Compilation results for pki-root1002.eqiad.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	2929
Resources added:	378
Resources removed:	165
Resources modified:	567
Change percentage:	37.90%

Resources only in the new catalog

Service[bacula-fd]
File[/etc/cfssl/ssl/etcd/etcd-key.pem]
File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]
Cfssl::Signer[Wikimedia_Internal_Root_CA]
File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]
Cfssl::Csr[/etc/cfssl/csr/puppet.csr]
Systemd::Timer[wmf_auto_restart_ulogd2]
File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]
Concat_file[/etc/bacula/ssl/cert.pem]
Exec[renew certificate - wikikube_staging_front_proxy]
File[/etc/cfssl/csr/syslog.csr]
Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]
Exec[renew certificate - mlserve_staging]
Exec[Generate cert aux refresh]
Ferm::Rule[drop-blocked-nets]
Package[ulogd2]
File[/etc/cfssl/ssl/zuul/zuul.csr]
Apt::Package_from_component[bacula-trixie]
Exec[Generate cert aux_front_proxy]
Exec[Generate cert wikikube_staging_front_proxy]
File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]
Cfssl::Csr[/etc/cfssl/csr/aux.csr]
File[/var/log/wmf_auto_restart_ulogd2]
File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]
Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]
File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]
Exec[Generate cert wikikube refresh]
Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]
Exec[update_alternative_iptables]
Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]
File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]
File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]
File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]
Exec[Generate cert mlserve]
Ferm::Rule[log-everything]
Systemd::Service[wmf_auto_restart_ulogd2]
File[/etc/cfssl/csr/cassandra.csr]
File[/etc/cfssl/ssl/syslog/syslog.csr]
File[/etc/ferm/conf.d/98_log-everything]
Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]
File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]
Exec[Generate cert cassandra]
File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]
Cfssl::Config[Wikimedia_Internal_Root_CA]
File[/etc/cfssl/ssl/discovery2026]
Exec[renew certificate - cloud_wmnet_ca]
File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]
Exec[Generate cert cloud_wmnet_ca]
Exec[renew certificate - puppet]
Exec[Generate cert zuul]
Exec[renew certificate - wikikube]
File[/etc/cfssl/csr/wikikube_staging.csr]
File[/etc/cfssl/ssl/mlserve/mlserve.csr]
Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]
Exec[Generate cert etcd refresh]
Logrotate::Conf[wmf_auto_restart_ulogd2]
File[/etc/cfssl/ssl/dse]
File[/etc/cfssl/ssl/puppet/puppet.pem]
File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]
Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]
Cfssl::Cert[mlserve_front_proxy]
Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]
Systemd::Unit[wmf_auto_restart_ulogd2.timer]
File[/etc/cfssl/ssl/dse_front_proxy]
File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]
Service[wmf_auto_restart_ulogd2.timer]
File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]
Exec[Generate cert cassandra refresh]
Exec[Generate cert wikikube]
File[/etc/sudoers.d/nrpe-check_ferm_active]
Cfssl::Cert[cloud_wmnet_ca]
Ferm::Service[ssh_from_bastion]
File[/etc/cfssl/ssl/mlserve]
Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]
File[/etc/bacula/bacula-fd.conf]
File[/etc/bacula/ssl/server.key]
File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]
File[/etc/bacula/ssl]
Exec[Generate cert dse]
Cfssl::Cert[puppet_rsa]
File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]
Exec[Generate cert mlserve_staging_front_proxy]
Exec[Generate cert mlserve refresh]
Exec[Generate cert wikikube_front_proxy refresh]
File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]
Exec[Generate cert dse_front_proxy]
Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]
Class[Profile::Pki::Root_ca]
Alternatives::Select[ip6tables]
Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]
Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]
Systemd::Timer::Job[wmf_auto_restart_ulogd2]
Motd::Script[pki::root]
File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]
File[/etc/cfssl/ssl/syslog/syslog-key.pem]
File[/etc/cfssl/ssl/cassandra/cassandra.csr]
File[/etc/cfssl/ssl/mlserve_staging_front_proxy]
Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
Cfssl::Csr[/etc/cfssl/csr/dse.csr]
Profile::Auto_restarts::Service[ulogd2]
File[/etc/cfssl/ssl/kafka/kafka.pem]
File[/etc/ferm/conf.d/02_main]
Exec[Generate cert cloud_wmnet_ca refresh]
Exec[renew certificate - puppet_rsa]
File[/etc/cfssl/csr/mlserve.csr]
File[/etc/cfssl/ssl/syslog]
Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]
File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]
File[/etc/cfssl/ssl/cloud_wmnet_ca]
File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]
Exec[Generate cert wikikube_staging_front_proxy refresh]
Systemd::Timer::Job[nrpe2nodexp-ferm_active]
File[/etc/cfssl/ssl/wikikube_staging]
Cfssl::Cert[etcd]
File[/etc/cfssl/csr/discovery2026.csr]
Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]
Exec[Generate cert debmonitor refresh]
File[/etc/rsyslog.d/40-ulogd.conf]
File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]
Cfssl::Cert[wikikube_front_proxy]
Concat_fragment[/etc/bacula_puppet_ca_chain]
Systemd::Service[nrpe2nodexp-ferm_active]
Exec[renew certificate - kafka]
File[/etc/cfssl/ssl/wikikube]
File[/etc/cfssl/ssl/aux/aux-key.pem]
File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]
File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]
Cfssl::Cert[dse]
Package[bacula-common]
Exec[Generate cert network_devices refresh]
File[/etc/ferm/conf.d]
File[/etc/cfssl/ssl/mlserve_front_proxy]
File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]
File[/etc/cfssl/ssl/network_devices/network_devices.csr]
File[/etc/cfssl/ssl/network_devices/network_devices.pem]
Motd::Script[backups-pki-root-cfssl]
Exec[Generate cert puppet_rsa]
Ferm::Conf[defs]
File[/etc/cfssl/csr/puppet.csr]
File_line[auto_restart_file_presence_ulogd2]
Class[Profile::Backup::Host]
File[/etc/ferm/conf.d/98_filter_log_filter-bootp]
Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]
Cfssl::Cert[wikikube]
Exec[Generate cert wikikube_staging refresh]
Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]
Service[ulogd2]
File[/etc/cfssl/ssl/debmonitor]
File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]
Systemd::Unit[nrpe2nodexp-ferm_active.timer]
File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]
File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]
Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]
File[/etc/ferm/conf.d/00_defs]
File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]
File[/etc/cfssl/csr/puppet_rsa.csr]
File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]
Concat[/etc/bacula/ssl/cert.pem]
Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]
Exec[renew certificate - mlserve]
File[/etc/cfssl/ssl/cassandra/cassandra.pem]
File[/etc/cfssl/ssl/mlserve/mlserve.pem]
File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]
File[/etc/cfssl/ssl/wikikube_staging_front_proxy]
File[/etc/cfssl/ssl/etcd/etcd.csr]
Exec[renew certificate - debmonitor]
File[/etc/cfssl/csr/aux.csr]
File[/etc/cfssl/ssl/puppet_rsa]
Cfssl::Cert[wikikube_staging]
Systemd::Timer[nrpe2nodexp-ferm_active]
Exec[Generate cert wikikube_front_proxy]
Backup::Set[pki-root-cfssl]
Concat::Fragment[/etc/bacula_puppet_agent_cert]
Node[__node_regexp__pki-root10012.eqiad.]
File[/etc/logrotate.d/ulogd]
Class[Role::Pki::Root]
File[/etc/cfssl/ssl/syslog/syslog.pem]
File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]
Exec[Generate cert puppet_rsa refresh]
Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]
Exec[Generate cert mlserve_front_proxy refresh]
Concat_fragment[/etc/bacula_puppet_agent_cert]
Class[Bacula::Client]
Exec[Generate cert aux]
Rsyslog::Conf[wmf_auto_restart_ulogd2]
File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]
Exec[renew certificate - wikikube_staging]
File[/etc/cfssl/ssl/kafka/kafka.csr]
Exec[apt_package_from_component_bacula-trixie]
Exec[Generate cert network_devices]
Exec[Generate cert mlserve_front_proxy]
File[/etc/nagios/nrpe.d/check_ferm_active.cfg]
Rsyslog::Conf[nrpe2nodexp-ferm_active]
Cfssl::Cert[dse_front_proxy]
Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]
File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]
Exec[Generate cert puppet]
File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]
File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]
Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]
Exec[Generate cert mlserve_staging]
Ferm::Conf[main]
File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]
File[/etc/cfssl/ssl/kafka/kafka-key.pem]
Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]
File[/etc/cfssl/ssl/dse/dse.csr]
Exec[renew certificate - syslog]
Exec[Generate cert discovery2026]
Alternatives::Select[iptables]
File[/etc/cfssl/csr/mlserve_front_proxy.csr]
Systemd::Override[ferm-service-status-restart]
Cfssl::Cert[puppet]
File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]
File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]
Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]
File[/var/log/ulogd]
Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]
File[/etc/ferm/conf.d/10_ssh_from_bastion]
Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]
Exec[renew certificate - etcd]
File[/etc/cfssl/csr/wikikube_front_proxy.csr]
Cfssl::Cert[discovery2026]
File[/etc/cfssl/ssl/dse/dse.pem]
Cfssl::Cert[aux_front_proxy]
Exec[renew certificate - discovery2026]
Systemd::Syslog[ulogd]
Exec[renew certificate - aux]
File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]
Monitoring::Service[ferm_active]
Exec[update_alternative_ip6tables]
File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]
Systemd::Unit[ferm-ferm-service-status-restart]
File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]
Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]
Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]
File[/etc/cfssl/ssl/kafka]
File[/etc/ferm/conf.d/99_dscp-default]
File[/etc/cfssl/ssl/puppet]
Systemd::Unit[nrpe2nodexp-ferm_active.service]
File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]
File[/etc/default/ferm]
Cfssl::Db[Wikimedia_Internal_Root_CA]
File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]
Package[bacula-fd]
Ferm::Rule[filter_log_filter-bootp]
Cfssl::Csr[/etc/cfssl/csr/etcd.csr]
File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]
File[/etc/cfssl/ssl/zuul/zuul.pem]
File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]
Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]
Cfssl::Cert[cassandra]
Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]
Puppet::Expose_agent_certs[/etc/bacula]
Exec[Generate cert syslog refresh]
Exec[Generate cert zuul refresh]
Exec[renew certificate - network_devices]
Exec[Generate cert dse refresh]
File[/etc/ferm/ferm.conf]
File[/etc/logrotate.d/wmf_auto_restart_ulogd2]
File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]
File[/etc/cfssl/ssl/etcd/etcd.pem]
File[/etc/cfssl/csr/dse_front_proxy.csr]
Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
File[/etc/cfssl/ssl/aux]
File[/etc/cfssl/ssl/wikikube/wikikube.csr]
Nrpe::Monitor_service[ferm_active]
Cfssl::Cert[debmonitor]
Exec[renew certificate - dse_front_proxy]
File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]
Ferm::Service[full_monitoring_metrics_access_tcp]
Exec[Generate cert etcd]
File[/etc/cfssl/ssl/etcd]
Exec[Generate cert dse_front_proxy refresh]
Exec[renew certificate - cassandra]
File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]
Systemd::Syslog[wmf_auto_restart_ulogd2]
File[/etc/cfssl/csr/etcd.csr]
File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]
Exec[create-/etc/bacula-keypair]
File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]
File[/etc/cfssl/ssl/puppet/puppet.csr]
Exec[renew certificate - dse]
File[/etc/cfssl/ssl/zuul]
Cfssl::Cert[aux]
Exec[Generate cert mlserve_staging refresh]
Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]
File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]
Ferm::Service[ssh_from_cumin_masters]
File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]
Logrotate::Conf[ulogd]
Cfssl::Csr[/etc/cfssl/csr/syslog.csr]
Exec[renew certificate - zuul]
Sudo::User[nrpe-check_ferm_active]
File[/etc/cfssl/csr/dse.csr]
Cfssl::Cert[mlserve_staging_front_proxy]
Cfssl::Cert[network_devices]
Exec[Generate cert discovery2026 refresh]
File[/etc/ferm/functions.conf]
File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]
File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]
Ferm::Filter_log[filter-bootp]
Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]
Concat::Fragment[/etc/bacula_puppet_ca_chain]
Systemd::Unit[wmf_auto_restart_ulogd2.service]
Class[Ulogd]
Exec[Generate cert kafka]
Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]
File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]
Cfssl::Cert[wikikube_staging_front_proxy]
Monitoring::Exported_nagios_service[pki-root1002 ferm_active]
Exec[renew certificate - aux_front_proxy]
File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]
File[/etc/cfssl/ssl/aux_front_proxy]
Rsyslog::Conf[ulogd]
Service[ferm]
File[/etc/cfssl/csr/cloud_wmnet_ca.csr]
File[/etc/ulogd.conf]
Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]
File[/etc/cfssl/ssl/aux/aux.pem]
Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]
File[/etc/cfssl/csr/debmonitor.csr]
Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]
Service[nrpe2nodexp-ferm_active.timer]
Exec[renew certificate - wikikube_front_proxy]
File[/etc/cfssl/ssl/wikikube/wikikube.pem]
Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]
Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
File[/etc/bacula/ssl/server.p12]
Exec[Generate cert debmonitor]
File[/etc/bacula/ssl/server-keypair.pem]
File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]
Nrpe::Plugin[check_ferm]
Cfssl::Cert[zuul]
Nrpe::Check[check_ferm_active]
File[/etc/cfssl/ssl/aux/aux.csr]
Cfssl::Cert[syslog]
Ferm::Service[full_monitoring_metrics_access_udp]
Cfssl::Cert[mlserve_staging]
File[/etc/cfssl/csr/aux_front_proxy.csr]
File[/etc/cfssl/ssl/mlserve_staging]
File[/etc/ferm/conf.d/01_drop-blocked-nets]
File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]
File[/etc/systemd/system/ferm.service.d]
File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]
File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]
File[/etc/cfssl/ssl/zuul/zuul-key.pem]
File[/etc/cfssl/ssl/cassandra]
Class[Profile::Firewall::Log::Ferm]
Exec[Generate cert puppet refresh]
Exec[Generate cert kafka refresh]
Cfssl::Cert[mlserve]
Motd::Message[pki::root]
File[/etc/cfssl/ssl/puppet/puppet-key.pem]
File[/etc/cfssl/ssl/network_devices]
File[/etc/cfssl/csr/network_devices.csr]
File[/etc/update-motd.d/05-pki--root]
Ferm::Rule[dscp-default]
Exec[Generate cert syslog]
File[/etc/cfssl/csr/kafka.csr]
Exec[Generate cert aux_front_proxy refresh]
File[/etc/cfssl/ssl/wikikube_front_proxy]
Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]
File[/etc/update-motd.d/06-backups-pki-root-cfssl]
File[/etc/cfssl/csr/wikikube.csr]
File[/usr/local/lib/nagios/plugins/check_ferm]
Exec[Generate cert mlserve_staging_front_proxy refresh]
Cfssl::Csr[/etc/cfssl/csr/kafka.csr]
File[/etc/cfssl/csr/mlserve_staging.csr]
Exec[Generate cert wikikube_staging]
File[/etc/cfssl/ssl/dse/dse-key.pem]
Exec[renew certificate - mlserve_front_proxy]
File[/etc/cfssl/csr/zuul.csr]
File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]
Cfssl::Cert[kafka]
Exec[renew certificate - mlserve_staging_front_proxy]
File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]
Cfssl::Csr[/etc/cfssl/csr/zuul.csr]

Resources only in the old catalog

File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]
File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]
File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]
Systemd::Service[nftables]
File[/var/log/prometheus-node-textfile-check-nft]
File[/etc/nftables/prerouting]
File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]
Nftables::File[base]
Nftables::Set[KAFKA_BROKERS_LOGGING]
File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]
File[/etc/nftables/forward]
File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]
File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]
Rsyslog::Conf[prometheus-node-textfile-check-nft]
File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]
File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]
Nftables::Set[DEPLOYMENT_HOSTS]
File[/etc/nftables/sets]
File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]
Nftables::Set[KAFKAMON_HOSTS]
File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]
File[/usr/local/bin/check-nft]
File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]
File[/etc/nftables/postrouting]
File[/etc/nftables/input/10_ssh-from-bastion.nft]
File[/etc/logrotate.d/prometheus-node-textfile-check-nft]
Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]
File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]
Nftables::Set[DRUID_PUBLIC_HOSTS]
Class[Role::Insetup::Infrastructure_foundations_nftables]
File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]
File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]
File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]
File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]
Systemd::Unmask[nftables.service]
Nftables::Set[LINK_LOCAL]
Nftables::Service[ssh-from-cumin-masters]
File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]
File[/etc/nftables.conf]
File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]
Systemd::Service[prometheus-node-textfile-check-nft]
File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]
File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]
File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]
File[/etc/nftables/sets/CACHES_ipv4.nft]
File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]
File[/etc/systemd/system/nftables.service.d]
Nftables::Set[MONITORING_HOSTS]
File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]
Motd::Script[insetup::infrastructure_foundations_nftables]
Service[nftables]
File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]
Nftables::Set[KAFKA_BROKERS_MAIN]
Service[prometheus-node-textfile-check-nft.timer]
File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]
File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]
Nftables::Service[full-monitoring-metrics-access-udp]
File[/etc/nftables/notrack]
Class[Profile::Firewall::Nftables_base_sets]
Systemd::Unit[prometheus-node-textfile-check-nft.service]
Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]
File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]
Systemd::Syslog[prometheus-node-textfile-check-nft]
File[/etc/nftables/sets/CACHES_ipv6.nft]
Logrotate::Conf[prometheus-node-textfile-check-nft]
Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]
Nftables::Set[LABS_NETWORKS]
File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]
File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]
File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]
File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]
File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]
File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]
Nftables::Set[SANDBOX_NETWORKS]
File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]
File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]
File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]
Nftables::Set[CUMIN_MASTERS]
Nftables::Service[full-monitoring-metrics-access-tcp]
Nftables::Set[PROMETHEUS_HOSTS]
Nftables::Set[INTERNAL]
Systemd::Unit[prometheus-node-textfile-check-nft.timer]
File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]
File[/etc/nftables/main.nft]
Nftables::Set[CLOUD_NETWORKS_PUBLIC]
File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]
Nftables::Set[ZOOKEEPER_HOSTS_MAIN]
File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]
Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]
Nftables::Service[ssh-from-bastion]
Nftables::Set[BASTION_HOSTS]
File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]
Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]
Exec[unmask_nftables.service]
Nftables::Set[DOMAIN_NETWORKS]
File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]
Nftables::Set[STAGING_KUBEPODS_NETWORKS]
Nftables::Set[KAFKA_BROKERS_JUMBO]
File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]
File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]
File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]
File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]
File[/etc/nftables/100_base_puppet.nft]
Nftables::Set[ZOOKEEPER_FLINK_HOSTS]
Nftables::Set[CACHES]
File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]
File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]
Class[Nftables]
File[/etc/nftables/input]
File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]
File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]
Systemd::Unit[nftables]
File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]
Nftables::Set[NETWORK_INFRA]
Nftables::Set[PRODUCTION_NETWORKS]
File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]
File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]
File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]
Nftables::Set[CLOUD_PRIVATE_NETWORKS]
Motd::Message[insetup::infrastructure_foundations_nftables]
File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]
File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]
File[/etc/nftables/]
Prometheus::Node_textfile[check-nft]
File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/INTERNAL_ipv6.nft]
File[/etc/nftables/output]
File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]
File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]
Nftables::Set[AUX_KUBEPODS_NETWORKS]
File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]
File[/etc/nftables/sets/INTERNAL_ipv4.nft]
Nftables::Set[FRACK_NETWORKS]
File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]
Systemd::Timer[prometheus-node-textfile-check-nft]
File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]
Systemd::Timer::Job[prometheus-node-textfile-check-nft]
Nftables::Set[MW_APPSERVER_NETWORKS]
Exec[systemd daemon-reload for nftables.service (nftables)]
File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]
File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]
File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]
Nftables::Set[INSTALL_HOSTS]
File[/etc/systemd/system/nftables.service.d/puppet-override.conf]
File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]
Nftables::Set[MYSQL_ROOT_CLIENTS]
Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]
Nftables::Set[DSE_KUBEPODS_NETWORKS]
Nftables::Set[LABSTORE_HOSTS]
File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]
Node[__node_regexp__pki-root1002.eqiad.]
File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]
Package[nftables]
File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]
File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]
File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]
Nftables::Set[CLOUD_NETWORKS]
Nftables::Set[MGMT_NETWORKS]
Nftables::Set[ANALYTICS_NETWORKS]
File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]

