteP\n-raOCAQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G\n-A1UdDgQWBBTlGjpQ7L1N14lCjcKcI/4LLNraBjAfBgNVHSMEGDAWgBQ7raJx5jS9\n-G/yAvzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jv\n-b3RfQ0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21u\n-ZXQvY3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GM\n-ADCBiAJCAYT0XLJdjumemn8jpqv058zb+c+3zb+05EhNcj15wcjRUq8SU+c2+H8a\n-hzfph97+CVSvGaV6Cf7phTSEBDPk9+T4AkIBdOmzIcRH+K9UcDzvdxqerOiXJaBC\n-0Bgbg9dOhcd6d0j3CObOuIp760FFQLSli2ocG3WLkfNsXlL1/3+VL+yarNo=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-kafka.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-kafka\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-kafka\n-\n-/var/log/cfssl-ocsprefresh-kafka/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-kafka].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]\n\n-    subscribe   => File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n-    refreshonly => True\n-    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    notify      => ['Service[apache2]']\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_kafka.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-gc-expired-certs.timer]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_syslog].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_syslog]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Cfssl::Config[aux]", "parameters": "--- Cfssl::Config[aux].orig\n+++ Cfssl::Config[aux]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/aux\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/aux/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/aux\n"}, {"resource": "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-cloud_wmnet_ca\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-cloud_wmnet_ca/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-zuul.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-zuul.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - zuul\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/zuul/ca/zuul.pem --responses-file /etc/cfssl/ocsp/zuul.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@zuul' zuul ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]\n"}, {"resource": "Service[cfssl-ocsprefresh-zuul.timer]", "parameters": "--- Service[cfssl-ocsprefresh-zuul.timer].orig\n+++ Service[cfssl-ocsprefresh-zuul.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_syslog command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_syslog\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"e3b9b989d5062ce2d267023dfe42fcd8\" --timeout 10 --check-command \"check_check_certificate_expiry_syslog\"\n"}, {"resource": "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "content": "--- /etc/ferm/conf.d/10_multirootca_tls_termination.orig\n+++ /etc/ferm/conf.d/10_multirootca_tls_termination\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 443, $DOMAIN_NETWORKS);\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_multirootca_tls_termination].orig\n+++ File[/etc/ferm/conf.d/10_multirootca_tls_termination]\n\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n-    tag     => ferm\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[ferm]\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve_staging_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve_staging_front_proxy' mlserve_staging_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"4d759acaf0fd7dd3abaa03dc4565aef6\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_front_proxy\"\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-dse_front_proxy].orig\n+++ File[/var/log/cfssl-ocsprefresh-dse_front_proxy]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cassandra.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cassandra.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-cassandra.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "parameters": "--- Sudo::User[nrpe-check_check_cfssl-multirootca_status].orig\n+++ Sudo::User[nrpe-check_check_cfssl-multirootca_status]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => absent\n-    privileges => []\n-    user       => nagios\n"}, {"resource": "Cfssl::Ocsp[wikikube_front_proxy]", "parameters": "--- Cfssl::Ocsp[wikikube_front_proxy].orig\n+++ Cfssl::Ocsp[wikikube_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20011\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca]", "parameters": "--- File[/etc/cfssl/signers/zuul/ca].orig\n+++ File[/etc/cfssl/signers/zuul/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - aux_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --responses-file /etc/cfssl/ocsp/aux_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux_front_proxy' aux_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - mlserve\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve/ca/mlserve.pem --responses-file /etc/cfssl/ocsp/mlserve.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve' mlserve ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\n-IwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n-33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\n-SrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\n-AQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\n-FMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\n-kdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\n-aXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\n-BgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\n-V2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\n-XFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\n-RSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n-/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/ca].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/cfssl/signers/etcd/cfssl.conf]", "content": "--- /etc/cfssl/signers/etcd/cfssl.conf.orig\n+++ /etc/cfssl/signers/etcd/cfssl.conf\n@@ -1,65 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/etcd\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/etcd\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/etcd/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/etcd/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]']\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]']\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-discovery.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-discovery\n-\n-/var/log/cfssl-ocsprefresh-discovery/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-kafka.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-kafka.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-kafka.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label network_devices -profile ocsp /etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[ensure_present_mod_proxy_http]", "parameters": "--- Exec[ensure_present_mod_proxy_http].orig\n+++ Exec[ensure_present_mod_proxy_http]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/proxy_http.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod proxy_http\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve_staging_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_debmonitor.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_cassandra].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_cassandra]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-network_devices]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-network_devices.service\n"}, {"resource": "Service[cfssl-ocsprefresh-discovery.timer]", "parameters": "--- Service[cfssl-ocsprefresh-discovery.timer].orig\n+++ Service[cfssl-ocsprefresh-discovery.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/signers/etcd]", "parameters": "--- File[/etc/cfssl/signers/etcd].orig\n+++ File[/etc/cfssl/signers/etcd]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_staging -profile ocsp /etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/puppet_rsa.ocsp].orig\n+++ File[/etc/cfssl/ocsp/puppet_rsa.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_aux\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Ocsp[cassandra]", "parameters": "--- Cfssl::Ocsp[cassandra].orig\n+++ Cfssl::Ocsp[cassandra]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10006\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_kafka].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_kafka]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-discovery2026].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-discovery2026]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem']\n-    user       => nagios\n"}, {"resource": "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_staging.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-discovery.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-discovery.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_discovery]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_discovery].orig\n+++ Nrpe::Check[check_check_certificate_expiry_discovery]\n\n-    before    => Monitoring::Service[check_certificate_expiry_discovery]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-network_devices.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-network_devices.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "content": "--- /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem.orig\n+++ /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem].orig\n+++ File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_etcd))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: etcd\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: etcd\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"c834f873297e445663ead81279c0b928\",check_name=\"check_check_certificate_expiry_etcd\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__etcd\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Cfssl::Ocsp[mlserve_front_proxy]", "parameters": "--- Cfssl::Ocsp[mlserve_front_proxy].orig\n+++ Cfssl::Ocsp[mlserve_front_proxy]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20031\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[wmf_auto_restart_apache-htcacheclean.timer]", "parameters": "--- Service[wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ Service[wmf_auto_restart_apache-htcacheclean.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]']\n"}, {"resource": "Systemd::Timer::Job[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Timer::Job[cfssl-gc-expired-certs].orig\n+++ Systemd::Timer::Job[cfssl-gc-expired-certs]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Delete expired Certificates from the cfssl DB\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': 'hourly'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-certs clean\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-discovery.timer]']\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_zuul]", "parameters": "--- Monitoring::Service[check_certificate_expiry_zuul].orig\n+++ Monitoring::Service[check_certificate_expiry_zuul]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_zuul!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: zuul\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_staging].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"mlserve_staging\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-discovery2026.timer]']\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_discovery]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_discovery].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_discovery]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"discovery\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - mlserve\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/mlserve/ca/mlserve.pem --responses-file /etc/cfssl/ocsp/mlserve.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@mlserve' mlserve \n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-discovery2026.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-discovery2026\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-discovery2026\n-\n-/var/log/cfssl-ocsprefresh-discovery2026/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-wikikube_staging.service\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-kafka\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-kafka/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/wikikube_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@debmonitor]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-syslog.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-syslog.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - syslog\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/syslog/ca/syslog.pem --responses-file /etc/cfssl/ocsp/syslog.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@syslog' syslog ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => PKI server\n+    role_description => Host being setup by Infrastructure Foundations SREs with ferm\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache2.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache2.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_apache2.timer]\n\n-    override          => False\n-    unit              => wmf_auto_restart_apache2.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]']\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-discovery-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_zuul.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_zuul.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]\n"}, {"resource": "File[/srv/cfssl/bundles/mlserve_staging.pem]", "content": "--- /srv/cfssl/bundles/mlserve_staging.pem.orig\n+++ /srv/cfssl/bundles/mlserve_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUHWrqd3I2VME7z6A5M3brKa5UlOgwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9tbHNlcnZlX3N0YWdpbmcwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAAu0g2dBBEAH2iUfZLPv+mA+1srb6S3bdVyH/kRk+QZDoOMnM0H8Edn\n-V+dakFKXnwl+w+qsOsWj1NP2FlOm3bTglwCIxFAzX5XaDfqWa74L1tIqDH6kx+bX\n-yxnuGWT/U1cv8rIHFap7ccH3h5YxPQfHy73KRTWxPln6ByswgxekotwnCKOCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBSRzdapYuh57Gp5MstVlUJNJ+6zTzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AY8VuLFo6MpcfxrDG8Junk8mESfQTMRbfeZM6WpHqKYBTESkpeV8HIdTYliFDAMX\n-JqE94+xbPVaTS8DZ0xiXz4SjAkIBEIIXA4nOdLYbX/MvdKWr7aDunH8n1oO3K/op\n-7NktfJd5CXuECxdSonHOb7PFW5lbpCtZrLxFzhB2Hlp1TBWHX84=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/mlserve_staging.pem].orig\n+++ File[/srv/cfssl/bundles/mlserve_staging.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (dse_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20062 \\\n-          -responses /etc/cfssl/ocsp/dse_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/discovery2026.ocsp].orig\n+++ File[/etc/cfssl/ocsp/discovery2026.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"9d6dd05c8e5e1bb294462d932b24bd1a\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_front_proxy\"\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve_staging]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve_staging].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve_staging]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_mlserve_staging\n"}, {"resource": "Cfssl::Signer[aux]", "parameters": "--- Cfssl::Signer[aux].orig\n+++ Cfssl::Signer[aux]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\nh264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\nsa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\nQcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\nBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\nbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\noD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\nbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\ntEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\nSr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\nA3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/aux\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/aux/ca/aux.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/aux/ca/aux-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/aux\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-syslog.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-syslog.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-syslog.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-syslog-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_dse_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_dse_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube_staging_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"e515778a769f523fb98a7f642670e011\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube_staging_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "content": "--- /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem.orig\n+++ /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDmzCCAvygAwIBAgIUN3uLiKCNVwnGG5H9qKGwTGT4fJowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTQ1MTAwWhcNMjYwMzI0MTQ1MTAwWjCB\n-mTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZp\n-Y2VzMTUwMwYDVQQDDCxXaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQV9vY3NwX3Np\n-Z25pbmdfY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmGOcHNNTGsOVTG\n-17o/lTVCgVJqX751quqBZvJQUbAgfAv0PRgv6yjWzTmZnojzKHYRaV8NXhDIVBzo\n-l2DRWUOjggEbMIIBFzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\n-AwkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULRRzzcjqWQc2Fjci5s2v0FKSPJww\n-HwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBI\n-MEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dp\n-a2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6\n-Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\n-dF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgCI41DoiQFxqs9gDCZs4VhwcNeatHqe\n-98IqBIzFOMdZdkUnyTNiXf0VDkUYZ+n2mYmB5ZAaBTPYhTHgLNrc3KsmpQJCAfHM\n-Qr3AEz1MlZq2krL+7Mx9OuBQ3B/hXyC+met7EmKDziU8UyScxFfSIY1lwwgAmZHA\n-OEOWpgzuF4fGZFVf0dFi\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0444\n-    before => Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-cloud_wmnet_ca\n-\n-/var/log/cfssl-ocsprefresh-cloud_wmnet_ca/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Cfssl::Ocsp[aux]", "parameters": "--- Cfssl::Ocsp[aux].orig\n+++ Cfssl::Ocsp[aux]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20050\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/aux/ca/aux.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_staging_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging_front_proxy' wikikube_staging_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/srv/cfssl/bundles/etcd.pem]", "content": "--- /srv/cfssl/bundles/etcd.pem.orig\n+++ /srv/cfssl/bundles/etcd.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUOk3cFWirYBfYaO6q8zyqfEHxwVEwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIwODEwMTAzODAwWhcNMjcwODA5MTAzODAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwRldGNkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAgtdp\n-7nZHIAQhEm2IlJ7AzfGjWIGGzKzCfnBQ8d+euPiOZ3ccv1YXfx0f+WmV35vuEmA/\n-ZSw/6iJrKBnYsZAR6U0ByUUqg6nUYg4P47Sc/kMTWmVIgRuNhmrgavCK+qRQdnZs\n-N/OOGTgFNG0icty63dUF4NZz80HxHSrPQYaNxZ9ydY2jggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUtvZYHyYnZHZP\n-ZLIB5kqPcVOVI9owHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgEgYyeOREniK9JC\n-4hvIiuv9D7mVVXzX5/s8GuhTbRadqZr41ulpHT53lFcbt+xhAsyqMxXPhgT/OyMQ\n-jkXuEh5oBQJCAM22xLZpt2XwKCp0opgXlC5fm5+YjKba2COlr43q78I2la57aYdp\n-UF7sFgBRFVx7FNY7CASuZMYsW+4wltPTXVau\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/etcd.pem].orig\n+++ File[/srv/cfssl/bundles/etcd.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_syslog\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_debmonitor command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_debmonitor\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"224e2ac3574a9ce482218106d95a2931\" --timeout 10 --check-command \"check_check_certificate_expiry_debmonitor\"\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_zuul command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_zuul\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"373325faaa689f3e9b058d91d4eb6cdb\" --timeout 10 --check-command \"check_check_certificate_expiry_zuul\"\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@puppet_rsa]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy]", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@zuul.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@zuul.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (zuul)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10009 \\\n-          -responses /etc/cfssl/ocsp/zuul.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@zuul.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@zuul.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "content": "--- /srv/cfssl/bundles/aux_front_proxy.pem.orig\n+++ /srv/cfssl/bundles/aux_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n-9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\n-pNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\n-ZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\n-HEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/aux_front_proxy.pem].orig\n+++ File[/srv/cfssl/bundles/aux_front_proxy.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-wikikube_staging].orig\n+++ File[/var/log/cfssl-ocsprefresh-wikikube_staging]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-aux_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Service[cfssl-ocspserve@wikikube_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_apache-htcacheclean].orig\n+++ Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]\n\n-    ensure => absent\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-aux]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-aux].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-aux]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@aux_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@aux_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@aux_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "content": "--- /etc/cfssl/signers/network_devices/ca/network_devices-key.pem.orig\n+++ /etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n@@ -1 +0,0 @@\n-fake key", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem].orig\n+++ File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]\n\n-    before    => Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n"}, {"resource": "File[/srv/cfssl/bundles/puppet_rsa.pem]", "content": "--- /srv/cfssl/bundles/puppet_rsa.pem.orig\n+++ /srv/cfssl/bundles/puppet_rsa.pem\n@@ -1,30 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIFNDCCBJagAwIBAgIUOR+ZAFtrzLKYphDIGMa9eF6O0LIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjIwMTIwNTAwWhcNMjgwNjE4MTIwNTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDDApwdXBwZXRfcnNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n-MIICCgKCAgEA4urK5Og7RVGoXg6KzYywzaXyRROuj0Kauc7n/BgCWvsKv9Ll4f/p\n-lbVGOSln3akzhBlJwmVTGrgCmWQVxMF2agKAR+R1aV2Wc+yEfofUbW1oRgBCelMQ\n-Xutw0cApO+lzjHNtduffeIEVBjwLcEG/OdaUa2CGFGLG/dHox7o8AZgkH7SFJyby\n-z/rzip+szHpMThhjs0PKx91VS1srb7Q1jE1OlB7ydhX+gLRWTjwxOp1ITFXjNobk\n-i16jcP3YYgCvj8qwWMcYmtI7iExSeFdptv3fmajBeoi1o52LUWKUrslwtNa/emaB\n-FBGRZfu8ap+BWWpYYarI4mOCyvetw/6FZ2LnuWy5cNA3GoALB5xfLpO3twYnrveP\n-BnxULp4Q8szITB/bjPBMkd8FG8Frpe3eZNKNHG9xjJGdS1Bxhq7Zgfy09V1RJCym\n-AJSWERHRrxjEnRCDd7HUAhfaDCygeooe4wGRR5bG8WqOpkQDtYPP3yfk5NBhcJpW\n-mXTRFTFkuslEL/2bwa9EPIOAKAINDeJOCHqJMQd6EXwTP2LabWU3oI+sfeBdCoSd\n-Rn+q2Z0kSLu8fqXsgPgvdgyWjfPkQnyLAz9rdsal2x4x9SilDkov+l6Q9DXGGoYO\n-GGOHHFCFhM9CS02zFGLe1JbqiHPuYuIkEnGjGJyCqdIB8Rz0JxdypEcCAwEAAaOC\n-AQwwggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud\n-DgQWBBRrq/ZHBKl8OZGQrQCiUq4GRc86YDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yA\n-vzVxg5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9w\n-a2kuZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3Rf\n-Q0EwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQv\n-Y3JsL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCB\n-hwJBJHrjuBvyK8Sv40xCW/TrVtOCIVaXfjwsKau9lkmt/6purO/xkppZDMajueYw\n-9koKhj6SvliOpiwgypfOKP7nbsACQgFAnawARDYCoOQ8pQDoqpRkPBBScMOTMPFu\n-xTekxW2V7POn9dn6uavLJz/wha+sNgAnYT4wHWkRJzbUk+1H3Hb3NA==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/puppet_rsa.pem].orig\n+++ File[/srv/cfssl/bundles/puppet_rsa.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/cfssl/signers/network_devices/ca]", "parameters": "--- File[/etc/cfssl/signers/network_devices/ca].orig\n+++ File[/etc/cfssl/signers/network_devices/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_aux_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_aux_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"99cf4f8f014e8fd527800abcc213f494\" --timeout 10 --check-command \"check_check_certificate_expiry_aux_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_dse command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_dse\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"4384c5ebc49e03dbe331e279fac3f393\" --timeout 10 --check-command \"check_check_certificate_expiry_dse\"\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_discovery2026].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery2026/ca/discovery2026.pem']\n-    user       => nagios\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_etcd.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe_certificate_check_network_devices]", "parameters": "--- Sudo::User[nrpe_certificate_check_network_devices].orig\n+++ Sudo::User[nrpe_certificate_check_network_devices]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_network_devices\n"}, {"resource": "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-aux-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-aux-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Service[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Service[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Service[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/srv/cfssl/bundles/debmonitor.pem]", "content": "--- /srv/cfssl/bundles/debmonitor.pem.orig\n+++ /srv/cfssl/bundles/debmonitor.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\n-AAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\n-M+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\n-WgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\n-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\n-TrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\n-EzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\n-HwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\n-bWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\n-XIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\n-y9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\n-EknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/debmonitor.pem].orig\n+++ File[/srv/cfssl/bundles/debmonitor.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@zuul]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-puppet_rsa].orig\n+++ File[/var/log/cfssl-ocsprefresh-puppet_rsa]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Motd::Message[pki::multirootca]", "parameters": "--- Motd::Message[pki::multirootca].orig\n+++ Motd::Message[pki::multirootca]\n\n-    priority => 5\n-    message  => pki1001 is a PKI server (pki::multirootca)\n-    ensure   => present\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_staging_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Cfssl::Config[etcd]", "parameters": "--- Cfssl::Config[etcd].orig\n+++ Cfssl::Config[etcd]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/etcd\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/etcd/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/etcd\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_discovery.service\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Service[cfssl-ocsprefresh-discovery]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-discovery.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[mlserve]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[mlserve].orig\n+++ Profile::Pki::Multirootca::Monitoring[mlserve]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    intermediate => mlserve\n"}, {"resource": "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => aux_front_proxy\n-    notify          => Service[cfssl-ocspserve@aux_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-apache2.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-apache2.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"wmf_auto_restart_apache2\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/wmf_auto_restart_apache2/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Exec[Generate initial CRL for mlserve_staging]", "parameters": "--- Exec[Generate initial CRL for mlserve_staging].orig\n+++ Exec[Generate initial CRL for mlserve_staging]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/mlserve_staging\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_staging\n"}, {"resource": "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "content": "--- /etc/cfssl/signers/zuul/ca/zuul.pem.orig\n+++ /etc/cfssl/signers/zuul/ca/zuul.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpzCCAwigAwIBAgIUMIxkteGnxVGRNFWjJZ+eXPnOeM8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjUwODIwMTg1NTAwWhcNMzAwODE5MTg1NTAwWjBy\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ0wCwYDVQQDEwR6dXVsMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBNx/m\n-dSpc4EWI68Y36PVvDkvyqlJ6pA4sEXQCrNOM+0jSACRM8Shwqr7uC/JmuP8GIdK3\n-g+SgxQOjF9pfelX2OpAB6leOfgHXhFtzJquX261tKsxQm74cszycF9YTiWDKVq0V\n-g7bFNgf4NcC7NxGfN4SuA58I7dQWJxSWdzTJNQsF2uijggEMMIIBCDAOBgNVHQ8B\n-Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqyQEoVfbsJqL\n-jr5RyZovCpWdRZUwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYI\n-KwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53\n-bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEw\n-P6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFf\n-SW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgER9R3mwAtzYcIh\n-HAnL2SiHTXBpqitQp6Ce+7nYFP0qyu+Ggkx2bu86bl32lGmvA6ecTKXDiyXW5pMW\n-atmKn0wAegJCAaU9pfWuLIgsVqzB2zvDWMR2HgBMa6MO7dRlG2VUoLvR16NF9cln\n-XjNzIqPRxUpiD5TNC4+p9BoT+RRXEDUeRufH\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/zuul/ca/zuul.pem].orig\n+++ File[/etc/cfssl/signers/zuul/ca/zuul.