Resources modified

File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft
@@ -1,183 +0,0 @@
-# Autogenerated by puppet
-set PRODUCTION_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2001:df2:e500:101::/64,
-             2001:df2:e500:103::/64,
-             2001:df2:e500:1::/64,
-             2001:df2:e500:3::/64,
-             2001:df2:e500:ed1a::/64,
-             2620:0:860:100::/64,
-             2620:0:860:101::/64,
-             2620:0:860:102::/64,
-             2620:0:860:103::/64,
-             2620:0:860:104::/64,
-             2620:0:860:105::/64,
-             2620:0:860:106::/64,
-             2620:0:860:107::/64,
-             2620:0:860:108::/64,
-             2620:0:860:109::/64,
-             2620:0:860:10a::/64,
-             2620:0:860:10b::/64,
-             2620:0:860:10c::/64,
-             2620:0:860:10d::/64,
-             2620:0:860:10e::/64,
-             2620:0:860:10f::/64,
-             2620:0:860:110::/64,
-             2620:0:860:111::/64,
-             2620:0:860:112::/64,
-             2620:0:860:113::/64,
-             2620:0:860:114::/64,
-             2620:0:860:115::/64,
-             2620:0:860:116::/64,
-             2620:0:860:118::/64,
-             2620:0:860:119::/64,
-             2620:0:860:11a::/64,
-             2620:0:860:11b::/64,
-             2620:0:860:11c::/64,
-             2620:0:860:11d::/64,
-             2620:0:860:11e::/64,
-             2620:0:860:11f::/64,
-             2620:0:860:120::/64,
-             2620:0:860:121::/64,
-             2620:0:860:122::/64,
-             2620:0:860:123::/64,
-             2620:0:860:124::/64,
-             2620:0:860:125::/64,
-             2620:0:860:126::/64,
-             2620:0:860:127::/64,
-             2620:0:860:12b::/64,
-             2620:0:860:12c::/64,
-             2620:0:860:12d::/64,
-             2620:0:860:12e::/64,
-             2620:0:860:140::/64,
-             2620:0:860:1::/64,
-             2620:0:860:2::/64,
-             2620:0:860:300::/64,
-             2620:0:860:301::/64,
-             2620:0:860:302::/64,
-             2620:0:860:303::/64,
-             2620:0:860:304::/64,
-             2620:0:860:305::/64,
-             2620:0:860:307::/64,
-             2620:0:860:308::/64,
-             2620:0:860:3::/64,
-             2620:0:860:4::/64,
-             2620:0:860:5::/64,
-             2620:0:860:babe::/64,
-             2620:0:860:babf::/64,
-             2620:0:860:cabe::/64,
-             2620:0:860:cabf::/64,
-             2620:0:860:ed1a::/64,
-             2620:0:861:100::/64,
-             2620:0:861:101::/64,
-             2620:0:861:102::/64,
-             2620:0:861:103::/64,
-             2620:0:861:104::/64,
-             2620:0:861:105::/64,
-             2620:0:861:106::/64,
-             2620:0:861:107::/64,
-             2620:0:861:108::/64,
-             2620:0:861:109::/64,
-             2620:0:861:10a::/64,
-             2620:0:861:10b::/64,
-             2620:0:861:10c::/64,
-             2620:0:861:10d::/64,
-             2620:0:861:10e::/64,
-             2620:0:861:10f::/64,
-             2620:0:861:110::/64,
-             2620:0:861:111::/64,
-             2620:0:861:112::/64,
-             2620:0:861:113::/64,
-             2620:0:861:114::/64,
-             2620:0:861:115::/64,
-             2620:0:861:116::/64,
-             2620:0:861:117::/64,
-             2620:0:861:118::/64,
-             2620:0:861:119::/64,
-             2620:0:861:11a::/64,
-             2620:0:861:11c::/64,
-             2620:0:861:11d::/64,
-             2620:0:861:11e::/64,
-             2620:0:861:11f::/64,
-             2620:0:861:120::/64,
-             2620:0:861:121::/64,
-             2620:0:861:122::/64,
-             2620:0:861:123::/64,
-             2620:0:861:124::/64,
-             2620:0:861:125::/64,
-             2620:0:861:126::/64,
-             2620:0:861:127::/64,
-             2620:0:861:128::/64,
-             2620:0:861:129::/64,
-             2620:0:861:12a::/64,
-             2620:0:861:12b::/64,
-             2620:0:861:12c::/64,
-             2620:0:861:12d::/64,
-             2620:0:861:12e::/64,
-             2620:0:861:12f::/64,
-             2620:0:861:131::/64,
-             2620:0:861:132::/64,
-             2620:0:861:133::/64,
-             2620:0:861:134::/64,
-             2620:0:861:135::/64,
-             2620:0:861:136::/64,
-             2620:0:861:137::/64,
-             2620:0:861:138::/64,
-             2620:0:861:139::/64,
-             2620:0:861:13a::/64,
-             2620:0:861:13b::/64,
-             2620:0:861:13c::/64,
-             2620:0:861:13d::/64,
-             2620:0:861:13e::/64,
-             2620:0:861:13f::/64,
-             2620:0:861:140::/64,
-             2620:0:861:141::/64,
-             2620:0:861:142::/64,
-             2620:0:861:143::/64,
-             2620:0:861:144::/64,
-             2620:0:861:145::/64,
-             2620:0:861:1::/64,
-             2620:0:861:2::/64,
-             2620:0:861:300::/64,
-             2620:0:861:301::/116,
-             2620:0:861:302::/64,
-             2620:0:861:303::/116,
-             2620:0:861:304::/116,
-             2620:0:861:305::/64,
-             2620:0:861:3::/64,
-             2620:0:861:4::/64,
-             2620:0:861:babe::/64,
-             2620:0:861:babf::/116,
-             2620:0:861:cabe::/64,
-             2620:0:861:cabf::/116,
-             2620:0:861:ed1a::/64,
-             2620:0:863:101::/64,
-             2620:0:863:102::/64,
-             2620:0:863:103::/64,
-             2620:0:863:1::/64,
-             2620:0:863:2::/64,
-             2620:0:863:3::/64,
-             2620:0:863:ed1a::/64,
-             2a02:ec80:300:101::/64,
-             2a02:ec80:300:102::/64,
-             2a02:ec80:300:103::/64,
-             2a02:ec80:300:1::/64,
-             2a02:ec80:300:2::/64,
-             2a02:ec80:300:3::/64,
-             2a02:ec80:300:ed1a::/64,
-             2a02:ec80:600:101::/64,
-             2a02:ec80:600:102::/64,
-             2a02:ec80:600:1::/64,
-             2a02:ec80:600:2::/64,
-             2a02:ec80:600:ed1a::/64,
-             2a02:ec80:700:101::/64,
-             2a02:ec80:700:102::/64,
-             2a02:ec80:700:103::/64,
-             2a02:ec80:700:1::/64,
-             2a02:ec80:700:2::/64,
-             2a02:ec80:700:3::/64,
-             2a02:ec80:700:ed1a::/64
-    }
-}

File[/etc/cfssl/csr/syslog.csr]

Parameters differences:

--- File[/etc/cfssl/csr/syslog.csr].orig
+++ File[/etc/cfssl/csr/syslog.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/syslog.csr.orig
+++ /etc/cfssl/csr/syslog.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "syslog",
+  "hosts": [
+    "syslog"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[MLSERVE_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.67.16.0/21', '2620:0:861:300::/64', '10.194.16.0/21', '2620:0:860:300::/64']

Exec[renew certificate - mlserve_staging]

Parameters differences:

--- Exec[renew certificate - mlserve_staging].orig
+++ Exec[renew certificate - mlserve_staging]

+    require     => Exec[Generate cert mlserve_staging]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem -checkend 952200

Exec[Generate cert aux refresh]

Parameters differences:

--- Exec[Generate cert aux refresh].orig
+++ Exec[Generate cert aux refresh]

+    subscribe   => File[/etc/cfssl/csr/aux.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux/aux

File[/etc/cfssl/ssl/zuul/zuul.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/zuul/zuul.csr].orig
+++ File[/etc/cfssl/ssl/zuul/zuul.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Class[Profile::Cumin::Target]

Parameters differences:

--- Class[Profile::Cumin::Target].orig
+++ Class[Profile::Cumin::Target]

@@
-    cluster => insetup
+    cluster => pki

File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr].orig
+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Cfssl::Csr[/etc/cfssl/csr/aux.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/aux.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/aux.csr]

+    ensure      => present
+    common_name => aux
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem].orig
+++ File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Class[Monitoring]

Parameters differences:

--- Class[Monitoring].orig
+++ Class[Monitoring]

@@
-    nagios_group          => insetup_eqiad
+    nagios_group          => pki_eqiad
@@
-    cluster               => insetup
+    cluster               => pki
@@
-    notifications_enabled => False
+    notifications_enabled => True

File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/cassandra/cassandra-key.pem].orig
+++ File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ssh_from_cumin_masters].orig
+++ File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_ssh_from_cumin_masters.orig
+++ /etc/ferm/conf.d/10_ssh_from_cumin_masters
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 22, $CUMIN_MASTERS);
+
+

Exec[Generate cert cassandra]

Parameters differences:

--- Exec[Generate cert cassandra].orig
+++ Exec[Generate cert cassandra]

+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/cassandra/cassandra.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/cassandra/cassandra-key.pem 2>&1)"

File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.service].orig
+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]

-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]
-    mode   => 0444
-    group  => root
-    ensure => present
-    owner  => root

Content differences:

--- /lib/systemd/system/prometheus-node-textfile-check-nft.service.orig
+++ /lib/systemd/system/prometheus-node-textfile-check-nft.service
@@ -1,8 +0,0 @@
-[Unit]
-Description=Systemd timer to gather node metrics for check-nft
-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/usr/local/bin/check-nft

Cfssl::Config[Wikimedia_Internal_Root_CA]

Parameters differences:

--- Cfssl::Config[Wikimedia_Internal_Root_CA].orig
+++ Cfssl::Config[Wikimedia_Internal_Root_CA]

+    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA
+    default_crl_url     => http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA
+    profiles            => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}
+    default_auth_key    => default_auth
+    path                => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf
+    default_auth_remote => {}
+    remotes             => {}
+    ensure              => present
+    default_usages      => ['signing', 'key encipherment', 'client auth']
+    default_expiry      => 672h
+    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}

File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig
+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft].orig
+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft.orig
+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_NETWORKS_PUBLIC_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2a02:ec80:a000:4000::/64,
-             2a02:ec80:a100:4000::/64
-    }
-}

Exec[renew certificate - puppet]

Parameters differences:

--- Exec[renew certificate - puppet].orig
+++ Exec[renew certificate - puppet]

+    require     => Exec[Generate cert puppet]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/puppet/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet/puppet.pem -checkend 952200

File[/etc/cfssl/csr/wikikube_staging.csr]

Parameters differences:

--- File[/etc/cfssl/csr/wikikube_staging.csr].orig
+++ File[/etc/cfssl/csr/wikikube_staging.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/wikikube_staging.csr.orig
+++ /etc/cfssl/csr/wikikube_staging.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "wikikube_staging",
+  "hosts": [
+    "wikikube_staging"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft.orig
+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft
@@ -1,11 +0,0 @@
-# Autogenerated by puppet
-set MYSQL_ROOT_CLIENTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.16.90,
-             10.192.16.191,
-             10.64.16.154,
-             10.192.32.49,
-             208.80.154.9,
-             10.64.0.20
-    }
-}

Logrotate::Conf[wmf_auto_restart_ulogd2]

Parameters differences:

--- Logrotate::Conf[wmf_auto_restart_ulogd2].orig
+++ Logrotate::Conf[wmf_auto_restart_ulogd2]

+    ensure => present

File[/etc/cfssl/ssl/dse_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/dse_front_proxy].orig
+++ File[/etc/cfssl/ssl/dse_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Service[wmf_auto_restart_ulogd2.timer]

Parameters differences:

--- Service[wmf_auto_restart_ulogd2.timer].orig
+++ Service[wmf_auto_restart_ulogd2.timer]

+    ensure   => running
+    provider => systemd
+    enable   => True

Exec[Generate cert wikikube_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert wikikube_front_proxy refresh].orig
+++ Exec[Generate cert wikikube_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/wikikube_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy

Nftables::Set[CLOUD_NETWORKS]

Parameters differences:

--- Nftables::Set[CLOUD_NETWORKS].orig
+++ Nftables::Set[CLOUD_NETWORKS]

-    ensure => present
-    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']

Alternatives::Select[ip6tables]

Parameters differences:

--- Alternatives::Select[ip6tables].orig
+++ Alternatives::Select[ip6tables]

+    path    => /usr/sbin/ip6tables-legacy
+    require => Package[iptables]

Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/mlserve.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]

+    ensure      => present
+    common_name => mlserve
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft
@@ -1,14 +0,0 @@
-# Autogenerated by puppet
-set MGMT_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.65.0.0/16,
-             10.128.128.0/17,
-             10.193.0.0/16,
-             10.80.128.0/17,
-             10.132.128.0/17,
-             10.136.128.0/17,
-             10.140.128.0/17
-    }
-}

File[/etc/cfssl/ssl/cassandra/cassandra.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/cassandra/cassandra.csr].orig
+++ File[/etc/cfssl/ssl/cassandra/cassandra.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set MLSERVE_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:300::/64,
-             2620:0:860:300::/64
-    }
-}

Exec[renew certificate - puppet_rsa]

Parameters differences:

--- Exec[renew certificate - puppet_rsa].orig
+++ Exec[renew certificate - puppet_rsa]

+    require     => Exec[Generate cert puppet_rsa]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem -checkend 952200

Nftables::Service[ssh-from-cumin-masters]

Parameters differences:

--- Nftables::Service[ssh-from-cumin-masters].orig
+++ Nftables::Service[ssh-from-cumin-masters]

-    src_sets            => ['CUMIN_MASTERS']
-    desc                => 
-    prio                => 10
-    proto               => tcp
-    unrestricted_access => False
-    notrack             => False
-    ensure              => present
-    port                => 22

Nftables::Set[LABS_NETWORKS]

Parameters differences:

--- Nftables::Set[LABS_NETWORKS].orig
+++ Nftables::Set[LABS_NETWORKS]

-    ensure => present
-    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']

File[/etc/cfssl/ssl/network_devices/network_devices.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/network_devices/network_devices.csr].orig
+++ File[/etc/cfssl/ssl/network_devices/network_devices.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[Generate cert wikikube_staging refresh]

Parameters differences:

--- Exec[Generate cert wikikube_staging refresh].orig
+++ Exec[Generate cert wikikube_staging refresh]

+    subscribe   => File[/etc/cfssl/csr/wikikube_staging.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging

Service[ulogd2]

Parameters differences:

--- Service[ulogd2].orig
+++ Service[ulogd2]

+    ensure  => running
+    require => Package[ulogd2]
+    enable  => True

Class[Profile::Contacts]

Parameters differences:

--- Class[Profile::Contacts].orig
+++ Class[Profile::Contacts]

@@
-    cluster => insetup
+    cluster => pki

Nftables::Set[ZOOKEEPER_FLINK_HOSTS]

Parameters differences:

--- Nftables::Set[ZOOKEEPER_FLINK_HOSTS].orig
+++ Nftables::Set[ZOOKEEPER_FLINK_HOSTS]

-    ensure => present
-    hosts  => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']

Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]

Parameters differences:

--- Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header].orig
+++ Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]

+    tag    => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources
+    source => puppet:///modules/apt/sources-deb822-header.txt
+    order  => 01
+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources

Concat[/etc/bacula/ssl/cert.pem]

Parameters differences:

--- Concat[/etc/bacula/ssl/cert.pem].orig
+++ Concat[/etc/bacula/ssl/cert.pem]

+    show_diff      => True
+    backup         => puppet
+    replace        => True
+    format         => plain
+    ensure_newline => False
+    force          => False
+    path           => /etc/bacula/ssl/cert.pem
+    warn           => False
+    mode           => 0644
+    ensure         => present
+    order          => alpha

File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft
@@ -1,22 +0,0 @@
-# Autogenerated by puppet
-set FRACK_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.195.0.0/27,
-             10.195.0.128/29,
-             10.195.0.32/27,
-             10.195.0.64/28,
-             10.195.0.80/29,
-             10.195.0.96/27,
-             10.195.1.0/25,
-             10.64.40.0/27,
-             10.64.40.160/27,
-             10.64.40.192/26,
-             10.64.40.32/27,
-             10.64.40.64/27,
-             10.64.40.96/27,
-             208.80.152.224/28,
-             208.80.155.0/27
-    }
-}

File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]

Parameters differences:

--- File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list].orig
+++ File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]

+    ensure => absent
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/wikikube_staging_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy].orig
+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/cfssl/csr/aux.csr]

Parameters differences:

--- File[/etc/cfssl/csr/aux.csr].orig
+++ File[/etc/cfssl/csr/aux.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/aux.csr.orig
+++ /etc/cfssl/csr/aux.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "aux",
+  "hosts": [
+    "aux"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft
@@ -1,27 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 172.16.0.0/21,
-             172.16.128.0/24,
-             172.16.129.0/24,
-             172.16.130.0/24,
-             172.16.131.0/24,
-             172.16.16.0/21,
-             172.16.24.0/24,
-             172.16.8.0/21,
-             172.20.1.0/24,
-             172.20.2.0/24,
-             172.20.254.0/24,
-             172.20.255.0/24,
-             172.20.3.0/24,
-             172.20.4.0/24,
-             172.20.5.0/24,
-             185.15.56.0/25,
-             185.15.56.160/28,
-             185.15.57.0/29,
-             185.15.57.16/29,
-             185.15.57.24/29
-    }
-}

File[/etc/systemd/system/nftables.service.d/puppet-override.conf]

Parameters differences:

--- File[/etc/systemd/system/nftables.service.d/puppet-override.conf].orig
+++ File[/etc/systemd/system/nftables.service.d/puppet-override.conf]

-    notify => Exec[systemd daemon-reload for nftables.service (nftables)]
-    mode   => 0444
-    group  => root
-    ensure => present
-    owner  => root

Content differences:

--- /etc/systemd/system/nftables.service.d/puppet-override.conf.orig
+++ /etc/systemd/system/nftables.service.d/puppet-override.conf
@@ -1,5 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/nft -f /etc/nftables/main.nft
-ExecReload=
-ExecReload=/usr/sbin/nft -f /etc/nftables/main.nft

Cfssl::Cert[dse_front_proxy]

Parameters differences:

--- Cfssl::Cert[dse_front_proxy].orig
+++ Cfssl::Cert[dse_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => dse_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Exec[Generate cert mlserve_staging]

Parameters differences:

--- Exec[Generate cert mlserve_staging].orig
+++ Exec[Generate cert mlserve_staging]

+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem 2>&1)"

Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.194.61.0/24', '2620:0:860:302::/64']

Class[Profile::Base]

Parameters differences:

--- Class[Profile::Base].orig
+++ Class[Profile::Base]

@@
-    cluster => insetup
+    cluster => pki

Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]

+    ensure      => present
+    common_name => mlserve_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Cfssl::Cert[discovery2026]

Parameters differences:

--- Cfssl::Cert[discovery2026].orig
+++ Cfssl::Cert[discovery2026]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => discovery2026
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem].orig
+++ File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set MLSERVE_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.67.16.0/21,
-             10.194.16.0/21
-    }
-}

Systemd::Unit[ferm-ferm-service-status-restart]

Parameters differences:

--- Systemd::Unit[ferm-ferm-service-status-restart].orig
+++ Systemd::Unit[ferm-ferm-service-status-restart]

+    override          => True
+    require           => ['Class[Systemd]']
+    source            => puppet:///modules/ferm/ferm_systemd_override
+    ensure            => present
+    unit              => ferm
+    restart           => False
+    override_filename => ferm-service-status-restart

File[/etc/ferm/conf.d/99_dscp-default]

Parameters differences:

--- File[/etc/ferm/conf.d/99_dscp-default].orig
+++ File[/etc/ferm/conf.d/99_dscp-default]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/99_dscp-default.orig
+++ /etc/ferm/conf.d/99_dscp-default
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 99_dscp-default: 
+
+domain (ip ip6) {
+	table mangle {
+		chain POSTROUTING {
+			DSCP set-dscp-class CS0;
+		}
+	}
+}

File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]

Parameters differences:

--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig
+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Cfssl::Db[Wikimedia_Internal_Root_CA]

Parameters differences:

--- Cfssl::Db[Wikimedia_Internal_Root_CA].orig
+++ Cfssl::Db[Wikimedia_Internal_Root_CA]

+    username          => pki
+    dbname            => pki
+    password          => changeme
+    sqlite_path       => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.db
+    driver            => mysql
+    dbcharset         => utf8mb4
+    python_config     => False
+    host              => m1-master.eqiad.wmnet
+    ssl_checkhostname => False
+    conf_file         => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf
+    port              => 3306

File[/etc/cfssl/csr/dse_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/dse_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/dse_front_proxy.csr.orig
+++ /etc/cfssl/csr/dse_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "dse_front_proxy",
+  "hosts": [
+    "dse_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Exec[Generate cert dse_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert dse_front_proxy refresh].orig
+++ Exec[Generate cert dse_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/dse_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy

File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]

Parameters differences:

--- File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf].orig
+++ File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]

+    notify => Service[rsyslog]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf.orig
+++ /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: Apache-2.0
+if $programname contains "nrpe2nodexp-ferm_active" then {
+    if ($msg contains "\"ecs.version\": \"1.7.0\"") then {
+        # Send logs to kafka
+        set $.log_outputs = "kafka ecs_170 local";
+    } else {
+        # Filter out non-relevant nrpe2nodexp messages
+        stop
+    }
+}

File[/etc/cfssl/csr/etcd.csr]

Parameters differences:

--- File[/etc/cfssl/csr/etcd.csr].orig
+++ File[/etc/cfssl/csr/etcd.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/etcd.csr.orig
+++ /etc/cfssl/csr/etcd.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "etcd",
+  "hosts": [
+    "etcd"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Exec[renew certificate - dse]

Parameters differences:

--- Exec[renew certificate - dse].orig
+++ Exec[renew certificate - dse]

+    require     => Exec[Generate cert dse]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/dse/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse/dse.pem -checkend 952200

File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft
@@ -1,15 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_LOGGING_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:102:10:64:16:205,
-             2620:0:861:10c:10:64:133:11,
-             2620:0:861:13d:10:64:183:12,
-             2620:0:861:10a:10:64:131:13,
-             2620:0:861:10e:10:64:135:13,
-             2620:0:860:113:10:192:23:29,
-             2620:0:860:10c:10:192:11:28,
-             2620:0:860:105:10:192:26:22,
-             2620:0:860:10c:10:192:11:27,
-             2620:0:860:11e:10:192:39:25
-    }
-}

Cfssl::Cert[network_devices]

Parameters differences:

--- Cfssl::Cert[network_devices].orig
+++ Cfssl::Cert[network_devices]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => network_devices
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Exec[Generate cert discovery2026 refresh]

Parameters differences:

--- Exec[Generate cert discovery2026 refresh].orig
+++ Exec[Generate cert discovery2026 refresh]

+    subscribe   => File[/etc/cfssl/csr/discovery2026.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026

File[/etc/nftables/input/10_ssh-from-bastion.nft]

Parameters differences:

--- File[/etc/nftables/input/10_ssh-from-bastion.nft].orig
+++ File[/etc/nftables/input/10_ssh-from-bastion.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/input/10_ssh-from-bastion.nft.orig
+++ /etc/nftables/input/10_ssh-from-bastion.nft
@@ -1,4 +0,0 @@
-# Managed by puppet
-# 
-ip saddr { 103.102.166.103, 185.15.58.6, 185.15.59.99, 195.200.68.99, 198.35.26.104, 208.80.153.110, 208.80.154.7 } tcp dport { 22 } accept
-ip6 saddr { 2001:df2:e500:3:103:102:166:103, 2620:0:860:4:208:80:153:110, 2620:0:861:1:208:80:154:7, 2620:0:863:3:198:35:26:104, 2a02:ec80:300:3:185:15:59:99, 2a02:ec80:600:1:185:15:58:6, 2a02:ec80:700:3:195:200:68:99 } tcp dport { 22 } accept

File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem].orig
+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Monitoring::Exported_nagios_service[pki-root1002 ferm_active]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki-root1002 ferm_active].orig
+++ Monitoring::Exported_nagios_service[pki-root1002 ferm_active]

+    host_name              => pki-root1002
+    servicegroups          => pki_eqiad
+    contact_groups         => admins
+    max_check_attempts     => 3
+    active_checks_enabled  => 1
+    notes_url              => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm
+    passive_checks_enabled => 1
+    check_command          => nrpe_check!check_ferm_active!10
+    check_interval         => 30
+    service_description    => Check whether ferm is active by checking the default input chain
+    ensure                 => present
+    retry_interval         => 1
+    check_freshness        => 0
+    notification_options   => c,r,f
+    is_volatile            => 0
+    check_period           => 24x7
+    notification_interval  => 0
+    notification_period    => 24x7
+    notifications_enabled  => 1

File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]

Parameters differences:

--- File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr].orig
+++ File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr.orig
+++ /etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "Wikimedia_Internal_Root_CA",
+  "hosts": [
+    "Wikimedia_Internal_Root_CA"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/ssl/aux_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/aux_front_proxy].orig
+++ File[/etc/cfssl/ssl/aux_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/ulogd.conf]

Parameters differences:

--- File[/etc/ulogd.conf].orig
+++ File[/etc/ulogd.conf]

+    ensure => file
+    notify => Service[ulogd2]
+    owner  => root
+    group  => root

Content differences:

--- /etc/ulogd.conf.orig
+++ /etc/ulogd.conf
@@ -0,0 +1,71 @@
+# MANAGED BY PUPPET
+[global]
+logfile=syslog
+loglevel=3
+
+
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,syslog1:SYSLOG
+
+
+
+
+[ct1]
+
+[ct2]
+hash_enable=0
+
+[mark]
+
+[log1]
+group=0
+
+[log2]
+group=1
+
+[log3]
+group=2
+
+[logemu1]
+sync=1
+file=/var/log/ulog/syslogemu.log
+
+[emunfct1]
+sync=1
+file=/var/log/ulog/syslogemu_nfct.log
+
+[json1]
+sync=1
+file=/var/log/ulog/ulogd.json
+
+[jsonnfct1]
+sync=1
+file=/var/log/ulog/ulogd_nfct.json
+
+
+[oprint1]
+sync=1
+file=/var/log/ulog/oprint.log
+
+[gprint1]
+sync=1
+file=/var/log/ulog/gprint.log
+
+[json1]
+sync=1
+file=/var/log/ulog/ulogd.json
+
+[xml1]
+sync=1
+file=/var/log/ulog/
+
+[pcap1]
+sync=1
+file=
+
+[nacct1]
+sync=1
+file=
+
+[syslog1]
+facility=LOG_LOCAL7
+level=LOG_INFO

Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]

Parameters differences:

--- Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad].orig
+++ Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]

+    fileset     => pki-root-cfssl
+    require     => Class[Bacula::Client]
+    jobdefaults => Monthly-1st-Wed-productionEqiad

Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]

Parameters differences:

--- Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet].orig
+++ Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]

+    desc                => 
+    prio                => 10
+    proto               => tcp
+    srange              => ['backup1014.eqiad.wmnet']
+    unrestricted_access => False
+    notrack             => False
+    ensure              => present
+    port                => 9102

File[/etc/cfssl/ssl/wikikube/wikikube.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube/wikikube.pem].orig
+++ File[/etc/cfssl/ssl/wikikube/wikikube.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Cfssl::Cert[syslog]

Parameters differences:

--- Cfssl::Cert[syslog].orig
+++ Cfssl::Cert[syslog]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => syslog
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/ferm/conf.d/01_drop-blocked-nets]

Parameters differences:

--- File[/etc/ferm/conf.d/01_drop-blocked-nets].orig
+++ File[/etc/ferm/conf.d/01_drop-blocked-nets]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/01_drop-blocked-nets.orig
+++ /etc/ferm/conf.d/01_drop-blocked-nets
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 01_drop-blocked-nets: drop abuse/blocked_nets.yaml defined in the requestctl private repo
+
+domain (ip ip6) {
+	table filter {
+		chain INPUT {
+			saddr $BLOCKED_NETS DROP;
+		}
+	}
+}

File[/etc/cfssl/csr/wikikube.csr]

Parameters differences:

--- File[/etc/cfssl/csr/wikikube.csr].orig
+++ File[/etc/cfssl/csr/wikikube.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/wikikube.csr.orig
+++ /etc/cfssl/csr/wikikube.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "wikikube",
+  "hosts": [
+    "wikikube"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/ssl/dse/dse-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse/dse-key.pem].orig
+++ File[/etc/cfssl/ssl/dse/dse-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Cfssl::Csr[/etc/cfssl/csr/zuul.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/zuul.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/zuul.csr]

+    ensure      => present
+    common_name => zuul
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/discovery2026/discovery2026.csr].orig
+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Systemd::Timer[wmf_auto_restart_ulogd2]

Parameters differences:

--- Systemd::Timer[wmf_auto_restart_ulogd2].orig
+++ Systemd::Timer[wmf_auto_restart_ulogd2]

+    fixed_random_delay => False
+    ensure             => present
+    splay              => 0
+    unit_name          => wmf_auto_restart_ulogd2.service
+    accuracy           => 15sec
+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00'}]

File[/var/log/wmf_auto_restart_ulogd2]

Parameters differences:

--- File[/var/log/wmf_auto_restart_ulogd2].orig
+++ File[/var/log/wmf_auto_restart_ulogd2]

+    mode   => 0755
+    backup => False
+    group  => root
+    ensure => directory
+    owner  => root
+    force  => True

Exec[Generate cert wikikube refresh]

Parameters differences:

--- Exec[Generate cert wikikube refresh].orig
+++ Exec[Generate cert wikikube refresh]

+    subscribe   => File[/etc/cfssl/csr/wikikube.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube

File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft.orig
+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft
@@ -1,43 +0,0 @@
-# Autogenerated by puppet
-set LOAD_BALANCER_HEALTH_CHECKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:101::/64,
-             2620:0:861:102::/64,
-             2620:0:861:103::/64,
-             2620:0:861:107::/64,
-             2620:0:861:109::/64,
-             2620:0:861:10a::/64,
-             2620:0:861:10b::/64,
-             2620:0:861:10d::/64,
-             2620:0:861:10e::/64,
-             2620:0:861:10f::/64,
-             2620:0:861:119::/64,
-             2620:0:861:10c::/64,
-             2620:0:861:113::/64,
-             2620:0:861:131::/64,
-             2620:0:861:133::/64,
-             2620:0:861:135::/64,
-             2620:0:861:137::/64,
-             2620:0:861:139::/64,
-             2620:0:861:13b::/64,
-             2620:0:861:13d::/64,
-             2620:0:861:13f::/64,
-             2620:0:861:142::/64,
-             2620:0:861:144::/64,
-             2620:0:860:101::/64,
-             2620:0:860:102::/64,
-             2620:0:860:103::/64,
-             2620:0:860:104::/64,
-             2a02:ec80:300:101::/64,
-             2a02:ec80:300:102::/64,
-             2620:0:863:101::/64,
-             2620:0:863:102::/64,
-             2001:df2:e500:101::/64,
-             2a02:ec80:600:101::/64,
-             2a02:ec80:600:102::/64,
-             2a02:ec80:700:101::/64,
-             2a02:ec80:700:102::/64
-    }
-}

File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer].orig
+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]

-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]
-    mode   => 0444
-    group  => root
-    ensure => present
-    owner  => root

Content differences:

--- /lib/systemd/system/prometheus-node-textfile-check-nft.timer.orig
+++ /lib/systemd/system/prometheus-node-textfile-check-nft.timer
@@ -1,12 +0,0 @@
-[Unit]
-Description=Periodic execution of prometheus-node-textfile-check-nft.service
-
-[Timer]
-Unit=prometheus-node-textfile-check-nft.service
-# Accuracy sets the maximum time interval around the execution time we want to allow
-AccuracySec=15sec
-OnCalendar=*:0/30
-RandomizedDelaySec=0
-
-[Install]
-WantedBy=multi-user.target

File[/etc/cfssl/ssl/puppet/puppet.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet/puppet.pem].orig
+++ File[/etc/cfssl/ssl/puppet/puppet.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]

Parameters differences:

--- Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh].orig
+++ Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]

+    subscribe   => File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert

Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Exec[Generate cert cassandra refresh]

Parameters differences:

--- Exec[Generate cert cassandra refresh].orig
+++ Exec[Generate cert cassandra refresh]

+    subscribe   => File[/etc/cfssl/csr/cassandra.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra

Exec[Generate cert wikikube]

Parameters differences:

--- Exec[Generate cert wikikube].orig
+++ Exec[Generate cert wikikube]

+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube/wikikube.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube/wikikube-key.pem 2>&1)"

File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set AUX_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:305::/64,
-             2620:0:860:305::/64
-    }
-}

Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]

Parameters differences:

--- Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources].orig
+++ Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]

+    show_diff      => True
+    notify         => Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
+    backup         => puppet
+    replace        => True
+    format         => plain
+    ensure_newline => False
+    owner          => root
+    force          => False
+    path           => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources
+    warn           => False
+    mode           => 0444
+    group          => root
+    ensure         => present
+    order          => alpha

Cfssl::Csr[/etc/cfssl/csr/dse.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse.csr]

+    ensure      => present
+    common_name => dse
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Nftables::Set[DRUID_PUBLIC_HOSTS]

Parameters differences:

--- Nftables::Set[DRUID_PUBLIC_HOSTS].orig
+++ Nftables::Set[DRUID_PUBLIC_HOSTS]

-    ensure => present
-    hosts  => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', '2620:0:861:107:10:64:48:185']

Exec[Generate cert wikikube_staging_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert wikikube_staging_front_proxy refresh].orig
+++ Exec[Generate cert wikikube_staging_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy

File[/etc/cfssl/csr/discovery2026.csr]

Parameters differences:

--- File[/etc/cfssl/csr/discovery2026.csr].orig
+++ File[/etc/cfssl/csr/discovery2026.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/discovery2026.csr.orig
+++ /etc/cfssl/csr/discovery2026.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "discovery2026",
+  "hosts": [
+    "discovery2026"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/ferm/conf.d]

Parameters differences:

--- File[/etc/ferm/conf.d].orig
+++ File[/etc/ferm/conf.d]

+    require => Package[ferm]
+    notify  => Service[ferm]
+    ignore  => ['.*']
+    owner   => root
+    force   => True
+    recurse => True
+    mode    => 0551
+    group   => adm
+    ensure  => directory
+    purge   => True

Ferm::Conf[defs]

Parameters differences:

--- Ferm::Conf[defs].orig
+++ Ferm::Conf[defs]

+    ensure => present
+    prio   => 00

Motd::Script[backups-pki-root-cfssl]

Parameters differences:

--- Motd::Script[backups-pki-root-cfssl].orig
+++ Motd::Script[backups-pki-root-cfssl]

+    ensure   => present
+    priority => 6
+    tag      => backup-motd

File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft
@@ -1,14 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_JUMBO_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.130.10,
-             10.64.131.16,
-             10.64.132.21,
-             10.64.134.9,
-             10.64.135.16,
-             10.64.136.11,
-             10.64.154.15,
-             10.64.160.16,
-             10.64.0.126
-    }
-}

File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr].orig
+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]

Parameters differences:

--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer].orig
+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]

+    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /lib/systemd/system/wmf_auto_restart_ulogd2.timer.orig
+++ /lib/systemd/system/wmf_auto_restart_ulogd2.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of wmf_auto_restart_ulogd2.service
+
+[Timer]
+Unit=wmf_auto_restart_ulogd2.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

File[/etc/nftables/100_base_puppet.nft]

Parameters differences:

--- File[/etc/nftables/100_base_puppet.nft].orig
+++ File[/etc/nftables/100_base_puppet.nft]

-    require => File[/etc/nftables/]
-    notify  => ['Service[nftables]']
-    mode    => 0444
-    group   => root
-    ensure  => present
-    tag     => nft
-    owner   => root

Content differences:

--- /etc/nftables/100_base_puppet.nft.orig
+++ /etc/nftables/100_base_puppet.nft
@@ -1,45 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-table inet base {
-
-    # Include all Puppet-managed sets
-    include "/etc/nftables/sets/*.nft"
-
-    chain prerouting {
-        type filter hook prerouting priority -300;
-
-        # Include all Puppet-managed rules targetting prerouting chain
-        include "/etc/nftables/prerouting/*.nft"
-        # Include all Puppet-managed exceptions from connection tracking
-        include "/etc/nftables/notrack/*.nft"
-    }
-
-    chain input {
-        type filter hook input priority 0 ; policy drop;
-
-        ct state related,established accept
-        iifname "lo" accept
-        pkttype multicast accept
-        meta l4proto ipv6-icmp accept
-        ip protocol icmp accept
-
-        # Include all Puppet-managed service definitions for incoming traffic
-        include "/etc/nftables/input/*.nft"
-    }
-
-    chain output {
-        type filter hook output priority 0 ; policy accept;
-
-        # Include any Puppet-managed client definitions filtering outbound traffic
-        include "/etc/nftables/output/*.nft"
-    }
-
-    chain postrouting {
-        type filter hook postrouting priority 0 ;
-
-        # Include any Puppet-managed custom rules to mark DSCP bits
-        include "/etc/nftables/postrouting/*.nft"
-        # Anything else mark as CS0 / default priority class
-        ip dscp != cs0 ip dscp set cs0 counter
-        ip6 dscp != cs0 ip6 dscp set cs0 counter
-    }
-}

File[/etc/ferm/conf.d/00_defs]

Parameters differences:

--- File[/etc/ferm/conf.d/00_defs].orig
+++ File[/etc/ferm/conf.d/00_defs]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/00_defs.orig
+++ /etc/ferm/conf.d/00_defs
@@ -0,0 +1,1139 @@
+
+@def $LINK_LOCAL = (169.254.0.0/16 fe80::/10);
+@def $INTERNAL = (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56 2620:0:863:100::/56 2001:df2:e500:100::/56 2a02:ec80:300:100::/56 2a02:ec80:600:100::/56 2a02:ec80:700:100::/56 2a02:ec80:ff00:100::/56);
+# $DOMAIN_NETWORKS is a set of all networks belonging to a domain.
+# a domain is a realm currently, but the notion is more generic than that on purpose
+@def $DOMAIN_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );
+
+# $PRODUCTION_NETWORKS is a set of all production networks
+@def $PRODUCTION_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );
+# $CLOUD_NETWORKS is a set of all Cloud VPS instance networks
+@def $CLOUD_NETWORKS = (172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );
+# $LABS_NETWORKS is a deprecated alias for $CLOUD_NETWORKS
+@def $LABS_NETWORKS = (172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );
+# $CLOUD_NETWORKS_PUBLIC is meant to be a set of all Cloud public networks
+@def $CLOUD_NETWORKS_PUBLIC = (185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:4000::/64 2a02:ec80:a100:4000::/64 );
+# $CLOUD_PRIVATE_NETWORKS is the cloud-private networks with WMCS
+# hardware with cloud realm private 172.20.x.x addresses. These
+# hosts are dual-homed, usually also in at least cloud-hosts.
+@def $CLOUD_PRIVATE_NETWORKS = (172.20.1.0/24 172.20.2.0/24 172.20.3.0/24 172.20.4.0/24 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 172.20.5.0/24 2a02:ec80:a100:205::/64);
+# $FRACK_NETWORKS is meant to be a set of all fundraising networks
+@def $FRACK_NETWORKS = (10.195.0.0/27 10.195.0.128/29 10.195.0.32/27 10.195.0.64/28 10.195.0.80/29 10.195.0.96/27 10.195.1.0/25 10.64.40.0/27 10.64.40.160/27 10.64.40.192/26 10.64.40.32/27 10.64.40.64/27 10.64.40.96/27 208.80.152.224/28 208.80.155.0/27 );
+
+@def $ANALYTICS_NETWORKS = (10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64 );
+@def $MW_APPSERVER_NETWORKS = (10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.141.0/24 10.64.152.0/24 10.64.154.0/24 10.64.156.0/24 10.64.158.0/24 10.64.16.0/22 10.64.160.0/24 10.64.162.0/24 10.64.164.0/24 10.64.166.0/24 10.64.169.0/24 10.64.171.0/24 10.64.173.0/24 10.64.175.0/24 10.64.177.0/24 10.64.179.0/24 10.64.181.0/24 10.64.183.0/24 10.64.185.0/24 10.64.187.0/24 10.64.189.0/24 10.64.32.0/22 10.64.48.0/22 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:120::/64 2620:0:861:122::/64 2620:0:861:124::/64 2620:0:861:126::/64 2620:0:861:128::/64 2620:0:861:12a::/64 2620:0:861:12c::/64 2620:0:861:12e::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.7.0/24 10.192.8.0/24 10.192.9.0/24 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 10.192.64.0/21 10.192.96.0/21 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.80.0/21 10.64.64.0/21 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.80.0/21 2620:0:860:300::/64 2620:0:860:302::/64 2620:0:860:305::/64 2620:0:860:308::/64 2620:0:860:babe::/64 2620:0:860:cabe::/64 2620:0:861:300::/64 2620:0:861:302::/64 2620:0:861:305::/64 2620:0:861:babe::/64 2620:0:861:cabe::/64 208.80.154.0/26 208.80.154.128/26 208.80.154.64/26 208.80.155.96/27 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:3::/64 2620:0:861:4::/64 208.80.153.0/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:3::/64 2620:0:860:4::/64 );
+@def $WIKIKUBE_KUBEPODS_NETWORKS  = (10.67.128.0/17 2620:0:861:cabe::/64 10.194.128.0/17 2620:0:860:cabe::/64 );
+@def $STAGING_KUBEPODS_NETWORKS  = (10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 );
+@def $MLSERVE_KUBEPODS_NETWORKS = (10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 );
+@def $MLSTAGE_KUBEPODS_NETWORKS = (10.194.61.0/24 2620:0:860:302::/64 );
+@def $DSE_KUBEPODS_NETWORKS = (10.67.24.0/21 2620:0:861:302::/64 10.192.96.0/21 2620:0:860:308::/64 );
+@def $AUX_KUBEPODS_NETWORKS = (10.67.80.0/21 2620:0:861:305::/64 10.194.80.0/21 2620:0:860:305::/64 );
+
+@def $NETWORK_INFRA = (185.15.59.128/27 2a02:ec80:300:fe00::/55 198.35.26.128/27 2620:0:863:fe00::/55 208.80.153.192/27 2620:0:860:fe00::/55 10.192.255.0/24 2620:0:860:13f::/64 10.192.253.0/24 2620:0:860:139::/64 208.80.154.192/27 2620:0:861:fe00::/55 10.64.146.0/24 2620:0:861:11b::/128 10.64.168.0/24 2620:0:861:130::/64 10.64.147.0/24 103.102.166.128/27 2001:df2:e500:fe00::/55 185.15.58.128/27 2a02:ec80:600:fe00::/55 195.200.68.128/27 2a02:ec80:700:fe00::/55);
+@def $MGMT_NETWORKS = (10.65.0.0/16 10.128.128.0/17 10.193.0.0/16 10.80.128.0/17 10.132.128.0/17 10.136.128.0/17 10.140.128.0/17 );
+@def $SANDBOX_NETWORKS = (103.102.166.72/29 185.15.59.72/29 195.200.68.64/29 198.35.26.240/28 2001:df2:e500:202::/64 208.80.152.240/28 208.80.155.64/28 2620:0:860:201::/64 2620:0:861:202::/64 2620:0:863:201::/64 2a02:ec80:300:202::/64 2a02:ec80:700:201::/64 );
+
+@def $DEPLOYMENT_HOSTS = (10.64.16.93 2620:0:861:102:10:64:16:93 10.192.32.7 2620:0:860:103:10:192:32:7 );
+@def $CUMIN_MASTERS = (10.64.16.154 2620:0:861:102:10:64:16:154 10.192.32.49 2620:0:860:103:10:192:32:49 );
+@def $CACHES = (10.64.0.79 2620:0:861:101:10:64:0:79 10.64.0.229 2620:0:861:101:10:64:0:229 10.64.0.14 2620:0:861:101:10:64:0:14 10.64.0.51 2620:0:861:101:10:64:0:51 10.64.16.241 2620:0:861:102:10:64:16:241 10.64.16.94 2620:0:861:102:10:64:16:94 10.64.16.95 2620:0:861:102:10:64:16:95 10.64.16.240 2620:0:861:102:10:64:16:240 10.64.32.14 2620:0:861:103:10:64:32:14 10.64.32.60 2620:0:861:103:10:64:32:60 10.64.32.15 2620:0:861:103:10:64:32:15 10.64.32.65 2620:0:861:103:10:64:32:65 10.64.48.16 2620:0:861:107:10:64:48:16 10.64.48.41 2620:0:861:107:10:64:48:41 10.64.48.27 2620:0:861:107:10:64:48:27 10.64.48.28 2620:0:861:107:10:64:48:28 10.192.23.26 2620:0:860:113:10:192:23:26 10.192.6.20 2620:0:860:107:10:192:6:20 10.192.12.35 2620:0:860:10d:10:192:12:35 10.192.14.25 2620:0:860:10f:10:192:14:25 10.192.4.22 2620:0:860:100:10:192:4:22 10.192.29.26 2620:0:860:116:10:192:29:26 10.192.30.29 2620:0:860:119:10:192:30:29 10.192.36.19 2620:0:860:11b:10:192:36:19 10.192.40.25 2620:0:860:11f:10:192:40:25 10.192.41.21 2620:0:860:120:10:192:41:21 10.192.56.3 2620:0:860:12b:10:192:56:3 10.192.56.4 2620:0:860:12b:10:192:56:4 10.192.57.3 2620:0:860:12c:10:192:57:3 10.192.58.2 2620:0:860:12d:10:192:58:2 10.192.58.3 2620:0:860:12d:10:192:58:3 10.192.59.2 2620:0:860:12e:10:192:59:2 10.80.0.14 2a02:ec80:300:101:10:80:0:14 10.80.1.11 2a02:ec80:300:102:10:80:1:11 10.80.0.13 2a02:ec80:300:101:10:80:0:13 10.80.1.9 2a02:ec80:300:102:10:80:1:9 10.80.0.12 2a02:ec80:300:101:10:80:0:12 10.80.1.7 2a02:ec80:300:102:10:80:1:7 10.80.0.11 2a02:ec80:300:101:10:80:0:11 10.80.1.6 2a02:ec80:300:102:10:80:1:6 10.80.0.10 2a02:ec80:300:101:10:80:0:10 10.80.1.5 2a02:ec80:300:102:10:80:1:5 10.80.0.8 2a02:ec80:300:101:10:80:0:8 10.80.1.4 2a02:ec80:300:102:10:80:1:4 10.80.0.7 2a02:ec80:300:101:10:80:0:7 10.80.1.3 2a02:ec80:300:102:10:80:1:3 10.80.0.6 2a02:ec80:300:101:10:80:0:6 10.80.1.2 2a02:ec80:300:102:10:80:1:2 10.128.0.19 2620:0:863:101:10:128:0:19 10.128.1.27 2620:0:863:102:10:128:1:27 10.128.0.22 2620:0:863:101:10:128:0:22 10.128.1.28 2620:0:863:102:10:128:1:28 10.128.0.25 2620:0:863:101:10:128:0:25 10.128.1.29 2620:0:863:102:10:128:1:29 10.128.0.26 2620:0:863:101:10:128:0:26 10.128.1.31 2620:0:863:102:10:128:1:31 10.128.0.14 2620:0:863:101:10:128:0:14 10.128.1.35 2620:0:863:102:10:128:1:35 10.128.0.21 2620:0:863:101:10:128:0:21 10.128.1.36 2620:0:863:102:10:128:1:36 10.128.0.24 2620:0:863:101:10:128:0:24 10.128.1.10 2620:0:863:102:10:128:1:10 10.128.0.37 2620:0:863:101:10:128:0:37 10.128.1.12 2620:0:863:102:10:128:1:12 10.132.0.17 2001:df2:e500:101:10:132:0:17 10.132.0.18 2001:df2:e500:101:10:132:0:18 10.132.0.19 2001:df2:e500:101:10:132:0:19 10.132.0.24 2001:df2:e500:101:10:132:0:24 10.132.0.29 2001:df2:e500:101:10:132:0:29 10.132.0.30 2001:df2:e500:101:10:132:0:30 10.132.0.34 2001:df2:e500:101:10:132:0:34 10.132.0.35 2001:df2:e500:101:10:132:0:35 10.132.0.36 2001:df2:e500:101:10:132:0:36 10.132.0.37 2001:df2:e500:101:10:132:0:37 10.132.0.38 2001:df2:e500:101:10:132:0:38 10.132.0.25 2001:df2:e500:101:10:132:0:25 10.132.0.26 2001:df2:e500:101:10:132:0:26 10.132.0.27 2001:df2:e500:101:10:132:0:27 10.132.0.28 2001:df2:e500:101:10:132:0:28 10.132.0.16 2001:df2:e500:101:10:132:0:16 10.136.0.6 2a02:ec80:600:101:10:136:0:6 10.136.1.6 2a02:ec80:600:102:10:136:1:6 10.136.0.7 2a02:ec80:600:101:10:136:0:7 10.136.1.7 2a02:ec80:600:102:10:136:1:7 10.136.0.8 2a02:ec80:600:101:10:136:0:8 10.136.1.8 2a02:ec80:600:102:10:136:1:8 10.136.0.9 2a02:ec80:600:101:10:136:0:9 10.136.1.9 2a02:ec80:600:102:10:136:1:9 10.136.0.10 2a02:ec80:600:101:10:136:0:10 10.136.1.10 2a02:ec80:600:102:10:136:1:10 10.136.0.11 2a02:ec80:600:101:10:136:0:11 10.136.1.11 2a02:ec80:600:102:10:136:1:11 10.136.0.12 2a02:ec80:600:101:10:136:0:12 10.136.1.12 2a02:ec80:600:102:10:136:1:12 10.136.0.13 2a02:ec80:600:101:10:136:0:13 10.136.1.13 2a02:ec80:600:102:10:136:1:13 10.140.0.3 2a02:ec80:700:101:10:140:0:3 10.140.1.4 2a02:ec80:700:102:10:140:1:4 10.140.0.4 2a02:ec80:700:101:10:140:0:4 10.140.1.5 2a02:ec80:700:102:10:140:1:5 10.140.0.5 2a02:ec80:700:101:10:140:0:5 10.140.1.6 2a02:ec80:700:102:10:140:1:6 10.140.0.6 2a02:ec80:700:101:10:140:0:6 10.140.1.7 2a02:ec80:700:102:10:140:1:7 10.140.0.7 2a02:ec80:700:101:10:140:0:7 10.140.1.8 2a02:ec80:700:102:10:140:1:8 10.140.0.8 2a02:ec80:700:101:10:140:0:8 10.140.1.9 2a02:ec80:700:102:10:140:1:9 10.140.0.9 2a02:ec80:700:101:10:140:0:9 10.140.1.10 2a02:ec80:700:102:10:140:1:10 10.140.0.10 2a02:ec80:700:101:10:140:0:10 10.140.1.11 2a02:ec80:700:102:10:140:1:11 );
+@def $LOAD_BALANCER_HEALTH_CHECKS = (10.64.0.136 10.64.16.60 10.64.158.19 10.64.166.19 10.64.133.19 10.64.141.19 10.64.169.19 10.64.171.19 10.64.173.19 10.64.175.19 10.64.177.19 10.64.179.19 10.64.181.19 10.64.183.19 10.64.185.19 10.64.187.19 10.64.189.19 10.64.48.72 10.64.37.17 10.64.1.17 10.64.17.17 10.64.33.17 10.64.130.20 10.64.131.20 10.64.132.20 10.64.134.20 10.64.135.20 10.64.136.20 10.64.158.20 10.64.166.20 10.64.133.20 10.64.141.20 10.64.169.20 10.64.171.20 10.64.173.20 10.64.175.20 10.64.177.20 10.64.179.20 10.64.181.20 10.64.183.20 10.64.185.20 10.64.187.20 10.64.189.20 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:119::/64 2620:0:861:10c::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.23.8 10.192.0.29 10.192.17.8 10.192.33.8 10.192.49.8 10.192.23.2 10.192.5.2 10.192.6.2 10.192.7.2 10.192.8.2 10.192.9.2 10.192.10.2 10.192.11.2 10.192.12.2 10.192.13.2 10.192.14.2 10.192.15.2 10.192.21.2 10.192.22.2 10.192.4.2 10.192.26.2 10.192.27.2 10.192.28.2 10.192.29.2 10.192.30.2 10.192.31.2 10.192.36.2 10.192.37.2 10.192.38.2 10.192.39.2 10.192.40.2 10.192.41.2 10.192.42.2 10.192.43.2 10.192.11.8 10.192.16.140 10.192.1.8 10.192.33.9 10.192.49.9 10.192.23.3 10.192.5.3 10.192.6.3 10.192.7.3 10.192.8.3 10.192.9.3 10.192.10.3 10.192.11.3 10.192.12.3 10.192.13.3 10.192.14.3 10.192.15.3 10.192.21.3 10.192.22.3 10.192.4.3 10.192.26.3 10.192.27.3 10.192.28.3 10.192.29.3 10.192.30.3 10.192.31.3 10.192.36.3 10.192.37.3 10.192.38.3 10.192.39.4 10.192.40.3 10.192.41.3 10.192.42.3 10.192.43.3 10.192.32.14 10.192.1.9 10.192.17.9 10.192.49.10 10.192.23.4 10.192.5.4 10.192.6.4 10.192.7.4 10.192.8.4 10.192.9.4 10.192.10.4 10.192.11.4 10.192.12.4 10.192.13.4 10.192.14.4 10.192.15.4 10.192.21.4 10.192.22.4 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 10.192.48.213 10.192.1.13 10.192.17.10 10.192.33.10 10.192.23.5 10.192.5.8 10.192.6.5 10.192.7.5 10.192.8.5 10.192.9.5 10.192.10.5 10.192.11.5 10.192.12.5 10.192.13.5 10.192.14.5 10.192.15.5 10.192.21.5 10.192.22.5 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 10.80.0.3 10.80.1.8 10.80.1.14 10.80.0.9 10.80.0.2 10.80.1.10 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 10.128.1.18 10.128.0.9 10.128.1.11 2620:0:863:101::/64 2620:0:863:102::/64 10.132.0.39 10.132.0.6 10.132.0.7 2001:df2:e500:101::/64 10.136.0.16 10.136.1.19 10.136.1.15 10.136.0.19 10.136.0.17 10.136.1.20 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 10.140.0.13 10.140.1.2 10.140.1.14 10.140.0.2 10.140.0.14 10.140.1.3 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 );
+@def $KAFKA_BROKERS_MAIN = (10.192.5.9 2620:0:860:106:10:192:5:9 10.192.22.6 2620:0:860:112:10:192:22:6 10.192.32.4 2620:0:860:103:10:192:32:4 10.192.48.33 2620:0:860:104:10:192:48:33 10.192.48.35 2620:0:860:104:10:192:48:35 10.64.0.101 2620:0:861:101:10:64:0:101 10.64.16.30 2620:0:861:102:10:64:16:30 10.64.32.45 2620:0:861:103:10:64:32:45 10.64.48.37 2620:0:861:107:10:64:48:37 10.64.152.5 2620:0:861:120:10:64:152:5 );
+@def $KAFKA_BROKERS_JUMBO = (10.64.130.10 2620:0:861:109:10:64:130:10 10.64.131.16 2620:0:861:10a:10:64:131:16 10.64.132.21 2620:0:861:10b:10:64:132:21 10.64.134.9 2620:0:861:10d:10:64:134:9 10.64.135.16 2620:0:861:10e:10:64:135:16 10.64.136.11 2620:0:861:10f:10:64:136:11 10.64.154.15 2620:0:861:122:10:64:154:15 10.64.160.16 2620:0:861:128:10:64:160:16 10.64.0.126 2620:0:861:101:10:64:0:126 );
+@def $KAFKA_BROKERS_LOGGING = (10.64.16.205 2620:0:861:102:10:64:16:205 10.64.133.11 2620:0:861:10c:10:64:133:11 10.64.183.12 2620:0:861:13d:10:64:183:12 10.64.131.13 2620:0:861:10a:10:64:131:13 10.64.135.13 2620:0:861:10e:10:64:135:13 10.192.23.29 2620:0:860:113:10:192:23:29 10.192.11.28 2620:0:860:10c:10:192:11:28 10.192.26.22 2620:0:860:105:10:192:26:22 10.192.11.27 2620:0:860:10c:10:192:11:27 10.192.39.25 2620:0:860:11e:10:192:39:25 );
+@def $KAFKAMON_HOSTS = (10.64.32.11 2620:0:861:103:10:64:32:11 10.192.16.139 2620:0:860:102:10:192:16:139 );
+@def $ZOOKEEPER_HOSTS_MAIN = (10.64.0.207 2620:0:861:101:10:64:0:207 10.64.16.110 2620:0:861:102:10:64:16:110 10.64.48.154 2620:0:861:107:10:64:48:154 10.192.16.45 2620:0:860:102:10:192:16:45 10.192.32.52 2620:0:860:103:10:192:32:52 10.192.48.59 2620:0:860:104:10:192:48:59 );
+@def $ZOOKEEPER_FLINK_HOSTS = (10.64.16.9 2620:0:861:102:10:64:16:9 10.64.0.8 2620:0:861:101:10:64:0:8 10.64.32.41 2620:0:861:103:10:64:32:41 10.192.16.227 2620:0:860:102:10:192:16:227 10.192.32.179 2620:0:860:103:10:192:32:179 10.192.48.219 2620:0:860:104:10:192:48:219 );
+@def $DRUID_PUBLIC_HOSTS = (10.64.131.9 2620:0:861:10a:10:64:131:9 10.64.132.12 2620:0:861:10b:10:64:132:12 10.64.135.9 2620:0:861:10e:10:64:135:9 10.64.32.101 2620:0:861:103:10:64:32:101 10.64.48.185 2620:0:861:107:10:64:48:185 );
+@def $LABSTORE_HOSTS = (208.80.154.142 2620:0:861:2:208:80:154:142 208.80.154.71 2620:0:861:3:208:80:154:71 );
+@def $MYSQL_ROOT_CLIENTS = (10.64.16.90 10.192.16.191 10.64.16.154 10.192.32.49 208.80.154.9 10.64.0.20 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-codfw-bgp-private-vips
+@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 = (172.20.254.0/24);
+@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a100:2ff::/64);
+@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS = ($CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-flat3-codfw
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 = (172.16.129.0/24);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 = (2a02:ec80:a100:1::/64);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-codfw1dev
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 = (172.16.131.0/24);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 = (2a02:ec80:a100:100::/64);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV = ($CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-vxlan-ipv4-only-codfw
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 = (172.16.130.0/24);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances2-b-codfw
+@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 = (172.16.128.0/24);
+@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 );
+
+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-private-b1-codfw
+@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 = (172.20.5.0/24);
+@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 = (2a02:ec80:a100:205::/64);
+@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW = ($CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 );
+
+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-bgp-public-vips
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 = (185.15.57.24/29);
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a100:4000::/64);
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 );
+
+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 = (185.15.57.0/29);
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 );
+
+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating-additional
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 = (185.15.57.16/29);
+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-eqiad-bgp-private-vips
+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 = (172.20.255.0/24);
+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a000:2ff::/64);
+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS = ($EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-eqiad1
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 = (172.16.24.0/24);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 = (2a02:ec80:a000:100::/64);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1 = ($EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-dualstack-eqiad
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 = (172.16.16.0/21);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 = (2a02:ec80:a000:1::/64);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-v4only-eqiad
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 = (172.16.8.0/21);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances2-b-eqiad
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 = (172.16.0.0/21);
+@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-c8-eqiad
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 = (172.20.1.0/24);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 = (2a02:ec80:a000:201::/64);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-d5-eqiad
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 = (172.20.2.0/24);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 = (2a02:ec80:a000:202::/64);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-e4-eqiad
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 = (172.20.3.0/24);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 = (2a02:ec80:a000:203::/64);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-f4-eqiad
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 = (172.20.4.0/24);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 = (2a02:ec80:a000:204::/64);
+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-bgp-public-vips
+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 = (185.15.56.160/28);
+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a000:4000::/64);
+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS = ($EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 );
+
+# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-floating
+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 = (185.15.56.0/25);
+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING = ($EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-administration-codfw
+@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 = (10.195.0.64/28);
+@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW = ($CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-bastion-codfw
+@def $CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 = (10.195.0.128/29);
+@def $CODFW_PRIVATE_FRACK_BASTION_CODFW = ($CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-fundraising-codfw
+@def $CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 = (10.195.0.32/27);
+@def $CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW = ($CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-listenerdmz-codfw
+@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 = (10.195.0.80/29);
+@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW = ($CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-codfw
+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 = (10.195.1.0/25);
+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-legacy-codfw
+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 = (10.195.0.96/27);
+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-payments-codfw
+@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 = (10.195.0.0/27);
+@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW = ($CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 );
+
+# Realm: frack, # Site: codfw, # Sphere: public, # Network: frack-external-codfw
+@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 = (208.80.152.224/28);
+@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW = ($CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-administration1-e15-eqiad
+@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 = (10.64.40.64/27);
+@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-bastion1-e15-eqiad
+@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 = (10.64.40.32/27);
+@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-fundraising1-e16-eqiad
+@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 = (10.64.40.96/27);
+@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD = ($EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-listenerdmz1-e15-eqiad
+@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 = (10.64.40.160/27);
+@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-management1-eqiad
+@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 = (10.64.40.192/26);
+@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD = ($EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-payments1-e15-eqiad
+@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 = (10.64.40.0/27);
+@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 );
+
+# Realm: frack, # Site: eqiad, # Sphere: public, # Network: frack-external1-eqiad
+@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 = (208.80.155.0/27);
+@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD = ($EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: cloud-hosts1-b1-codfw
+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 = (10.192.20.0/24);
+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 = (2620:0:860:118::/64);
+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW = ($CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 = (10.192.0.0/22);
+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 = (2620:0:860:101::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW = ($CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 = (10.192.23.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 = (2620:0:860:113::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW = ($CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 = (10.192.5.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 = (2620:0:860:106::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW = ($CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 = (10.192.6.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 = (2620:0:860:107::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW = ($CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a5-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 = (10.192.7.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 = (2620:0:860:108::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW = ($CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a6-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 = (10.192.8.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 = (2620:0:860:109::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW = ($CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a7-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 = (10.192.9.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 = (2620:0:860:10a::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW = ($CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a8-codfw
+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 = (10.192.10.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 = (2620:0:860:10b::/64);
+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW = ($CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 = (10.194.80.0/21);
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 = (2620:0:860:305::/64);
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 = (10.194.64.0/20);
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 = (2620:0:860:304::/64);
+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 = (10.192.16.0/22);
+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 = (2620:0:860:102::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW = ($CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 = (10.192.11.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 = (2620:0:860:10c::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW = ($CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 = (10.192.12.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 = (2620:0:860:10d::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW = ($CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 = (10.192.13.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 = (2620:0:860:10e::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW = ($CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b5-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 = (10.192.14.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 = (2620:0:860:10f::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW = ($CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b6-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 = (10.192.15.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 = (2620:0:860:110::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW = ($CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b7-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 = (10.192.21.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 = (2620:0:860:111::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW = ($CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b8-codfw
+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 = (10.192.22.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 = (2620:0:860:112::/64);
+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW = ($CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 = (10.192.32.0/22);
+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 = (2620:0:860:103::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW = ($CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c1-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 = (10.192.4.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 = (2620:0:860:100::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW = ($CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 = (10.192.26.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 = (2620:0:860:105::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW = ($CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 = (10.192.27.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 = (2620:0:860:114::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW = ($CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 = (10.192.28.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 = (2620:0:860:115::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW = ($CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c5-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 = (10.192.29.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 = (2620:0:860:116::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW = ($CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c6-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 = (10.192.30.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 = (2620:0:860:119::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW = ($CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c7-codfw
+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 = (10.192.31.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 = (2620:0:860:11a::/64);
+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW = ($CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 = (10.192.48.0/22);
+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 = (2620:0:860:104::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW = ($CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d1-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 = (10.192.36.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 = (2620:0:860:11b::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW = ($CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 = (10.192.37.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 = (2620:0:860:11c::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW = ($CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 = (10.192.38.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 = (2620:0:860:11d::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW = ($CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 = (10.192.39.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 = (2620:0:860:11e::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW = ($CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d5-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 = (10.192.40.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 = (2620:0:860:11f::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW = ($CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d6-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 = (10.192.41.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 = (2620:0:860:120::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW = ($CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d7-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 = (10.192.42.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 = (2620:0:860:121::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW = ($CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d8-codfw
+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 = (10.192.43.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 = (2620:0:860:122::/64);
+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW = ($CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-dse-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 = (10.192.96.0/21);
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 = (2620:0:860:308::/64);
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-dse-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 = (10.192.80.0/20);
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 = (2620:0:860:307::/64);
+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e1-codfw
+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 = (10.192.56.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 = (2620:0:860:12b::/64);
+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW = ($CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 = (10.192.44.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 = (2620:0:860:123::/64);
+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW = ($CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 = (10.192.57.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 = (2620:0:860:12c::/64);
+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW = ($CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 = (10.192.45.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 = (2620:0:860:124::/64);
+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW = ($CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e5-codfw
+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 = (10.192.46.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 = (2620:0:860:125::/64);
+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW = ($CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f1-codfw
+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 = (10.192.58.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 = (2620:0:860:12d::/64);
+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW = ($CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f2-codfw
+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 = (10.192.47.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 = (2620:0:860:126::/64);
+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW = ($CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f3-codfw
+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 = (10.192.59.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 = (2620:0:860:12e::/64);
+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW = ($CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f4-codfw
+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 = (10.192.52.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 = (2620:0:860:127::/64);
+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW = ($CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-lvs-codfw
+@def $CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 = (10.2.1.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_LVS_CODFW = ($CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 = (10.194.16.0/21);
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 = (2620:0:860:300::/64);
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 = (10.194.0.0/20);
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 = (2620:0:860:301::/64);
+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 = (10.194.61.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 = (2620:0:860:302::/64);
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 = (10.194.62.0/23);
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 = (2620:0:860:303::/64);
+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 = (10.194.128.0/17);
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 = (2620:0:860:cabe::/64);
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 = (10.192.72.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 = (2620:0:860:cabf::/64);
+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubepods-codfw
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 = (10.192.64.0/21);
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 = (2620:0:860:babe::/64);
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubesvc-codfw
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 = (10.192.76.0/24);
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 = (2620:0:860:babf::/64);
+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-virtual-codfw
+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 = (10.192.24.0/23);
+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 = (2620:0:860:140::/64);
+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW = ($CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-a-codfw
+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 = (208.80.153.0/27);
+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 = (2620:0:860:1::/64);
+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW = ($CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-b-codfw
+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 = (208.80.153.32/27);
+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 = (2620:0:860:2::/64);
+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW = ($CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-c-codfw
+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 = (208.80.153.64/27);
+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 = (2620:0:860:3::/64);
+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW = ($CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-d-codfw
+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 = (208.80.153.96/27);
+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 = (2620:0:860:4::/64);
+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW = ($CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-lvs-codfw
+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 = (208.80.153.224/27);
+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 = (2620:0:860:ed1a::/64);
+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW = ($CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 );
+
+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-virtual-codfw
+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 = (208.80.152.128/27);
+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 = (2620:0:860:5::/64);
+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW = ($CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 );
+
+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b12-drmrs
+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 = (10.136.0.0/24);
+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 = (2a02:ec80:600:101::/64);
+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 );
+
+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b13-drmrs
+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 = (10.136.1.0/24);
+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 = (2a02:ec80:600:102::/64);
+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 );
+
+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-lvs-drmrs
+@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 = (10.2.6.0/24);
+@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 );
+
+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b12-drmrs
+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 = (185.15.58.0/27);
+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 = (2a02:ec80:600:1::/64);
+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 );
+
+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b13-drmrs
+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 = (185.15.58.32/27);
+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 = (2a02:ec80:600:2::/64);
+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 );
+
+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-lvs-drmrs
+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 = (185.15.58.224/27);
+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 = (2a02:ec80:600:ed1a::/64);
+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-a-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 = (10.64.5.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 = (2620:0:861:104::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-b-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 = (10.64.21.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 = (2620:0:861:105::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 = (10.64.36.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 = (2620:0:861:106::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c2-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 = (10.64.137.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 = (2620:0:861:110::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c3-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 = (10.64.145.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 = (2620:0:861:117::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c4-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 = (10.64.170.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 = (2620:0:861:11a::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c5-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 = (10.64.172.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 = (2620:0:861:132::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c6-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 = (10.64.174.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 = (2620:0:861:134::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c7-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 = (10.64.176.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 = (2620:0:861:136::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 = (10.64.53.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 = (2620:0:861:108::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d1-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 = (10.64.178.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 = (2620:0:861:138::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d2-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 = (10.64.180.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 = (2620:0:861:13a::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d3-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 = (10.64.182.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 = (2620:0:861:13c::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d4-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 = (10.64.184.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 = (2620:0:861:13e::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d6-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 = (10.64.186.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 = (2620:0:861:141::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d7-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 = (10.64.188.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 = (2620:0:861:143::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d8-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 = (10.64.190.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 = (2620:0:861:145::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e1-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 = (10.64.138.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 = (2620:0:861:100::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e2-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 = (10.64.139.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 = (2620:0:861:111::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e3-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 = (10.64.140.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 = (2620:0:861:112::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e5-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 = (10.64.153.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 = (2620:0:861:121::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e6-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 = (10.64.155.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 = (2620:0:861:123::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e7-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 = (10.64.157.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 = (2620:0:861:125::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e8-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 = (10.64.159.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 = (2620:0:861:127::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f1-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 = (10.64.142.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 = (2620:0:861:114::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f2-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 = (10.64.143.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 = (2620:0:861:115::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f3-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 = (10.64.144.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 = (2620:0:861:116::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f5-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 = (10.64.161.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 = (2620:0:861:129::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f6-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 = (10.64.163.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 = (2620:0:861:12b::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f7-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 = (10.64.165.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 = (2620:0:861:12d::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f8-eqiad
+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 = (10.64.167.0/24);
+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 = (2620:0:861:12f::/64);
+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-c8-eqiad
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 = (10.64.151.0/24);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 = (2620:0:861:11f::/64);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-d5-eqiad
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 = (10.64.150.0/24);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 = (2620:0:861:11e::/64);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-e4-eqiad
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 = (10.64.148.0/24);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 = (2620:0:861:11c::/64);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-eqiad
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 = (10.64.20.0/24);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 = (2620:0:861:118::/64);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-f4-eqiad
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 = (10.64.149.0/24);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 = (2620:0:861:11d::/64);
+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-a-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 = (10.64.0.0/22);
+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 = (2620:0:861:101::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubepods-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 = (10.67.80.0/21);
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 = (2620:0:861:305::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubesvc-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 = (10.67.64.0/20);
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 = (2620:0:861:304::/116);
+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-b-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 = (10.64.16.0/22);
+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 = (2620:0:861:102::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 = (10.64.32.0/22);
+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 = (2620:0:861:103::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c2-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 = (10.64.133.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 = (2620:0:861:10c::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c3-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 = (10.64.141.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 = (2620:0:861:113::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c4-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 = (10.64.169.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 = (2620:0:861:119::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c5-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 = (10.64.171.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 = (2620:0:861:131::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c6-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 = (10.64.173.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 = (2620:0:861:133::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c7-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 = (10.64.175.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 = (2620:0:861:135::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 = (10.64.48.0/22);
+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 = (2620:0:861:107::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d1-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 = (10.64.177.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 = (2620:0:861:137::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d2-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 = (10.64.179.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 = (2620:0:861:139::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d3-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 = (10.64.181.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 = (2620:0:861:13b::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d4-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 = (10.64.183.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 = (2620:0:861:13d::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d6-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 = (10.64.185.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 = (2620:0:861:13f::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d7-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 = (10.64.187.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 = (2620:0:861:142::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d8-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 = (10.64.189.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 = (2620:0:861:144::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubepods-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 = (10.67.24.0/21);
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:302::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubesvc-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 = (10.67.32.0/20);
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 = (2620:0:861:303::/116);
+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e1-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 = (10.64.130.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 = (2620:0:861:109::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e2-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 = (10.64.131.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 = (2620:0:861:10a::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e3-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 = (10.64.132.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 = (2620:0:861:10b::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e5-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 = (10.64.152.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 = (2620:0:861:120::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e6-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 = (10.64.154.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 = (2620:0:861:122::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e7-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 = (10.64.156.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 = (2620:0:861:124::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e8-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 = (10.64.158.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 = (2620:0:861:126::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f1-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 = (10.64.134.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 = (2620:0:861:10d::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f2-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 = (10.64.135.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 = (2620:0:861:10e::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f3-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 = (10.64.136.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 = (2620:0:861:10f::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f5-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 = (10.64.160.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 = (2620:0:861:128::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f6-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 = (10.64.162.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 = (2620:0:861:12a::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f7-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 = (10.64.164.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 = (2620:0:861:12c::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f8-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 = (10.64.166.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 = (2620:0:861:12e::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-lvs-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 = (10.2.2.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubepods-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 = (10.67.16.0/21);
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:300::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubesvc-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 = (10.67.0.0/20);
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 = (2620:0:861:301::/116);
+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubepods-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 = (10.67.128.0/17);
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 = (2620:0:861:cabe::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubesvc-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 = (10.64.72.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 = (2620:0:861:cabf::/116);
+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubepods-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 = (10.64.64.0/21);
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 = (2620:0:861:babe::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubesvc-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 = (10.64.76.0/24);
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 = (2620:0:861:babf::/116);
+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-virtual-eqiad
+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 = (10.64.24.0/23);
+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 = (2620:0:861:140::/64);
+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-a-eqiad
+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 = (208.80.154.0/26);
+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 = (2620:0:861:1::/64);
+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-b-eqiad
+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 = (208.80.154.128/26);
+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 = (2620:0:861:2::/64);
+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-c-eqiad
+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 = (208.80.154.64/26);
+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 = (2620:0:861:3::/64);
+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-d-eqiad
+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 = (208.80.155.96/27);
+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 = (2620:0:861:4::/64);
+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-lvs-eqiad
+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 = (208.80.154.224/27);
+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 = (2620:0:861:ed1a::/64);
+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 );
+
+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-eqsin
+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 = (10.132.0.0/24);
+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 = (2001:df2:e500:101::/64);
+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 );
+
+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-lvs-eqsin
+@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 = (10.2.5.0/24);
+@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 );
+
+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-virtual-eqsin
+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 = (10.132.2.0/24);
+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:103::/64);
+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 );
+
+# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-eqsin
+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 = (103.102.166.0/28);
+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 = (2001:df2:e500:1::/64);
+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 );
+
+# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-lvs-eqsin
+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 = (103.102.166.224/27);
+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 = (2001:df2:e500:ed1a::/64);
+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 );
+
+# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-virtual-eqsin
+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 = (103.102.166.96/27);
+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:3::/64);
+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-bw27-esams
+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 = (10.80.0.0/24);
+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 = (2a02:ec80:300:101::/64);
+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-by27-esams
+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 = (10.80.1.0/24);
+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 = (2a02:ec80:300:102::/64);
+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-lvs-esams
+@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 = (10.2.3.0/24);
+@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 );
+
+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-virtual-esams
+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 = (10.80.2.0/24);
+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:103::/64);
+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-bw27-esams
+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 = (185.15.59.0/27);
+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 = (2a02:ec80:300:1::/64);
+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-by27-esams
+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 = (185.15.59.32/27);
+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 = (2a02:ec80:300:2::/64);
+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-lvs-esams
+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 = (185.15.59.224/27);
+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 = (2a02:ec80:300:ed1a::/64);
+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 );
+
+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-virtual-esams
+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 = (185.15.59.96/27);
+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:3::/64);
+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b3-magru
+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 = (10.140.0.0/24);
+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 = (2a02:ec80:700:101::/64);
+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b4-magru
+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 = (10.140.1.0/24);
+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 = (2a02:ec80:700:102::/64);
+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-lvs-magru
+@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 = (10.2.7.0/24);
+@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 );
+
+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-virtual-magru
+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 = (10.140.2.0/24);
+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:103::/64);
+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b3-magru
+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 = (195.200.68.0/27);
+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 = (2a02:ec80:700:1::/64);
+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b4-magru
+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 = (195.200.68.32/27);
+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 = (2a02:ec80:700:2::/64);
+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-lvs-magru
+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 = (195.200.68.224/27);
+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 = (2a02:ec80:700:ed1a::/64);
+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 );
+
+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-virtual-magru
+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 = (195.200.68.96/27);
+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:3::/64);
+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-22-ulsfo
+@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 = (10.128.0.0/24);
+@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 = (2620:0:863:101::/64);
+@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-23-ulsfo
+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 = (10.128.1.0/24);
+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 = (2620:0:863:102::/64);
+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-lvs-ulsfo
+@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 = (10.2.4.0/24);
+@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 );
+
+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-virtual-ulsfo
+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 = (10.128.2.0/24);
+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:103::/64);
+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-22-ulsfo
+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 = (198.35.26.0/27);
+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 = (2620:0:863:1::/64);
+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-23-ulsfo
+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 = (198.35.26.32/27);
+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 = (2620:0:863:2::/64);
+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-lvs-ulsfo
+@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 = (198.35.26.96/27);
+@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 = (2620:0:863:ed1a::/64);
+@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 );
+
+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-virtual-ulsfo
+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 = (198.35.26.96/27);
+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:3::/64);
+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 );
+
+# Realm: sandbox, # Site: codfw, # Sphere: public, # Network: sandbox1-a-codfw
+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 = (208.80.152.240/28);
+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 = (2620:0:860:201::/64);
+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW = ($CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 );
+
+# Realm: sandbox, # Site: eqiad, # Sphere: public, # Network: sandbox1-b-eqiad
+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 = (208.80.155.64/28);
+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 = (2620:0:861:202::/64);
+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD = ($EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 );
+
+# Realm: sandbox, # Site: eqsin, # Sphere: public, # Network: sandbox1-virtual-eqsin
+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 = (103.102.166.72/29);
+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:202::/64);
+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 );
+
+# Realm: sandbox, # Site: esams, # Sphere: public, # Network: sandbox1-virtual-esams
+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 = (185.15.59.72/29);
+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:202::/64);
+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 );
+
+# Realm: sandbox, # Site: magru, # Sphere: public, # Network: sandbox1-virtual-magru
+@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 = (195.200.68.64/29);
+@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:201::/64);
+@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 );
+
+# Realm: sandbox, # Site: ulsfo, # Sphere: public, # Network: sandbox1-ulsfo
+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 = (198.35.26.240/28);
+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 = (2620:0:863:201::/64);
+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO = ($ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 );