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Service[cfssl-ocsprefresh-debmonitor]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => wikikube_staging\n-    notify          => Service[cfssl-ocspserve@wikikube_staging]\n-    profile         => ocsp\n"}, {"resource": "Exec[Generate initial CRL for aux]", "parameters": "--- Exec[Generate initial CRL for aux].orig\n+++ Exec[Generate initial CRL for aux]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/aux\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/aux/ca/aux.pem /etc/cfssl/signers/aux/ca/aux-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/aux\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "content": "--- /lib/systemd/system/cfssl-gc-expired-certs.service.orig\n+++ /lib/systemd/system/cfssl-gc-expired-certs.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Delete expired Certificates from the cfssl DB\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-certs clean", "parameters": "--- File[/lib/systemd/system/cfssl-gc-expired-certs.service].orig\n+++ File[/lib/systemd/system/cfssl-gc-expired-certs.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/discovery2026]", "parameters": "--- File[/etc/cfssl/signers/discovery2026].orig\n+++ File[/etc/cfssl/signers/discovery2026]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-dse_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Monitoring::Service[check_cfssl-multirootca_status]", "parameters": "--- Monitoring::Service[check_cfssl-multirootca_status].orig\n+++ Monitoring::Service[check_cfssl-multirootca_status]\n\n-    check_command  => nrpe_check!check_check_cfssl-multirootca_status!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI\n-    description    => Check unit status of cfssl-multirootca\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => True\n-    retries        => 2\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 10\n"}, {"resource": "Concat::Fragment[main]"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve_front_proxy-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_front_proxy_intermediate.prom\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_syslog].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_syslog]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem']\n-    user       => nagios\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"d2a76a31e44e204e2d4788a2698d0e6c\",check_name=\"check_check_certificate_expiry_wikikube\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/cfssl/signers/discovery]", "parameters": "--- File[/etc/cfssl/signers/discovery].orig\n+++ File[/etc/cfssl/signers/discovery]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/update-motd.d/05-pki--multirootca]", "content": "--- /etc/update-motd.d/05-pki--multirootca.orig\n+++ /etc/update-motd.d/05-pki--multirootca\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"pki1001 is a PKI server (pki::multirootca)\"", "parameters": "--- File[/etc/update-motd.d/05-pki--multirootca].orig\n+++ File[/etc/update-motd.d/05-pki--multirootca]\n\n-    mode   => 0555\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_staging.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_staging)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20020 \\\n-          -responses /etc/cfssl/ocsp/wikikube_staging.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-debmonitor.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"mlserve_staging_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Firewall::Service[csr_and_ocsp_responder]", "parameters": "--- Firewall::Service[csr_and_ocsp_responder].orig\n+++ Firewall::Service[csr_and_ocsp_responder]\n\n-    desc                => \n-    prio                => 10\n-    unrestricted_access => False\n-    src_sets            => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS']\n-    proto               => tcp\n-    port                => 80\n-    ensure              => present\n-    notrack             => False\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service\n"}, {"resource": "File[/srv/cfssl/crl]", "parameters": "--- File[/srv/cfssl/crl].orig\n+++ File[/srv/cfssl/crl]\n\n-    owner  => root\n-    group  => root\n-    ensure => directory\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-mlserve.timer]']\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Systemd::Service[cfssl-ocspserve@mlserve_staging].orig\n+++ Systemd::Service[cfssl-ocspserve@mlserve_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-debmonitor-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"aux_front_proxy\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-puppet_rsa.service\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "parameters": "--- Exec[Generate initial CRL for wikikube_staging_front_proxy].orig\n+++ Exec[Generate initial CRL for wikikube_staging_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/wikikube_staging_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/wikikube_staging_front_proxy\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => absent\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]\n\n-    owner   => root\n-    require => Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]\n-    group   => root\n-    ensure  => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_front_proxy\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --responses-file /etc/cfssl/ocsp/wikikube_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_front_proxy' wikikube_front_proxy ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/cfssl/signers/dse/cfssl.conf]", "content": "--- /etc/cfssl/signers/dse/cfssl.conf.orig\n+++ /etc/cfssl/signers/dse/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/dse\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/dse\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/dse/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/dse/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_aux]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-dse.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_debmonitor\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-aux].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-aux]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-aux]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label debmonitor -profile ocsp /etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet\n\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve\n-    check_interval         => 1\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-mlserve]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-mlserve].orig\n+++ File[/var/log/cfssl-ocsprefresh-mlserve]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_zuul]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_zuul].orig\n+++ Nrpe::Check[check_check_certificate_expiry_zuul]\n\n-    before    => Monitoring::Service[check_certificate_expiry_zuul]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-puppet_rsa-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-discovery]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-discovery].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-discovery]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-discovery.service\n"}, {"resource": "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Cfssl::Signer[mlserve]", "parameters": "--- Cfssl::Signer[mlserve].orig\n+++ Cfssl::Signer[mlserve]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\nhMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\nHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\nfAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\nVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\neS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\nMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\naWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\nGLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\njPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (cloud_wmnet_ca)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10004 \\\n-          -responses /etc/cfssl/ocsp/cloud_wmnet_ca.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@etcd]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_network_devices!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: network_devices\n-    check_interval         => 1\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Service[cfssl-ocsprefresh-zuul]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-zuul.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Service[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Service[cfssl-ocspserve@puppet_rsa].orig\n+++ Service[cfssl-ocspserve@puppet_rsa]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-mlserve_staging]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/srv/cfssl/bundles/discovery2026.pem]", "content": "--- /srv/cfssl/bundles/discovery2026.pem.orig\n+++ /srv/cfssl/bundles/discovery2026.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxGgAwIBAgIUa46nWae1FhV+WZzdsRMJchzTP54wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjYwNDIwMTUzNjAwWhcNMzEwNDE5MTUzNjAwWjB7\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRYwFAYDVQQDEw1kaXNjb3ZlcnkyMDI2MIGbMBAGByqGSM49AgEGBSuBBAAj\n-A4GGAAQBNeE+xxvbq00KO92aWhHFTLosZBkXul9ufZINtOUd90TXpQnJvpEv7kK8\n-HQpufac9Dez+MBhLzQXoTY+ElhRCsQQBwlu+rIeqpbJEh87DQ2RTfzhTJmlm/9de\n-1fiM38/51DacwYS/vW0psN/lKSoM7cX/Paw6Qg7pBUmUGCq2vE9wDbmjggEMMIIB\n-CDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU\n-SXZcMeXrgnEYbZ3z1m8j/+8XmugwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR\n-0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRp\n-c2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoG\n-A1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9X\n-aWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQgD4\n-UGn506FGvacDvYS6t8JEMo6YH7jxK8dKeiZNEnhG5FSjA4Lt2BCz85sOBczxSD9h\n-b9wLCxy5wOpifRePlyrZQgJBNKUXBImWpyoHmt6hNOA6X7+FmGl0tD5tLnbeuPx7\n-aTlv8rfJ0d7JdsZXx+7M6YcsmxMgZCKUh4UMYu/WcczIq30=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/discovery2026.pem].orig\n+++ File[/srv/cfssl/bundles/discovery2026.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-syslog.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-syslog.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-syslog.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_zuul command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_zuul\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"373325faaa689f3e9b058d91d4eb6cdb\" --timeout 10 --check-command \"check_check_certificate_expiry_zuul\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Cfssl::Config[aux_front_proxy]", "parameters": "--- Cfssl::Config[aux_front_proxy].orig\n+++ Cfssl::Config[aux_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/aux_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/aux_front_proxy\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]']\n"}, {"resource": "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Service[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Service[wmf_auto_restart_apache-htcacheclean]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@wikikube]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Syslog[cfssl-gc-expired-certs].orig\n+++ Systemd::Syslog[cfssl-gc-expired-certs]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "parameters": "--- Monitoring::Service[check_certificate_expiry_puppet_rsa].orig\n+++ Monitoring::Service[check_certificate_expiry_puppet_rsa]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_puppet_rsa!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: puppet_rsa\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-cassandra.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-cassandra.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-dse-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-dse-certificate-expiry --cert-path /etc/cfssl/signers/dse/ca/dse.pem --outfile /var/lib/prometheus/node.d/dse_intermediate.prom\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@mlserve]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-wikikube_staging-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_intermediate.prom\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-aux]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-debmonitor].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-debmonitor]\n\n-    ensure => present\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_cassandra))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: cassandra\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: cassandra\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f5e260f525c48c963fb2e6c86a0d5d63\",check_name=\"check_check_certificate_expiry_cassandra\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__cassandra\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "content": "--- /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem.orig\n+++ /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem\n@@ -1,19 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDBjCCAmegAwIBAgIUJzV1YuedEKoaCkVVX4sGAX6x9eMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTMyNzAwWhcNMzEwMzIzMTMyNzAwWjCB\n-nDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\n-biBGcmFuY2lzY28xIjAgBgNVBAoTGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMx\n-FzAVBgNVBAsTDkNsb3VkIFNlcnZpY2VzMSMwIQYDVQQDDBpXaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAVJE6KrM3i7m\n-7uw5oZ71qWvcQv9wBoNU3nrEqPCDPRd4FS/THrd+OqmnxhJ5UIUhE31H3Ev52dNP\n-LQ+274G2MR9dACOGB4/21O1Ng5aKNAgF0NjwS50RAQmRaGs9f7kQg7coDDBqKQj0\n-GF6wG1tMI0/wdmi71d1qPX5BDYy+xGQZe1Bao0IwQDAOBgNVHQ8BAf8EBAMCAQYw\n-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO62iceY0vRv8gL81cYOR0O9pEzYw\n-CgYIKoZIzj0EAwQDgYwAMIGIAkIB64t/CBqDBhti8ERNX+rUh7k7zaZw0mllpfDa\n-90Gp4vUr5jNTOYi5+Was8xNHz6SCtZK6BkxjF+yb8ogG4ZknV7kCQgD6jCQHgXUx\n-mwKWMrxkrfv/yLCSytHfKCm0HSSyXKpHzKbPaIkt83JQxOoKpBmdHjPjkzVC1vjR\n-EVQD+PGFu+xryQ==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_cassandra command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_cassandra\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f5e260f525c48c963fb2e6c86a0d5d63\" --timeout 10 --check-command \"check_check_certificate_expiry_cassandra\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-discovery2026\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-discovery2026/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Cfssl::Ocsp[cloud_wmnet_ca]", "parameters": "--- Cfssl::Ocsp[cloud_wmnet_ca].orig\n+++ Cfssl::Ocsp[cloud_wmnet_ca]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10004\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Cfssl::Ocsp[wikikube_staging]", "parameters": "--- Cfssl::Ocsp[wikikube_staging].orig\n+++ Cfssl::Ocsp[wikikube_staging]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20020\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "File[/etc/ssl/dhparam.pem]", "parameters": "--- File[/etc/ssl/dhparam.pem].orig\n+++ File[/etc/ssl/dhparam.pem]\n\n-    mode   => 0444\n-    source => puppet:///modules/sslcert/dhparam.pem\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube-certificate-expiry --cert-path /etc/cfssl/signers/wikikube/ca/wikikube.pem --outfile /var/lib/prometheus/node.d/wikikube_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_syslog command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_syslog\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"e3b9b989d5062ce2d267023dfe42fcd8\" --timeout 10 --check-command \"check_check_certificate_expiry_syslog\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_mlserve_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: mlserve_front_proxy\n-    check_interval         => 1\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube\n-    check_interval         => 1\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Exec[Generate cert puppet_rsa__pki_discovery_wmnet].orig\n+++ Exec[Generate cert puppet_rsa__pki_discovery_wmnet]\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem 2>&1)\"\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    notify      => ['Service[apache2]']\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-etcd.timer]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_discovery2026].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-syslog.timer]']\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_discovery2026.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]\n"}, {"resource": "Httpd::Conf[defaults]", "parameters": "--- Httpd::Conf[defaults].orig\n+++ Httpd::Conf[defaults]\n\n-    conf_type => conf\n-    source    => puppet:///modules/httpd/defaults.conf\n-    priority  => 0\n-    ensure    => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-network_devices.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-network_devices\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-network_devices\n-\n-/var/log/cfssl-ocsprefresh-network_devices/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "content": "--- /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf.orig\n+++ /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/cloud_wmnet_ca\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/cloud_wmnet_ca\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/db.conf]", "content": "--- /etc/cfssl/db.conf.orig\n+++ /etc/cfssl/db.conf\n@@ -1 +0,0 @@\n-{\"driver\":\"mysql\",\"data_source\":\"pki:changeme@tcp(m1-master.eqiad.wmnet:3306)/pki?parseTime=true&tls=skip-verify\"}", "parameters": "--- File[/etc/cfssl/db.conf].orig\n+++ File[/etc/cfssl/db.conf]\n\n-    mode      => 0440\n-    require   => ['Package[golang-cfssl]']\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-etcd].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-etcd]\n\n-    ensure => present\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-mlserve_staging_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Cfssl::Config[wikikube]", "parameters": "--- Cfssl::Config[wikikube].orig\n+++ Cfssl::Config[wikikube]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/wikikube/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-debmonitor-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-dse-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_puppet_rsa))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: puppet_rsa\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: puppet_rsa\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"c1b324b3d8ac107f8d7483b4017f5edf\",check_name=\"check_check_certificate_expiry_puppet_rsa\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__puppet_rsa\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Timer[wmf_auto_restart_apache2].orig\n+++ Systemd::Timer[wmf_auto_restart_apache2]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00'}]\n-    unit_name          => wmf_auto_restart_apache2.service\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]']\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_cassandra.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_cassandra.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-dse_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-dse_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]\n\n-    max_check_attempts     => 2\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins,sms,admins\n-    check_command          => nrpe_check!check_check_cfssl-multirootca_status!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 240\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check unit status of cfssl-multirootca #page\n-    check_interval         => 10\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-aux.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-aux\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-aux\n-\n-/var/log/cfssl-ocsprefresh-aux/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-aux].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-aux]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/apache2/mods-available/status.conf]", "parameters": "--- File[/etc/apache2/mods-available/status.conf].orig\n+++ File[/etc/apache2/mods-available/status.conf]\n\n-    require => Package[apache2]\n-    ensure  => absent\n-    before  => Httpd::Mod_conf[status]\n-    owner   => root\n-    group   => root\n"}, {"resource": "Service[cfssl-ocspserve@debmonitor]", "parameters": "--- Service[cfssl-ocspserve@debmonitor].orig\n+++ Service[cfssl-ocspserve@debmonitor]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Cfssl::Ocsp[debmonitor]", "parameters": "--- Cfssl::Ocsp[debmonitor].orig\n+++ Cfssl::Ocsp[debmonitor]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10001\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-zuul]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-kafka-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-kafka-certificate-expiry --cert-path /etc/cfssl/signers/kafka/ca/kafka.pem --outfile /var/lib/prometheus/node.d/kafka_intermediate.prom\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/apache2/sites-available]", "parameters": "--- File[/etc/apache2/sites-available].orig\n+++ File[/etc/apache2/sites-available]\n\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => network_devices\n-    notify          => Service[cfssl-ocspserve@network_devices]\n-    profile         => ocsp\n"}, {"resource": "File[/etc/cfssl/ocsp/network_devices.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/network_devices.ocsp].orig\n+++ File[/etc/cfssl/ocsp/network_devices.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_puppet_rsa.service\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "parameters": "--- Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA].orig\n+++ Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]']\n"}, {"resource": "Service[cfssl-ocsprefresh-dse.timer]", "parameters": "--- Service[cfssl-ocsprefresh-dse.timer].orig\n+++ Service[cfssl-ocsprefresh-dse.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@etcd]", "parameters": "--- Systemd::Service[cfssl-ocspserve@etcd].orig\n+++ Systemd::Service[cfssl-ocspserve@etcd]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_zuul]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_zuul].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_zuul]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"zuul\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Cfssl::Ocsp[mlserve_staging]", "parameters": "--- Cfssl::Ocsp[mlserve_staging].orig\n+++ Cfssl::Ocsp[mlserve_staging]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20040\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_aux]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_aux].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_aux]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: aux\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-zuul-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-zuul-certificate-expiry --cert-path /etc/cfssl/signers/zuul/ca/zuul.pem --outfile /var/lib/prometheus/node.d/zuul_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]\n"}, {"resource": "File[/srv/cfssl/bundles/dse.pem]", "content": "--- /srv/cfssl/bundles/dse.pem.orig\n+++ /srv/cfssl/bundles/dse.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\n-rMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\n-apIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\n-Dgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\n-wQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\n-JqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\n-Dj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\n-pOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/dse.pem].orig\n+++ File[/srv/cfssl/bundles/dse.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "parameters": "--- Monitoring::Service[check_certificate_expiry_mlserve_staging].orig\n+++ Monitoring::Service[check_certificate_expiry_mlserve_staging]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_mlserve_staging!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_mlserve_staging\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"7cff186656c3cabbca85b5b57d0c8679\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging\"\n"}, {"resource": "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_aux_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: aux_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"99cf4f8f014e8fd527800abcc213f494\",check_name=\"check_check_certificate_expiry_aux_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__aux_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-zuul].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-zuul]\n\n-    ensure => present\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Motd::Script[insetup::infrastructure_foundations_ferm]", "parameters": "--- Motd::Script[insetup::infrastructure_foundations_ferm].orig\n+++ Motd::Script[insetup::infrastructure_foundations_ferm]\n\n+    ensure   => present\n+    priority => 5\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube -profile ocsp /etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@mlserve_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca].orig\n+++ Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-aux]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - aux\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/aux/ca/aux.pem --responses-file /etc/cfssl/ocsp/aux.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@aux' aux \n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: mlserve_staging\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-mlserve]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-mlserve.service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]']\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]\n"}, {"resource": "File_line[auto_restart_file_presence_apache-htcacheclean]", "parameters": "--- File_line[auto_restart_file_presence_apache-htcacheclean].orig\n+++ File_line[auto_restart_file_presence_apache-htcacheclean]\n\n-    line    => apache-htcacheclean\n-    require => File[/etc/debdeploy-client/autorestarts.conf]\n-    path    => /etc/debdeploy-client/autorestarts.conf\n-    ensure  => absent\n"}, {"resource": "Service[cfssl-ocspserve@wikikube]", "parameters": "--- Service[cfssl-ocspserve@wikikube].orig\n+++ Service[cfssl-ocspserve@wikikube]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@discovery2026.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@discovery2026.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (discovery2026)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10010 \\\n-          -responses /etc/cfssl/ocsp/discovery2026.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[discovery]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[discovery].orig\n+++ Profile::Pki::Multirootca::Monitoring[discovery]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/discovery/ca/discovery.pem\n-    intermediate => discovery\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-dse.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-dse\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-dse\n-\n-/var/log/cfssl-ocsprefresh-dse/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-dse].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-dse]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Ocsp[wikikube]", "parameters": "--- Cfssl::Ocsp[wikikube].orig\n+++ Cfssl::Ocsp[wikikube]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20010\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@etcd]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@etcd].orig\n+++ Systemd::Unit[cfssl-ocspserve@etcd]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@etcd\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/discovery/cfssl.conf]", "content": "--- /etc/cfssl/signers/discovery/cfssl.conf.orig\n+++ /etc/cfssl/signers/discovery/cfssl.conf\n@@ -1,129 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"digital signature\",\n-        \"key encipherment\",\n-        \"server auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/discovery\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/discovery\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_staging\": {\n-        \"auth_key\": \"k8s_staging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_wikikube\": {\n-        \"auth_key\": \"k8s_wikikube\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlserve\": {\n-        \"auth_key\": \"k8s_mlserve\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_mlstaging\": {\n-        \"auth_key\": \"k8s_mlstaging\",\n-        \"expiry\": \"24h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"k8s_dse\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_dse_opensearch\": {\n-        \"auth_key\": \"k8s_dse\",\n-        \"expiry\": \"4380h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\",\n-          \"client auth\"\n-        ]\n-      },\n-      \"k8s_aux\": {\n-        \"auth_key\": \"k8s_aux\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/discovery/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/discovery/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --outfile /var/lib/prometheus/node.d/dse_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Cfssl::Signer[dse]", "parameters": "--- Cfssl::Signer[dse].orig\n+++ Cfssl::Signer[dse]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDpTCCAwegAwIBAgIUb4Tdc/LBMz08oj3vXm9vyvVoa8kwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjBx\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQwwCgYDVQQDEwNkc2UwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEKIsRi\nrMZazQ75DhhEGhtUEr3248uYpcVNJ3Mp/1IdsIkgdy3vU97D4x+FWvbcITOzw9xz\napIVnwWIAU7hei4jEwCAIr3llako75gtbD7Xvq9y6UDUcp/LOGBkmGMBktL2Q9qz\nDgc4AgI29X2/hGBuYEglW2Qhpnbu0+q+7Xi/eKSG3aOCAQwwggEIMA4GA1UdDwEB\n/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSp3KLmcR8APKuf\nwQNUAmw4ugiWrzAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\nBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\nbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\noD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\nbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GLADCBhwJCAYGa4oeqY5OQzJhU\nJqhW7Wn0V5dXQ3F0LJKbf70afe5Xx/jkMKMXv6cpUoCgq6OW5CzFHvwyYGDYc3Uy\nDj63k3tQAkFP3CHPBJahbaziMXpat5mFpYeRit/bScad+W+ysdXe4wLSRK3skzhU\npOp2n7NgGJQbM1fWuRcBPMQLEZVFsbo04A==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/dse\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => \n-    ca_file          => /etc/cfssl/signers/dse/ca/dse.