File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Monitoring::Exported_nagios_service[pki-root1002 raid_md]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki-root1002 raid_md].orig
+++ Monitoring::Exported_nagios_service[pki-root1002 raid_md]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => pki_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]

-    notify => Service[rsyslog]
-    mode   => 0444
-    group  => root
-    ensure => present
-    owner  => root

Content differences:

--- /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf.orig
+++ /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf
@@ -1,10 +0,0 @@
-# rsyslog.conf(5) configuration file for services.
-# This file is managed by Puppet.
-if $programname startswith "prometheus-node-textfile-check-nft" then {
-    action(
-        type="omfile" file="/var/log/prometheus-node-textfile-check-nft/syslog.log"
-        fileOwner="root" fileGroup="root"
-        fileCreateMode="0644"
-    )
-    & stop
-}

File[/etc/nftables/]

Parameters differences:

--- File[/etc/nftables/].orig
+++ File[/etc/nftables/]

-    path    => /etc/nftables
-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

File[/etc/cfssl/ssl/cassandra/cassandra.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/cassandra/cassandra.pem].orig
+++ File[/etc/cfssl/ssl/cassandra/cassandra.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[Generate cert aux]

Parameters differences:

--- Exec[Generate cert aux].orig
+++ Exec[Generate cert aux]

+    require     => Cfssl::Csr[/etc/cfssl/csr/aux.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux/aux

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/aux/aux.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/aux/aux-key.pem 2>&1)"

Rsyslog::Conf[wmf_auto_restart_ulogd2]

Parameters differences:

--- Rsyslog::Conf[wmf_auto_restart_ulogd2].orig
+++ Rsyslog::Conf[wmf_auto_restart_ulogd2]

+    ensure   => present
+    priority => 40
+    mode     => 0444
+    require  => File[/var/log/wmf_auto_restart_ulogd2]

Exec[Generate cert mlserve_front_proxy]

Parameters differences:

--- Exec[Generate cert mlserve_front_proxy].orig
+++ Exec[Generate cert mlserve_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem 2>&1)"

Nftables::Set[MONITORING_HOSTS]

Parameters differences:

--- Nftables::Set[MONITORING_HOSTS].orig
+++ Nftables::Set[MONITORING_HOSTS]

-    ensure => present
-    hosts  => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']

Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)].orig
+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]

+    refreshonly => True
+    before      => ['Service[wmf_auto_restart_ulogd2.timer]']
+    command     => /bin/systemctl daemon-reload

Cfssl::Cert[aux_front_proxy]

Parameters differences:

--- Cfssl::Cert[aux_front_proxy].orig
+++ Cfssl::Cert[aux_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => aux_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Exec[renew certificate - discovery2026]

Parameters differences:

--- Exec[renew certificate - discovery2026].orig
+++ Exec[renew certificate - discovery2026]

+    require     => Exec[Generate cert discovery2026]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/discovery2026/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -checkend 952200

Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

+    ensure      => present
+    common_name => Wikimedia_Internal_Root_CA_ocsp_signing_cert
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 256}
+    hosts       => []

File[/etc/cfssl/ssl/kafka]

Parameters differences:

--- File[/etc/cfssl/ssl/kafka].orig
+++ File[/etc/cfssl/ssl/kafka]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Systemd::Unit[nrpe2nodexp-ferm_active.service]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-ferm_active.service].orig
+++ Systemd::Unit[nrpe2nodexp-ferm_active.service]

+    override          => False
+    require           => ['Class[Systemd]']
+    ensure            => present
+    unit              => nrpe2nodexp-ferm_active.service
+    restart           => False
+    override_filename => puppet-override.conf

Class[Nftables]

Parameters differences:

--- Class[Nftables].orig
+++ Class[Nftables]

-    ensure => present

File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]

Parameters differences:

--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig
+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]

@@
-    ensure => absent
+    ensure => present

Ferm::Rule[filter_log_filter-bootp]

Parameters differences:

--- Ferm::Rule[filter_log_filter-bootp].orig
+++ Ferm::Rule[filter_log_filter-bootp]

+    rule   => proto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;
+    domain => (ip ip6)
+    chain  => INPUT
+    ensure => present
+    table  => filter
+    desc   => 
+    prio   => 98

Exec[Generate cert syslog refresh]

Parameters differences:

--- Exec[Generate cert syslog refresh].orig
+++ Exec[Generate cert syslog refresh]

+    subscribe   => File[/etc/cfssl/csr/syslog.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog

Exec[renew certificate - network_devices]

Parameters differences:

--- Exec[renew certificate - network_devices].orig
+++ Exec[renew certificate - network_devices]

+    require     => Exec[Generate cert network_devices]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/network_devices/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/network_devices/network_devices.pem -checkend 952200

Ferm::Service[full_monitoring_metrics_access_tcp]

Parameters differences:

--- Ferm::Service[full_monitoring_metrics_access_tcp].orig
+++ Ferm::Service[full_monitoring_metrics_access_tcp]

+    desc                => 
+    prio                => 10
+    proto               => tcp
+    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']
+    unrestricted_access => False
+    notrack             => False
+    port_range          => [1, 65535]
+    ensure              => present

Monitoring::Exported_nagios_service[pki-root1002 ssh]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki-root1002 ssh].orig
+++ Monitoring::Exported_nagios_service[pki-root1002 ssh]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => pki_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Nftables::Set[INSTALL_HOSTS]

Parameters differences:

--- Nftables::Set[INSTALL_HOSTS].orig
+++ Nftables::Set[INSTALL_HOSTS]

-    ensure => present
-    hosts  => ['208.80.154.134', '208.80.153.70', '185.15.59.101', '198.35.26.98', '103.102.166.104', '185.15.58.7', '195.200.68.100', '2620:0:861:2:208:80:154:134', '2620:0:860:3:208:80:153:70', '2a02:ec80:300:3:185:15:59:101', '2620:0:863:3:198:35:26:98', '2001:df2:e500:3:103:102:166:104', '2a02:ec80:600:1:185:15:58:7', '2a02:ec80:700:3:195:200:68:100']

Systemd::Syslog[wmf_auto_restart_ulogd2]

Parameters differences:

--- Systemd::Syslog[wmf_auto_restart_ulogd2].orig
+++ Systemd::Syslog[wmf_auto_restart_ulogd2]

+    base_dir               => /var/log
+    log_filename           => syslog.log
+    force_stop             => True
+    owner                  => root
+    programname_comparison => startswith
+    readable_by            => all
+    group                  => root
+    ensure                 => present

File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft
@@ -1,10 +0,0 @@
-# Autogenerated by puppet
-set DRUID_PUBLIC_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.131.9,
-             10.64.132.12,
-             10.64.135.9,
-             10.64.32.101,
-             10.64.48.185
-    }
-}

Concat::Fragment[/etc/bacula_puppet_ca_chain]

Parameters differences:

--- Concat::Fragment[/etc/bacula_puppet_ca_chain].orig
+++ Concat::Fragment[/etc/bacula_puppet_ca_chain]

+    target => /etc/bacula/ssl/cert.pem
+    order  => 02
+    source => /var/lib/puppet/ssl/certs/ca.pem

Class[Ulogd]

Parameters differences:

--- Class[Ulogd].orig
+++ Class[Ulogd]

+    json_logfile        => /var/log/ulog/ulogd.json
+    gprint_logfile      => /var/log/ulog/gprint.log
+    config_file         => /etc/ulogd.conf
+    xml_directory       => /var/log/ulog/
+    nfct                => []
+    nflog               => ['SYSLOG']
+    ensure              => present
+    syslog_level        => info
+    logemu_logfile      => /var/log/ulog/syslogemu.log
+    json_nfct_logfile   => /var/log/ulog/ulogd_nfct.json
+    oprint_logfile      => /var/log/ulog/oprint.log
+    syslog_facility     => local7
+    pcap_file           => /var/log/ulog/ulogd.pcap
+    acct                => []
+    nacct_file          => /var/log/ulog/nacct.log
+    sync                => True
+    logemu_nfct_logfile => /var/log/ulog/syslogemu_nfct.log
+    log_level           => info
+    logfile             => syslog

Class[Ferm]

Parameters differences:

--- Class[Ferm].orig
+++ Class[Ferm]

@@
-    ensure => absent
+    ensure => present

File[/etc/cfssl/csr/debmonitor.csr]

Parameters differences:

--- File[/etc/cfssl/csr/debmonitor.csr].orig
+++ File[/etc/cfssl/csr/debmonitor.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/debmonitor.csr.orig
+++ /etc/cfssl/csr/debmonitor.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "debmonitor",
+  "hosts": [
+    "debmonitor"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/csr/aux_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/aux_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/aux_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/aux_front_proxy.csr.orig
+++ /etc/cfssl/csr/aux_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "aux_front_proxy",
+  "hosts": [
+    "aux_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Nftables::Set[CACHES]

Parameters differences:

--- Nftables::Set[CACHES].orig
+++ Nftables::Set[CACHES]

-    ensure => present
-    hosts  => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', '2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', '10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.1.27', '2620:0:863:102:10:128:1:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.1.28', '2620:0:863:102:10:128:1:28', '10.128.0.25', '2620:0:863:101:10:128:0:25', '10.128.1.29', '2620:0:863:102:10:128:1:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.1.31', '2620:0:863:102:10:128:1:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.1.35', '2620:0:863:102:10:128:1:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.1.36', '2620:0:863:102:10:128:1:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.1.10', '2620:0:863:102:10:128:1:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.1.12', '2620:0:863:102:10:128:1:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', '10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', '10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', '2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']

Cfssl::Cert[mlserve]

Parameters differences:

--- Cfssl::Cert[mlserve].orig
+++ Cfssl::Cert[mlserve]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => mlserve
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube/wikikube-key.pem].orig
+++ File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Service[bacula-fd]

Parameters differences:

--- Service[bacula-fd].orig
+++ Service[bacula-fd]

+    ensure  => running
+    require => Package[bacula-fd]

File[/etc/nftables/prerouting]

Parameters differences:

--- File[/etc/nftables/prerouting].orig
+++ File[/etc/nftables/prerouting]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

Rsyslog::Conf[prometheus-node-textfile-check-nft]

Parameters differences:

--- Rsyslog::Conf[prometheus-node-textfile-check-nft].orig
+++ Rsyslog::Conf[prometheus-node-textfile-check-nft]

-    ensure   => present
-    priority => 40
-    mode     => 0444
-    require  => File[/var/log/prometheus-node-textfile-check-nft]

Cfssl::Csr[/etc/cfssl/csr/puppet.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/puppet.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/puppet.csr]