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    ca_key_file      => /etc/cfssl/signers/dse/ca/dse-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/dse\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Package[apache2]", "parameters": "--- Package[apache2].orig\n+++ Package[apache2]\n\n-    provider => apt\n-    ensure   => installed\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_etcd command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_etcd\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"c834f873297e445663ead81279c0b928\" --timeout 10 --check-command \"check_check_certificate_expiry_etcd\"\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - dse\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse/ca/dse.pem --responses-file /etc/cfssl/ocsp/dse.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse' dse ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_aux]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_aux].orig\n+++ Nrpe::Check[check_check_certificate_expiry_aux]\n\n-    before    => Monitoring::Service[check_certificate_expiry_aux]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux/ca/aux.pem\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_kafka.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_cloud_wmnet_ca))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: cloud_wmnet_ca\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"f87f54115f2f782169eed72541c30a1e\",check_name=\"check_check_certificate_expiry_cloud_wmnet_ca\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__cloud_wmnet_ca\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_dse]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_dse].orig\n+++ Nrpe::Check[check_check_certificate_expiry_dse]\n\n-    before    => Monitoring::Service[check_certificate_expiry_dse]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse/ca/dse.pem\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-dse].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-dse]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - dse\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse/ca/dse.pem --responses-file /etc/cfssl/ocsp/dse.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse' dse \n"}, {"resource": "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "content": "--- /etc/cfssl/signers/kafka/ca/kafka.pem.orig\n+++ /etc/cfssl/signers/kafka/ca/kafka.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\n-AVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\n-DEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\n-kgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\n-AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\n-RGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\n-CCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\n-d21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\n-MD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\n-X0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\n-tcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\n-b9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\n-up2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/kafka/ca/kafka.pem].orig\n+++ File[/etc/cfssl/signers/kafka/ca/kafka.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[network_devices]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[network_devices].orig\n+++ Profile::Pki::Multirootca::Monitoring[network_devices]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-    intermediate => network_devices\n"}, {"resource": "Cfssl::Ocsp[syslog]", "parameters": "--- Cfssl::Ocsp[syslog].orig\n+++ Cfssl::Ocsp[syslog]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10007\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-puppet_rsa.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@zuul]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@zuul].orig\n+++ Systemd::Unit[cfssl-ocspserve@zuul]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@zuul\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry --cert-path /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem --outfile /var/lib/prometheus/node.d/puppet_rsa_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Service[cfssl-ocsprefresh-cassandra.timer]", "parameters": "--- Service[cfssl-ocsprefresh-cassandra.timer].orig\n+++ Service[cfssl-ocsprefresh-cassandra.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (wikikube_staging_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20021 \\\n-          -responses /etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]\n"}, {"resource": "Exec[Generate initial CRL for discovery2026]", "parameters": "--- Exec[Generate initial CRL for discovery2026].orig\n+++ Exec[Generate initial CRL for discovery2026]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/discovery2026\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/discovery2026/ca/discovery2026.pem /etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/discovery2026\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@discovery.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@discovery.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (discovery)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10002 \\\n-          -responses /etc/cfssl/ocsp/discovery.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@discovery.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@discovery.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@mlserve_staging].orig\n+++ Systemd::Unit[cfssl-ocspserve@mlserve_staging]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@mlserve_staging\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => cassandra\n-    notify          => Service[cfssl-ocspserve@cassandra]\n-    profile         => ocsp\n"}, {"resource": "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_staging.timer]']\n"}, {"resource": "Cfssl::Config[wikikube_front_proxy]", "parameters": "--- Cfssl::Config[wikikube_front_proxy].orig\n+++ Cfssl::Config[wikikube_front_proxy]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/wikikube_front_proxy\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/wikikube_front_proxy\n"}, {"resource": "Exec[Generate initial CRL for mlserve_front_proxy]", "parameters": "--- Exec[Generate initial CRL for mlserve_front_proxy].orig\n+++ Exec[Generate initial CRL for mlserve_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/mlserve_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_front_proxy\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp].orig\n+++ File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]']\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_cfssl-multirootca_status command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_cfssl-multirootca_status\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"52832284a5fb8b8ea6f55bb6271912c9\" --timeout 10 --check-command \"check_check_cfssl-multirootca_status\" --page", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-zuul.timer]']\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_cfssl-multirootca_status.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_puppet_rsa].orig\n+++ Nrpe::Check[check_check_certificate_expiry_puppet_rsa]\n\n-    before    => Monitoring::Service[check_certificate_expiry_puppet_rsa]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-kafka]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-kafka].orig\n+++ Systemd::Service[cfssl-ocsprefresh-kafka]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-kafka.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_dse_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_dse_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_dse_front_proxy\n"}, {"resource": "Cfssl::Db[multirootca-db]", "parameters": "--- Cfssl::Db[multirootca-db].orig\n+++ Cfssl::Db[multirootca-db]\n\n-    python_config     => True\n-    driver            => mysql\n-    dbname            => pki\n-    username          => pki\n-    ssl_checkhostname => False\n-    notify_service    => cfssl-multirootca\n-    ssl_ca            => /etc/ssl/certs/wmf-ca-certificates.crt\n-    host              => m1-master.eqiad.wmnet\n-    dbcharset         => utf8mb4\n-    port              => 3306\n-    conf_file         => /etc/cfssl/db.conf\n-    password          => changeme\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Auto restart job: apache-htcacheclean\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/wmf-auto-restart -s apache-htcacheclean", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]\n"}, {"resource": "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label wikikube_staging_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_network_devices))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: network_devices\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: network_devices\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"21dac3775d059b8c991626e2ca33f951\",check_name=\"check_check_certificate_expiry_network_devices\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__network_devices\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-discovery]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-discovery].orig\n+++ File[/var/log/cfssl-ocsprefresh-discovery]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_kafka]", "parameters": "--- Monitoring::Service[check_certificate_expiry_kafka].orig\n+++ Monitoring::Service[check_certificate_expiry_kafka]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_kafka!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: kafka\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Service[cfssl-ocsprefresh-syslog]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-syslog.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-wikikube_staging_front_proxy-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_aux command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_aux\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"f7dfe9e2cd77303dfae7ae11c5c56d90\" --timeout 10 --check-command \"check_check_certificate_expiry_aux\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-network_devices\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-network_devices/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_kafka))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: kafka\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: kafka\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"22922fd6bc2d570e018cbe5ccd8d1727\",check_name=\"check_check_certificate_expiry_kafka\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__kafka\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_cassandra].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_cassandra]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/cassandra/ca/cassandra.pem']\n-    user       => nagios\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Service[cfssl-ocsprefresh-discovery2026]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/srv/cfssl]", "parameters": "--- File[/srv/cfssl].orig\n+++ File[/srv/cfssl]\n\n-    owner  => root\n-    group  => root\n-    ensure => directory\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: wikikube_staging_front_proxy\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-mlserve_staging.timer]']\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_network_devices command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_network_devices\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"21dac3775d059b8c991626e2ca33f951\" --timeout 10 --check-command \"check_check_certificate_expiry_network_devices\"\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-wikikube_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Httpd::Site[dummy]", "parameters": "--- Httpd::Site[dummy].orig\n+++ Httpd::Site[dummy]\n\n-    source   => puppet:///modules/httpd/dummy.conf\n-    priority => 0\n-    ensure   => present\n"}, {"resource": "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp].orig\n+++ File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/srv/cfssl/bundles/aux.pem]", "content": "--- /srv/cfssl/bundles/aux.pem.orig\n+++ /srv/cfssl/bundles/aux.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDpjCCAwegAwIBAgIUB83dKT9lbMGOLf38Jx6fmsSa714wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjBx\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMQwwCgYDVQQDEwNhdXgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADhzJSO\n-h264ltJ1CVADYcfi1rIxQOY3gtAsxonZ6CWNueKg0vjvDeL32l+NZ3f2yj2CIzl5\n-sa6sZjXmwAKziuuvCAHmsZDY5gzgBdwhZ6UeGAbwlLMgQajwRvCA2RUMuH8iAd6o\n-QcfZyHQFb0zl9mCHYNkjLT4jpwrL4Lx/DGbmkE/ulqOCAQwwggEIMA4GA1UdDwEB\n-/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSPVQ8kSyOIH5l4\n-1mVGCudJoaowtTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kTNjBWBggr\n-BgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292ZXJ5Lndt\n-bmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0fBEMwQTA/\n-oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2ltZWRpYV9J\n-bnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJCALJuWafVNInsE4Q8\n-tEHYHqhweF6bEArm7d3dqqTjKHuOcrmhXo4rgX5VsXHtI3qq9XGHoik6JUSwgftV\n-Sr+GWrIZAkIAuqmJ5vv2LgFcJWvYDkIPH9HXB9rIwAUHPFJ/iX2Ig9By+ss8nJbU\n-A3Ml/4NKRsXZwwyScmowVWQHfMpv53BsBv8=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/aux.pem].orig\n+++ File[/srv/cfssl/bundles/aux.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_discovery command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_discovery\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"38e4dbcfd07ed60daf5bb89397abbe29\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery\"\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]']\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_wikikube_front_proxy!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    check_interval         => 1\n"}, {"resource": "Service[wmf_auto_restart_apache2.timer]", "parameters": "--- Service[wmf_auto_restart_apache2.timer].orig\n+++ Service[wmf_auto_restart_apache2.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "content": "--- /etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa.orig\n+++ /etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for cfssl-ocsprefresh-puppet_rsa\n-\n-/var/log/cfssl-ocsprefresh-puppet_rsa/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa].orig\n+++ File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_cassandra].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_cassandra]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"cassandra\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-network_devices]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-network_devices].orig\n+++ File[/var/log/cfssl-ocsprefresh-network_devices]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "content": "--- /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem.orig\n+++ /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsjCCAxOgAwIBAgIUcL3aZt8/kOKuFw8g90SCOk9VZSYwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjE0MTczMTAwWhcNMjgwMjEzMTczMTAwWjB9\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRgwFgYDVQQDDA9hdXhfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\n-ACMDgYYABAFQamNeMXOM8jZDTMiL/0Cgk641Tps3tMBQ6f1OD7fqLh7JGWZXSWIE\n-9v25H6dgcqSIWAlvBkbHQUPU51GmXigXtwCW1bYWFZc+MTjXFo2LBUJVUIxh2mh3\n-pNZYlgVZXP7a0l3zt2u5vegKRuJ6l0ELtjCJjo/TNYo/BA28XrzCL45HO6OCAQww\n-ggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\n-BBQv7ovDzaQTat1sfWJFkZ+n8+aGSTAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\n-g5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\n-ZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\n-SgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\n-L1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\n-AZ7oTip5kp2Yt9BABNEqYi6GjwpXZvmZOgd6So8UA76jP8duYicuOoNvpoHdEy58\n-ZOGpo0lqqIzB8xQcvzvmX7uiAkIAxHVKylOLCoPsUXaZVfUGhNavXXwrbIHTQXDo\n-HEHmc9lIMh9hO5z4vPMEbMkSRuAskcT1K/ydEqp4xI191jnovUg=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label aux -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet\n\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_aux]", "parameters": "--- Sudo::User[nrpe_certificate_check_aux].orig\n+++ Sudo::User[nrpe_certificate_check_aux]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_aux\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-cassandra]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]']\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "content": "--- /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem.orig\n+++ /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n@@ -1,23 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDwDCCAyGgAwIBAgIUJT4TJHFy4qcc2DDVjG00p9VDOcIwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjCB\n-ijELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\n-GVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\n-aW9uczElMCMGA1UEAwwcd2lraWt1YmVfc3RhZ2luZ19mcm9udF9wcm94eTCBmzAQ\n-BgcqhkjOPQIBBgUrgQQAIwOBhgAEAQkWDUaTmBFtrLcFLkOP5LV+kGQdr0TIYAMX\n-FR7UbUmysish4+UlH7C2vcugX/XmmIoh2asGRkfb0kjTQUUjqDmmANYQARMmx/V4\n-j87yMi11K3IxBh2Ei7KJzvXD5yhg/rQa1TVcdvZ1GHBL1QvBU5x2L95G+Exi1amQ\n-dC4vktygtdo8o4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\n-Af8CAQEwHQYDVR0OBBYEFANI4okfmz36Vpe1jEq4tkgKl5HzMB8GA1UdIwQYMBaA\n-FDutonHmNL0b/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcw\n-AYY6aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50\n-ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2Nv\n-dmVyeS53bW5ldC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZI\n-zj0EAwQDgYwAMIGIAkIBuKBFQ/g6puAs+HK7+bE4eiatpN7eotPUTNbVuxN4+rEO\n-E6JEpXslb/Ad0rVDvEOmXGSH9EdqjCNJs0Qv5kFnqZQCQgCPyFWGoBUxDcWLjOEL\n-2a1pt4joI2BUut3NtLOBgPeaI/5qqPoLFbxn/1DMBmZLlsoNhnrg99F5LgvQVEAA\n-/3y5tw==\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for prometheus-check-etcd-certificate-expiry\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/prometheus-check-etcd-certificate-expiry --cert-path /etc/cfssl/signers/etcd/ca/etcd.pem --outfile /var/lib/prometheus/node.d/etcd_intermediate.prom", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[syslog]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[syslog].orig\n+++ Profile::Pki::Multirootca::Monitoring[syslog]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/syslog/ca/syslog.pem\n-    intermediate => syslog\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Exec[Generate initial CRL for etcd]", "parameters": "--- Exec[Generate initial CRL for etcd].orig\n+++ Exec[Generate initial CRL for etcd]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/etcd\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/etcd/ca/etcd.pem /etc/cfssl/signers/etcd/ca/etcd-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/etcd\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/srv/cfssl/bundles/cassandra.pem]", "content": "--- /srv/cfssl/bundles/cassandra.pem.orig\n+++ /srv/cfssl/bundles/cassandra.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqjCCAw2gAwIBAgIUN8PPoG0JeyUfDWKQhN0B2AOw4G8wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwNjE5MTI1MDAwWhcNMjgwNjE3MTI1MDAwWjB3\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRIwEAYDVQQDEwljYXNzYW5kcmEwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\n-BABpd+xtElegZM2bsg1caGxmHV5hs7l7qxmKFS3oSAu1jo1+N/uSppDtSWZzG+8C\n-zjIrytBMxBWhNqsOw9msEWhbBAEYESw1oKj+APqOlCafGdXQI1ZvMafexxTqDNN1\n-CA2gq4ivn82r2Ya3LLqwICxK3MlcmGuLwR5amxiLchok3cZ3X6OCAQwwggEIMA4G\n-A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQBN6m6\n-eyaSV8l2Il/bwcfpWTmplDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVxg5HQ72kT\n-NjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2kuZGlzY292\n-ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwSgYDVR0f\n-BEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3JsL1dpa2lt\n-ZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GKADCBhgJBRhCSOg5L\n-+EuYGdsW8T9S/tXzYURZpnQItn2nYjM6ky1nxqG6F+V2WsiijiPpEQxr7QUvfZhf\n-D2zhB5BS8ynWCpYCQRGo4eZuUHyRMNqg/ZDljT1dqr09n0wQhszrJ4eCmebLVsDm\n-B6AM3pPRygYo0REwxHbpTBAIt26zjGiKiFQqUjwa\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/cassandra.pem].orig\n+++ File[/srv/cfssl/bundles/cassandra.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_syslog.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_etcd].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_etcd]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: etcd\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-zuul]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-zuul].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-zuul]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-zuul.service\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_debmonitor command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_debmonitor\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"224e2ac3574a9ce482218106d95a2931\" --timeout 10 --check-command \"check_check_certificate_expiry_debmonitor\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocsprefresh-aux.timer]", "parameters": "--- Service[cfssl-ocsprefresh-aux.timer].orig\n+++ Service[cfssl-ocsprefresh-aux.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve -profile ocsp /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet\n\n"}, {"resource": "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse_front_proxy -profile ocsp /etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Service[cfssl-ocspserve@wikikube_staging].orig\n+++ Service[cfssl-ocspserve@wikikube_staging]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Cfssl::Config[dse]", "parameters": "--- Cfssl::Config[dse].orig\n+++ Cfssl::Config[dse]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/dse\n-    default_auth_remote => {}\n-    default_usages      => ['signing', 'key encipherment', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/dse/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'service-account-management': {'usages': ['digital signature', 'key encipherment']}, 'prometheus': {'expiry': '8760h', 'usages': ['digital signature', 'key encipherment', 'client auth']}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/dse\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_network_devices].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_network_devices]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem']\n-    user       => nagios\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-dse.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-dse.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-dse.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-dse.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]\n"}, {"resource": "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cassandra -profile ocsp /etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - cassandra\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/cassandra/ca/cassandra.pem --responses-file /etc/cfssl/ocsp/cassandra.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@cassandra' cassandra \n"}, {"resource": "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Service[cfssl-ocspserve@aux_front_proxy]", "parameters": "--- Service[cfssl-ocspserve@aux_front_proxy].orig\n+++ Service[cfssl-ocspserve@aux_front_proxy]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_staging.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_staging)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20040 \\\n-          -responses /etc/cfssl/ocsp/mlserve_staging.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-zuul.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-zuul.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-zuul.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "parameters": "--- Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_staging_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_discovery2026!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: discovery2026\n-    check_interval         => 1\n"}, {"resource": "Cfssl::Config[discovery2026]", "parameters": "--- Cfssl::Config[discovery2026].orig\n+++ Cfssl::Config[discovery2026]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/discovery2026\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/discovery2026/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'k8s_staging': {'expiry': '24h', 'auth_key': 'k8s_staging'}, 'k8s_wikikube': {'auth_key': 'k8s_wikikube'}, 'k8s_mlserve': {'auth_key': 'k8s_mlserve'}, 'k8s_mlstaging': {'expiry': '24h', 'auth_key': 'k8s_mlstaging'}, 'k8s_dse': {'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_dse_opensearch': {'expiry': '4380h', 'auth_key': 'k8s_dse', 'usages': ['digital signature', 'key encipherment', 'server auth', 'client auth']}, 'k8s_aux': {'auth_key': 'k8s_aux'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/discovery2026\n"}, {"resource": "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@syslog.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@syslog.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (syslog)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 10007 \\\n-          -responses /etc/cfssl/ocsp/syslog.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@syslog.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@syslog.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - dse_front_proxy\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem --responses-file /etc/cfssl/ocsp/dse_front_proxy.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@dse_front_proxy' dse_front_proxy \n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]\n\n-    ensure => present\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-wikikube_staging.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-etcd].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-etcd]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-etcd]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_kafka.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]']\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-discovery].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-discovery]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-discovery]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Cfssl::Signer[dse_front_proxy]", "parameters": "--- Cfssl::Signer[dse_front_proxy].orig\n+++ Cfssl::Signer[dse_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDsjCCAxOgAwIBAgIUBGeKXglKnoXGyRgWodaHSfz0z/gwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMjIyMTczMzAwWhcNMjgwMjIxMTczMzAwWjB9\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRgwFgYDVQQDDA9kc2VfZnJvbnRfcHJveHkwgZswEAYHKoZIzj0CAQYFK4EE\nACMDgYYABAGUNx07sN1MWk3DzjEFh3pfYaQVrqo1tWFQjf7URfwqfyZY81Tqt6yl\ny/zj3DpvtOmvyI5jPH91yPBaFho0/SpP6wFkBIyE8/Ik2b80slPKuzstrYgBlYsG\n+Fxop4CYWjLItOy1Ut82aYr76hNm0goEma9ETjgE4nfBEU3vi77QO/B9E6OCAQww\nggEIMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW\nBBQPHxMmkuy8EqO+Wz7TmM1MfmcXDDAfBgNVHSMEGDAWgBQ7raJx5jS9G/yAvzVx\ng5HQ72kTNjBWBggrBgEFBQcBAQRKMEgwRgYIKwYBBQUHMAGGOmh0dHA6Ly9wa2ku\nZGlzY292ZXJ5LndtbmV0L29jc3AvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0Ew\nSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3BraS5kaXNjb3Zlcnkud21uZXQvY3Js\nL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMAoGCCqGSM49BAMEA4GMADCBiAJC\nAO3JNb9OyC3JQ3mmkgt+Db3NMgLArYlvcYd8Nd5uWEXm6d6NfUPDN5XBGkjly1B7\nN18vKQYxlZzX2wgYqaK9LYs9AkIBch3vTND/M2T78Hhp5YoodasCdLDcpMJ1Qn3T\nfI0Lwjt7W50T0FMle6CwZkI+ZrxRzqvic19IUSTDDqwiOFgLhqM=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/dse_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => \n-    ca_file          => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/dse_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube/ca/wikikube.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "parameters": "--- Exec[Generate initial CRL for mlserve_staging_front_proxy].orig\n+++ Exec[Generate initial CRL for mlserve_staging_front_proxy]\n\n-    require => ['Package[golang-cfssl]']\n-    path    => ['/usr/bin']\n-    creates => /srv/cfssl/crl/mlserve_staging_front_proxy\n-    command => /usr/bin/cfssl gencrl - /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem 157680000 </dev/null |/usr/bin/base64 -d > /srv/cfssl/crl/mlserve_staging_front_proxy\n"}, {"resource": "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "content": "--- /etc/cfssl/signers/aux_front_proxy/cfssl.conf.orig\n+++ /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n@@ -1,64 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/aux_front_proxy\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/aux_front_proxy\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca].orig\n+++ Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-    intermediate => cloud_wmnet_ca\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_mlserve.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_wikikube\n"}, {"resource": "File[/etc/cfssl/multiroot.conf]", "content": "--- /etc/cfssl/multiroot.conf.orig\n+++ /etc/cfssl/multiroot.conf\n@@ -1,138 +0,0 @@\n-[debmonitor]\n-private = file:///etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n-certificate = /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-config = /etc/cfssl/signers/debmonitor/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery]\n-private = file:///etc/cfssl/signers/discovery/ca/discovery-key.pem\n-certificate = /etc/cfssl/signers/discovery/ca/discovery.pem\n-config = /etc/cfssl/signers/discovery/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[kafka]\n-private = file:///etc/cfssl/signers/kafka/ca/kafka-key.pem\n-certificate = /etc/cfssl/signers/kafka/ca/kafka.pem\n-config = /etc/cfssl/signers/kafka/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[cloud_wmnet_ca]\n-private = file:///etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem\n-certificate = /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem\n-config = /etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[etcd]\n-private = file:///etc/cfssl/signers/etcd/ca/etcd-key.pem\n-certificate = /etc/cfssl/signers/etcd/ca/etcd.pem\n-config = /etc/cfssl/signers/etcd/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[cassandra]\n-private = file:///etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n-certificate = /etc/cfssl/signers/cassandra/ca/cassandra.pem\n-config = /etc/cfssl/signers/cassandra/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[syslog]\n-private = file:///etc/cfssl/signers/syslog/ca/syslog-key.pem\n-certificate = /etc/cfssl/signers/syslog/ca/syslog.pem\n-config = /etc/cfssl/signers/syslog/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[puppet_rsa]\n-private = file:///etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem\n-certificate = /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem\n-config = /etc/cfssl/signers/puppet_rsa/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[zuul]\n-private = file:///etc/cfssl/signers/zuul/ca/zuul-key.pem\n-certificate = /etc/cfssl/signers/zuul/ca/zuul.pem\n-config = /etc/cfssl/signers/zuul/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[discovery2026]\n-private = file:///etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem\n-certificate = /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-config = /etc/cfssl/signers/discovery2026/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube]\n-private = file:///etc/cfssl/signers/wikikube/ca/wikikube-key.pem\n-certificate = /etc/cfssl/signers/wikikube/ca/wikikube.pem\n-config = /etc/cfssl/signers/wikikube/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_front_proxy]\n-private = file:///etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n-config = /etc/cfssl/signers/wikikube_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_staging]\n-private = file:///etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem\n-certificate = /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-config = /etc/cfssl/signers/wikikube_staging/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[wikikube_staging_front_proxy]\n-private = file:///etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n-config = /etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve]\n-private = file:///etc/cfssl/signers/mlserve/ca/mlserve-key.pem\n-certificate = /etc/cfssl/signers/mlserve/ca/mlserve.pem\n-config = /etc/cfssl/signers/mlserve/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_front_proxy]\n-private = file:///etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-config = /etc/cfssl/signers/mlserve_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_staging]\n-private = file:///etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem\n-certificate = /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n-config = /etc/cfssl/signers/mlserve_staging/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[mlserve_staging_front_proxy]\n-private = file:///etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-config = /etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[aux]\n-private = file:///etc/cfssl/signers/aux/ca/aux-key.pem\n-certificate = /etc/cfssl/signers/aux/ca/aux.pem\n-config = /etc/cfssl/signers/aux/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[aux_front_proxy]\n-private = file:///etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem\n-config = /etc/cfssl/signers/aux_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[dse]\n-private = file:///etc/cfssl/signers/dse/ca/dse-key.pem\n-certificate = /etc/cfssl/signers/dse/ca/dse.pem\n-config = /etc/cfssl/signers/dse/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[dse_front_proxy]\n-private = file:///etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem\n-certificate = /etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem\n-config = /etc/cfssl/signers/dse_front_proxy/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-\n-[network_devices]\n-private = file:///etc/cfssl/signers/network_devices/ca/network_devices-key.pem\n-certificate = /etc/cfssl/signers/network_devices/ca/network_devices.pem\n-config = /etc/cfssl/signers/network_devices/cfssl.conf\n-dbconfig = /etc/cfssl/db.conf\n-", "parameters": "--- File[/etc/cfssl/multiroot.conf].orig\n+++ File[/etc/cfssl/multiroot.conf]\n\n-    owner  => root\n-    group  => root\n-    ensure => present\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-aux.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-aux.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-aux.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_dse_front_proxy command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_dse_front_proxy\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"2560f4f577ba169af651cf96bd5dc1ba\" --timeout 10 --check-command \"check_check_certificate_expiry_dse_front_proxy\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-cassandra-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-cassandra-certificate-expiry --cert-path /etc/cfssl/signers/cassandra/ca/cassandra.pem --outfile /var/lib/prometheus/node.d/cassandra_intermediate.prom\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_syslog]", "parameters": "--- Monitoring::Service[check_certificate_expiry_syslog].orig\n+++ Monitoring::Service[check_certificate_expiry_syslog]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_syslog!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: syslog\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "content": "--- /etc/cfssl/signers/mlserve/ca/mlserve.pem.orig\n+++ /etc/cfssl/signers/mlserve/ca/mlserve.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqTCCAwugAwIBAgIUC2E+U3FwNsKpcXq1D5KD3ILh08QwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjB1\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRAwDgYDVQQDEwdtbHNlcnZlMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA\n-4+yIcr5bDRYOqvzsS95b/CFOM84v7vZlxRXO9paOop7nSpVED1+upVrhfM69F4Rd\n-hMDYeRBUiXxZsecByAdWu0AAEWeCZiL+QqMEJeoGML8iobA6rGa+5y2qePBUcV5m\n-4u0sePHBq8CYXdIgPHo8bIho/A30Q/IhwEIln0OoSq1ZlcOjggEMMIIBCDAOBgNV\n-HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUYMFEsH4H\n-fAVzgmuJIW+M+s7UPVEwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYw\n-VgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVy\n-eS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRD\n-MEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVk\n-aWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBiwAwgYcCQUW5mZclFy2C\n-6VREX3v/LuAnzguojsBHnRSGXWR1TYoN8aBrtzC0w6KaC+5ka5VCByGmlMDY4GxF\n-GLuM8bnvHf4FAkIBva6mukWZ7ZKbNSGakTVG3PeEvZs1b4xkq7+6RYjlv819FjLm\n-jPag2y90JiWcyA7gw4IZqc3BgFuT46K+AqsKzhY=\n------END CERTIFICATE-----", "parameters": "--- File[/etc/cfssl/signers/mlserve/ca/mlserve.pem].orig\n+++ File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]\n\n-    mode   => 0444\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[cfssl-multirootca]\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-aux]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-aux].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-aux]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-aux.service\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@puppet_rsa].orig\n+++ Systemd::Unit[cfssl-ocspserve@puppet_rsa]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@puppet_rsa\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Cfssl::Config[cassandra]", "parameters": "--- Cfssl::Config[cassandra].orig\n+++ Cfssl::Config[cassandra]\n\n-    notify              => Service[cfssl-multirootca]\n-    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/cassandra\n-    default_auth_remote => {}\n-    default_usages      => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    remotes             => {}\n-    path                => /etc/cfssl/signers/cassandra/cfssl.conf\n-    ensure              => present\n-    profiles            => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    default_expiry      => 672h\n-    default_auth_key    => default_auth\n-    default_crl_url     => http://pki.discovery.wmnet/crl/cassandra\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_mlserve_staging_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@dse_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@dse_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label kafka -profile ocsp /etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Timer[cfssl-gc-expired-certs]", "parameters": "--- Systemd::Timer[cfssl-gc-expired-certs].orig\n+++ Systemd::Timer[cfssl-gc-expired-certs]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': 'hourly'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-gc-expired-certs.service\n"}, {"resource": "Cfssl::Signer[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Signer[mlserve_staging_front_proxy].orig\n+++ Cfssl::Signer[mlserve_staging_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDvjCCAyCgAwIBAgIUV8ha2UdjViI49Xr/fZzbY4YPZdYwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\niTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEkMCIGA1UEAwwbbWxzZXJ2ZV9zdGFnaW5nX2Zyb250X3Byb3h5MIGbMBAG\nByqGSM49AgEGBSuBBAAjA4GGAAQAyrMiWBRjOWCaMXsvXC0wS6VzHyLLGFT8BpM9\nEhYcloDfNnb8no2+YXrBzj4+lAg3D3dq53q+hyHko3+YsVVF/qABa55syWkYtxDB\nxy5FNq6Iq/s2E3vO2YpQifWXlaSZvvuZCGhhTPDOp/zdI/kKdco9Jehsu6CdyElj\nlCgJTZupZCmjggEMMIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB\n/wIBATAdBgNVHQ4EFgQUj5l8xt65hr4t5yj8xKYmUsKwk9YwHwYDVR0jBBgwFoAU\nO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAB\nhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRl\ncm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292\nZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjO\nPQQDBAOBiwAwgYcCQgD24XA2cP2pFwE3onWEosbFqDEaFwD5kNg7eSOkncJIceFU\nbCX1f6VOYSv6UbiEQV0EwS0d34EawydbLcqXqfHgpgJBJJjdNhpjAcwyRt1+unRc\ndYn6ys1ZElRXMld7NUq+nCInX5cVk8uPeSev6IxIJc2eyBCb4jtjvE3TAQ2RHvT9\nsBI=\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_staging_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 72h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_staging_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@aux.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@aux.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (aux)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20050 \\\n-          -responses /etc/cfssl/ocsp/aux.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@aux.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@aux.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]\n"}, {"resource": "Cfssl::Signer[debmonitor]", "parameters": "--- Cfssl::Signer[debmonitor].orig\n+++ Cfssl::Signer[debmonitor]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqzCCAw6gAwIBAgIUD8gl+8iTKG2ZJ9eRsZs5/C9/7ZMwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMzE0MTM0NTAwWhcNMjgwMzEyMTM0NTAwWjB4\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMRMwEQYDVQQDEwpkZWJtb25pdG9yMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG\nAAQBNH4qwApzKzoZpcUF5+rzNhzi2ETF1ToNoWJ4XIJH/PmYzcXmDj41+b+4p4++\nM+ENQtHt6dfCVv0BmGr8XYTU3YUAQUiLhv/X41GLwCV4Nx5jsnpnlfyi2tfXY2b1\nWgpdkxBTQi79fWYWJFvuy7AFhP0ahKcKfauegEHf1zJ/j7pKyjSjggEMMIIBCDAO\nBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU35FY\nTrdI8tZ8bKAVj8qkrn5sp9QwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9p\nEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2Nv\ndmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1Ud\nHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtp\nbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYCQXXZh0fs\nXIlOkz1OPSSRBbEZ6zjvGEJvR6qPVpdkQ8IY+bwqe6J/wrhlAgWfTq7ODhEQYCnx\ny9Jdg7TfybUaOnmiAkEGKMoHIi/MXfzVrKicaCo4aHIL14vN3V4go08bIsMuIs7p\nEknA+x7QLKFunnrATNeeF6ETr+3u9/MUDWGW+fBqEw==\n-----END CERTIFICATE-----\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/debmonitor\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => ##### FAKE FOR PUPPET ######\n\n-    ca_file          => /etc/cfssl/signers/debmonitor/ca/debmonitor.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/debmonitor\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry --cert-path /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem --outfile /var/lib/prometheus/node.d/mlserve_staging_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "parameters": "--- Exec[renew certificate - puppet_rsa__pki_discovery_wmnet].orig\n+++ Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]\n\n-    require     => Exec[Generate cert puppet_rsa__pki_discovery_wmnet]\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem -checkend 952200\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    notify      => ['Service[apache2]']\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label puppet_rsa  /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet\n\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-aux\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-aux/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ferm_active]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve_front_proxy)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20031 \\\n-          -responses /etc/cfssl/ocsp/mlserve_front_proxy.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Ocsp[dse]", "parameters": "--- Cfssl::Ocsp[dse].orig\n+++ Cfssl::Ocsp[dse]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 20061\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/dse/ca/dse.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "parameters": "--- Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6].orig\n+++ Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_certificate_expiry_wikikube_front_proxy))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    team               => observability\n-    summary            => NRPE CHECK: Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 3m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"4d759acaf0fd7dd3abaa03dc4565aef6\",check_name=\"check_check_certificate_expiry_wikikube_front_proxy\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_to_ensure_the_signer_certificate_is_valid_CA__wikikube_front_proxy\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0440\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    backup    => False\n-    group     => root\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem --outfile /var/lib/prometheus/node.d/wikikube_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]']\n"}, {"resource": "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "content": "--- /srv/cfssl/bundles/cloud_wmnet_ca.pem.orig\n+++ /srv/cfssl/bundles/cloud_wmnet_ca.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDrzCCAxKgAwIBAgIURAaLNJ85iLqv3Tqt4ylu7Dhe0o0wCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjExMjEzMTg1NTAwWhcNMjYxMjEyMTg1NTAwWjB8\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRcwFQYDVQQDDA5jbG91ZF93bW5ldF9jYTCBmzAQBgcqhkjOPQIBBgUrgQQA\n-IwOBhgAEAFsH4mfZKGu87WTpX9yabGE0+vO4UBQaN/IUGnjmscZTZ7761iAwuZcs\n-33yjwzoX2W+R0IwAPJbagtB92uYPmA6eAUDV4WAuOml+AqAP0elVtW7i+T/Bm4qc\n-SrlGCDsALgJ765YZCDS9OmzAm9rXbQXFmsxqrm9I3aPXIOWIww5+Zg1mo4IBDDCC\n-AQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\n-FMavCWJlEuGLgOx5zgBdQCQ0Zxj7MB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGD\n-kdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5k\n-aXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBK\n-BgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwv\n-V2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYoAMIGGAkEQ\n-XFKpUB99oxOp7uK3GztZblTr8DECjcwbJOXYfZLGyfzzNIKPMGPkBGNmGkP7Ie1G\n-RSCNRsI1VR8/geUR0YUrpwJBRZWF4DZM3cga+6VB7pEv/7r/pQERs/ivzckNwDLi\n-/LK1pbHc/MeNOdoy7TouLf1djsw40VYtGNT7/9FldHoWqsA=\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/cloud_wmnet_ca.pem].orig\n+++ File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "parameters": "--- Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca].orig\n+++ Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]\n\n-    follow_redirects        => False\n-    header_not_matches      => []\n-    probe_summary           => Service {{ $labels.instance }} has failed probes ({{ $labels.module }})\n-    timeout                 => 3s\n-    status_matches          => []\n-    header_matches          => []\n-    prometheus_instance     => ops\n-    site                    => eqiad\n-    body_regex_matches      => ['\"success\":true']\n-    ssl_expired_runbook     => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n-    force_tls               => False\n-    probe_description       => {{ $labels.instance }} failed when probed by {{ $labels.module }} from {{ $externalLabels.site }}. Availability is {{ $value }}%.\n-    port                    => 443\n-    req_headers             => {}\n-    alert_after             => 2m\n-    body_raw                => {\"label\":\"cloud_wmnet_ca\"}\n-    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n-    ssl_expired_dashboard   => https://grafana.wikimedia.org/d/K1dRhGCnz/probes-tls-dashboard\n-    ssl_expired_description => The certificate presented by service {{ $labels.instance }} is going to expire in {{ $value | humanizeDuration }}\n-    ip4                     => 10.64.0.10\n-    client_auth_key         => /etc/prometheus/ssl/server.key\n-    server_name             => pki.discovery.wmnet\n-    use_client_auth         => True\n-    path                    => /api/v1/cfssl/info\n-    method                  => POST\n-    probe_runbook           => https://wikitech.wikimedia.org/wiki/Runbook#{{ $labels.instance }}\n-    ssl_expired_summary     => Certificate for service {{ $labels.instance }} is about to expire\n-    team                    => sre\n-    insecure_tls            => False\n-    ip6                     => 2620:0:861:101:10:64:0:10\n-    probe_dashboard         => https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job={{ $labels.job }}&var-module=All\n-    certificate_expiry_days => 10\n-    body_regex_not_matches  => []\n-    instance_label          => pki1001\n-    body                    => {}\n-    ip_families             => ['ip4', 'ip6']\n-    severity                => critical\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_zuul].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_zuul]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: zuul\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/zuul/ca/zuul.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_syslog]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_syslog].orig\n+++ Nrpe::Check[check_check_certificate_expiry_syslog]\n\n-    before    => Monitoring::Service[check_certificate_expiry_syslog]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem\n"}, {"resource": "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "parameters": "--- Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer].orig\n+++ Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-wikikube].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-wikikube]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-wikikube.service\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-network_devices-certificate-expiry --cert-path /etc/cfssl/signers/network_devices/ca/network_devices.pem --outfile /var/lib/prometheus/node.d/network_devices_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_dse_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@discovery]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_wikikube_staging\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Class[Httpd]", "parameters": "--- Class[Httpd].orig\n+++ Class[Httpd]\n\n-    legacy_compat        => present\n-    rotate               => 30\n-    enable_forensic_log  => False\n-    http_only            => False\n-    wait_network_online  => False\n-    extra_pkgs           => []\n-    remove_default_ports => False\n-    modules              => ['proxy_http', 'ssl', 'headers']\n-    purge_manual_config  => True\n-    period               => daily\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_wikikube_staging]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-debmonitor].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-debmonitor]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "parameters": "--- Cfssl::Ocsp[Wikimedia_Internal_Root_CA].orig\n+++ Cfssl::Ocsp[Wikimedia_Internal_Root_CA]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10000\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    require            => Service[cfssl-multirootca]\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem\n-    cert_content       => -----BEGIN CERTIFICATE-----\nMIIDmzCCAvygAwIBAgIUN3uLiKCNVwnGG5H9qKGwTGT4fJowCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjEwMzI1MTQ1MTAwWhcNMjYwMzI0MTQ1MTAwWjCB\nmTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZp\nY2VzMTUwMwYDVQQDDCxXaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQV9vY3NwX3Np\nZ25pbmdfY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLmGOcHNNTGsOVTG\n17o/lTVCgVJqX751quqBZvJQUbAgfAv0PRgv6yjWzTmZnojzKHYRaV8NXhDIVBzo\nl2DRWUOjggEbMIIBFzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwkwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULRRzzcjqWQc2Fjci5s2v0FKSPJww\nHwYDVR0jBBgwFoAUO62iceY0vRv8gL81cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBI\nMEYGCCsGAQUFBzABhjpodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9vY3NwL1dp\na2ltZWRpYV9JbnRlcm5hbF9Sb290X0NBMEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6\nLy9wa2kuZGlzY292ZXJ5LndtbmV0L2NybC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\ndF9DQTAKBggqhkjOPQQDBAOBjAAwgYgCQgCI41DoiQFxqs9gDCZs4VhwcNeatHqe\n98IqBIzFOMdZdkUnyTNiXf0VDkUYZ+n2mYmB5ZAaBTPYhTHgLNrc3KsmpQJCAfHM\nQr3AEz1MlZq2krL+7Mx9OuBQ3B/hXyC+met7EmKDziU8UyScxFfSIY1lwwgAmZHA\nOEOWpgzuF4fGZFVf0dFi\n-----END CERTIFICATE-----\n\n-    key_content        => FAKE FAKE FAKE\n\n-    db_conf_file       => /etc/cfssl/db.conf\n-    db_driver          => mysql\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_discovery2026 command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_discovery2026\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bf2e3510cb63e5f05f545e816bab4edf\" --timeout 10 --check-command \"check_check_certificate_expiry_discovery2026\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_mlserve].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_mlserve]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_cfssl-multirootca_status command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_cfssl-multirootca_status\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 300\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"52832284a5fb8b8ea6f55bb6271912c9\" --timeout 10 --check-command \"check_check_cfssl-multirootca_status\" --page\n"}, {"resource": "Service[cfssl-ocsprefresh-syslog.timer]", "parameters": "--- Service[cfssl-ocsprefresh-syslog.timer].orig\n+++ Service[cfssl-ocsprefresh-syslog.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@syslog]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@syslog].orig\n+++ Systemd::Unit[cfssl-ocspserve@syslog]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@syslog\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/zuul/cfssl.conf]", "content": "--- /etc/cfssl/signers/zuul/cfssl.conf.orig\n+++ /etc/cfssl/signers/zuul/cfssl.conf\n@@ -1,63 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"server auth\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/zuul\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/zuul\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/zuul/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/zuul/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-mlserve.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-mlserve.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "parameters": "--- Service[cfssl-ocsprefresh-mlserve_staging.timer].orig\n+++ Service[cfssl-ocsprefresh-mlserve_staging.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/cfssl/ocsp/kafka.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/kafka.ocsp].orig\n+++ File[/etc/cfssl/ocsp/kafka.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-dse_front_proxy]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service].orig\n+++ Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]\n\n-    override          => False\n-    unit              => wmf_auto_restart_apache-htcacheclean.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_wikikube\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"d2a76a31e44e204e2d4788a2698d0e6c\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]\n"}, {"resource": "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label cloud_wmnet_ca -profile ocsp /etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-cassandra].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-cassandra]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-cassandra.service\n"}, {"resource": "Sudo::User[nrpe_certificate_check_discovery2026]", "parameters": "--- Sudo::User[nrpe_certificate_check_discovery2026].orig\n+++ Sudo::User[nrpe_certificate_check_discovery2026]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_discovery2026\n"}, {"resource": "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-syslog-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_staging_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]\n"}, {"resource": "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label syslog -profile ocsp /etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_kafka command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_kafka\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"22922fd6bc2d570e018cbe5ccd8d1727\" --timeout 10 --check-command \"check_check_certificate_expiry_kafka\"\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem']\n-    user       => nagios\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/ssl/localcerts/multiroot_ca.pem]", "parameters": "--- File[/etc/ssl/localcerts/multiroot_ca.pem].orig\n+++ File[/etc/ssl/localcerts/multiroot_ca.pem]\n\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/production/client_auth_CA.pem\n-    ensure => file\n-    owner  => root\n-    group  => root\n-    notify => Service[apache2]\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki1001 disk_space]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "content": "--- /lib/systemd/system/cfssl-ocspserve@mlserve.service.orig\n+++ /lib/systemd/system/cfssl-ocspserve@mlserve.service\n@@ -1,15 +0,0 @@\n-[Unit]\n-Description=Cloudflare SSL OCSP Responder (mlserve)\n-After=network.target remote-fs.target nss-lookup.target\n-Documentation=https://github.com/cloudflare/cfssl/tree/master/doc\n-\n-[Service]\n-ExecStart=/usr/bin/cfssl ocspserve \\\n-          -address 127.0.0.1 \\\n-          -port 20030 \\\n-          -responses /etc/cfssl/ocsp/mlserve.ocsp\n-Restart=always\n-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocspserve@mlserve.service].orig\n+++ File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "parameters": "--- Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9].orig\n+++ Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]\n\n-    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_cfssl-multirootca_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n-    description        => NRPE CHECK: Check unit status of cfssl-multirootca\n-    team               => observability\n-    summary            => NRPE CHECK: Check unit status of cfssl-multirootca #page\n-    dashboard          => TODO\n-    runbook            => https://wikitech.wikimedia.org/wiki/PKI\n-    def_label_whitelst => ['team', 'severity']\n-    for                => 11m\n-    ensure             => absent\n-    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"52832284a5fb8b8ea6f55bb6271912c9\",check_name=\"check_check_cfssl-multirootca_status\", status=\"CRITICAL\", severity=\"page\"} > 0) * on (instance) group_left (team) role_owner\n-    instance           => ops\n-    site               => eqiad\n-    alert_name         => nrpe_Check_unit_status_of_cfssl_multirootca\n-    group              => nrpechecks\n-    severity           => info\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-cloud_wmnet_ca-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry --cert-path /etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem --outfile /var/lib/prometheus/node.d/cloud_wmnet_ca_intermediate.prom\n"}, {"resource": "Cfssl::Ocsp[discovery2026]", "parameters": "--- Cfssl::Ocsp[discovery2026].orig\n+++ Cfssl::Ocsp[discovery2026]\n\n-    listen_addr        => 127.0.0.1\n-    log_level          => info\n-    ocsprefresh_update => True\n-    listen_port        => 10010\n-    common_name        => pki1001.eqiad.wmnet\n-    additional_names   => []\n-    refresh_interval   => 96h\n-    ca_file            => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    db_driver          => mysql\n-    db_conf_file       => /etc/cfssl/db.conf\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]']\n"}, {"resource": "Class[Profile::Puppet::Agent]", "parameters": "--- Class[Profile::Puppet::Agent].orig\n+++ Class[Profile::Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "Httpd::Mod_conf[status]", "parameters": "--- Httpd::Mod_conf[status].orig\n+++ Httpd::Mod_conf[status]\n\n-    loadfile => status.load\n-    mod      => status\n-    ensure   => present\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry --cert-path /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem --outfile /var/lib/prometheus/node.d/aux_front_proxy_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-dse]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-dse].orig\n+++ File[/var/log/cfssl-ocsprefresh-dse]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "parameters": "--- Nrpe::Monitor_service[check_certificate_expiry_syslog].orig\n+++ Nrpe::Monitor_service[check_certificate_expiry_syslog]\n\n-    notes_url                   => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description                 => Check to ensure the signer certificate is valid CA: syslog\n-    nrpe_command                => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem\n-    retry_interval              => 1\n-    timeout                     => 10\n-    migration_task              => T350694\n-    alertmanager_team           => observability\n-    sudo_user                   => root\n-    nrpe2nodexp_parse_perf_data => False\n-    critical                    => False\n-    retries                     => 3\n-    ensure                      => present\n-    enable_nrpe2nodexp          => False\n-    enable_icinga_check         => True\n-    contact_group               => admins\n-    check_interval              => 1\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_wikikube command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_wikikube\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"d2a76a31e44e204e2d4788a2698d0e6c\" --timeout 10 --check-command \"check_check_certificate_expiry_wikikube\"\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label zuul -profile ocsp /etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-wikikube_staging].orig\n+++ Systemd::Service[cfssl-ocsprefresh-wikikube_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-dse_front_proxy].orig\n+++ Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@kafka]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/sbin/cfssl-certs]", "parameters": "--- File[/usr/local/sbin/cfssl-certs].orig\n+++ File[/usr/local/sbin/cfssl-certs]\n\n-    mode   => 0500\n-    source => puppet:///modules/cfssl/cfssl_certs.py\n-    ensure => file\n-    owner  => root\n-    group  => root\n"}, {"resource": "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@kafka]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@kafka].orig\n+++ Systemd::Unit[cfssl-ocspserve@kafka]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@kafka\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-network_devices].