+    ensure      => present
+    common_name => puppet
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft
@@ -1,4 +0,0 @@
-# Autogenerated by puppet
-set MGMT_NETWORKS_ipv6 {
-    type ipv6_addr
-}

Exec[Generate cert aux_front_proxy]

Parameters differences:

--- Exec[Generate cert aux_front_proxy].orig
+++ Exec[Generate cert aux_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem 2>&1)"

Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/network_devices.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]

+    ensure      => present
+    common_name => network_devices
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]

+    ensure      => present
+    common_name => mlserve_staging
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Exec[renew certificate - cloud_wmnet_ca]

Parameters differences:

--- Exec[renew certificate - cloud_wmnet_ca].orig
+++ Exec[renew certificate - cloud_wmnet_ca]

+    require     => Exec[Generate cert cloud_wmnet_ca]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem -checkend 952200

File[/etc/ferm]

Parameters differences:

--- File[/etc/ferm].orig
+++ File[/etc/ferm]

@@
-    ensure => absent
+    ensure => directory

Systemd::Timer[prometheus-node-textfile-check-nft]

Parameters differences:

--- Systemd::Timer[prometheus-node-textfile-check-nft].orig
+++ Systemd::Timer[prometheus-node-textfile-check-nft]

-    fixed_random_delay => False
-    ensure             => present
-    splay              => 0
-    unit_name          => prometheus-node-textfile-check-nft.service
-    accuracy           => 15sec
-    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*:0/30'}]

Class[Adduser]

Parameters differences:

--- Class[Adduser].orig
+++ Class[Adduser]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']

Exec[Generate cert dse]

Parameters differences:

--- Exec[Generate cert dse].orig
+++ Exec[Generate cert dse]

+    require     => Cfssl::Csr[/etc/cfssl/csr/dse.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse/dse.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse/dse-key.pem 2>&1)"

File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set INSTALL_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 208.80.154.134,
-             208.80.153.70,
-             185.15.59.101,
-             198.35.26.98,
-             103.102.166.104,
-             185.15.58.7,
-             195.200.68.100
-    }
-}

Class[Profile::Base::Production]

Parameters differences:

--- Class[Profile::Base::Production].orig
+++ Class[Profile::Base::Production]

@@
-    role_description => Host being setup by Infrastructure Foundations SREs with ntables
+    role_description => PKI RootCA

Exec[Generate cert mlserve refresh]

Parameters differences:

--- Exec[Generate cert mlserve refresh].orig
+++ Exec[Generate cert mlserve refresh]

+    subscribe   => File[/etc/cfssl/csr/mlserve.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve

Motd::Script[pki::root]

Parameters differences:

--- Motd::Script[pki::root].orig
+++ Motd::Script[pki::root]

+    ensure   => present
+    priority => 5

File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft
@@ -1,20 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2a02:ec80:a000:100::/64,
-             2a02:ec80:a000:1::/64,
-             2a02:ec80:a000:201::/64,
-             2a02:ec80:a000:202::/64,
-             2a02:ec80:a000:203::/64,
-             2a02:ec80:a000:204::/64,
-             2a02:ec80:a000:2ff::/64,
-             2a02:ec80:a000:4000::/64,
-             2a02:ec80:a100:100::/64,
-             2a02:ec80:a100:1::/64,
-             2a02:ec80:a100:205::/64,
-             2a02:ec80:a100:2ff::/64,
-             2a02:ec80:a100:4000::/64
-    }
-}

Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

Parameters differences:

--- Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig
+++ Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

+    refreshonly => True
+    command     => /usr/bin/apt-get update

File[/etc/ferm/conf.d/00_defs_requestctl]

Parameters differences:

--- File[/etc/ferm/conf.d/00_defs_requestctl].orig
+++ File[/etc/ferm/conf.d/00_defs_requestctl]

@@
-    ensure => absent
+    ensure => file

Profile::Auto_restarts::Service[ulogd2]

Parameters differences:

--- Profile::Auto_restarts::Service[ulogd2].orig
+++ Profile::Auto_restarts::Service[ulogd2]

+    ensure => present

Confd::File[/etc/ferm/conf.d/00_defs_requestctl]

Parameters differences:

--- Confd::File[/etc/ferm/conf.d/00_defs_requestctl].orig
+++ Confd::File[/etc/ferm/conf.d/00_defs_requestctl]

@@
-    ensure => absent
+    ensure => present

File[/etc/cfssl/ssl/syslog]

Parameters differences:

--- File[/etc/cfssl/ssl/syslog].orig
+++ File[/etc/cfssl/ssl/syslog]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Class[Profile::Firewall]

Parameters differences:

--- Class[Profile::Firewall].orig
+++ Class[Profile::Firewall]

@@
-    provider => nftables
+    provider => ferm

Class[Profile::Monitoring]

Parameters differences:

--- Class[Profile::Monitoring].orig
+++ Class[Profile::Monitoring]

@@
-    nagios_group          => insetup_eqiad
+    nagios_group          => pki_eqiad
@@
-    cluster               => insetup
+    cluster               => pki
@@
-    notifications_enabled => False
+    notifications_enabled => True

Cfssl::Cert[etcd]

Parameters differences:

--- Cfssl::Cert[etcd].orig
+++ Cfssl::Cert[etcd]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => etcd
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/nftables/sets/CACHES_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/CACHES_ipv6.nft].orig
+++ File[/etc/nftables/sets/CACHES_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CACHES_ipv6.nft.orig
+++ /etc/nftables/sets/CACHES_ipv6.nft
@@ -1,117 +0,0 @@
-# Autogenerated by puppet
-set CACHES_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:101:10:64:0:79,
-             2620:0:861:101:10:64:0:229,
-             2620:0:861:101:10:64:0:14,
-             2620:0:861:101:10:64:0:51,
-             2620:0:861:102:10:64:16:241,
-             2620:0:861:102:10:64:16:94,
-             2620:0:861:102:10:64:16:95,
-             2620:0:861:102:10:64:16:240,
-             2620:0:861:103:10:64:32:14,
-             2620:0:861:103:10:64:32:60,
-             2620:0:861:103:10:64:32:15,
-             2620:0:861:103:10:64:32:65,
-             2620:0:861:107:10:64:48:16,
-             2620:0:861:107:10:64:48:41,
-             2620:0:861:107:10:64:48:27,
-             2620:0:861:107:10:64:48:28,
-             2620:0:860:113:10:192:23:26,
-             2620:0:860:107:10:192:6:20,
-             2620:0:860:10d:10:192:12:35,
-             2620:0:860:10f:10:192:14:25,
-             2620:0:860:100:10:192:4:22,
-             2620:0:860:116:10:192:29:26,
-             2620:0:860:119:10:192:30:29,
-             2620:0:860:11b:10:192:36:19,
-             2620:0:860:11f:10:192:40:25,
-             2620:0:860:120:10:192:41:21,
-             2620:0:860:12b:10:192:56:3,
-             2620:0:860:12b:10:192:56:4,
-             2620:0:860:12c:10:192:57:3,
-             2620:0:860:12d:10:192:58:2,
-             2620:0:860:12d:10:192:58:3,
-             2620:0:860:12e:10:192:59:2,
-             2a02:ec80:300:101:10:80:0:14,
-             2a02:ec80:300:102:10:80:1:11,
-             2a02:ec80:300:101:10:80:0:13,
-             2a02:ec80:300:102:10:80:1:9,
-             2a02:ec80:300:101:10:80:0:12,
-             2a02:ec80:300:102:10:80:1:7,
-             2a02:ec80:300:101:10:80:0:11,
-             2a02:ec80:300:102:10:80:1:6,
-             2a02:ec80:300:101:10:80:0:10,
-             2a02:ec80:300:102:10:80:1:5,
-             2a02:ec80:300:101:10:80:0:8,
-             2a02:ec80:300:102:10:80:1:4,
-             2a02:ec80:300:101:10:80:0:7,
-             2a02:ec80:300:102:10:80:1:3,
-             2a02:ec80:300:101:10:80:0:6,
-             2a02:ec80:300:102:10:80:1:2,
-             2620:0:863:101:10:128:0:19,
-             2620:0:863:102:10:128:1:27,
-             2620:0:863:101:10:128:0:22,
-             2620:0:863:102:10:128:1:28,
-             2620:0:863:101:10:128:0:25,
-             2620:0:863:102:10:128:1:29,
-             2620:0:863:101:10:128:0:26,
-             2620:0:863:102:10:128:1:31,
-             2620:0:863:101:10:128:0:14,
-             2620:0:863:102:10:128:1:35,
-             2620:0:863:101:10:128:0:21,
-             2620:0:863:102:10:128:1:36,
-             2620:0:863:101:10:128:0:24,
-             2620:0:863:102:10:128:1:10,
-             2620:0:863:101:10:128:0:37,
-             2620:0:863:102:10:128:1:12,
-             2001:df2:e500:101:10:132:0:17,
-             2001:df2:e500:101:10:132:0:18,
-             2001:df2:e500:101:10:132:0:19,
-             2001:df2:e500:101:10:132:0:24,
-             2001:df2:e500:101:10:132:0:29,
-             2001:df2:e500:101:10:132:0:30,
-             2001:df2:e500:101:10:132:0:34,
-             2001:df2:e500:101:10:132:0:35,
-             2001:df2:e500:101:10:132:0:36,
-             2001:df2:e500:101:10:132:0:37,
-             2001:df2:e500:101:10:132:0:38,
-             2001:df2:e500:101:10:132:0:25,
-             2001:df2:e500:101:10:132:0:26,
-             2001:df2:e500:101:10:132:0:27,
-             2001:df2:e500:101:10:132:0:28,
-             2001:df2:e500:101:10:132:0:16,
-             2a02:ec80:600:101:10:136:0:6,
-             2a02:ec80:600:102:10:136:1:6,
-             2a02:ec80:600:101:10:136:0:7,
-             2a02:ec80:600:102:10:136:1:7,
-             2a02:ec80:600:101:10:136:0:8,
-             2a02:ec80:600:102:10:136:1:8,
-             2a02:ec80:600:101:10:136:0:9,
-             2a02:ec80:600:102:10:136:1:9,
-             2a02:ec80:600:101:10:136:0:10,
-             2a02:ec80:600:102:10:136:1:10,
-             2a02:ec80:600:101:10:136:0:11,
-             2a02:ec80:600:102:10:136:1:11,
-             2a02:ec80:600:101:10:136:0:12,
-             2a02:ec80:600:102:10:136:1:12,
-             2a02:ec80:600:101:10:136:0:13,
-             2a02:ec80:600:102:10:136:1:13,
-             2a02:ec80:700:101:10:140:0:3,
-             2a02:ec80:700:102:10:140:1:4,
-             2a02:ec80:700:101:10:140:0:4,
-             2a02:ec80:700:102:10:140:1:5,
-             2a02:ec80:700:101:10:140:0:5,
-             2a02:ec80:700:102:10:140:1:6,
-             2a02:ec80:700:101:10:140:0:6,
-             2a02:ec80:700:102:10:140:1:7,
-             2a02:ec80:700:101:10:140:0:7,
-             2a02:ec80:700:102:10:140:1:8,
-             2a02:ec80:700:101:10:140:0:8,
-             2a02:ec80:700:102:10:140:1:9,
-             2a02:ec80:700:101:10:140:0:9,
-             2a02:ec80:700:102:10:140:1:10,
-             2a02:ec80:700:101:10:140:0:10,
-             2a02:ec80:700:102:10:140:1:11
-    }
-}

File[/etc/cfssl/ssl/mlserve_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_front_proxy].orig
+++ File[/etc/cfssl/ssl/mlserve_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set LABSTORE_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 208.80.154.142,
-             208.80.154.71
-    }
-}

File_line[auto_restart_file_presence_ulogd2]

Parameters differences:

--- File_line[auto_restart_file_presence_ulogd2].orig
+++ File_line[auto_restart_file_presence_ulogd2]

+    ensure  => present
+    path    => /etc/debdeploy-client/autorestarts.conf
+    require => File[/etc/debdeploy-client/autorestarts.conf]
+    line    => ulogd2

Nftables::Set[CLOUD_NETWORKS_PUBLIC]

Parameters differences:

--- Nftables::Set[CLOUD_NETWORKS_PUBLIC].orig
+++ Nftables::Set[CLOUD_NETWORKS_PUBLIC]

-    ensure => present
-    hosts  => ['185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:4000::/64']

Class[Profile::Backup::Host]

Parameters differences:

--- Class[Profile::Backup::Host].orig
+++ Class[Profile::Backup::Host]

+    client_version => 9
+    director_seed  => changeme
+    days           => ['Sat', 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri']
+    pool           => productionEqiad
+    director       => backup1014.eqiad.wmnet
+    enable         => True

Cfssl::Cert[wikikube]

Parameters differences:

--- Cfssl::Cert[wikikube].orig
+++ Cfssl::Cert[wikikube]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => wikikube
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Systemd::Unit[nftables]

Parameters differences:

--- Systemd::Unit[nftables].orig
+++ Systemd::Unit[nftables]

-    override          => True
-    require           => ['Class[Systemd]']
-    ensure            => present
-    unit              => nftables
-    restart           => False
-    override_filename => puppet-override.conf

Exec[renew certificate - mlserve]

Parameters differences:

--- Exec[renew certificate - mlserve].orig
+++ Exec[renew certificate - mlserve]

+    require     => Exec[Generate cert mlserve]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve/mlserve.pem -checkend 952200

Exec[renew certificate - debmonitor]

Parameters differences:

--- Exec[renew certificate - debmonitor].orig
+++ Exec[renew certificate - debmonitor]

+    require     => Exec[Generate cert debmonitor]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/debmonitor/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/debmonitor/debmonitor.pem -checkend 952200

File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft
@@ -1,14 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_JUMBO_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:109:10:64:130:10,
-             2620:0:861:10a:10:64:131:16,
-             2620:0:861:10b:10:64:132:21,
-             2620:0:861:10d:10:64:134:9,
-             2620:0:861:10e:10:64:135:16,
-             2620:0:861:10f:10:64:136:11,
-             2620:0:861:122:10:64:154:15,
-             2620:0:861:128:10:64:160:16,
-             2620:0:861:101:10:64:0:126
-    }
-}

File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/BASTION_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/BASTION_HOSTS_ipv4.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set BASTION_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 208.80.154.7,
-             208.80.153.110,
-             185.15.59.99,
-             198.35.26.104,
-             103.102.166.103,
-             185.15.58.6,
-             195.200.68.99
-    }
-}

Exec[apt_package_from_component_bacula-trixie]

Parameters differences:

--- Exec[apt_package_from_component_bacula-trixie].orig
+++ Exec[apt_package_from_component_bacula-trixie]

+    subscribe   => Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]
+    refreshonly => True
+    before      => ['Package[bacula-fd]', 'Package[bacula-common]']
+    command     => /usr/bin/apt-get update

Rsyslog::Conf[nrpe2nodexp-ferm_active]

Parameters differences:

--- Rsyslog::Conf[nrpe2nodexp-ferm_active].orig
+++ Rsyslog::Conf[nrpe2nodexp-ferm_active]

+    ensure   => present
+    priority => 25
+    mode     => 0444

File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft].orig
+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/NETWORK_INFRA_ipv4.nft.orig
+++ /etc/nftables/sets/NETWORK_INFRA_ipv4.nft
@@ -1,19 +0,0 @@
-# Autogenerated by puppet
-set NETWORK_INFRA_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 185.15.59.128/27,
-             198.35.26.128/27,
-             208.80.153.192/27,
-             10.192.255.0/24,
-             10.192.253.0/24,
-             208.80.154.192/27,
-             10.64.146.0/24,
-             10.64.168.0/24,
-             10.64.147.0/24,
-             103.102.166.128/27,
-             185.15.58.128/27,
-             195.200.68.128/27
-    }
-}

Exec[Generate cert puppet]

Parameters differences:

--- Exec[Generate cert puppet].orig
+++ Exec[Generate cert puppet]

+    require     => Cfssl::Csr[/etc/cfssl/csr/puppet.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet/puppet.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet/puppet-key.pem 2>&1)"

File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem].orig
+++ File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft
@@ -1,13 +0,0 @@
-# Autogenerated by puppet
-set SANDBOX_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 103.102.166.72/29,
-             185.15.59.72/29,
-             195.200.68.64/29,
-             198.35.26.240/28,
-             208.80.152.240/28,
-             208.80.155.64/28
-    }
-}

File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem].orig
+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/cfssl/ssl/kafka/kafka-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/kafka/kafka-key.pem].orig
+++ File[/etc/cfssl/ssl/kafka/kafka-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft].orig
+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft.orig
+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_NETWORKS_PUBLIC_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 185.15.56.0/25,
-             185.15.56.160/28,
-             185.15.57.0/29,
-             185.15.57.16/29,
-             185.15.57.24/29
-    }
-}

File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft
@@ -1,15 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_MAIN_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:860:106:10:192:5:9,
-             2620:0:860:112:10:192:22:6,
-             2620:0:860:103:10:192:32:4,
-             2620:0:860:104:10:192:48:33,
-             2620:0:860:104:10:192:48:35,
-             2620:0:861:101:10:64:0:101,
-             2620:0:861:102:10:64:16:30,
-             2620:0:861:103:10:64:32:45,
-             2620:0:861:107:10:64:48:37,
-             2620:0:861:120:10:64:152:5
-    }
-}

Prometheus::Node_textfile[check-nft]

Parameters differences:

--- Prometheus::Node_textfile[check-nft].orig
+++ Prometheus::Node_textfile[check-nft]

-    run_cmd        => /usr/local/bin/check-nft
-    extra_packages => []
-    interval       => *:0/30
-    ensure         => present
-    filesource     => puppet:///modules/profile/firewall/check_nftables.py
-    user           => root
-    environment    => {}

File[/etc/ferm/ferm.conf]

Parameters differences:

--- File[/etc/ferm/ferm.conf].orig
+++ File[/etc/ferm/ferm.conf]

+    require => Package[ferm]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => file
+    owner   => root
+    source  => puppet:///modules/ferm/ferm.conf

Nftables::Set[FRACK_NETWORKS]

Parameters differences:

--- Nftables::Set[FRACK_NETWORKS].orig
+++ Nftables::Set[FRACK_NETWORKS]

-    ensure => present
-    hosts  => ['10.195.0.0/27', '10.195.0.128/29', '10.195.0.32/27', '10.195.0.64/28', '10.195.0.80/29', '10.195.0.96/27', '10.195.1.0/25', '10.64.40.0/27', '10.64.40.160/27', '10.64.40.192/26', '10.64.40.32/27', '10.64.40.64/27', '10.64.40.96/27', '208.80.152.224/28', '208.80.155.0/27']

Exec[renew certificate - dse_front_proxy]

Parameters differences:

--- Exec[renew certificate - dse_front_proxy].orig
+++ Exec[renew certificate - dse_front_proxy]

+    require     => Exec[Generate cert dse_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem -checkend 952200

File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]

Parameters differences:

--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA].orig
+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]

+    require => ['Package[golang-cfssl]']
+    mode    => 0550
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)].orig
+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]

-    refreshonly => True
-    command     => /bin/systemctl daemon-reload

File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft
@@ -1,15 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_MAIN_ipv4 {
-    type ipv4_addr
-    elements = { 10.192.5.9,
-             10.192.22.6,
-             10.192.32.4,
-             10.192.48.33,
-             10.192.48.35,
-             10.64.0.101,
-             10.64.16.30,
-             10.64.32.45,
-             10.64.48.37,
-             10.64.152.5
-    }
-}

Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]

Parameters differences:

--- Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header].orig
+++ Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]

+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources
+    order  => 01
+    source => puppet:///modules/apt/sources-deb822-header.txt

Systemd::Service[nftables]

Parameters differences:

--- Systemd::Service[nftables].orig
+++ Systemd::Service[nftables]

-    override                 => True
-    unit_type                => service
-    restart                  => False
-    service_params           => {'hasrestart': True, 'restart': '/usr/bin/systemctl reload nftables'}
-    migration_task           => T407130
-    monitoring_enabled       => False
-    monitoring_contact_group => admins
-    ensure                   => present
-    monitoring_critical      => False

File[/etc/cfssl/csr/dse.csr]

Parameters differences:

--- File[/etc/cfssl/csr/dse.csr].orig
+++ File[/etc/cfssl/csr/dse.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/dse.csr.orig
+++ /etc/cfssl/csr/dse.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "dse",
+  "hosts": [
+    "dse"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set PROMETHEUS_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:101:10:64:0:82,
-             2620:0:861:102:10:64:16:62,
-             2620:0:861:107:10:64:48:171,
-             2620:0:861:103:10:64:32:85
-    }
-}

File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]

Parameters differences:

--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp].orig
+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp.orig
+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));
+
+

Service[ferm]

Parameters differences:

--- Service[ferm].orig
+++ Service[ferm]