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-network_devices]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@mlserve_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status].orig\n+++ Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul].orig\n+++ Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]\n\n-    max_check_attempts     => 3\n-    notes_url              => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    active_checks_enabled  => 1\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    check_period           => 24x7\n-    check_freshness        => 0\n-    passive_checks_enabled => 1\n-    contact_groups         => admins\n-    check_command          => nrpe_check!check_check_certificate_expiry_zuul!10\n-    host_name              => pki1001\n-    notifications_enabled  => 1\n-    notification_interval  => 0\n-    notification_options   => c,r,f\n-    servicegroups          => pki_eqiad\n-    ensure                 => present\n-    notification_period    => 24x7\n-    service_description    => Check to ensure the signer certificate is valid CA: zuul\n-    check_interval         => 1\n"}, {"resource": "Cfssl::Signer[mlserve_front_proxy]", "parameters": "--- Cfssl::Signer[mlserve_front_proxy].orig\n+++ Cfssl::Signer[mlserve_front_proxy]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDtzCCAxigAwIBAgIUIw4+rszPiPmnvGoMBfrD29oWNKcwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjMwMTI1MTY1NDAwWhcNMjgwMTI0MTY1NDAwWjCB\ngTELMAkGA1UEBhMCVVMxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoT\nGVdpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMxGDAWBgNVBAsTD1NSRSBGb3VuZGF0\naW9uczEcMBoGA1UEAwwTbWxzZXJ2ZV9mcm9udF9wcm94eTCBmzAQBgcqhkjOPQIB\nBgUrgQQAIwOBhgAEATdxtFPSx+kYYz4a6PyKfBi000SHiFxHSQqS71Bs13jbumD2\nh6uPdTyD3dT79AdxQVzoer7inVQZM1vz5ZioLN0mAVH9OdSm8NLPpy9CAjT/2puk\n6PZWtowGmcoOkXeZeZDIUOYam0f4udjmot9TDQPF07pSqABlhz1ejSC3AKOJDym+\no4IBDDCCAQgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD\nVR0OBBYEFDoU1EzaIZxR2ktTe35M8ILp07mdMB8GA1UdIwQYMBaAFDutonHmNL0b\n/IC/NXGDkdDvaRM2MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDov\nL3BraS5kaXNjb3Zlcnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9v\ndF9DQTBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5l\ndC9jcmwvV2lraW1lZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwA\nMIGIAkIBsRpAWU0SxP3lwtUrriS8Dtal1vh2vfBMUzvx8hzjHGSYCg3xlG2cfnXN\nlFIhsQaWUmiJFZg8m+rCdYNkUMsdpeACQgCCHUls+Tf5Kcc756qs2iC2JSf2yd2U\nEM7VAJqZRVG9HrCUnzDLJT7bIQswE6i/O1zNhKjYV9xgd6LW+XCF0cVB7A==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/mlserve_front_proxy\n-    db_host          => localhost\n-    default_usages   => ['signing', 'key encipherment', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => nosecret\n\n-    ca_file          => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}}\n-    ca_key_file      => /etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/mlserve_front_proxy\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy].orig\n+++ Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@wikikube_front_proxy\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "parameters": "--- Sudo::User[nrpe_certificate_check_cloud_wmnet_ca].orig\n+++ Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_cloud_wmnet_ca\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=daily\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_staging].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_staging]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_staging!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_staging\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => discovery2026\n-    notify          => Service[cfssl-ocspserve@discovery2026]\n-    profile         => ocsp\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry].orig\n+++ Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'daily'}]\n-    unit_name          => prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Cfssl::Signer[kafka]", "parameters": "--- Cfssl::Signer[kafka].orig\n+++ Cfssl::Signer[kafka]\n\n-    listen_addr      => pki1001.eqiad.wmnet\n-    ca_cert_content  => -----BEGIN CERTIFICATE-----\nMIIDqDCCAwmgAwIBAgIUTWT2navXkMW9fz3oUB7Fc6azbKcwCgYIKoZIzj0EAwQw\ngZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\ndGVybmFsX1Jvb3RfQ0EwHhcNMjExMDI4MTMwNjAwWhcNMjYxMDI3MTMwNjAwWjBz\nMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\nV2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\nb25zMQ4wDAYDVQQDEwVrYWZrYTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAScI\nAVY36upnobdfvpQJ7Y5uefRAv0OsdtR++HEqm2kTatOG4BJTdjdBv3+gyd3rJccd\nDEifyU1EcxVVXjjXzqdHADiJ+Zol5mwexbnrpF8JDBiJv7ntNamdr7Xjv4kw8Tkp\nkgl70aFalPLjpwjDNyrm2ACxPmHxK8EOu7eXb8RImqeVo4IBDDCCAQgwDgYDVR0P\nAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGIY/nB0tTtl\nRGdO5J4ck+RM8p8rMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2MFYG\nCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zlcnku\nd21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8EQzBB\nMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1lZGlh\nX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBv8ZMP7g8aPkc\ntcrO4rXcBkhFIWH9+4H4iTbuSBtjVtUXdsRW++IU89BjVVKQxv/4ZDm8hlpd+vJU\nb9xj3WUpi8cCQgFpjYqKVM+I5eRpIjhWoPxognJtGI3626wAOpV2CPauciD51gP3\nup2xe36OG3Z8XDcbNGoNiG3505+af9zBrt3c4g==\n-----END CERTIFICATE-----\n\n-    default_ocsp_url => http://pki.discovery.wmnet/ocsp/kafka\n-    db_host          => localhost\n-    default_usages   => ['digital signature', 'key encipherment', 'server auth', 'client auth']\n-    db_name          => cfssl\n-    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}, 'k8s_staging': {'key': 'ddddccccbbbbaaaa', 'type': 'standard'}, 'k8s_wikikube': {'key': 'ddddccccbbbbaaab', 'type': 'standard'}, 'k8s_mlserve': {'key': 'bbbbccccddddaaaa', 'type': 'standard'}, 'k8s_mlstaging': {'key': 'ccccbbbbaaaadddd', 'type': 'standard'}, 'k8s_dse': {'key': 'bbbbaaaaddddcccc', 'type': 'standard'}, 'k8s_aux': {'key': 'ffffffffffffffff', 'type': 'standard'}}\n-    manage_services  => False\n-    ca_key_content   => \n-    ca_file          => /etc/cfssl/signers/kafka/ca/kafka.pem\n-    profiles         => {'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}, 'server': {'usages': ['digital signature', 'key encipherment', 'server auth'], 'expiry': '672h'}, 'kafka_11': {'expiry': '8760h'}}\n-    ca_key_file      => /etc/cfssl/signers/kafka/ca/kafka-key.pem\n-    db_driver        => sqlite3\n-    default_expiry   => 672h\n-    default_crl_url  => http://pki.discovery.wmnet/crl/kafka\n-    log_level        => info\n-    serve_ensure     => absent\n-    serve_service    => cfssl-multirootca\n-    listen_port      => 8888\n-    manage_db        => False\n-    db_user          => cfssl\n-    db_pass          => changeme\n-    db_conf_file     => /etc/cfssl/db.conf\n-    default_auth_key => default_auth\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/signers/mlserve]", "parameters": "--- File[/etc/cfssl/signers/mlserve].orig\n+++ File[/etc/cfssl/signers/mlserve]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-dse-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-dse-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "parameters": "--- File[/etc/sudoers.d/nrpe_certificate_check_dse].orig\n+++ File[/etc/sudoers.d/nrpe_certificate_check_dse]\n\n-    owner  => root\n-    group  => root\n-    ensure => absent\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[wikikube_staging].orig\n+++ Profile::Pki::Multirootca::Monitoring[wikikube_staging]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem\n-    intermediate => wikikube_staging\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0440\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - wikikube_staging\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem --responses-file /etc/cfssl/ocsp/wikikube_staging.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@wikikube_staging' wikikube_staging ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]\n"}, {"resource": "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "parameters": "--- Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca].orig\n+++ Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]\n\n-    override          => False\n-    unit              => cfssl-ocspserve@cloud_wmnet_ca\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => True\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]']\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd].orig\n+++ Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]\n-    monitoring_critical      => False\n-    ensure                   => absent\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[discovery2026]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[discovery2026].orig\n+++ Profile::Pki::Multirootca::Monitoring[discovery2026]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/discovery2026/ca/discovery2026.pem\n-    intermediate => discovery2026\n"}, {"resource": "File[/etc/cfssl/signers/wikikube/ca]", "parameters": "--- File[/etc/cfssl/signers/wikikube/ca].orig\n+++ File[/etc/cfssl/signers/wikikube/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache2.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache2.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of wmf_auto_restart_apache2.service\n-\n-[Timer]\n-Unit=wmf_auto_restart_apache2.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache2.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache2.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bfd2f7c6497e1da6323bef48d24f9e8e\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_network_devices.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of wmf_auto_restart_apache-htcacheclean.service\n-\n-[Timer]\n-Unit=wmf_auto_restart_apache-htcacheclean.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=OCSP Refresh job - Wikimedia_Internal_Root_CA\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem --responses-file /etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@Wikimedia_Internal_Root_CA' Wikimedia_Internal_Root_CA ", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]\n"}, {"resource": "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "parameters": "--- File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry].orig\n+++ File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]\n\n-    mode   => 0555\n-    source => puppet:///modules/prometheus/check_certificate_expiry.py\n-    ensure => present\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Service[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Service[wmf_auto_restart_apache2].orig\n+++ Systemd::Service[wmf_auto_restart_apache2]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[wmf_auto_restart_apache2.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube_staging.pem]", "content": "--- /srv/cfssl/bundles/wikikube_staging.pem.orig\n+++ /srv/cfssl/bundles/wikikube_staging.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDsTCCAxSgAwIBAgIUKJGxrsUkuGnKTwrJIdYlm1ZK6uMwCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB+\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMRkwFwYDVQQDDBB3aWtpa3ViZV9zdGFnaW5nMIGbMBAGByqGSM49AgEGBSuB\n-BAAjA4GGAAQBJQPiRDYxLnr33KdzugCHk21yjDhyRHMrAIJ0qGmasdcMNZpK9P9u\n-6ISJRfTC73WiKOSSWBuJAhsdK2Y7hIoUOikAexL5MOVOFAK8MtWXx6j7MmuuPGnC\n-MIyIk1pqxzoacZWJ8uJe/WGw/Udd/RPxAfsxN8loKKT0+zs3WzGw63saO6yjggEM\n-MIIBCDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E\n-FgQU8bcT1hszDpGqcobdFXNOugsbu0MwHwYDVR0jBBgwFoAUO62iceY0vRv8gL81\n-cYOR0O9pEzYwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzABhjpodHRwOi8vcGtp\n-LmRpc2NvdmVyeS53bW5ldC9vY3NwL1dpa2ltZWRpYV9JbnRlcm5hbF9Sb290X0NB\n-MEoGA1UdHwRDMEEwP6A9oDuGOWh0dHA6Ly9wa2kuZGlzY292ZXJ5LndtbmV0L2Ny\n-bC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTAKBggqhkjOPQQDBAOBigAwgYYC\n-QTKbWZ4u9V6ei9rgB4XXyyVEzIZMgVCdwuytcmqEaB9ZavqjYsdrgTOsgcy2Jw1C\n-id1Sw/9g5YpcZBLaXh52CuNVAkFnnXo7+fe5kgOs2vTIsbIG4huh6ftI/8bmIdr2\n-9FHm9FXlmSIDWQIn7Fq4TFLVmiatI/TdiGK+n3oT/st73jwn1A==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube_staging.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube_staging.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "content": "--- /etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf.orig\n+++ /etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf\n@@ -1,3 +0,0 @@\n-[Unit]\n-After=network-online.target\n-Wants=network-online.target", "parameters": "--- File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf].orig\n+++ File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]\n"}, {"resource": "Service[cfssl-ocspserve@dse]", "parameters": "--- Service[cfssl-ocspserve@dse].orig\n+++ Service[cfssl-ocspserve@dse]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "parameters": "--- Systemd::Service[cfssl-ocspserve@wikikube_staging].orig\n+++ Systemd::Service[cfssl-ocspserve@wikikube_staging]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => True\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => service\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]\n\n-    override          => False\n-    unit              => nrpe2nodexp-check_certificate_expiry_cassandra.service\n-    require           => ['Class[Systemd]']\n-    ensure            => absent\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-syslog].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-syslog]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - syslog\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/syslog/ca/syslog.pem --responses-file /etc/cfssl/ocsp/syslog.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@syslog' syslog \n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_etcd]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_etcd].orig\n+++ Nrpe::Check[check_check_certificate_expiry_etcd]\n\n-    before    => Monitoring::Service[check_certificate_expiry_etcd]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/etcd/ca/etcd.pem\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-mlserve-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-mlserve-certificate-expiry --cert-path /etc/cfssl/signers/mlserve/ca/mlserve.pem --outfile /var/lib/prometheus/node.d/mlserve_intermediate.prom\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@wikikube_staging_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Service[cfssl-ocsprefresh-mlserve]", "parameters": "--- Systemd::Service[cfssl-ocsprefresh-mlserve].orig\n+++ Systemd::Service[cfssl-ocsprefresh-mlserve]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[cfssl-ocsprefresh-mlserve.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]']\n"}, {"resource": "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "parameters": "--- Service[nrpe2nodexp-check_certificate_expiry_zuul.timer].orig\n+++ Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]\n\n-    provider => systemd\n-    ensure   => stopped\n-    enable   => False\n-    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]']\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-debmonitor\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-debmonitor/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "parameters": "--- Rsyslog::Conf[cfssl-ocsprefresh-zuul].orig\n+++ Rsyslog::Conf[cfssl-ocsprefresh-zuul]\n\n-    mode     => 0444\n-    require  => File[/var/log/cfssl-ocsprefresh-zuul]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label discovery2026 -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet\n\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "parameters": "--- Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry].orig\n+++ Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]\n\n-    override                 => False\n-    monitoring_enabled       => False\n-    migration_task           => T407130\n-    require                  => Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]\n-    monitoring_critical      => False\n-    ensure                   => present\n-    restart                  => False\n-    service_params           => {}\n-    monitoring_contact_group => admins\n-    unit_type                => timer\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_ferm:\n - Infrastructure Foundations"}, {"resource": "File[/etc/cfssl/ocsp/discovery.ocsp]", "parameters": "--- File[/etc/cfssl/ocsp/discovery.ocsp].orig\n+++ File[/etc/cfssl/ocsp/discovery.ocsp]\n\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Httpd::Mod_conf[headers]", "parameters": "--- Httpd::Mod_conf[headers].orig\n+++ Httpd::Mod_conf[headers]\n\n-    loadfile => headers.load\n-    mod      => headers\n-    ensure   => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service\n@@ -1,11 +0,0 @@\n-[Unit]\n-Description=execution of nrpe2nodexp for the check_check_certificate_expiry_mlserve_staging command.\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=nagios\n-\n-Group=prometheus-node-exporter\n-SyslogIdentifier=nrpe2nodexp-check_certificate_expiry_mlserve_staging\n-ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"7cff186656c3cabbca85b5b57d0c8679\" --timeout 10 --check-command \"check_check_certificate_expiry_mlserve_staging\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]\n"}, {"resource": "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "parameters": "--- Service[cfssl-ocsprefresh-dse_front_proxy.timer].orig\n+++ Service[cfssl-ocsprefresh-dse_front_proxy.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]']\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_mlserve_staging].orig\n+++ Nrpe::Check[check_check_certificate_expiry_mlserve_staging]\n\n-    before    => Monitoring::Service[check_certificate_expiry_mlserve_staging]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => mlserve_staging_front_proxy\n-    notify          => Service[cfssl-ocspserve@mlserve_staging_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "Sudo::User[nrpe_certificate_check_mlserve]", "parameters": "--- Sudo::User[nrpe_certificate_check_mlserve].orig\n+++ Sudo::User[nrpe_certificate_check_mlserve]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_mlserve\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-syslog-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-syslog-certificate-expiry --cert-path /etc/cfssl/signers/syslog/ca/syslog.pem --outfile /var/lib/prometheus/node.d/syslog_intermediate.prom\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_discovery2026]", "parameters": "--- Monitoring::Service[check_certificate_expiry_discovery2026].orig\n+++ Monitoring::Service[check_certificate_expiry_discovery2026]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_discovery2026!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: discovery2026\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "parameters": "--- Sudo::User[nrpe_certificate_check_wikikube_front_proxy].orig\n+++ Sudo::User[nrpe_certificate_check_wikikube_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_wikikube_front_proxy\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    mode     => 0444\n-    ensure   => absent\n-    priority => 25\n"}, {"resource": "Service[cfssl-ocsprefresh-etcd.timer]", "parameters": "--- Service[cfssl-ocsprefresh-etcd.timer].orig\n+++ Service[cfssl-ocsprefresh-etcd.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_aux_front_proxy]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/ca]", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/ca].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    ensure => present\n"}, {"resource": "Sudo::User[nrpe_certificate_check_puppet_rsa]", "parameters": "--- Sudo::User[nrpe_certificate_check_puppet_rsa].orig\n+++ Sudo::User[nrpe_certificate_check_puppet_rsa]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_puppet_rsa\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices].orig\n+++ Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]\n\n-    splay              => 60\n-    fixed_random_delay => True\n-    ensure             => absent\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => nrpe2nodexp-check_certificate_expiry_network_devices.service\n"}, {"resource": "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]\n-    refreshonly => True\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label dse -profile ocsp /etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet\n\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => wikikube\n-    notify          => Service[cfssl-ocspserve@wikikube]\n-    profile         => ocsp\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve_staging\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1min\n-OnActiveSec=1s\n-RandomizedDelaySec=60\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]\n"}, {"resource": "File[/etc/cfssl/signers/aux/cfssl.conf]", "content": "--- /etc/cfssl/signers/aux/cfssl.conf.orig\n+++ /etc/cfssl/signers/aux/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"672h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/aux\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/aux\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"672h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/aux/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/aux/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem -checkend 952200\n-    require     => Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem -label mlserve_front_proxy -profile ocsp /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet\n\n"}, {"resource": "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "parameters": "--- Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry].orig\n+++ Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]\n\n-    filesource     => puppet:///modules/prometheus/check_certificate_expiry.py\n-    run_cmd        => /usr/local/bin/prometheus-check-debmonitor-certificate-expiry --cert-path /etc/cfssl/signers/debmonitor/ca/debmonitor.pem --outfile /var/lib/prometheus/node.d/debmonitor_intermediate.prom\n-    user           => root\n-    require        => ['Package[python3-cryptography]', 'Package[python3-prometheus-client]']\n-    ensure         => present\n-    extra_packages => []\n-    environment    => {}\n-    interval       => daily\n"}, {"resource": "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "parameters": "--- Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy].orig\n+++ Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]\n\n-    require    => ['Class[Sudo]']\n-    tag        => nrpe::check\n-    ensure     => present\n-    privileges => ['ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem']\n-    user       => nagios\n"}, {"resource": "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "parameters": "--- Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer].orig\n+++ Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Service[cfssl-ocspserve@discovery]", "parameters": "--- Service[cfssl-ocspserve@discovery].orig\n+++ Service[cfssl-ocspserve@discovery]\n\n-    ensure => running\n-    enable => True\n"}, {"resource": "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "parameters": "--- Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa].orig\n+++ Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]\n\n-    ensure => present\n"}, {"resource": "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "content": "--- /etc/cfssl/signers/cassandra/ca/cassandra-key.pem.orig\n+++ /etc/cfssl/signers/cassandra/ca/cassandra-key.pem\n@@ -1 +0,0 @@\n-nosecret", "parameters": "--- File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem].orig\n+++ File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]\n\n-    mode      => 0400\n-    ensure    => file\n-    show_diff => False\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-multirootca]\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]\n\n-    refreshonly => True\n-    notify      => ['Service[cfssl-ocspserve@mlserve_staging_front_proxy]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Monitoring::Service[check_certificate_expiry_wikikube_front_proxy].orig\n+++ Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_wikikube_front_proxy!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: wikikube_front_proxy\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "parameters": "--- Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA].orig\n+++ Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n\n-    splay              => 0\n-    fixed_random_delay => False\n-    ensure             => present\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '1h'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n-    unit_name          => cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_dse]", "parameters": "--- Monitoring::Service[check_certificate_expiry_dse].orig\n+++ Monitoring::Service[check_certificate_expiry_dse]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_dse!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: dse\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]\n\n-    override          => False\n-    unit              => prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "content": "--- /etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf.orig\n+++ /etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"cfssl-ocsprefresh-aux_front_proxy\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/cfssl-ocsprefresh-aux_front_proxy/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf].orig\n+++ File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Profile::Pki::Multirootca::Monitoring[zuul]", "parameters": "--- Profile::Pki::Multirootca::Monitoring[zuul].orig\n+++ Profile::Pki::Multirootca::Monitoring[zuul]\n\n-    vhost        => pki.discovery.wmnet\n-    ensure       => present\n-    ca_file      => /etc/cfssl/signers/zuul/ca/zuul.pem\n-    intermediate => zuul\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Systemd timer to gather node metrics for prometheus-check-discovery-certificate-expiry\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'daily'}\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/prometheus-check-discovery-certificate-expiry --cert-path /etc/cfssl/signers/discovery/ca/discovery.pem --outfile /var/lib/prometheus/node.d/discovery_intermediate.prom\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_apache2]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_apache2].orig\n+++ Rsyslog::Conf[wmf_auto_restart_apache2]\n\n-    mode     => 0444\n-    require  => File[/var/log/wmf_auto_restart_apache2]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "parameters": "--- Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026].orig\n+++ Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => OCSP Refresh job - discovery2026\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnUnitInactiveSec', 'interval': '1h'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/cfssl-ocsprefresh --update --responder-cert /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem --responder-key /etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem --ca-file /etc/cfssl/signers/discovery2026/ca/discovery2026.pem --responses-file /etc/cfssl/ocsp/discovery2026.ocsp --dbconfig /etc/cfssl/db.conf --restart-service 'cfssl-ocspserve@discovery2026' discovery2026 \n"}, {"resource": "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-kafka]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => kafka\n-    notify          => Service[cfssl-ocspserve@kafka]\n-    profile         => ocsp\n"}, {"resource": "Monitoring::Service[check_certificate_expiry_discovery]", "parameters": "--- Monitoring::Service[check_certificate_expiry_discovery].orig\n+++ Monitoring::Service[check_certificate_expiry_discovery]\n\n-    check_command  => nrpe_check!check_check_certificate_expiry_discovery!10\n-    notes_url      => https://wikitech.wikimedia.org/wiki/PKI/CA_Operations\n-    description    => Check to ensure the signer certificate is valid CA: discovery\n-    config_dir     => /etc/nagios\n-    retry_interval => 1\n-    freshness      => 36000\n-    migration_task => T350694\n-    critical       => False\n-    retries        => 3\n-    ensure         => present\n-    host           => pki1001\n-    passive        => False\n-    contact_group  => admins\n-    check_interval => 1\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg\n@@ -1,2 +0,0 @@\n-# File generated by puppet. DO NOT edit by hand\n-command[check_check_certificate_expiry_syslog]=/usr/bin/sudo /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/syslog/ca/syslog.pem", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]\n\n-    mode    => 0444\n-    require => Package[nagios-nrpe-server]\n-    tag     => nrpe::check\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[nagios-nrpe-server]\n"}, {"resource": "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "parameters": "--- Service[cfssl-ocsprefresh-puppet_rsa.timer].orig\n+++ Service[cfssl-ocsprefresh-puppet_rsa.timer]\n\n-    provider => systemd\n-    ensure   => running\n-    enable   => True\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "content": "--- /etc/cfssl/signers/mlserve_staging/cfssl.conf.orig\n+++ /etc/cfssl/signers/mlserve_staging/cfssl.conf\n@@ -1,81 +0,0 @@\n-{\n-  \"auth_keys\": {\n-    \"default_auth\": {\n-      \"key\": \"aaaabbbbccccdddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_staging\": {\n-      \"key\": \"ddddccccbbbbaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_wikikube\": {\n-      \"key\": \"ddddccccbbbbaaab\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlserve\": {\n-      \"key\": \"bbbbccccddddaaaa\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_mlstaging\": {\n-      \"key\": \"ccccbbbbaaaadddd\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_dse\": {\n-      \"key\": \"bbbbaaaaddddcccc\",\n-      \"type\": \"standard\"\n-    },\n-    \"k8s_aux\": {\n-      \"key\": \"ffffffffffffffff\",\n-      \"type\": \"standard\"\n-    }\n-  },\n-  \"signing\": {\n-    \"default\": {\n-      \"auth_key\": \"default_auth\",\n-      \"usages\": [\n-        \"signing\",\n-        \"key encipherment\",\n-        \"client auth\"\n-      ],\n-      \"expiry\": \"72h\",\n-      \"crl_url\": \"http://pki.discovery.wmnet/crl/mlserve_staging\",\n-      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/mlserve_staging\"\n-    },\n-    \"profiles\": {\n-      \"ocsp\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"43800h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"ocsp signing\"\n-        ]\n-      },\n-      \"server\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"server auth\"\n-        ]\n-      },\n-      \"service-account-management\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"72h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\"\n-        ]\n-      },\n-      \"prometheus\": {\n-        \"auth_key\": \"default_auth\",\n-        \"expiry\": \"8760h\",\n-        \"usages\": [\n-          \"digital signature\",\n-          \"key encipherment\",\n-          \"client auth\"\n-        ]\n-      }\n-    }\n-  }\n-}", "parameters": "--- File[/etc/cfssl/signers/mlserve_staging/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]\n\n-    mode      => 0440\n-    ensure    => present\n-    show_diff => False\n-    owner     => root\n-    group     => root\n"}, {"resource": "Systemd::Unit[cfssl-gc-expired-certs.timer]", "parameters": "--- Systemd::Unit[cfssl-gc-expired-certs.timer].orig\n+++ Systemd::Unit[cfssl-gc-expired-certs.timer]\n\n-    override          => False\n-    unit              => cfssl-gc-expired-certs.timer\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "parameters": "--- Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)].orig\n+++ Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n-    before      => ['Service[cfssl-ocsprefresh-dse.timer]']\n"}, {"resource": "File[/srv/cfssl/bundles/wikikube.pem]", "content": "--- /srv/cfssl/bundles/wikikube.pem.orig\n+++ /srv/cfssl/bundles/wikikube.pem\n@@ -1,22 +0,0 @@\n------BEGIN CERTIFICATE-----\n-MIIDqzCCAwygAwIBAgIUWXrkQs5GEdgVcV7/XAEZOXQLYlowCgYIKoZIzj0EAwQw\n-gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\n-YW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\n-MRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEjMCEGA1UEAwwaV2lraW1lZGlhX0lu\n-dGVybmFsX1Jvb3RfQ0EwHhcNMjIxMjEyMTQyOTAwWhcNMjcxMjExMTQyOTAwWjB2\n-MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEiMCAGA1UEChMZ\n-V2lraW1lZGlhIEZvdW5kYXRpb24sIEluYzEYMBYGA1UECxMPU1JFIEZvdW5kYXRp\n-b25zMREwDwYDVQQDEwh3aWtpa3ViZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE\n-AX4fMTh3NrBZlCMop5eKr6F/RXTefrSSdu6DE39OOKTTdYM3TxK8tPmTDm9EE+XT\n-4rO+VHuaIVVirgB2JQtla8oZAZb60Pw8v9BlJ1JLLK9vpWA9Vce7DKmMNxIWK9GA\n-YIUQufjHVD2eibYJsK54NGkBe3frhPhwayIvzJ3gGO34GRaRo4IBDDCCAQgwDgYD\n-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAaU1Sae\n-B9+FDd+SrIADU8yIo+xJMB8GA1UdIwQYMBaAFDutonHmNL0b/IC/NXGDkdDvaRM2\n-MFYGCCsGAQUFBwEBBEowSDBGBggrBgEFBQcwAYY6aHR0cDovL3BraS5kaXNjb3Zl\n-cnkud21uZXQvb2NzcC9XaWtpbWVkaWFfSW50ZXJuYWxfUm9vdF9DQTBKBgNVHR8E\n-QzBBMD+gPaA7hjlodHRwOi8vcGtpLmRpc2NvdmVyeS53bW5ldC9jcmwvV2lraW1l\n-ZGlhX0ludGVybmFsX1Jvb3RfQ0EwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFZVjRbh3\n-GaouRaz9IPef3q+9s+TleKGby7nJQ6z71M3rpJIsHr9lncr/9GPq5v5cHDYOHmgK\n-GBupTY7FNMwL8aACQgCgoDP6PO23Dw6tuswLIbeY+o5l3K8R5L3RS1DO59OXXV2f\n-9FmoJNLgGXgP87rOkFW1fn9/QcvX85zD0urkq8gNjg==\n------END CERTIFICATE-----", "parameters": "--- File[/srv/cfssl/bundles/wikikube.pem].orig\n+++ File[/srv/cfssl/bundles/wikikube.pem]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "File[/var/log/cfssl-ocsprefresh-syslog]", "parameters": "--- File[/var/log/cfssl-ocsprefresh-syslog].orig\n+++ File[/var/log/cfssl-ocsprefresh-syslog]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "Sudo::User[nrpe_certificate_check_syslog]", "parameters": "--- Sudo::User[nrpe_certificate_check_syslog].orig\n+++ Sudo::User[nrpe_certificate_check_syslog]\n\n-    require    => ['Class[Sudo]']\n-    privileges => []\n-    ensure     => absent\n-    user       => nrpe_certificate_check_syslog\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    common_name => pki1001.eqiad.wmnet\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy].orig\n+++ Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]\n\n-    before    => Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem\n"}, {"resource": "File[/etc/apache2/sites-enabled]", "parameters": "--- File[/etc/apache2/sites-enabled].orig\n+++ File[/etc/apache2/sites-enabled]\n\n-    owner   => root\n-    recurse => True\n-    purge   => True\n-    mode    => 0755\n-    require => Package[apache2]\n-    ensure  => directory\n-    group   => root\n-    notify  => Service[apache2]\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.orig\n+++ /etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry\n-\n-/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]\n\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n-    ensure => present\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer\n@@ -1,14 +0,0 @@\n-[Unit]\n-Description=Periodic execution of nrpe2nodexp-check_cfssl-multirootca_status.service\n-\n-[Timer]\n-Unit=nrpe2nodexp-check_cfssl-multirootca_status.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=5min\n-OnActiveSec=1s\n-RandomizedDelaySec=300\n-FixedRandomDelay=true\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]\n"}, {"resource": "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"pki1001.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"pki1001.eqiad.wmnet\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]\n\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n-    ensure => file\n"}, {"resource": "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet].orig\n+++ Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]\n\n-    names           => []\n-    provide_chain   => False\n-    auto_renew      => True\n-    mode            => 0740\n-    before_services => []\n-    before          => Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    group           => root\n-    signer_config   => {'config_file': '/etc/cfssl/client-cfssl.conf'}\n-    hosts           => []\n-    owner           => root\n-    tls_key         => /var/lib/puppet/ssl/private_keys/pki1001.eqiad.wmnet.pem\n-    renew_seconds   => 952200\n-    tls_cert        => /etc/cfssl/mutual_tls_client_cert.pem\n-    common_name     => pki1001.eqiad.wmnet\n-    outdir          => /etc/cfssl/ssl/ocsp\n-    notify_services => []\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    label           => mlserve_front_proxy\n-    notify          => Service[cfssl-ocspserve@mlserve_front_proxy]\n-    profile         => ocsp\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry].orig\n+++ Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}, {"resource": "Exec[ensure_present_mod_headers]", "parameters": "--- Exec[ensure_present_mod_headers].orig\n+++ Exec[ensure_present_mod_headers]\n\n-    require => Package[apache2]\n-    creates => /etc/apache2/mods-enabled/headers.load\n-    notify  => Service[apache2]\n-    command => /usr/sbin/a2enmod headers\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Auto restart job: apache-htcacheclean\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    require                   => File[/usr/local/sbin/wmf-auto-restart]\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 3:51:00'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/wmf-auto-restart -s apache-htcacheclean\n"}, {"resource": "Nrpe::Check[check_check_certificate_expiry_network_devices]", "parameters": "--- Nrpe::Check[check_check_certificate_expiry_network_devices].orig\n+++ Nrpe::Check[check_check_certificate_expiry_network_devices]\n\n-    before    => Monitoring::Service[check_certificate_expiry_network_devices]\n-    ensure    => present\n-    sudo_user => root\n-    command   => /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/network_devices/ca/network_devices.pem\n"}, {"resource": "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "content": "--- /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer.orig\n+++ /lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer\n@@ -1,13 +0,0 @@\n-[Unit]\n-Description=Periodic execution of cfssl-ocsprefresh-mlserve_front_proxy.service\n-\n-[Timer]\n-Unit=cfssl-ocsprefresh-mlserve_front_proxy.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnUnitInactiveSec=1h\n-OnActiveSec=1s\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer].orig\n+++ File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_mlserve\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "content": "--- /etc/ferm/conf.d/10_csr_and_ocsp_responder.orig\n+++ /etc/ferm/conf.d/10_csr_and_ocsp_responder\n@@ -1,6 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# \n-&R_SERVICE(tcp, 80, ($DOMAIN_NETWORKS $MGMT_NETWORKS));\n-\n-", "parameters": "--- File[/etc/ferm/conf.d/10_csr_and_ocsp_responder].orig\n+++ File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]\n\n-    mode    => 0400\n-    require => File[/etc/ferm/conf.d]\n-    tag     => ferm\n-    ensure  => present\n-    owner   => root\n-    group   => root\n-    notify  => Service[ferm]\n"}, {"resource": "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "content": "--- /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem.orig\n+++ /etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem\n@@ -1 +0,0 @@\n-FAKE FAKE FAKE", "parameters": "--- File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]\n\n-    mode      => 0400\n-    show_diff => False\n-    before    => Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]\n-    owner     => root\n-    group     => root\n-    notify    => Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_apache2]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_apache2].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_apache2]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => Auto restart job: apache2\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => root\n-    ignore_errors             => False\n-    success_exit_status       => []\n-    private_tmp               => False\n-    logging_enabled           => True\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => False\n-    require                   => File[/usr/local/sbin/wmf-auto-restart]\n-    ensure                    => present\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 22:8:00'}\n-    logfile_perms             => all\n-    command                   => /usr/local/sbin/wmf-auto-restart -s apache2\n"}, {"resource": "Httpd::Mod_conf[filter]", "parameters": "--- Httpd::Mod_conf[filter].orig\n+++ Httpd::Mod_conf[filter]\n\n-    loadfile => filter.load\n-    mod      => filter\n-    ensure   => present\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "parameters": "--- Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service].orig\n+++ Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]\n\n-    override          => False\n-    unit              => cfssl-ocsprefresh-dse_front_proxy.service\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf\n@@ -1,10 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-if $programname contains \"nrpe2nodexp-check_certificate_expiry_discovery2026\" then {\n-    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n-        # Send logs to kafka\n-        set $.log_outputs = \"kafka ecs_170 local\";\n-    } else {\n-        # Filter out non-relevant nrpe2nodexp messages\n-        stop\n-    }\n-}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]\n\n-    mode   => 0444\n-    ensure => absent\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "parameters": "--- File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry].orig\n+++ File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]\n\n-    mode   => 0755\n-    force  => True\n-    ensure => directory\n-    owner  => root\n-    backup => False\n-    group  => root\n"}, {"resource": "File[/etc/cfssl/signers/dse_front_proxy/ca]", "parameters": "--- File[/etc/cfssl/signers/dse_front_proxy/ca].orig\n+++ File[/etc/cfssl/signers/dse_front_proxy/ca]\n\n-    mode    => 0550\n-    require => ['Package[golang-cfssl]']\n-    ensure  => directory\n-    owner   => root\n-    group   => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "content": "--- /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery.orig\n+++ /etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery\n@@ -1,3 +0,0 @@\n-# This file is managed by Puppet!\n-\n-nagios ALL = (root) NOPASSWD: /usr/bin/openssl x509 -checkend 4687200 -in /etc/cfssl/signers/discovery/ca/discovery.pem", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]\n\n-    mode         => 0440\n-    require      => Package[nagios-nrpe-server]\n-    validate_cmd => /usr/sbin/visudo -cqf %\n-    ensure       => present\n-    owner        => root\n-    group        => root\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]\n-    ensure   => present\n-    priority => 40\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]\n\n-    syslog_force_stop         => True\n-    send_mail_to              => root@pki1001.eqiad.wmnet\n-    description               => execution of nrpe2nodexp for the check_check_certificate_expiry_dse_front_proxy command.\n-    send_mail_only_on_error   => True\n-    send_mail                 => False\n-    user                      => nagios\n-    syslog_identifier         => nrpe2nodexp-check_certificate_expiry_dse_front_proxy\n-    ignore_errors             => True\n-    success_exit_status       => []\n-    group                     => prometheus-node-exporter\n-    private_tmp               => False\n-    splay                     => 60\n-    logging_enabled           => False\n-    logfile_basedir           => /var/log\n-    syslog_match_startswith   => True\n-    monitoring_contact_groups => admins\n-    logfile_name              => syslog.log\n-    fixed_random_delay        => True\n-    ensure                    => absent\n-    logfile_group             => root\n-    environment               => {}\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    monitoring_enabled        => False\n-    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '1min'}]\n-    logfile_perms             => all\n-    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"2560f4f577ba169af651cf96bd5dc1ba\" --timeout 10 --check-command \"check_check_certificate_expiry_dse_front_proxy\"\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry\" then {\n-    action(\n-        type=\"omfile\" file=\"/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]\n\n-    mode   => 0444\n-    ensure => present\n-    owner  => root\n-    group  => root\n-    notify => Service[rsyslog]\n"}, {"resource": "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "parameters": "--- Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy].orig\n+++ Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]\n\n-    base_dir               => /var/log\n-    owner                  => root\n-    force_stop             => True\n-    programname_comparison => startswith\n-    ensure                 => present\n-    readable_by            => all\n-    group                  => root\n-    log_filename           => syslog.log\n"}], "perc_changed": "87.77%"}, "core": {"total": 4897, "only_in_self": ["Augeas[Apache2 logs]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[load_env_enabled]", "Node[__node_regexp__pki10012.eqiad.]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]"], "only_in_other": ["File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Node[__node_regexp__pki1001.eqiad.]"], "resource_diffs": [{"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_ferm:\n - Infrastructure Foundations"}], "perc_changed": "23.69%"}, "main": {"total": 4897, "only_in_self": ["Augeas[Apache2 logs]", "Cfssl::Cert[OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_aux_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cassandra_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_debmonitor_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery2026_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_discovery_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_dse_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_etcd_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_kafka_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_network_devices_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_syslog_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Cfssl::Cert[OCSP_zuul_pki1001_eqiad_wmnet]", "Cfssl::Cert[puppet_rsa__pki_discovery_wmnet]", "Cfssl::Config[aux]", "Cfssl::Config[aux_front_proxy]", "Cfssl::Config[cassandra]", "Cfssl::Config[cloud_wmnet_ca]", "Cfssl::Config[debmonitor]", "Cfssl::Config[discovery2026]", "Cfssl::Config[discovery]", "Cfssl::Config[dse]", "Cfssl::Config[dse_front_proxy]", "Cfssl::Config[etcd]", "Cfssl::Config[kafka]", "Cfssl::Config[mlserve]", "Cfssl::Config[mlserve_front_proxy]", "Cfssl::Config[mlserve_staging]", "Cfssl::Config[mlserve_staging_front_proxy]", "Cfssl::Config[network_devices]", "Cfssl::Config[puppet_rsa]", "Cfssl::Config[syslog]", "Cfssl::Config[wikikube]", "Cfssl::Config[wikikube_front_proxy]", "Cfssl::Config[wikikube_staging]", "Cfssl::Config[wikikube_staging_front_proxy]", "Cfssl::Config[zuul]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "Cfssl::Db[multirootca-db]", "Cfssl::Ocsp[Wikimedia_Internal_Root_CA]", "Cfssl::Ocsp[aux]", "Cfssl::Ocsp[aux_front_proxy]", "Cfssl::Ocsp[cassandra]", "Cfssl::Ocsp[cloud_wmnet_ca]", "Cfssl::Ocsp[debmonitor]", "Cfssl::Ocsp[discovery2026]", "Cfssl::Ocsp[discovery]", "Cfssl::Ocsp[dse]", "Cfssl::Ocsp[dse_front_proxy]", "Cfssl::Ocsp[etcd]", "Cfssl::Ocsp[kafka]", "Cfssl::Ocsp[mlserve]", "Cfssl::Ocsp[mlserve_front_proxy]", "Cfssl::Ocsp[mlserve_staging]", "Cfssl::Ocsp[mlserve_staging_front_proxy]", "Cfssl::Ocsp[network_devices]", "Cfssl::Ocsp[puppet_rsa]", "Cfssl::Ocsp[syslog]", "Cfssl::Ocsp[wikikube]", "Cfssl::Ocsp[wikikube_front_proxy]", "Cfssl::Ocsp[wikikube_staging]", "Cfssl::Ocsp[wikikube_staging_front_proxy]", "Cfssl::Ocsp[zuul]", "Cfssl::Signer[aux]", "Cfssl::Signer[aux_front_proxy]", "Cfssl::Signer[cassandra]", "Cfssl::Signer[cloud_wmnet_ca]", "Cfssl::Signer[debmonitor]", "Cfssl::Signer[discovery2026]", "Cfssl::Signer[discovery]", "Cfssl::Signer[dse]", "Cfssl::Signer[dse_front_proxy]", "Cfssl::Signer[etcd]", "Cfssl::Signer[kafka]", "Cfssl::Signer[mlserve]", "Cfssl::Signer[mlserve_front_proxy]", "Cfssl::Signer[mlserve_staging]", "Cfssl::Signer[mlserve_staging_front_proxy]", "Cfssl::Signer[network_devices]", "Cfssl::Signer[puppet_rsa]", "Cfssl::Signer[syslog]", "Cfssl::Signer[wikikube]", "Cfssl::Signer[wikikube_front_proxy]", "Cfssl::Signer[wikikube_staging]", "Cfssl::Signer[wikikube_staging_front_proxy]", "Cfssl::Signer[zuul]", "Class[Cfssl::Multirootca]", "Class[Httpd]", "Class[Profile::Pki::Multirootca]", "Class[Role::Pki::Multirootca]", "Class[Sslcert::Dhparam]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_aux_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_dse_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet refresh]", "Exec[Generate cert OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh on intermediate ca change]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet refresh]", "Exec[Generate cert puppet_rsa__pki_discovery_wmnet]", "Exec[Generate initial CRL for aux]", "Exec[Generate initial CRL for aux_front_proxy]", "Exec[Generate initial CRL for cassandra]", "Exec[Generate initial CRL for cloud_wmnet_ca]", "Exec[Generate initial CRL for debmonitor]", "Exec[Generate initial CRL for discovery2026]", "Exec[Generate initial CRL for discovery]", "Exec[Generate initial CRL for dse]", "Exec[Generate initial CRL for dse_front_proxy]", "Exec[Generate initial CRL for etcd]", "Exec[Generate initial CRL for kafka]", "Exec[Generate initial CRL for mlserve]", "Exec[Generate initial CRL for mlserve_front_proxy]", "Exec[Generate initial CRL for mlserve_staging]", "Exec[Generate initial CRL for mlserve_staging_front_proxy]", "Exec[Generate initial CRL for network_devices]", "Exec[Generate initial CRL for puppet_rsa]", "Exec[Generate initial CRL for syslog]", "Exec[Generate initial CRL for wikikube]", "Exec[Generate initial CRL for wikikube_front_proxy]", "Exec[Generate initial CRL for wikikube_staging]", "Exec[Generate initial CRL for wikikube_staging_front_proxy]", "Exec[Generate initial CRL for zuul]", "Exec[apache2_test_config_and_restart]", "Exec[create chained cert /etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "Exec[ensure_present_mod_access_compat]", "Exec[ensure_present_mod_filter]", "Exec[ensure_present_mod_headers]", "Exec[ensure_present_mod_proxy_http]", "Exec[ensure_present_mod_ssl]", "Exec[ensure_present_mod_status]", "Exec[renew certificate - OCSP_aux_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_aux_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cassandra_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_debmonitor_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery2026_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_discovery_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_dse_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_etcd_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_kafka_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_mlserve_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_network_devices_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_puppet_rsa_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_syslog_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_wikikube_staging_pki1001_eqiad_wmnet]", "Exec[renew certificate - OCSP_zuul_pki1001_eqiad_wmnet]", "Exec[renew certificate - puppet_rsa__pki_discovery_wmnet]", "Exec[systemd daemon-reload for apache2.service (apache2-apache2-after-network-online-target)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.service (cfssl-gc-expired-certs.service)]", "Exec[systemd daemon-reload for cfssl-gc-expired-certs.timer (cfssl-gc-expired-certs.timer)]", "Exec[systemd daemon-reload for cfssl-multirootca.service (cfssl-multirootca)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer (cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.service (cfssl-ocsprefresh-aux.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux.timer (cfssl-ocsprefresh-aux.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.service (cfssl-ocsprefresh-aux_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-aux_front_proxy.timer (cfssl-ocsprefresh-aux_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.service (cfssl-ocsprefresh-cassandra.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cassandra.timer (cfssl-ocsprefresh-cassandra.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.service (cfssl-ocsprefresh-cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-cloud_wmnet_ca.timer (cfssl-ocsprefresh-cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.service (cfssl-ocsprefresh-debmonitor.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-debmonitor.timer (cfssl-ocsprefresh-debmonitor.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.service (cfssl-ocsprefresh-discovery.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery.timer (cfssl-ocsprefresh-discovery.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.service (cfssl-ocsprefresh-discovery2026.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-discovery2026.timer (cfssl-ocsprefresh-discovery2026.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.service (cfssl-ocsprefresh-dse.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse.timer (cfssl-ocsprefresh-dse.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.service (cfssl-ocsprefresh-dse_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-dse_front_proxy.timer (cfssl-ocsprefresh-dse_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.service (cfssl-ocsprefresh-etcd.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-etcd.timer (cfssl-ocsprefresh-etcd.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.service (cfssl-ocsprefresh-kafka.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-kafka.timer (cfssl-ocsprefresh-kafka.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.service (cfssl-ocsprefresh-mlserve.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve.timer (cfssl-ocsprefresh-mlserve.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.service (cfssl-ocsprefresh-mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_front_proxy.timer (cfssl-ocsprefresh-mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.service (cfssl-ocsprefresh-mlserve_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging.timer (cfssl-ocsprefresh-mlserve_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.service (cfssl-ocsprefresh-mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-mlserve_staging_front_proxy.timer (cfssl-ocsprefresh-mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.service (cfssl-ocsprefresh-network_devices.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-network_devices.timer (cfssl-ocsprefresh-network_devices.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.service (cfssl-ocsprefresh-puppet_rsa.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-puppet_rsa.timer (cfssl-ocsprefresh-puppet_rsa.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.service (cfssl-ocsprefresh-syslog.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-syslog.timer (cfssl-ocsprefresh-syslog.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.service (cfssl-ocsprefresh-wikikube.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube.timer (cfssl-ocsprefresh-wikikube.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.service (cfssl-ocsprefresh-wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_front_proxy.timer (cfssl-ocsprefresh-wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.service (cfssl-ocsprefresh-wikikube_staging.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging.timer (cfssl-ocsprefresh-wikikube_staging.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.service (cfssl-ocsprefresh-wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-wikikube_staging_front_proxy.timer (cfssl-ocsprefresh-wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.service (cfssl-ocsprefresh-zuul.service)]", "Exec[systemd daemon-reload for cfssl-ocsprefresh-zuul.timer (cfssl-ocsprefresh-zuul.timer)]", "Exec[systemd daemon-reload for cfssl-ocspserve@Wikimedia_Internal_Root_CA.service (cfssl-ocspserve@Wikimedia_Internal_Root_CA)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux.service (cfssl-ocspserve@aux)]", "Exec[systemd daemon-reload for cfssl-ocspserve@aux_front_proxy.service (cfssl-ocspserve@aux_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cassandra.service (cfssl-ocspserve@cassandra)]", "Exec[systemd daemon-reload for cfssl-ocspserve@cloud_wmnet_ca.service (cfssl-ocspserve@cloud_wmnet_ca)]", "Exec[systemd daemon-reload for cfssl-ocspserve@debmonitor.service (cfssl-ocspserve@debmonitor)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery.service (cfssl-ocspserve@discovery)]", "Exec[systemd daemon-reload for cfssl-ocspserve@discovery2026.service (cfssl-ocspserve@discovery2026)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse.service (cfssl-ocspserve@dse)]", "Exec[systemd daemon-reload for cfssl-ocspserve@dse_front_proxy.service (cfssl-ocspserve@dse_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@etcd.service (cfssl-ocspserve@etcd)]", "Exec[systemd daemon-reload for cfssl-ocspserve@kafka.service (cfssl-ocspserve@kafka)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve.service (cfssl-ocspserve@mlserve)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_front_proxy.service (cfssl-ocspserve@mlserve_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging.service (cfssl-ocspserve@mlserve_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@mlserve_staging_front_proxy.service (cfssl-ocspserve@mlserve_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@network_devices.service (cfssl-ocspserve@network_devices)]", "Exec[systemd daemon-reload for cfssl-ocspserve@puppet_rsa.service (cfssl-ocspserve@puppet_rsa)]", "Exec[systemd daemon-reload for cfssl-ocspserve@syslog.service (cfssl-ocspserve@syslog)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube.service (cfssl-ocspserve@wikikube)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_front_proxy.service (cfssl-ocspserve@wikikube_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging.service (cfssl-ocspserve@wikikube_staging)]", "Exec[systemd daemon-reload for cfssl-ocspserve@wikikube_staging_front_proxy.service (cfssl-ocspserve@wikikube_staging_front_proxy)]", "Exec[systemd daemon-reload for cfssl-ocspserve@zuul.service (cfssl-ocspserve@zuul)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.service (nrpe2nodexp-check_certificate_expiry_aux.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux.timer (nrpe2nodexp-check_certificate_expiry_aux.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.service (nrpe2nodexp-check_certificate_expiry_cassandra.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cassandra.timer (nrpe2nodexp-check_certificate_expiry_cassandra.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer (nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.service (nrpe2nodexp-check_certificate_expiry_debmonitor.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_debmonitor.timer (nrpe2nodexp-check_certificate_expiry_debmonitor.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.service (nrpe2nodexp-check_certificate_expiry_discovery.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery.timer (nrpe2nodexp-check_certificate_expiry_discovery.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.service (nrpe2nodexp-check_certificate_expiry_discovery2026.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_discovery2026.timer (nrpe2nodexp-check_certificate_expiry_discovery2026.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.service (nrpe2nodexp-check_certificate_expiry_dse.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse.timer (nrpe2nodexp-check_certificate_expiry_dse.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.service (nrpe2nodexp-check_certificate_expiry_etcd.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_etcd.timer (nrpe2nodexp-check_certificate_expiry_etcd.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.service (nrpe2nodexp-check_certificate_expiry_kafka.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_kafka.timer (nrpe2nodexp-check_certificate_expiry_kafka.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.service (nrpe2nodexp-check_certificate_expiry_mlserve.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve.timer (nrpe2nodexp-check_certificate_expiry_mlserve.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.service (nrpe2nodexp-check_certificate_expiry_network_devices.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_network_devices.timer (nrpe2nodexp-check_certificate_expiry_network_devices.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.service (nrpe2nodexp-check_certificate_expiry_puppet_rsa.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer (nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.service (nrpe2nodexp-check_certificate_expiry_syslog.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_syslog.timer (nrpe2nodexp-check_certificate_expiry_syslog.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.service (nrpe2nodexp-check_certificate_expiry_wikikube.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube.timer (nrpe2nodexp-check_certificate_expiry_wikikube.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer (nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.service (nrpe2nodexp-check_certificate_expiry_zuul.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_certificate_expiry_zuul.timer (nrpe2nodexp-check_certificate_expiry_zuul.timer)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.service (nrpe2nodexp-check_cfssl-multirootca_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_cfssl-multirootca_status.timer (nrpe2nodexp-check_cfssl-multirootca_status.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer (prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.service (wmf_auto_restart_apache-htcacheclean.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache-htcacheclean.timer (wmf_auto_restart_apache-htcacheclean.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.service (wmf_auto_restart_apache2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_apache2.timer (wmf_auto_restart_apache2.timer)]", "Ferm::Service[csr_and_ocsp_responder]", "Ferm::Service[multirootca_tls_termination]", "Ferm::Service[multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/apache2/conf-available/00-defaults.conf]", "File[/etc/apache2/conf-available/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-available/50-server-status.conf]", "File[/etc/apache2/conf-available]", "File[/etc/apache2/conf-enabled/00-defaults.conf]", "File[/etc/apache2/conf-enabled/50-cfssl-issuer-k8s-pods-vhost-port.conf]", "File[/etc/apache2/conf-enabled/50-server-status.conf]", "File[/etc/apache2/conf-enabled]", "File[/etc/apache2/env-available]", "File[/etc/apache2/env-enabled]", "File[/etc/apache2/mods-available/status.conf]", "File[/etc/apache2/mods-enabled/status.conf]", "File[/etc/apache2/ports.conf]", "File[/etc/apache2/sites-available/00-dummy.conf]", "File[/etc/apache2/sites-available/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-available]", "File[/etc/apache2/sites-enabled/00-dummy.conf]", "File[/etc/apache2/sites-enabled/50-pki-discovery-wmnet.conf]", "File[/etc/apache2/sites-enabled]", "File[/etc/cfssl/csr/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/db.conf.json]", "File[/etc/cfssl/db.conf]", "File[/etc/cfssl/multiroot.conf]", "File[/etc/cfssl/ocsp/Wikimedia_Internal_Root_CA.ocsp]", "File[/etc/cfssl/ocsp/aux.ocsp]", "File[/etc/cfssl/ocsp/aux_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/cassandra.ocsp]", "File[/etc/cfssl/ocsp/cloud_wmnet_ca.ocsp]", "File[/etc/cfssl/ocsp/debmonitor.ocsp]", "File[/etc/cfssl/ocsp/discovery.ocsp]", "File[/etc/cfssl/ocsp/discovery2026.ocsp]", "File[/etc/cfssl/ocsp/dse.ocsp]", "File[/etc/cfssl/ocsp/dse_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/etcd.ocsp]", "File[/etc/cfssl/ocsp/kafka.ocsp]", "File[/etc/cfssl/ocsp/mlserve.ocsp]", "File[/etc/cfssl/ocsp/mlserve_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging.ocsp]", "File[/etc/cfssl/ocsp/mlserve_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/network_devices.ocsp]", "File[/etc/cfssl/ocsp/puppet_rsa.ocsp]", "File[/etc/cfssl/ocsp/syslog.ocsp]", "File[/etc/cfssl/ocsp/wikikube.ocsp]", "File[/etc/cfssl/ocsp/wikikube_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging.ocsp]", "File[/etc/cfssl/ocsp/wikikube_staging_front_proxy.ocsp]", "File[/etc/cfssl/ocsp/zuul.ocsp]", "File[/etc/cfssl/signers/aux/ca/aux-key.pem]", "File[/etc/cfssl/signers/aux/ca/aux.pem]", "File[/etc/cfssl/signers/aux/ca]", "File[/etc/cfssl/signers/aux/cfssl.conf]", "File[/etc/cfssl/signers/aux]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy-key.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca/aux_front_proxy.pem]", "File[/etc/cfssl/signers/aux_front_proxy/ca]", "File[/etc/cfssl/signers/aux_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/aux_front_proxy]", "File[/etc/cfssl/signers/cassandra/ca/cassandra-key.pem]", "File[/etc/cfssl/signers/cassandra/ca/cassandra.pem]", "File[/etc/cfssl/signers/cassandra/ca]", "File[/etc/cfssl/signers/cassandra/cfssl.conf]", "File[/etc/cfssl/signers/cassandra]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/signers/cloud_wmnet_ca/ca]", "File[/etc/cfssl/signers/cloud_wmnet_ca/cfssl.conf]", "File[/etc/cfssl/signers/cloud_wmnet_ca]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor-key.pem]", "File[/etc/cfssl/signers/debmonitor/ca/debmonitor.pem]", "File[/etc/cfssl/signers/debmonitor/ca]", "File[/etc/cfssl/signers/debmonitor/cfssl.conf]", "File[/etc/cfssl/signers/debmonitor]", "File[/etc/cfssl/signers/discovery/ca/discovery-key.pem]", "File[/etc/cfssl/signers/discovery/ca/discovery.pem]", "File[/etc/cfssl/signers/discovery/ca]", "File[/etc/cfssl/signers/discovery/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026-key.pem]", "File[/etc/cfssl/signers/discovery2026/ca/discovery2026.pem]", "File[/etc/cfssl/signers/discovery2026/ca]", "File[/etc/cfssl/signers/discovery2026/cfssl.conf]", "File[/etc/cfssl/signers/discovery2026]", "File[/etc/cfssl/signers/discovery]", "File[/etc/cfssl/signers/dse/ca/dse-key.pem]", "File[/etc/cfssl/signers/dse/ca/dse.pem]", "File[/etc/cfssl/signers/dse/ca]", "File[/etc/cfssl/signers/dse/cfssl.conf]", "File[/etc/cfssl/signers/dse]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy-key.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca/dse_front_proxy.pem]", "File[/etc/cfssl/signers/dse_front_proxy/ca]", "File[/etc/cfssl/signers/dse_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/dse_front_proxy]", "File[/etc/cfssl/signers/etcd/ca/etcd-key.pem]", "File[/etc/cfssl/signers/etcd/ca/etcd.pem]", "File[/etc/cfssl/signers/etcd/ca]", "File[/etc/cfssl/signers/etcd/cfssl.conf]", "File[/etc/cfssl/signers/etcd]", "File[/etc/cfssl/signers/kafka/ca/kafka-key.pem]", "File[/etc/cfssl/signers/kafka/ca/kafka.pem]", "File[/etc/cfssl/signers/kafka/ca]", "File[/etc/cfssl/signers/kafka/cfssl.conf]", "File[/etc/cfssl/signers/kafka]", "File[/etc/cfssl/signers/mlserve/ca/mlserve-key.pem]", "File[/etc/cfssl/signers/mlserve/ca/mlserve.pem]", "File[/etc/cfssl/signers/mlserve/ca]", "File[/etc/cfssl/signers/mlserve/cfssl.conf]", "File[/etc/cfssl/signers/mlserve]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca/mlserve_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_front_proxy]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging-key.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca/mlserve_staging.pem]", "File[/etc/cfssl/signers/mlserve_staging/ca]", "File[/etc/cfssl/signers/mlserve_staging/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/ca]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/mlserve_staging_front_proxy]", "File[/etc/cfssl/signers/network_devices/ca/network_devices-key.pem]", "File[/etc/cfssl/signers/network_devices/ca/network_devices.pem]", "File[/etc/cfssl/signers/network_devices/ca]", "File[/etc/cfssl/signers/network_devices/cfssl.conf]", "File[/etc/cfssl/signers/network_devices]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa-key.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca/puppet_rsa.pem]", "File[/etc/cfssl/signers/puppet_rsa/ca]", "File[/etc/cfssl/signers/puppet_rsa/cfssl.conf]", "File[/etc/cfssl/signers/puppet_rsa]", "File[/etc/cfssl/signers/syslog/ca/syslog-key.pem]", "File[/etc/cfssl/signers/syslog/ca/syslog.pem]", "File[/etc/cfssl/signers/syslog/ca]", "File[/etc/cfssl/signers/syslog/cfssl.conf]", "File[/etc/cfssl/signers/syslog]", "File[/etc/cfssl/signers/wikikube/ca/wikikube-key.pem]", "File[/etc/cfssl/signers/wikikube/ca/wikikube.pem]", "File[/etc/cfssl/signers/wikikube/ca]", "File[/etc/cfssl/signers/wikikube/cfssl.conf]", "File[/etc/cfssl/signers/wikikube]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca/wikikube_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_front_proxy]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging-key.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca/wikikube_staging.pem]", "File[/etc/cfssl/signers/wikikube_staging/ca]", "File[/etc/cfssl/signers/wikikube_staging/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/ca]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy/cfssl.conf]", "File[/etc/cfssl/signers/wikikube_staging_front_proxy]", "File[/etc/cfssl/signers/zuul/ca/zuul-key.pem]", "File[/etc/cfssl/signers/zuul/ca/zuul.pem]", "File[/etc/cfssl/signers/zuul/ca]", "File[/etc/cfssl/signers/zuul/cfssl.conf]", "File[/etc/cfssl/signers/zuul]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_Wikimedia_Internal_Root_CA_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_aux_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cassandra_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_cloud_wmnet_ca_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_debmonitor_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery2026_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_discovery_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_dse_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_etcd_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_kafka_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_mlserve_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_network_devices_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_puppet_rsa_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_syslog_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_front_proxy_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_wikikube_staging_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet-key.pem]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.csr]", "File[/etc/cfssl/ssl/ocsp/OCSP_zuul_pki1001_eqiad_wmnet.pem]", "File[/etc/cfssl/ssl/ocsp]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chain.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.chained.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.csr]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet/puppet_rsa__pki_discovery_wmnet.pem]", "File[/etc/cfssl/ssl/puppet_rsa__pki_discovery_wmnet]", "File[/etc/ferm/conf.d/10_csr_and_ocsp_responder]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination]", "File[/etc/ferm/conf.d/10_multirootca_tls_termination_for_cfssl_issuer_k8s_pods]", "File[/etc/logrotate.d/cfssl-gc-expired-certs]", "File[/etc/logrotate.d/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux]", "File[/etc/logrotate.d/cfssl-ocsprefresh-aux_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cassandra]", "File[/etc/logrotate.d/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/etc/logrotate.d/cfssl-ocsprefresh-debmonitor]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery2026]", "File[/etc/logrotate.d/cfssl-ocsprefresh-discovery]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse]", "File[/etc/logrotate.d/cfssl-ocsprefresh-dse_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-etcd]", "File[/etc/logrotate.d/cfssl-ocsprefresh-kafka]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-network_devices]", "File[/etc/logrotate.d/cfssl-ocsprefresh-puppet_rsa]", "File[/etc/logrotate.d/cfssl-ocsprefresh-syslog]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging]", "File[/etc/logrotate.d/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/etc/logrotate.d/cfssl-ocsprefresh-zuul]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/etc/logrotate.d/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/etc/logrotate.d/wmf_auto_restart_apache-htcacheclean]", "File[/etc/logrotate.d/wmf_auto_restart_apache2]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_aux_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cassandra.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_cloud_wmnet_ca.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_debmonitor.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_discovery2026.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_dse_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_etcd.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_kafka.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_mlserve_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_network_devices.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_puppet_rsa.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_syslog.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_wikikube_staging_front_proxy.cfg]", "File[/etc/nagios/nrpe.d/check_check_certificate_expiry_zuul.cfg]", "File[/etc/nagios/nrpe.d/check_check_cfssl-multirootca_status.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-aux.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cassandra.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-debmonitor.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-discovery2026.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-dse.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-etcd.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-kafka.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-mlserve.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-network-devices.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-puppet-rsa.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-syslog.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube-staging.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-wikikube.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-certificate-expiry-zuul.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-cfssl-multirootca-status.conf]", "File[/etc/rsyslog.d/40-cfssl-gc-expired-certs.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-Wikimedia-Internal-Root-CA.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-aux.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cassandra.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-cloud-wmnet-ca.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-debmonitor.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-discovery2026.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-dse.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-etcd.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-kafka.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-mlserve.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-network-devices.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-puppet-rsa.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-syslog.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging-front-proxy.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube-staging.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-wikikube.conf]", "File[/etc/rsyslog.d/40-cfssl-ocsprefresh-zuul.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-aux-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-cloud-wmnet-ca-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-dse-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-mlserve-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-network-devices-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-puppet-rsa-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-wikikube-staging-front-proxy-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache-htcacheclean.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-apache2.conf]", "File[/etc/ssl/dhparam.pem]", "File[/etc/ssl/localcerts/multiroot_ca.pem]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_aux_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cassandra]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_debmonitor]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery2026]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_discovery]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_dse_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_etcd]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_kafka]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_network_devices]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_puppet_rsa]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_syslog]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe-check_check_certificate_expiry_zuul]", "File[/etc/sudoers.d/nrpe-check_check_cfssl-multirootca_status]", "File[/etc/sudoers.d/nrpe_certificate_check_aux]", "File[/etc/sudoers.d/nrpe_certificate_check_aux_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_cassandra]", "File[/etc/sudoers.d/nrpe_certificate_check_cloud_wmnet_ca]", "File[/etc/sudoers.d/nrpe_certificate_check_debmonitor]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery2026]", "File[/etc/sudoers.d/nrpe_certificate_check_discovery]", "File[/etc/sudoers.d/nrpe_certificate_check_dse]", "File[/etc/sudoers.d/nrpe_certificate_check_dse_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_etcd]", "File[/etc/sudoers.d/nrpe_certificate_check_kafka]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_mlserve_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_network_devices]", "File[/etc/sudoers.d/nrpe_certificate_check_puppet_rsa]", "File[/etc/sudoers.d/nrpe_certificate_check_syslog]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging]", "File[/etc/sudoers.d/nrpe_certificate_check_wikikube_staging_front_proxy]", "File[/etc/sudoers.d/nrpe_certificate_check_zuul]", "File[/etc/systemd/system/apache2.service.d/apache2-after-network-online-target.conf]", "File[/etc/update-motd.d/05-pki--multirootca]", "File[/lib/systemd/system/cfssl-gc-expired-certs.service]", "File[/lib/systemd/system/cfssl-gc-expired-certs.timer]", "File[/lib/systemd/system/cfssl-multirootca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-aux_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cassandra.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-debmonitor.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-discovery2026.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-dse_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-etcd.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-kafka.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-network_devices.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-puppet_rsa.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-syslog.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.service]", "File[/lib/systemd/system/cfssl-ocsprefresh-zuul.timer]", "File[/lib/systemd/system/cfssl-ocspserve@Wikimedia_Internal_Root_CA.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux.service]", "File[/lib/systemd/system/cfssl-ocspserve@aux_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@cassandra.service]", "File[/lib/systemd/system/cfssl-ocspserve@cloud_wmnet_ca.service]", "File[/lib/systemd/system/cfssl-ocspserve@debmonitor.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery.service]", "File[/lib/systemd/system/cfssl-ocspserve@discovery2026.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse.service]", "File[/lib/systemd/system/cfssl-ocspserve@dse_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@etcd.service]", "File[/lib/systemd/system/cfssl-ocspserve@kafka.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@network_devices.service]", "File[/lib/systemd/system/cfssl-ocspserve@puppet_rsa.service]", "File[/lib/systemd/system/cfssl-ocspserve@syslog.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging.service]", "File[/lib/systemd/system/cfssl-ocspserve@wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/cfssl-ocspserve@zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_etcd.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_kafka.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_syslog.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.service]", "File[/lib/systemd/system/nrpe2nodexp-check_certificate_expiry_zuul.timer]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_cfssl-multirootca_status.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "File[/lib/systemd/system/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.service]", "File[/lib/systemd/system/wmf_auto_restart_apache-htcacheclean.timer]", "File[/lib/systemd/system/wmf_auto_restart_apache2.service]", "File[/lib/systemd/system/wmf_auto_restart_apache2.timer]", "File[/srv/cfssl/bundles/Puppet_Internal_CA.pem.pem]", "File[/srv/cfssl/bundles/aux.pem]", "File[/srv/cfssl/bundles/aux_front_proxy.pem]", "File[/srv/cfssl/bundles/cassandra.pem]", "File[/srv/cfssl/bundles/cloud_wmnet_ca.pem]", "File[/srv/cfssl/bundles/debmonitor.pem]", "File[/srv/cfssl/bundles/discovery.pem]", "File[/srv/cfssl/bundles/discovery2026.pem]", "File[/srv/cfssl/bundles/dse.pem]", "File[/srv/cfssl/bundles/dse_front_proxy.pem]", "File[/srv/cfssl/bundles/etcd.pem]", "File[/srv/cfssl/bundles/kafka.pem]", "File[/srv/cfssl/bundles/mlserve.pem]", "File[/srv/cfssl/bundles/mlserve_front_proxy.pem]", "File[/srv/cfssl/bundles/mlserve_staging.pem]", "File[/srv/cfssl/bundles/mlserve_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/network_devices.pem]", "File[/srv/cfssl/bundles/puppet_rsa.pem]", "File[/srv/cfssl/bundles/syslog.pem]", "File[/srv/cfssl/bundles/wikikube.pem]", "File[/srv/cfssl/bundles/wikikube_front_proxy.pem]", "File[/srv/cfssl/bundles/wikikube_staging.pem]", "File[/srv/cfssl/bundles/wikikube_staging_front_proxy.pem]", "File[/srv/cfssl/bundles/zuul.pem]", "File[/srv/cfssl/bundles]", "File[/srv/cfssl/crl]", "File[/srv/cfssl]", "File[/usr/local/bin/apache-status]", "File[/usr/local/bin/prometheus-check-aux-certificate-expiry]", "File[/usr/local/bin/prometheus-check-aux_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cassandra-certificate-expiry]", "File[/usr/local/bin/prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/usr/local/bin/prometheus-check-debmonitor-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery-certificate-expiry]", "File[/usr/local/bin/prometheus-check-discovery2026-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse-certificate-expiry]", "File[/usr/local/bin/prometheus-check-dse_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-etcd-certificate-expiry]", "File[/usr/local/bin/prometheus-check-kafka-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-network_devices-certificate-expiry]", "File[/usr/local/bin/prometheus-check-puppet_rsa-certificate-expiry]", "File[/usr/local/bin/prometheus-check-syslog-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging-certificate-expiry]", "File[/usr/local/bin/prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/usr/local/bin/prometheus-check-zuul-certificate-expiry]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/cfssl-certs]", "File[/usr/local/sbin/cfssl-ocsprefresh]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_aux_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cassandra.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_cloud_wmnet_ca.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_debmonitor.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_discovery2026.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_dse_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_etcd.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_kafka.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_mlserve_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_network_devices.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_puppet_rsa.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_syslog.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_wikikube_staging_front_proxy.prom]", "File[/var/lib/prometheus/node.d/check_check_certificate_expiry_zuul.prom]", "File[/var/lib/prometheus/node.d/check_check_cfssl-multirootca_status.prom]", "File[/var/log/cfssl-gc-expired-certs]", "File[/var/log/cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "File[/var/log/cfssl-ocsprefresh-aux]", "File[/var/log/cfssl-ocsprefresh-aux_front_proxy]", "File[/var/log/cfssl-ocsprefresh-cassandra]", "File[/var/log/cfssl-ocsprefresh-cloud_wmnet_ca]", "File[/var/log/cfssl-ocsprefresh-debmonitor]", "File[/var/log/cfssl-ocsprefresh-discovery2026]", "File[/var/log/cfssl-ocsprefresh-discovery]", "File[/var/log/cfssl-ocsprefresh-dse]", "File[/var/log/cfssl-ocsprefresh-dse_front_proxy]", "File[/var/log/cfssl-ocsprefresh-etcd]", "File[/var/log/cfssl-ocsprefresh-kafka]", "File[/var/log/cfssl-ocsprefresh-mlserve]", "File[/var/log/cfssl-ocsprefresh-mlserve_front_proxy]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging]", "File[/var/log/cfssl-ocsprefresh-mlserve_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-network_devices]", "File[/var/log/cfssl-ocsprefresh-puppet_rsa]", "File[/var/log/cfssl-ocsprefresh-syslog]", "File[/var/log/cfssl-ocsprefresh-wikikube]", "File[/var/log/cfssl-ocsprefresh-wikikube_front_proxy]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging]", "File[/var/log/cfssl-ocsprefresh-wikikube_staging_front_proxy]", "File[/var/log/cfssl-ocsprefresh-zuul]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "File[/var/log/prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "File[/var/log/wmf_auto_restart_apache-htcacheclean]", "File[/var/log/wmf_auto_restart_apache2]", "File_line[auto_restart_file_presence_apache-htcacheclean]", "File_line[auto_restart_file_presence_apache2]", "File_line[load_env_enabled]", "Firewall::Service[csr_and_ocsp_responder]", "Firewall::Service[multirootca tls termination]", "Firewall::Service[multirootca-tls-termination-for-cfssl-issuer-k8s-pods]", "Httpd::Conf[cfssl-issuer-k8s-pods-vhost-port]", "Httpd::Conf[defaults]", "Httpd::Conf[dummy]", "Httpd::Conf[pki.discovery.wmnet]", "Httpd::Conf[server-status]", "Httpd::Mod_conf[access_compat]", "Httpd::Mod_conf[filter]", "Httpd::Mod_conf[headers]", "Httpd::Mod_conf[proxy_http]", "Httpd::Mod_conf[ssl]", "Httpd::Mod_conf[status]", "Httpd::Site[dummy]", "Httpd::Site[pki.discovery.wmnet]", "Logrotate::Conf[cfssl-gc-expired-certs]", "Logrotate::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Logrotate::Conf[cfssl-ocsprefresh-aux]", "Logrotate::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-cassandra]", "Logrotate::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Logrotate::Conf[cfssl-ocsprefresh-debmonitor]", "Logrotate::Conf[cfssl-ocsprefresh-discovery2026]", "Logrotate::Conf[cfssl-ocsprefresh-discovery]", "Logrotate::Conf[cfssl-ocsprefresh-dse]", "Logrotate::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-etcd]", "Logrotate::Conf[cfssl-ocsprefresh-kafka]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging]", "Logrotate::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-network_devices]", "Logrotate::Conf[cfssl-ocsprefresh-puppet_rsa]", "Logrotate::Conf[cfssl-ocsprefresh-syslog]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging]", "Logrotate::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Logrotate::Conf[cfssl-ocsprefresh-zuul]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Logrotate::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Logrotate::Conf[wmf_auto_restart_apache-htcacheclean]", "Logrotate::Conf[wmf_auto_restart_apache2]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_aux_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cassandra]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_debmonitor]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery2026]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_discovery]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_dse_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_etcd]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_kafka]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_network_devices]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_puppet_rsa]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_syslog]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Exported_nagios_service[pki1001 check_certificate_expiry_zuul]", "Monitoring::Exported_nagios_service[pki1001 