+    ensure  => running
+    restart => /bin/systemctl reload-or-restart ferm

File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft.orig
+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft
@@ -1,191 +0,0 @@
-# Autogenerated by puppet
-set LOAD_BALANCER_HEALTH_CHECKS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.0.136,
-             10.64.16.60,
-             10.64.158.19,
-             10.64.166.19,
-             10.64.133.19,
-             10.64.141.19,
-             10.64.169.19,
-             10.64.171.19,
-             10.64.173.19,
-             10.64.175.19,
-             10.64.177.19,
-             10.64.179.19,
-             10.64.181.19,
-             10.64.183.19,
-             10.64.185.19,
-             10.64.187.19,
-             10.64.189.19,
-             10.64.48.72,
-             10.64.37.17,
-             10.64.1.17,
-             10.64.17.17,
-             10.64.33.17,
-             10.64.130.20,
-             10.64.131.20,
-             10.64.132.20,
-             10.64.134.20,
-             10.64.135.20,
-             10.64.136.20,
-             10.64.158.20,
-             10.64.166.20,
-             10.64.133.20,
-             10.64.141.20,
-             10.64.169.20,
-             10.64.171.20,
-             10.64.173.20,
-             10.64.175.20,
-             10.64.177.20,
-             10.64.179.20,
-             10.64.181.20,
-             10.64.183.20,
-             10.64.185.20,
-             10.64.187.20,
-             10.64.189.20,
-             10.192.23.8,
-             10.192.0.29,
-             10.192.17.8,
-             10.192.33.8,
-             10.192.49.8,
-             10.192.23.2,
-             10.192.5.2,
-             10.192.6.2,
-             10.192.7.2,
-             10.192.8.2,
-             10.192.9.2,
-             10.192.10.2,
-             10.192.11.2,
-             10.192.12.2,
-             10.192.13.2,
-             10.192.14.2,
-             10.192.15.2,
-             10.192.21.2,
-             10.192.22.2,
-             10.192.4.2,
-             10.192.26.2,
-             10.192.27.2,
-             10.192.28.2,
-             10.192.29.2,
-             10.192.30.2,
-             10.192.31.2,
-             10.192.36.2,
-             10.192.37.2,
-             10.192.38.2,
-             10.192.39.2,
-             10.192.40.2,
-             10.192.41.2,
-             10.192.42.2,
-             10.192.43.2,
-             10.192.11.8,
-             10.192.16.140,
-             10.192.1.8,
-             10.192.33.9,
-             10.192.49.9,
-             10.192.23.3,
-             10.192.5.3,
-             10.192.6.3,
-             10.192.7.3,
-             10.192.8.3,
-             10.192.9.3,
-             10.192.10.3,
-             10.192.11.3,
-             10.192.12.3,
-             10.192.13.3,
-             10.192.14.3,
-             10.192.15.3,
-             10.192.21.3,
-             10.192.22.3,
-             10.192.4.3,
-             10.192.26.3,
-             10.192.27.3,
-             10.192.28.3,
-             10.192.29.3,
-             10.192.30.3,
-             10.192.31.3,
-             10.192.36.3,
-             10.192.37.3,
-             10.192.38.3,
-             10.192.39.4,
-             10.192.40.3,
-             10.192.41.3,
-             10.192.42.3,
-             10.192.43.3,
-             10.192.32.14,
-             10.192.1.9,
-             10.192.17.9,
-             10.192.49.10,
-             10.192.23.4,
-             10.192.5.4,
-             10.192.6.4,
-             10.192.7.4,
-             10.192.8.4,
-             10.192.9.4,
-             10.192.10.4,
-             10.192.11.4,
-             10.192.12.4,
-             10.192.13.4,
-             10.192.14.4,
-             10.192.15.4,
-             10.192.21.4,
-             10.192.22.4,
-             10.192.4.5,
-             10.192.26.5,
-             10.192.27.5,
-             10.192.28.5,
-             10.192.29.5,
-             10.192.30.5,
-             10.192.31.5,
-             10.192.36.5,
-             10.192.37.5,
-             10.192.38.5,
-             10.192.39.6,
-             10.192.40.5,
-             10.192.41.5,
-             10.192.42.5,
-             10.192.43.5,
-             10.192.48.213,
-             10.192.1.13,
-             10.192.17.10,
-             10.192.33.10,
-             10.192.23.5,
-             10.192.5.8,
-             10.192.6.5,
-             10.192.7.5,
-             10.192.8.5,
-             10.192.9.5,
-             10.192.10.5,
-             10.192.11.5,
-             10.192.12.5,
-             10.192.13.5,
-             10.192.14.5,
-             10.192.15.5,
-             10.192.21.5,
-             10.192.22.5,
-             10.80.0.3,
-             10.80.1.8,
-             10.80.1.14,
-             10.80.0.9,
-             10.80.0.2,
-             10.80.1.10,
-             10.128.1.18,
-             10.128.0.9,
-             10.128.1.11,
-             10.132.0.39,
-             10.132.0.6,
-             10.132.0.7,
-             10.136.0.16,
-             10.136.1.19,
-             10.136.1.15,
-             10.136.0.19,
-             10.136.0.17,
-             10.136.1.20,
-             10.140.0.13,
-             10.140.1.2,
-             10.140.1.14,
-             10.140.0.2,
-             10.140.0.14,
-             10.140.1.3
-    }
-}

Nrpe::Check[check_ferm_active]

Parameters differences:

--- Nrpe::Check[check_ferm_active].orig
+++ Nrpe::Check[check_ferm_active]

+    ensure    => present
+    before    => Monitoring::Service[ferm_active]
+    command   => /usr/local/lib/nagios/plugins/check_ferm
+    sudo_user => root

Nftables::Set[ZOOKEEPER_HOSTS_MAIN]

Parameters differences:

--- Nftables::Set[ZOOKEEPER_HOSTS_MAIN].orig
+++ Nftables::Set[ZOOKEEPER_HOSTS_MAIN]

-    ensure => present
-    hosts  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']

File[/etc/systemd/system/ferm.service.d]

Parameters differences:

--- File[/etc/systemd/system/ferm.service.d].orig
+++ File[/etc/systemd/system/ferm.service.d]

+    ensure => directory
+    mode   => 0555
+    owner  => root
+    group  => root

Exec[unmask_nftables.service]

Parameters differences:

--- Exec[unmask_nftables.service].orig
+++ Exec[unmask_nftables.service]

-    refreshonly => False
-    onlyif      => /bin/readlink -f /etc/systemd/system/nftables.service | grep -q /dev/null
-    command     => /bin/systemctl unmask nftables.service

File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]

Parameters differences:

--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.service].orig
+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]

+    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /lib/systemd/system/wmf_auto_restart_ulogd2.service.orig
+++ /lib/systemd/system/wmf_auto_restart_ulogd2.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Auto restart job: ulogd2
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/sbin/wmf-auto-restart -s ulogd2

File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LABS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/LABS_NETWORKS_ipv4.nft
@@ -1,27 +0,0 @@
-# Autogenerated by puppet
-set LABS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 172.16.0.0/21,
-             172.16.128.0/24,
-             172.16.129.0/24,
-             172.16.130.0/24,
-             172.16.131.0/24,
-             172.16.16.0/21,
-             172.16.24.0/24,
-             172.16.8.0/21,
-             172.20.1.0/24,
-             172.20.2.0/24,
-             172.20.254.0/24,
-             172.20.255.0/24,
-             172.20.3.0/24,
-             172.20.4.0/24,
-             172.20.5.0/24,
-             185.15.56.0/25,
-             185.15.56.160/28,
-             185.15.57.0/29,
-             185.15.57.16/29,
-             185.15.57.24/29
-    }
-}

File[/etc/cfssl/csr/network_devices.csr]

Parameters differences:

--- File[/etc/cfssl/csr/network_devices.csr].orig
+++ File[/etc/cfssl/csr/network_devices.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/network_devices.csr.orig
+++ /etc/cfssl/csr/network_devices.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "network_devices",
+  "hosts": [
+    "network_devices"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Motd::Message[insetup::infrastructure_foundations_nftables]

Parameters differences:

--- Motd::Message[insetup::infrastructure_foundations_nftables].orig
+++ Motd::Message[insetup::infrastructure_foundations_nftables]

-    ensure   => present
-    message  => pki-root1002 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)
-    priority => 5

Nftables::Set[MYSQL_ROOT_CLIENTS]

Parameters differences:

--- Nftables::Set[MYSQL_ROOT_CLIENTS].orig
+++ Nftables::Set[MYSQL_ROOT_CLIENTS]

-    ensure => present
-    hosts  => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.154.9', '10.64.0.20']

Exec[renew certificate - wikikube_staging_front_proxy]

Parameters differences:

--- Exec[renew certificate - wikikube_staging_front_proxy].orig
+++ Exec[renew certificate - wikikube_staging_front_proxy]

+    require     => Exec[Generate cert wikikube_staging_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem -checkend 952200

Concat::Fragment[main contacts]

Apt::Package_from_component[bacula-trixie]

Parameters differences:

--- Apt::Package_from_component[bacula-trixie].orig
+++ Apt::Package_from_component[bacula-trixie]

+    distro          => trixie-wikimedia
+    priority        => 1001
+    uri             => http://apt.wikimedia.org/wikimedia
+    ensure          => present
+    packages        => ['bacula-fd', 'bacula-common']
+    component       => component/bacula9
+    ensure_packages => True

File[/etc/cfssl/ssl/syslog/syslog.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/syslog/syslog.csr].orig
+++ File[/etc/cfssl/ssl/syslog/syslog.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]

+    ensure      => present
+    common_name => Wikimedia_Internal_Root_CA
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Exec[Generate cert zuul]

Parameters differences:

--- Exec[Generate cert zuul].orig
+++ Exec[Generate cert zuul]

+    require     => Cfssl::Csr[/etc/cfssl/csr/zuul.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul/zuul.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/zuul/zuul-key.pem 2>&1)"

Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]

+    ensure      => present
+    common_name => discovery2026
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Exec[Generate cert etcd refresh]

Parameters differences:

--- Exec[Generate cert etcd refresh].orig
+++ Exec[Generate cert etcd refresh]

+    subscribe   => File[/etc/cfssl/csr/etcd.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd

File[/etc/cfssl/ssl/dse]

Parameters differences:

--- File[/etc/cfssl/ssl/dse].orig
+++ File[/etc/cfssl/ssl/dse]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Cfssl::Cert[cloud_wmnet_ca]

Parameters differences:

--- Cfssl::Cert[cloud_wmnet_ca].orig
+++ Cfssl::Cert[cloud_wmnet_ca]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => cloud_wmnet_ca
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/bacula/bacula-fd.conf]

Parameters differences:

--- File[/etc/bacula/bacula-fd.conf].orig
+++ File[/etc/bacula/bacula-fd.conf]

+    require => ['Package[bacula-fd]']
+    notify  => Service[bacula-fd]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    owner   => root

Content differences:

--- /etc/bacula/bacula-fd.conf.orig
+++ /etc/bacula/bacula-fd.conf
@@ -0,0 +1,47 @@
+# This file has been autogenerated by puppet. Don't edit by hand
+
+# The directors allowed to connect to us
+Director {
+    Name = "backup1014.eqiad.wmnet"
+    Password = "oNZaIQDn8JhLclLcIISdelhD8xIolFuV"
+    # Have the Control channel encrypted
+    TLS Enable = yes
+    TLS Require = yes
+    TLS CA Certificate File = "/etc/ssl/certs/wmf-ca-certificates.crt"
+    TLS Verify Peer = yes
+    TLS Certificate = "/etc/bacula/ssl/cert.pem"
+    TLS Key = "/etc/bacula/ssl/server.key"
+}
+
+#
+# "Global" File daemon configuration specifications
+#
+FileDaemon {
+    Name = "pki-root1002.eqiad.wmnet-fd"
+    FDport = 9102
+    WorkingDirectory = /var/lib/bacula
+    Pid Directory = /var/run/bacula
+    Maximum Concurrent Jobs = 1
+    Plugin Directory = "/usr/lib/bacula"
+    # Have all data stored encrypted
+    PKI Encryption = Yes
+    PKI Signatures = Yes
+    PKI Keypair = "/etc/bacula/ssl/server-keypair.pem"
+    PKI Master Key = "/var/lib/puppet/ssl/certs/ca.pem"
+    # Do enable Data channel encryption.
+    TLS Enable = yes
+    TLS Require = yes
+    TLS Certificate = "/etc/bacula/ssl/cert.pem"
+    TLS Key = "/etc/bacula/ssl/server.key"
+    TLS CA Certificate File = "/etc/ssl/certs/wmf-ca-certificates.crt"
+    # Heartbeat inverval = 0 # in secs
+    # FDAddresses = # For director connections
+    # FDSourceAddress = # For connecting to SD
+    # Maximum Bandwidth Per Job =
+}
+
+# Send all messages except skipped files back to Director
+Messages {
+    Name = Standard
+    director = "backup1014.eqiad.wmnet" = all, !skipped, !restored
+}

File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve/mlserve-key.pem].orig
+++ File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Nftables::Set[DSE_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[DSE_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[DSE_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.67.24.0/21', '2620:0:861:302::/64', '10.192.96.0/21', '2620:0:860:308::/64']

Class[Profile::Pki::Root_ca]

Parameters differences:

--- Class[Profile::Pki::Root_ca].orig
+++ Class[Profile::Pki::Root_ca]

+    vhost             => pki.discovery.wmnet
+    bootstrap         => False
+    key_params        => {'algo': 'ecdsa', 'size': 521}
+    common_name       => Wikimedia_Internal_Root_CA
+    profiles          => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}
+    db_host           => m1-master.eqiad.wmnet
+    rsa_intermediates => ['puppet_rsa']
+    intermediates     => ['debmonitor', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']
+    auth_keys         => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}
+    db_driver         => mysql
+    db_name           => pki
+    names             => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    db_pass           => changeme
+    db_user           => pki

File[/etc/cfssl/ssl/syslog/syslog-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/syslog/syslog-key.pem].orig
+++ File[/etc/cfssl/ssl/syslog/syslog-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LABS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/LABS_NETWORKS_ipv6.nft
@@ -1,20 +0,0 @@
-# Autogenerated by puppet
-set LABS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2a02:ec80:a000:100::/64,
-             2a02:ec80:a000:1::/64,
-             2a02:ec80:a000:201::/64,
-             2a02:ec80:a000:202::/64,
-             2a02:ec80:a000:203::/64,
-             2a02:ec80:a000:204::/64,
-             2a02:ec80:a000:2ff::/64,
-             2a02:ec80:a000:4000::/64,
-             2a02:ec80:a100:100::/64,
-             2a02:ec80:a100:1::/64,
-             2a02:ec80:a100:205::/64,
-             2a02:ec80:a100:2ff::/64,
-             2a02:ec80:a100:4000::/64
-    }
-}

File[/etc/ferm/conf.d/02_main]

Parameters differences:

--- File[/etc/ferm/conf.d/02_main].orig
+++ File[/etc/ferm/conf.d/02_main]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    owner   => root
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    source  => puppet:///modules/base/firewall/main-input-default-drop.conf

File[/etc/logrotate.d/prometheus-node-textfile-check-nft]

Parameters differences:

--- File[/etc/logrotate.d/prometheus-node-textfile-check-nft].orig
+++ File[/etc/logrotate.d/prometheus-node-textfile-check-nft]

-    ensure => present
-    mode   => 0444
-    owner  => root
-    group  => root

Content differences:

--- /etc/logrotate.d/prometheus-node-textfile-check-nft.orig
+++ /etc/logrotate.d/prometheus-node-textfile-check-nft
@@ -1,12 +0,0 @@
-# logrotate(8) config for prometheus-node-textfile-check-nft
-
-/var/log/prometheus-node-textfile-check-nft/*.log {
-    daily
-    copytruncate
-    missingok
-    compress
-    delaycompress
-    notifempty
-    rotate 15
-    size 256M
-}

Systemd::Timer::Job[nrpe2nodexp-ferm_active]

Parameters differences:

--- Systemd::Timer::Job[nrpe2nodexp-ferm_active].orig
+++ Systemd::Timer::Job[nrpe2nodexp-ferm_active]

+    user                      => nagios
+    send_mail_only_on_error   => True
+    logging_enabled           => False
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    logfile_perms             => all
+    ensure                    => present
+    send_mail                 => False
+    splay                     => 600
+    logfile_group             => root
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash "bba0a2572329bb500b832470e08b381c" --timeout 10 --check-command "check_ferm_active"
+    private_tmp               => False
+    fixed_random_delay        => True
+    ignore_errors             => True
+    syslog_identifier         => nrpe2nodexp-ferm_active
+    syslog_force_stop         => True
+    logfile_name              => syslog.log
+    description               => execution of nrpe2nodexp for the check_ferm_active command.
+    monitoring_enabled        => False
+    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}]
+    monitoring_contact_groups => admins
+    group                     => prometheus-node-exporter
+    environment               => {}
+    send_mail_to              => root@pki-root1002.eqiad.wmnet
+    success_exit_status       => []

File[/etc/cfssl/ssl/wikikube_staging]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging].orig
+++ File[/etc/cfssl/ssl/wikikube_staging]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[Generate cert debmonitor refresh]

Parameters differences:

--- Exec[Generate cert debmonitor refresh].orig
+++ Exec[Generate cert debmonitor refresh]

+    subscribe   => File[/etc/cfssl/csr/debmonitor.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor

File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/systemd/system/nftables.service.d]

Parameters differences:

--- File[/etc/systemd/system/nftables.service.d].orig
+++ File[/etc/systemd/system/nftables.service.d]

-    ensure => directory
-    mode   => 0555
-    owner  => root
-    group  => root

Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]

Parameters differences:

--- Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS].orig
+++ Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]

-    ensure => present
-    hosts  => ['10.64.0.136', '10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', '2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', '10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', '10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.1.18', '10.128.0.9', '10.128.1.11', '2620:0:863:101::/64', '2620:0:863:102::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']

File[/var/lib/prometheus/node.d/role_owner.prom]

Content differences:

--- /var/lib/prometheus/node.d/role_owner.prom.orig
+++ /var/lib/prometheus/node.d/role_owner.prom
@@ -1,3 +1,3 @@
 # HELP role_owner The team owner of the server role
 # TYPE role_owner gauge
-role_owner{team="infrastructure-foundations",role="insetup::infrastructure_foundations_nftables",cluster="insetup"} 1.0
+role_owner{team="infrastructure-foundations",role="pki::root",cluster="pki"} 1.0

Exec[Generate cert network_devices refresh]

Parameters differences:

--- Exec[Generate cert network_devices refresh].orig
+++ Exec[Generate cert network_devices refresh]

+    subscribe   => File[/etc/cfssl/csr/network_devices.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices

File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,8 +0,0 @@
-# Autogenerated by puppet
-set MLSTAGE_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.194.61.0/24
-    }
-}

File[/etc/nftables/input]

Parameters differences:

--- File[/etc/nftables/input].orig
+++ File[/etc/nftables/input]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

File[/etc/cfssl/csr/puppet_rsa.csr]

Parameters differences:

--- File[/etc/cfssl/csr/puppet_rsa.csr].orig
+++ File[/etc/cfssl/csr/puppet_rsa.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/puppet_rsa.csr.orig
+++ /etc/cfssl/csr/puppet_rsa.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "puppet_rsa",
+  "hosts": [
+    "puppet_rsa"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 4096
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Nftables::Set[AUX_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[AUX_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[AUX_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.67.80.0/21', '2620:0:861:305::/64', '10.194.80.0/21', '2620:0:860:305::/64']

File[/etc/nftables/sets/INTERNAL_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/INTERNAL_ipv4.nft].orig
+++ File[/etc/nftables/sets/INTERNAL_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/INTERNAL_ipv4.nft.orig
+++ /etc/nftables/sets/INTERNAL_ipv4.nft
@@ -1,8 +0,0 @@
-# Autogenerated by puppet
-set INTERNAL_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.0.0.0/8
-    }
-}

File[/etc/cfssl/ssl/etcd/etcd.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/etcd/etcd.csr].orig
+++ File[/etc/cfssl/ssl/etcd/etcd.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Systemd::Timer::Job[prometheus-node-textfile-check-nft]

Parameters differences:

--- Systemd::Timer::Job[prometheus-node-textfile-check-nft].orig
+++ Systemd::Timer::Job[prometheus-node-textfile-check-nft]

-    user                      => root
-    send_mail_only_on_error   => True
-    logging_enabled           => True
-    syslog_match_startswith   => True
-    logfile_basedir           => /var/log
-    logfile_perms             => all
-    ensure                    => present
-    send_mail                 => False
-    logfile_group             => root
-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
-    command                   => /usr/local/bin/check-nft
-    private_tmp               => False
-    fixed_random_delay        => False
-    syslog_force_stop         => True
-    ignore_errors             => False
-    logfile_name              => syslog.log
-    description               => Systemd timer to gather node metrics for check-nft
-    monitoring_enabled        => False
-    interval                  => {'start': 'OnCalendar', 'interval': '*:0/30'}
-    monitoring_contact_groups => admins
-    environment               => {}
-    send_mail_to              => root@pki-root1002.eqiad.wmnet
-    success_exit_status       => []

File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,8 +0,0 @@
-# Autogenerated by puppet
-set MLSTAGE_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:860:302::/64
-    }
-}

Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]

+    ensure      => present
+    common_name => dse_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft].orig
+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/NETWORK_INFRA_ipv6.nft.orig
+++ /etc/nftables/sets/NETWORK_INFRA_ipv6.nft
@@ -1,18 +0,0 @@
-# Autogenerated by puppet
-set NETWORK_INFRA_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2a02:ec80:300:fe00::/55,
-             2620:0:863:fe00::/55,
-             2620:0:860:fe00::/55,
-             2620:0:860:13f::/64,
-             2620:0:860:139::/64,
-             2620:0:861:fe00::/55,
-             2620:0:861:11b::/128,
-             2620:0:861:130::/64,
-             2001:df2:e500:fe00::/55,
-             2a02:ec80:600:fe00::/55,
-             2a02:ec80:700:fe00::/55
-    }
-}

Cfssl::Cert[puppet]

Parameters differences:

--- Cfssl::Cert[puppet].orig
+++ Cfssl::Cert[puppet]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => puppet
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]

+    ensure      => present
+    common_name => aux_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Exec[renew certificate - etcd]

Parameters differences:

--- Exec[renew certificate - etcd].orig
+++ Exec[renew certificate - etcd]

+    require     => Exec[Generate cert etcd]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/etcd/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/etcd/etcd.pem -checkend 952200

File[/etc/cfssl/ssl/dse/dse.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse/dse.pem].orig
+++ File[/etc/cfssl/ssl/dse/dse.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[update_alternative_ip6tables]

Parameters differences:

--- Exec[update_alternative_ip6tables].orig
+++ Exec[update_alternative_ip6tables]

+    command => /usr/bin/update-alternatives --force --set ip6tables /usr/sbin/ip6tables-legacy
+    unless  => /usr/bin/update-alternatives --query ip6tables | /bin/grep 'Value: /usr/sbin/ip6tables-legacy'

Nftables::Set[PRODUCTION_NETWORKS]

Parameters differences:

--- Nftables::Set[PRODUCTION_NETWORKS].orig
+++ Nftables::Set[PRODUCTION_NETWORKS]

-    ensure => present
-    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', '10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', '2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', '2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']