check_cfssl-multirootca_status]", "Monitoring::Service[check_certificate_expiry_aux]", "Monitoring::Service[check_certificate_expiry_aux_front_proxy]", "Monitoring::Service[check_certificate_expiry_cassandra]", "Monitoring::Service[check_certificate_expiry_cloud_wmnet_ca]", "Monitoring::Service[check_certificate_expiry_debmonitor]", "Monitoring::Service[check_certificate_expiry_discovery2026]", "Monitoring::Service[check_certificate_expiry_discovery]", "Monitoring::Service[check_certificate_expiry_dse]", "Monitoring::Service[check_certificate_expiry_dse_front_proxy]", "Monitoring::Service[check_certificate_expiry_etcd]", "Monitoring::Service[check_certificate_expiry_kafka]", "Monitoring::Service[check_certificate_expiry_mlserve]", "Monitoring::Service[check_certificate_expiry_mlserve_front_proxy]", "Monitoring::Service[check_certificate_expiry_mlserve_staging]", "Monitoring::Service[check_certificate_expiry_mlserve_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_network_devices]", "Monitoring::Service[check_certificate_expiry_puppet_rsa]", "Monitoring::Service[check_certificate_expiry_syslog]", "Monitoring::Service[check_certificate_expiry_wikikube]", "Monitoring::Service[check_certificate_expiry_wikikube_front_proxy]", "Monitoring::Service[check_certificate_expiry_wikikube_staging]", "Monitoring::Service[check_certificate_expiry_wikikube_staging_front_proxy]", "Monitoring::Service[check_certificate_expiry_zuul]", "Monitoring::Service[check_cfssl-multirootca_status]", "Motd::Message[pki::multirootca]", "Motd::Script[pki::multirootca]", "Node[__node_regexp__pki10012.eqiad.]", "Nrpe::Check[check_check_certificate_expiry_aux]", "Nrpe::Check[check_check_certificate_expiry_aux_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_cassandra]", "Nrpe::Check[check_check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Check[check_check_certificate_expiry_debmonitor]", "Nrpe::Check[check_check_certificate_expiry_discovery2026]", "Nrpe::Check[check_check_certificate_expiry_discovery]", "Nrpe::Check[check_check_certificate_expiry_dse]", "Nrpe::Check[check_check_certificate_expiry_dse_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_etcd]", "Nrpe::Check[check_check_certificate_expiry_kafka]", "Nrpe::Check[check_check_certificate_expiry_mlserve]", "Nrpe::Check[check_check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging]", "Nrpe::Check[check_check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_network_devices]", "Nrpe::Check[check_check_certificate_expiry_puppet_rsa]", "Nrpe::Check[check_check_certificate_expiry_syslog]", "Nrpe::Check[check_check_certificate_expiry_wikikube]", "Nrpe::Check[check_check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging]", "Nrpe::Check[check_check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Check[check_check_certificate_expiry_zuul]", "Nrpe::Check[check_check_cfssl-multirootca_status]", "Nrpe::Monitor_service[check_certificate_expiry_aux]", "Nrpe::Monitor_service[check_certificate_expiry_aux_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_cassandra]", "Nrpe::Monitor_service[check_certificate_expiry_cloud_wmnet_ca]", "Nrpe::Monitor_service[check_certificate_expiry_debmonitor]", "Nrpe::Monitor_service[check_certificate_expiry_discovery2026]", "Nrpe::Monitor_service[check_certificate_expiry_discovery]", "Nrpe::Monitor_service[check_certificate_expiry_dse]", "Nrpe::Monitor_service[check_certificate_expiry_dse_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_etcd]", "Nrpe::Monitor_service[check_certificate_expiry_kafka]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging]", "Nrpe::Monitor_service[check_certificate_expiry_mlserve_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_network_devices]", "Nrpe::Monitor_service[check_certificate_expiry_puppet_rsa]", "Nrpe::Monitor_service[check_certificate_expiry_syslog]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging]", "Nrpe::Monitor_service[check_certificate_expiry_wikikube_staging_front_proxy]", "Nrpe::Monitor_service[check_certificate_expiry_zuul]", "Nrpe::Monitor_service[check_cfssl-multirootca_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apache2]", "Package[links]", "Package[python3-cryptography]", "Package[python3-pymysql]", "Profile::Auto_restarts::Service[apache-htcacheclean]", "Profile::Auto_restarts::Service[apache2]", "Profile::Pki::Multirootca::Monitoring[aux]", "Profile::Pki::Multirootca::Monitoring[aux_front_proxy]", "Profile::Pki::Multirootca::Monitoring[cassandra]", "Profile::Pki::Multirootca::Monitoring[cloud_wmnet_ca]", "Profile::Pki::Multirootca::Monitoring[debmonitor]", "Profile::Pki::Multirootca::Monitoring[discovery2026]", "Profile::Pki::Multirootca::Monitoring[discovery]", "Profile::Pki::Multirootca::Monitoring[dse]", "Profile::Pki::Multirootca::Monitoring[dse_front_proxy]", "Profile::Pki::Multirootca::Monitoring[etcd]", "Profile::Pki::Multirootca::Monitoring[kafka]", "Profile::Pki::Multirootca::Monitoring[mlserve]", "Profile::Pki::Multirootca::Monitoring[mlserve_front_proxy]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging]", "Profile::Pki::Multirootca::Monitoring[mlserve_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[network_devices]", "Profile::Pki::Multirootca::Monitoring[puppet_rsa]", "Profile::Pki::Multirootca::Monitoring[syslog]", "Profile::Pki::Multirootca::Monitoring[wikikube]", "Profile::Pki::Multirootca::Monitoring[wikikube_front_proxy]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging]", "Profile::Pki::Multirootca::Monitoring[wikikube_staging_front_proxy]", "Profile::Pki::Multirootca::Monitoring[zuul]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_f7dfe9e2cd77303dfae7ae11c5c56d90]", "Prometheus::Alert::Rule[check_check_certificate_expiry_aux_front_proxy_99cf4f8f014e8fd527800abcc213f494]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cassandra_f5e260f525c48c963fb2e6c86a0d5d63]", "Prometheus::Alert::Rule[check_check_certificate_expiry_cloud_wmnet_ca_f87f54115f2f782169eed72541c30a1e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_debmonitor_224e2ac3574a9ce482218106d95a2931]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery2026_bf2e3510cb63e5f05f545e816bab4edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_discovery_38e4dbcfd07ed60daf5bb89397abbe29]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_4384c5ebc49e03dbe331e279fac3f393]", "Prometheus::Alert::Rule[check_check_certificate_expiry_dse_front_proxy_2560f4f577ba169af651cf96bd5dc1ba]", "Prometheus::Alert::Rule[check_check_certificate_expiry_etcd_c834f873297e445663ead81279c0b928]", "Prometheus::Alert::Rule[check_check_certificate_expiry_kafka_22922fd6bc2d570e018cbe5ccd8d1727]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_bfd2f7c6497e1da6323bef48d24f9e8e]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_front_proxy_9d6dd05c8e5e1bb294462d932b24bd1a]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_7cff186656c3cabbca85b5b57d0c8679]", "Prometheus::Alert::Rule[check_check_certificate_expiry_mlserve_staging_front_proxy_b194b5b9b6c9d6e05b9eed8dcfcc40cf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_network_devices_21dac3775d059b8c991626e2ca33f951]", "Prometheus::Alert::Rule[check_check_certificate_expiry_puppet_rsa_c1b324b3d8ac107f8d7483b4017f5edf]", "Prometheus::Alert::Rule[check_check_certificate_expiry_syslog_e3b9b989d5062ce2d267023dfe42fcd8]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_d2a76a31e44e204e2d4788a2698d0e6c]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_front_proxy_4d759acaf0fd7dd3abaa03dc4565aef6]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_f389c556cebfcfc345b3d6802f320045]", "Prometheus::Alert::Rule[check_check_certificate_expiry_wikikube_staging_front_proxy_e515778a769f523fb98a7f642670e011]", "Prometheus::Alert::Rule[check_check_certificate_expiry_zuul_373325faaa689f3e9b058d91d4eb6cdb]", "Prometheus::Alert::Rule[check_check_cfssl-multirootca_status_52832284a5fb8b8ea6f55bb6271912c9]", "Prometheus::Blackbox::Check::Http[PKI_aux]", "Prometheus::Blackbox::Check::Http[PKI_aux_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_cassandra]", "Prometheus::Blackbox::Check::Http[PKI_cloud_wmnet_ca]", "Prometheus::Blackbox::Check::Http[PKI_debmonitor]", "Prometheus::Blackbox::Check::Http[PKI_discovery2026]", "Prometheus::Blackbox::Check::Http[PKI_discovery]", "Prometheus::Blackbox::Check::Http[PKI_dse]", "Prometheus::Blackbox::Check::Http[PKI_dse_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_etcd]", "Prometheus::Blackbox::Check::Http[PKI_kafka]", "Prometheus::Blackbox::Check::Http[PKI_mlserve]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging]", "Prometheus::Blackbox::Check::Http[PKI_mlserve_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_network_devices]", "Prometheus::Blackbox::Check::Http[PKI_puppet_rsa]", "Prometheus::Blackbox::Check::Http[PKI_syslog]", "Prometheus::Blackbox::Check::Http[PKI_wikikube]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging]", "Prometheus::Blackbox::Check::Http[PKI_wikikube_staging_front_proxy]", "Prometheus::Blackbox::Check::Http[PKI_zuul]", "Prometheus::Node_textfile[prometheus-check-aux-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-aux_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cassandra-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-debmonitor-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-discovery2026-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-dse_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-etcd-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-kafka-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-network_devices-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-puppet_rsa-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-syslog-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Prometheus::Node_textfile[prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[cfssl-gc-expired-certs]", "Rsyslog::Conf[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Rsyslog::Conf[cfssl-ocsprefresh-aux]", "Rsyslog::Conf[cfssl-ocsprefresh-aux_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-cassandra]", "Rsyslog::Conf[cfssl-ocsprefresh-cloud_wmnet_ca]", "Rsyslog::Conf[cfssl-ocsprefresh-debmonitor]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery2026]", "Rsyslog::Conf[cfssl-ocsprefresh-discovery]", "Rsyslog::Conf[cfssl-ocsprefresh-dse]", "Rsyslog::Conf[cfssl-ocsprefresh-dse_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-etcd]", "Rsyslog::Conf[cfssl-ocsprefresh-kafka]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-network_devices]", "Rsyslog::Conf[cfssl-ocsprefresh-puppet_rsa]", "Rsyslog::Conf[cfssl-ocsprefresh-syslog]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging]", "Rsyslog::Conf[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Rsyslog::Conf[cfssl-ocsprefresh-zuul]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cassandra]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_discovery]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_etcd]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_kafka]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_network_devices]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_syslog]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Rsyslog::Conf[nrpe2nodexp-check_certificate_expiry_zuul]", "Rsyslog::Conf[nrpe2nodexp-check_cfssl-multirootca_status]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Rsyslog::Conf[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Rsyslog::Conf[wmf_auto_restart_apache-htcacheclean]", "Rsyslog::Conf[wmf_auto_restart_apache2]", "Service[apache-htcacheclean]", "Service[apache2]", "Service[cfssl-gc-expired-certs.timer]", "Service[cfssl-multirootca]", "Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Service[cfssl-ocsprefresh-aux.timer]", "Service[cfssl-ocsprefresh-aux_front_proxy.timer]", "Service[cfssl-ocsprefresh-cassandra.timer]", "Service[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Service[cfssl-ocsprefresh-debmonitor.timer]", "Service[cfssl-ocsprefresh-discovery.timer]", "Service[cfssl-ocsprefresh-discovery2026.timer]", "Service[cfssl-ocsprefresh-dse.timer]", "Service[cfssl-ocsprefresh-dse_front_proxy.timer]", "Service[cfssl-ocsprefresh-etcd.timer]", "Service[cfssl-ocsprefresh-kafka.timer]", "Service[cfssl-ocsprefresh-mlserve.timer]", "Service[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Service[cfssl-ocsprefresh-mlserve_staging.timer]", "Service[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-network_devices.timer]", "Service[cfssl-ocsprefresh-puppet_rsa.timer]", "Service[cfssl-ocsprefresh-syslog.timer]", "Service[cfssl-ocsprefresh-wikikube.timer]", "Service[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Service[cfssl-ocsprefresh-wikikube_staging.timer]", "Service[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Service[cfssl-ocsprefresh-zuul.timer]", "Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Service[cfssl-ocspserve@aux]", "Service[cfssl-ocspserve@aux_front_proxy]", "Service[cfssl-ocspserve@cassandra]", "Service[cfssl-ocspserve@cloud_wmnet_ca]", "Service[cfssl-ocspserve@debmonitor]", "Service[cfssl-ocspserve@discovery2026]", "Service[cfssl-ocspserve@discovery]", "Service[cfssl-ocspserve@dse]", "Service[cfssl-ocspserve@dse_front_proxy]", "Service[cfssl-ocspserve@etcd]", "Service[cfssl-ocspserve@kafka]", "Service[cfssl-ocspserve@mlserve]", "Service[cfssl-ocspserve@mlserve_front_proxy]", "Service[cfssl-ocspserve@mlserve_staging]", "Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Service[cfssl-ocspserve@network_devices]", "Service[cfssl-ocspserve@puppet_rsa]", "Service[cfssl-ocspserve@syslog]", "Service[cfssl-ocspserve@wikikube]", "Service[cfssl-ocspserve@wikikube_front_proxy]", "Service[cfssl-ocspserve@wikikube_staging]", "Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Service[cfssl-ocspserve@zuul]", "Service[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Service[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Service[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Service[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Service[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Service[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Service[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Service[wmf_auto_restart_apache-htcacheclean.timer]", "Service[wmf_auto_restart_apache2.timer]", "Sudo::User[nrpe-check_check_certificate_expiry_aux]", "Sudo::User[nrpe-check_check_certificate_expiry_aux_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_cassandra]", "Sudo::User[nrpe-check_check_certificate_expiry_cloud_wmnet_ca]", "Sudo::User[nrpe-check_check_certificate_expiry_debmonitor]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery2026]", "Sudo::User[nrpe-check_check_certificate_expiry_discovery]", "Sudo::User[nrpe-check_check_certificate_expiry_dse]", "Sudo::User[nrpe-check_check_certificate_expiry_dse_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_etcd]", "Sudo::User[nrpe-check_check_certificate_expiry_kafka]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_mlserve_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_network_devices]", "Sudo::User[nrpe-check_check_certificate_expiry_puppet_rsa]", "Sudo::User[nrpe-check_check_certificate_expiry_syslog]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging]", "Sudo::User[nrpe-check_check_certificate_expiry_wikikube_staging_front_proxy]", "Sudo::User[nrpe-check_check_certificate_expiry_zuul]", "Sudo::User[nrpe-check_check_cfssl-multirootca_status]", "Sudo::User[nrpe_certificate_check_aux]", "Sudo::User[nrpe_certificate_check_aux_front_proxy]", "Sudo::User[nrpe_certificate_check_cassandra]", "Sudo::User[nrpe_certificate_check_cloud_wmnet_ca]", "Sudo::User[nrpe_certificate_check_debmonitor]", "Sudo::User[nrpe_certificate_check_discovery2026]", "Sudo::User[nrpe_certificate_check_discovery]", "Sudo::User[nrpe_certificate_check_dse]", "Sudo::User[nrpe_certificate_check_dse_front_proxy]", "Sudo::User[nrpe_certificate_check_etcd]", "Sudo::User[nrpe_certificate_check_kafka]", "Sudo::User[nrpe_certificate_check_mlserve]", "Sudo::User[nrpe_certificate_check_mlserve_front_proxy]", "Sudo::User[nrpe_certificate_check_mlserve_staging]", "Sudo::User[nrpe_certificate_check_mlserve_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_network_devices]", "Sudo::User[nrpe_certificate_check_puppet_rsa]", "Sudo::User[nrpe_certificate_check_syslog]", "Sudo::User[nrpe_certificate_check_wikikube]", "Sudo::User[nrpe_certificate_check_wikikube_front_proxy]", "Sudo::User[nrpe_certificate_check_wikikube_staging]", "Sudo::User[nrpe_certificate_check_wikikube_staging_front_proxy]", "Sudo::User[nrpe_certificate_check_zuul]", "Systemd::Monitor[cfssl-multirootca]", "Systemd::Override[apache2-after-network-online-target]", "Systemd::Service[cfssl-gc-expired-certs]", "Systemd::Service[cfssl-multirootca]", "Systemd::Service[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocsprefresh-aux]", "Systemd::Service[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-cassandra]", "Systemd::Service[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Service[cfssl-ocsprefresh-debmonitor]", "Systemd::Service[cfssl-ocsprefresh-discovery2026]", "Systemd::Service[cfssl-ocsprefresh-discovery]", "Systemd::Service[cfssl-ocsprefresh-dse]", "Systemd::Service[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-etcd]", "Systemd::Service[cfssl-ocsprefresh-kafka]", "Systemd::Service[cfssl-ocsprefresh-mlserve]", "Systemd::Service[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Service[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-network_devices]", "Systemd::Service[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Service[cfssl-ocsprefresh-syslog]", "Systemd::Service[cfssl-ocsprefresh-wikikube]", "Systemd::Service[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Service[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocsprefresh-zuul]", "Systemd::Service[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Service[cfssl-ocspserve@aux]", "Systemd::Service[cfssl-ocspserve@aux_front_proxy]", "Systemd::Service[cfssl-ocspserve@cassandra]", "Systemd::Service[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Service[cfssl-ocspserve@debmonitor]", "Systemd::Service[cfssl-ocspserve@discovery2026]", "Systemd::Service[cfssl-ocspserve@discovery]", "Systemd::Service[cfssl-ocspserve@dse]", "Systemd::Service[cfssl-ocspserve@dse_front_proxy]", "Systemd::Service[cfssl-ocspserve@etcd]", "Systemd::Service[cfssl-ocspserve@kafka]", "Systemd::Service[cfssl-ocspserve@mlserve]", "Systemd::Service[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Service[cfssl-ocspserve@mlserve_staging]", "Systemd::Service[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@network_devices]", "Systemd::Service[cfssl-ocspserve@puppet_rsa]", "Systemd::Service[cfssl-ocspserve@syslog]", "Systemd::Service[cfssl-ocspserve@wikikube]", "Systemd::Service[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Service[cfssl-ocspserve@wikikube_staging]", "Systemd::Service[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Service[cfssl-ocspserve@zuul]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Service[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Service[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Service[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Service[wmf_auto_restart_apache-htcacheclean]", "Systemd::Service[wmf_auto_restart_apache2]", "Systemd::Syslog[cfssl-gc-expired-certs]", "Systemd::Syslog[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Syslog[cfssl-ocsprefresh-aux]", "Systemd::Syslog[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-cassandra]", "Systemd::Syslog[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Syslog[cfssl-ocsprefresh-debmonitor]", "Systemd::Syslog[cfssl-ocsprefresh-discovery2026]", "Systemd::Syslog[cfssl-ocsprefresh-discovery]", "Systemd::Syslog[cfssl-ocsprefresh-dse]", "Systemd::Syslog[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-etcd]", "Systemd::Syslog[cfssl-ocsprefresh-kafka]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Syslog[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-network_devices]", "Systemd::Syslog[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Syslog[cfssl-ocsprefresh-syslog]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Syslog[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Syslog[cfssl-ocsprefresh-zuul]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Syslog[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Syslog[wmf_auto_restart_apache-htcacheclean]", "Systemd::Syslog[wmf_auto_restart_apache2]", "Systemd::Timer::Job[cfssl-gc-expired-certs]", "Systemd::Timer::Job[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux]", "Systemd::Timer::Job[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-cassandra]", "Systemd::Timer::Job[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer::Job[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer::Job[cfssl-ocsprefresh-discovery]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse]", "Systemd::Timer::Job[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-etcd]", "Systemd::Timer::Job[cfssl-ocsprefresh-kafka]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-network_devices]", "Systemd::Timer::Job[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer::Job[cfssl-ocsprefresh-syslog]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer::Job[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer::Job[cfssl-ocsprefresh-zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer::Job[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer::Job[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer::Job[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer::Job[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer::Job[wmf_auto_restart_apache2]", "Systemd::Timer[cfssl-gc-expired-certs]", "Systemd::Timer[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA]", "Systemd::Timer[cfssl-ocsprefresh-aux]", "Systemd::Timer[cfssl-ocsprefresh-aux_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-cassandra]", "Systemd::Timer[cfssl-ocsprefresh-cloud_wmnet_ca]", "Systemd::Timer[cfssl-ocsprefresh-debmonitor]", "Systemd::Timer[cfssl-ocsprefresh-discovery2026]", "Systemd::Timer[cfssl-ocsprefresh-discovery]", "Systemd::Timer[cfssl-ocsprefresh-dse]", "Systemd::Timer[cfssl-ocsprefresh-dse_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-etcd]", "Systemd::Timer[cfssl-ocsprefresh-kafka]", "Systemd::Timer[cfssl-ocsprefresh-mlserve]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging]", "Systemd::Timer[cfssl-ocsprefresh-mlserve_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-network_devices]", "Systemd::Timer[cfssl-ocsprefresh-puppet_rsa]", "Systemd::Timer[cfssl-ocsprefresh-syslog]", "Systemd::Timer[cfssl-ocsprefresh-wikikube]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging]", "Systemd::Timer[cfssl-ocsprefresh-wikikube_staging_front_proxy]", "Systemd::Timer[cfssl-ocsprefresh-zuul]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_aux_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cassandra]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_debmonitor]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery2026]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_discovery]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_dse_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_etcd]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_kafka]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_network_devices]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_puppet_rsa]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_syslog]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy]", "Systemd::Timer[nrpe2nodexp-check_certificate_expiry_zuul]", "Systemd::Timer[nrpe2nodexp-check_cfssl-multirootca_status]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry]", "Systemd::Timer[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry]", "Systemd::Timer[wmf_auto_restart_apache-htcacheclean]", "Systemd::Timer[wmf_auto_restart_apache2]", "Systemd::Unit[apache2-apache2-after-network-online-target]", "Systemd::Unit[cfssl-gc-expired-certs.service]", "Systemd::Unit[cfssl-gc-expired-certs.timer]", "Systemd::Unit[cfssl-multirootca]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.service]", "Systemd::Unit[cfssl-ocsprefresh-Wikimedia_Internal_Root_CA.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux.service]", "Systemd::Unit[cfssl-ocsprefresh-aux.timer]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-aux_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.service]", "Systemd::Unit[cfssl-ocsprefresh-cassandra.timer]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.service]", "Systemd::Unit[cfssl-ocsprefresh-cloud_wmnet_ca.timer]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.service]", "Systemd::Unit[cfssl-ocsprefresh-debmonitor.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery.timer]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.service]", "Systemd::Unit[cfssl-ocsprefresh-discovery2026.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse.service]", "Systemd::Unit[cfssl-ocsprefresh-dse.timer]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-dse_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-etcd.service]", "Systemd::Unit[cfssl-ocsprefresh-etcd.timer]", "Systemd::Unit[cfssl-ocsprefresh-kafka.service]", "Systemd::Unit[cfssl-ocsprefresh-kafka.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-mlserve_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.service]", "Systemd::Unit[cfssl-ocsprefresh-network_devices.timer]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.service]", "Systemd::Unit[cfssl-ocsprefresh-puppet_rsa.timer]", "Systemd::Unit[cfssl-ocsprefresh-syslog.service]", "Systemd::Unit[cfssl-ocsprefresh-syslog.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging.timer]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.service]", "Systemd::Unit[cfssl-ocsprefresh-wikikube_staging_front_proxy.timer]", "Systemd::Unit[cfssl-ocsprefresh-zuul.service]", "Systemd::Unit[cfssl-ocsprefresh-zuul.timer]", "Systemd::Unit[cfssl-ocspserve@Wikimedia_Internal_Root_CA]", "Systemd::Unit[cfssl-ocspserve@aux]", "Systemd::Unit[cfssl-ocspserve@aux_front_proxy]", "Systemd::Unit[cfssl-ocspserve@cassandra]", "Systemd::Unit[cfssl-ocspserve@cloud_wmnet_ca]", "Systemd::Unit[cfssl-ocspserve@debmonitor]", "Systemd::Unit[cfssl-ocspserve@discovery2026]", "Systemd::Unit[cfssl-ocspserve@discovery]", "Systemd::Unit[cfssl-ocspserve@dse]", "Systemd::Unit[cfssl-ocspserve@dse_front_proxy]", "Systemd::Unit[cfssl-ocspserve@etcd]", "Systemd::Unit[cfssl-ocspserve@kafka]", "Systemd::Unit[cfssl-ocspserve@mlserve]", "Systemd::Unit[cfssl-ocspserve@mlserve_front_proxy]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging]", "Systemd::Unit[cfssl-ocspserve@mlserve_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@network_devices]", "Systemd::Unit[cfssl-ocspserve@puppet_rsa]", "Systemd::Unit[cfssl-ocspserve@syslog]", "Systemd::Unit[cfssl-ocspserve@wikikube]", "Systemd::Unit[cfssl-ocspserve@wikikube_front_proxy]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging]", "Systemd::Unit[cfssl-ocspserve@wikikube_staging_front_proxy]", "Systemd::Unit[cfssl-ocspserve@zuul]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_aux_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cassandra.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_cloud_wmnet_ca.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_debmonitor.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_discovery2026.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_dse_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_etcd.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_kafka.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_mlserve_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_network_devices.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_puppet_rsa.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_syslog.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_wikikube_staging_front_proxy.timer]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.service]", "Systemd::Unit[nrpe2nodexp-check_certificate_expiry_zuul.timer]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.service]", "Systemd::Unit[nrpe2nodexp-check_cfssl-multirootca_status.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-aux_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cassandra-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-cloud_wmnet_ca-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-debmonitor-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-discovery2026-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-dse_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-etcd-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-kafka-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-mlserve_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-network_devices-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-puppet_rsa-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-syslog-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-wikikube_staging_front_proxy-certificate-expiry.timer]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.service]", "Systemd::Unit[prometheus-node-textfile-prometheus-check-zuul-certificate-expiry.timer]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.service]", "Systemd::Unit[wmf_auto_restart_apache-htcacheclean.timer]", "Systemd::Unit[wmf_auto_restart_apache2.service]", "Systemd::Unit[wmf_auto_restart_apache2.timer]"], "only_in_other": ["Class[Role::Insetup::Infrastructure_foundations_ferm]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Motd::Message[insetup::infrastructure_foundations_ferm]", "Motd::Script[insetup::infrastructure_foundations_ferm]", "Node[__node_regexp__pki1001.eqiad.]"], "resource_diffs": [{"resource": "Monitoring::Exported_nagios_host[pki1001]", "parameters": "--- Monitoring::Exported_nagios_host[pki1001].orig\n+++ Monitoring::Exported_nagios_host[pki1001]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    hostgroups            => pki_eqiad,asw2-a-eqiad\n+    hostgroups            => insetup_eqiad,asw2-a-eqiad\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ssh]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Class[Puppet::Agent]", "parameters": "--- Class[Puppet::Agent].orig\n+++ Class[Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => PKI server\n+    role_description => Host being setup by Infrastructure Foundations SREs with ferm\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n"}, {"resource": "Concat::Fragment[main]"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    notifications_enabled => True\n+    notifications_enabled => False\n@@\n-    cluster               => pki\n+    cluster               => insetup\n@@\n-    nagios_group          => pki_eqiad\n+    nagios_group          => insetup_eqiad\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Concat_fragment[main]", "content": "--- main.orig\n+++ main\n@@ -14,7 +14,6 @@\n [agent]\n use_srv_records = true\n srv_domain = eqiad.wmnet\n-dns_alt_names = pki.discovery.wmnet\n daemonize = false\n http_connect_timeout = 60\n http_read_timeout = 960"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[apache2]', 'Package[links]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[python3-pymysql]', 'Package[python3-cryptography]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[atop]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[pki1001 ferm_active]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki1001 disk_space]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}, {"resource": "Class[Profile::Puppet::Agent]", "parameters": "--- Class[Profile::Puppet::Agent].orig\n+++ Class[Profile::Puppet::Agent]\n\n@@\n-    dns_alt_names => ['pki.discovery.wmnet']\n+    dns_alt_names => []\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"pki::multirootca\",cluster=\"pki\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::pki::multirootca:\n+role::insetup::infrastructure_foundations_ferm:\n - Infrastructure Foundations"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => pki\n+    cluster => insetup\n"}, {"resource": "Monitoring::Exported_nagios_service[pki1001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki1001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki1001 raid_md]\n\n@@\n-    notifications_enabled => 1\n+    notifications_enabled => 0\n@@\n-    servicegroups         => pki_eqiad\n+    servicegroups         => insetup_eqiad\n"}], "perc_changed": "44.15%"}}}