File[/etc/cfssl/ssl/etcd/etcd.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/etcd/etcd.pem].orig
+++ File[/etc/cfssl/ssl/etcd/etcd.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/aux]

Parameters differences:

--- File[/etc/cfssl/ssl/aux].orig
+++ File[/etc/cfssl/ssl/aux]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[systemd daemon-reload for nftables.service (nftables)]

Parameters differences:

--- Exec[systemd daemon-reload for nftables.service (nftables)].orig
+++ Exec[systemd daemon-reload for nftables.service (nftables)]

-    refreshonly => True
-    before      => ['Service[nftables]']
-    command     => /bin/systemctl daemon-reload

Exec[Generate cert etcd]

Parameters differences:

--- Exec[Generate cert etcd].orig
+++ Exec[Generate cert etcd]

+    require     => Cfssl::Csr[/etc/cfssl/csr/etcd.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/etcd/etcd.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/etcd/etcd-key.pem 2>&1)"

File[/etc/cfssl/ssl/etcd]

Parameters differences:

--- File[/etc/cfssl/ssl/etcd].orig
+++ File[/etc/cfssl/ssl/etcd]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/debmonitor/debmonitor.csr].orig
+++ File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid].orig
+++ Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => pki_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft
@@ -1,99 +0,0 @@
-# Autogenerated by puppet
-set MW_APPSERVER_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:101::/64,
-             2620:0:861:102::/64,
-             2620:0:861:103::/64,
-             2620:0:861:107::/64,
-             2620:0:861:109::/64,
-             2620:0:861:10a::/64,
-             2620:0:861:10b::/64,
-             2620:0:861:10c::/64,
-             2620:0:861:10d::/64,
-             2620:0:861:10e::/64,
-             2620:0:861:10f::/64,
-             2620:0:861:113::/64,
-             2620:0:861:119::/64,
-             2620:0:861:120::/64,
-             2620:0:861:122::/64,
-             2620:0:861:124::/64,
-             2620:0:861:126::/64,
-             2620:0:861:128::/64,
-             2620:0:861:12a::/64,
-             2620:0:861:12c::/64,
-             2620:0:861:12e::/64,
-             2620:0:861:131::/64,
-             2620:0:861:133::/64,
-             2620:0:861:135::/64,
-             2620:0:861:137::/64,
-             2620:0:861:139::/64,
-             2620:0:861:13b::/64,
-             2620:0:861:13d::/64,
-             2620:0:861:13f::/64,
-             2620:0:861:142::/64,
-             2620:0:861:144::/64,
-             2620:0:860:100::/64,
-             2620:0:860:101::/64,
-             2620:0:860:102::/64,
-             2620:0:860:103::/64,
-             2620:0:860:104::/64,
-             2620:0:860:105::/64,
-             2620:0:860:106::/64,
-             2620:0:860:107::/64,
-             2620:0:860:108::/64,
-             2620:0:860:109::/64,
-             2620:0:860:10a::/64,
-             2620:0:860:10b::/64,
-             2620:0:860:10c::/64,
-             2620:0:860:10d::/64,
-             2620:0:860:10e::/64,
-             2620:0:860:10f::/64,
-             2620:0:860:110::/64,
-             2620:0:860:111::/64,
-             2620:0:860:112::/64,
-             2620:0:860:113::/64,
-             2620:0:860:114::/64,
-             2620:0:860:115::/64,
-             2620:0:860:116::/64,
-             2620:0:860:119::/64,
-             2620:0:860:11a::/64,
-             2620:0:860:11b::/64,
-             2620:0:860:11c::/64,
-             2620:0:860:11d::/64,
-             2620:0:860:11e::/64,
-             2620:0:860:11f::/64,
-             2620:0:860:120::/64,
-             2620:0:860:121::/64,
-             2620:0:860:122::/64,
-             2620:0:860:123::/64,
-             2620:0:860:124::/64,
-             2620:0:860:125::/64,
-             2620:0:860:126::/64,
-             2620:0:860:127::/64,
-             2620:0:860:12b::/64,
-             2620:0:860:12c::/64,
-             2620:0:860:12d::/64,
-             2620:0:860:12e::/64,
-             2620:0:860:300::/64,
-             2620:0:860:302::/64,
-             2620:0:860:305::/64,
-             2620:0:860:308::/64,
-             2620:0:860:babe::/64,
-             2620:0:860:cabe::/64,
-             2620:0:861:300::/64,
-             2620:0:861:302::/64,
-             2620:0:861:305::/64,
-             2620:0:861:babe::/64,
-             2620:0:861:cabe::/64,
-             2620:0:861:1::/64,
-             2620:0:861:2::/64,
-             2620:0:861:3::/64,
-             2620:0:861:4::/64,
-             2620:0:860:1::/64,
-             2620:0:860:2::/64,
-             2620:0:860:3::/64,
-             2620:0:860:4::/64
-    }
-}

Class[Profile::Apt]

Parameters differences:

--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']

File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set DSE_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.67.24.0/21,
-             10.192.96.0/21
-    }
-}

File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set WIKIKUBE_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.67.128.0/17,
-             10.194.128.0/17
-    }
-}

Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]

Parameters differences:

--- Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula].orig
+++ Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]

+    outfile     => /etc/bacula/ssl/server.p12
+    group       => bacula
+    private_key => /var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem
+    certfile    => /var/lib/puppet/ssl/certs/ca.pem
+    ensure      => absent
+    public_key  => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem
+    owner       => bacula

File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set STAGING_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.64.64.0/21,
-             10.192.64.0/21
-    }
-}

File[/etc/cfssl/csr/cloud_wmnet_ca.csr]

Parameters differences:

--- File[/etc/cfssl/csr/cloud_wmnet_ca.csr].orig
+++ File[/etc/cfssl/csr/cloud_wmnet_ca.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/cloud_wmnet_ca.csr.orig
+++ /etc/cfssl/csr/cloud_wmnet_ca.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "cloud_wmnet_ca",
+  "hosts": [
+    "cloud_wmnet_ca"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]

+    ensure      => present
+    common_name => wikikube_staging_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Service[nrpe2nodexp-ferm_active.timer]

Parameters differences:

--- Service[nrpe2nodexp-ferm_active.timer].orig
+++ Service[nrpe2nodexp-ferm_active.timer]

+    ensure   => running
+    provider => systemd
+    enable   => True

Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]

+    ensure      => present
+    common_name => puppet_rsa
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'rsa', 'size': 4096}
+    hosts       => []

Exec[Generate cert debmonitor]

Parameters differences:

--- Exec[Generate cert debmonitor].orig
+++ Exec[Generate cert debmonitor]

+    require     => Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/debmonitor/debmonitor.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/debmonitor/debmonitor-key.pem 2>&1)"

Cfssl::Cert[zuul]

Parameters differences:

--- Cfssl::Cert[zuul].orig
+++ Cfssl::Cert[zuul]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => zuul
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Nftables::Set[BASTION_HOSTS]

Parameters differences:

--- Nftables::Set[BASTION_HOSTS].orig
+++ Nftables::Set[BASTION_HOSTS]

-    ensure => present
-    hosts  => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']

Nftables::Set[DOMAIN_NETWORKS]

Parameters differences:

--- Nftables::Set[DOMAIN_NETWORKS].orig
+++ Nftables::Set[DOMAIN_NETWORKS]

-    ensure => present
-    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', '10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', '2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', '2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']

File[/etc/cfssl/ssl/zuul/zuul-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/zuul/zuul-key.pem].orig
+++ File[/etc/cfssl/ssl/zuul/zuul-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/cfssl/ssl/cassandra]

Parameters differences:

--- File[/etc/cfssl/ssl/cassandra].orig
+++ File[/etc/cfssl/ssl/cassandra]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/update-motd.d/05-pki--root]

Parameters differences:

--- File[/etc/update-motd.d/05-pki--root].orig
+++ File[/etc/update-motd.d/05-pki--root]

+    ensure => present
+    owner  => root
+    mode   => 0555
+    group  => root

Content differences:

--- /etc/update-motd.d/05-pki--root.orig
+++ /etc/update-motd.d/05-pki--root
@@ -0,0 +1,2 @@
+#!/bin/sh
+printf "%s\n" "pki-root1002 is a PKI RootCA (pki::root)"

Exec[renew certificate - mlserve_staging_front_proxy]

Parameters differences:

--- Exec[renew certificate - mlserve_staging_front_proxy].orig
+++ Exec[renew certificate - mlserve_staging_front_proxy]

+    require     => Exec[Generate cert mlserve_staging_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem -checkend 952200

Nftables::Set[ANALYTICS_NETWORKS]

Parameters differences:

--- Nftables::Set[ANALYTICS_NETWORKS].orig
+++ Nftables::Set[ANALYTICS_NETWORKS]

-    ensure => present
-    hosts  => ['10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.153.0/24', '10.64.155.0/24', '10.64.157.0/24', '10.64.159.0/24', '10.64.161.0/24', '10.64.163.0/24', '10.64.165.0/24', '10.64.167.0/24', '10.64.170.0/24', '10.64.172.0/24', '10.64.174.0/24', '10.64.176.0/24', '10.64.178.0/24', '10.64.180.0/24', '10.64.182.0/24', '10.64.184.0/24', '10.64.186.0/24', '10.64.188.0/24', '10.64.190.0/24', '10.64.21.0/24', '10.64.36.0/24', '10.64.5.0/24', '10.64.53.0/24', '2620:0:861:100::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:108::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:11a::/64', '2620:0:861:121::/64', '2620:0:861:123::/64', '2620:0:861:125::/64', '2620:0:861:127::/64', '2620:0:861:129::/64', '2620:0:861:12b::/64', '2620:0:861:12d::/64', '2620:0:861:12f::/64', '2620:0:861:132::/64', '2620:0:861:134::/64', '2620:0:861:136::/64', '2620:0:861:138::/64', '2620:0:861:13a::/64', '2620:0:861:13c::/64', '2620:0:861:13e::/64', '2620:0:861:141::/64', '2620:0:861:143::/64', '2620:0:861:145::/64']

Cfssl::Signer[Wikimedia_Internal_Root_CA]

Parameters differences:

--- Cfssl::Signer[Wikimedia_Internal_Root_CA].orig
+++ Cfssl::Signer[Wikimedia_Internal_Root_CA]

+    default_ocsp_url => http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA
+    manage_services  => False
+    default_crl_url  => http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA
+    listen_addr      => pki-root1002.eqiad.wmnet
+    manage_db        => True
+    default_usages   => ['signing', 'key encipherment', 'client auth']
+    db_name          => pki
+    log_level        => info
+    db_user          => pki
+    listen_port      => 8888
+    profiles         => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}
+    db_host          => m1-master.eqiad.wmnet
+    default_auth_key => default_auth
+    serve_ensure     => absent
+    db_driver        => mysql
+    default_expiry   => 672h
+    db_pass          => changeme
+    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}

Nftables::Set[DEPLOYMENT_HOSTS]

Parameters differences:

--- Nftables::Set[DEPLOYMENT_HOSTS].orig
+++ Nftables::Set[DEPLOYMENT_HOSTS]

-    ensure => present
-    hosts  => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']

Package[ulogd2]

Parameters differences:

--- Package[ulogd2].orig
+++ Package[ulogd2]

+    ensure   => installed
+    provider => apt

Exec[Generate cert wikikube_staging_front_proxy]

Parameters differences:

--- Exec[Generate cert wikikube_staging_front_proxy].orig
+++ Exec[Generate cert wikikube_staging_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem 2>&1)"

File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft].orig
+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft.orig
+++ /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft
@@ -1,11 +0,0 @@
-# Autogenerated by puppet
-set ZOOKEEPER_HOSTS_MAIN_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.0.207,
-             10.64.16.110,
-             10.64.48.154,
-             10.192.16.45,
-             10.192.32.52,
-             10.192.48.59
-    }
-}

File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft].orig
+++ File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LINK_LOCAL_ipv4.nft.orig
+++ /etc/nftables/sets/LINK_LOCAL_ipv4.nft
@@ -1,8 +0,0 @@
-# Autogenerated by puppet
-set LINK_LOCAL_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 169.254.0.0/16
-    }
-}

Exec[Generate cert mlserve]

Parameters differences:

--- Exec[Generate cert mlserve].orig
+++ Exec[Generate cert mlserve]

+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve/mlserve.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve/mlserve-key.pem 2>&1)"

Systemd::Service[wmf_auto_restart_ulogd2]

Parameters differences:

--- Systemd::Service[wmf_auto_restart_ulogd2].orig
+++ Systemd::Service[wmf_auto_restart_ulogd2]

+    override                 => False
+    require                  => Systemd::Unit[wmf_auto_restart_ulogd2.service]
+    unit_type                => timer
+    restart                  => False
+    service_params           => {}
+    migration_task           => T407130
+    monitoring_enabled       => False
+    monitoring_contact_group => admins
+    ensure                   => present
+    monitoring_critical      => False

File[/etc/ferm/conf.d/98_log-everything]

Parameters differences:

--- File[/etc/ferm/conf.d/98_log-everything].orig
+++ File[/etc/ferm/conf.d/98_log-everything]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/98_log-everything.orig
+++ /etc/ferm/conf.d/98_log-everything
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 98_log-everything: 
+
+domain (ip ip6) {
+	table filter {
+		chain INPUT {
+			NFLOG mod limit limit 1/second limit-burst 5 nflog-prefix "[fw-in-drop]";
+		}
+	}
+}

File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[renew certificate - wikikube]

Parameters differences:

--- Exec[renew certificate - wikikube].orig
+++ Exec[renew certificate - wikikube]

+    require     => Exec[Generate cert wikikube]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube/wikikube.pem -checkend 952200

File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set INSTALL_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:2:208:80:154:134,
-             2620:0:860:3:208:80:153:70,
-             2a02:ec80:300:3:185:15:59:101,
-             2620:0:863:3:198:35:26:98,
-             2001:df2:e500:3:103:102:166:104,
-             2a02:ec80:600:1:185:15:58:7,
-             2a02:ec80:700:3:195:200:68:100
-    }
-}

File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/network_devices/network_devices-key.pem].orig
+++ File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/bacula/ssl/server.key]

Parameters differences:

--- File[/etc/bacula/ssl/server.key].orig
+++ File[/etc/bacula/ssl/server.key]

+    show_diff => False
+    mode      => 0400
+    group     => bacula
+    ensure    => present
+    owner     => bacula
+    source    => /var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem

File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft
@@ -1,189 +0,0 @@
-# Autogenerated by puppet
-set DOMAIN_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.128.0.0/24,
-             10.128.1.0/24,
-             10.128.2.0/24,
-             10.132.0.0/24,
-             10.132.2.0/24,
-             10.136.0.0/24,
-             10.136.1.0/24,
-             10.140.0.0/24,
-             10.140.1.0/24,
-             10.140.2.0/24,
-             10.192.0.0/22,
-             10.192.10.0/24,
-             10.192.11.0/24,
-             10.192.12.0/24,
-             10.192.13.0/24,
-             10.192.14.0/24,
-             10.192.15.0/24,
-             10.192.16.0/22,
-             10.192.20.0/24,
-             10.192.21.0/24,
-             10.192.22.0/24,
-             10.192.23.0/24,
-             10.192.24.0/23,
-             10.192.26.0/24,
-             10.192.27.0/24,
-             10.192.28.0/24,
-             10.192.29.0/24,
-             10.192.30.0/24,
-             10.192.31.0/24,
-             10.192.32.0/22,
-             10.192.36.0/24,
-             10.192.37.0/24,
-             10.192.38.0/24,
-             10.192.39.0/24,
-             10.192.4.0/24,
-             10.192.40.0/24,
-             10.192.41.0/24,
-             10.192.42.0/24,
-             10.192.43.0/24,
-             10.192.44.0/24,
-             10.192.45.0/24,
-             10.192.46.0/24,
-             10.192.47.0/24,
-             10.192.48.0/22,
-             10.192.5.0/24,
-             10.192.52.0/24,
-             10.192.56.0/24,
-             10.192.57.0/24,
-             10.192.58.0/24,
-             10.192.59.0/24,
-             10.192.6.0/24,
-             10.192.64.0/21,
-             10.192.7.0/24,
-             10.192.72.0/24,
-             10.192.76.0/24,
-             10.192.8.0/24,
-             10.192.80.0/20,
-             10.192.9.0/24,
-             10.192.96.0/21,
-             10.194.0.0/20,
-             10.194.128.0/17,
-             10.194.16.0/21,
-             10.194.61.0/24,
-             10.194.62.0/23,
-             10.194.64.0/20,
-             10.194.80.0/21,
-             10.2.1.0/24,
-             10.2.2.0/24,
-             10.2.3.0/24,
-             10.2.4.0/24,
-             10.2.5.0/24,
-             10.2.6.0/24,
-             10.2.7.0/24,
-             10.64.0.0/22,
-             10.64.130.0/24,
-             10.64.131.0/24,
-             10.64.132.0/24,
-             10.64.133.0/24,
-             10.64.134.0/24,
-             10.64.135.0/24,
-             10.64.136.0/24,
-             10.64.137.0/24,
-             10.64.138.0/24,
-             10.64.139.0/24,
-             10.64.140.0/24,
-             10.64.141.0/24,
-             10.64.142.0/24,
-             10.64.143.0/24,
-             10.64.144.0/24,
-             10.64.145.0/24,
-             10.64.148.0/24,
-             10.64.149.0/24,
-             10.64.150.0/24,
-             10.64.151.0/24,
-             10.64.152.0/24,
-             10.64.153.0/24,
-             10.64.154.0/24,
-             10.64.155.0/24,
-             10.64.156.0/24,
-             10.64.157.0/24,
-             10.64.158.0/24,
-             10.64.159.0/24,
-             10.64.16.0/22,
-             10.64.160.0/24,
-             10.64.161.0/24,
-             10.64.162.0/24,
-             10.64.163.0/24,
-             10.64.164.0/24,
-             10.64.165.0/24,
-             10.64.166.0/24,
-             10.64.167.0/24,
-             10.64.169.0/24,
-             10.64.170.0/24,
-             10.64.171.0/24,
-             10.64.172.0/24,
-             10.64.173.0/24,
-             10.64.174.0/24,
-             10.64.175.0/24,
-             10.64.176.0/24,
-             10.64.177.0/24,
-             10.64.178.0/24,
-             10.64.179.0/24,
-             10.64.180.0/24,
-             10.64.181.0/24,
-             10.64.182.0/24,
-             10.64.183.0/24,
-             10.64.184.0/24,
-             10.64.185.0/24,
-             10.64.186.0/24,
-             10.64.187.0/24,
-             10.64.188.0/24,
-             10.64.189.0/24,
-             10.64.190.0/24,
-             10.64.20.0/24,
-             10.64.21.0/24,
-             10.64.24.0/23,
-             10.64.32.0/22,
-             10.64.36.0/24,
-             10.64.48.0/22,
-             10.64.5.0/24,
-             10.64.53.0/24,
-             10.64.64.0/21,
-             10.64.72.0/24,
-             10.64.76.0/24,
-             10.67.0.0/20,
-             10.67.128.0/17,
-             10.67.16.0/21,
-             10.67.24.0/21,
-             10.67.32.0/20,
-             10.67.64.0/20,
-             10.67.80.0/21,
-             10.80.0.0/24,
-             10.80.1.0/24,
-             10.80.2.0/24,
-             103.102.166.0/28,
-             103.102.166.224/27,
-             103.102.166.96/27,
-             185.15.58.0/27,
-             185.15.58.224/27,
-             185.15.58.32/27,
-             185.15.59.0/27,
-             185.15.59.224/27,
-             185.15.59.32/27,
-             185.15.59.96/27,
-             195.200.68.0/27,
-             195.200.68.224/27,
-             195.200.68.32/27,
-             195.200.68.96/27,
-             198.35.26.0/27,
-             198.35.26.32/27,
-             198.35.26.96/27,
-             208.80.152.128/27,
-             208.80.153.0/27,
-             208.80.153.224/27,
-             208.80.153.32/27,
-             208.80.153.64/27,
-             208.80.153.96/27,
-             208.80.154.0/26,
-             208.80.154.128/26,
-             208.80.154.224/27,
-             208.80.154.64/26,
-             208.80.155.96/27
-    }
-}

File[/etc/cfssl/csr/mlserve.csr]

Parameters differences:

--- File[/etc/cfssl/csr/mlserve.csr].orig
+++ File[/etc/cfssl/csr/mlserve.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/mlserve.csr.orig
+++ /etc/cfssl/csr/mlserve.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "mlserve",
+  "hosts": [
+    "mlserve"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft
@@ -1,10 +0,0 @@
-# Autogenerated by puppet
-set DRUID_PUBLIC_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:10a:10:64:131:9,
-             2620:0:861:10b:10:64:132:12,
-             2620:0:861:10e:10:64:135:9,
-             2620:0:861:103:10:64:32:101,
-             2620:0:861:107:10:64:48:185
-    }
-}

File[/etc/cfssl/ssl/wikikube]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube].orig
+++ File[/etc/cfssl/ssl/wikikube]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Logrotate::Conf[prometheus-node-textfile-check-nft]

Parameters differences:

--- Logrotate::Conf[prometheus-node-textfile-check-nft].orig
+++ Logrotate::Conf[prometheus-node-textfile-check-nft]

-    ensure => present

Exec[Generate cert puppet_rsa]

Parameters differences:

--- Exec[Generate cert puppet_rsa].orig
+++ Exec[Generate cert puppet_rsa]

+    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem 2>&1)"

File[/etc/cfssl/csr/puppet.csr]

Parameters differences:

--- File[/etc/cfssl/csr/puppet.csr].orig
+++ File[/etc/cfssl/csr/puppet.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/puppet.csr.orig
+++ /etc/cfssl/csr/puppet.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "puppet",
+  "hosts": [
+    "puppet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/ssl/debmonitor]

Parameters differences:

--- File[/etc/cfssl/ssl/debmonitor].orig
+++ File[/etc/cfssl/ssl/debmonitor]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/mlserve_staging_front_proxy.csr.orig
+++ /etc/cfssl/csr/mlserve_staging_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "mlserve_staging_front_proxy",
+  "hosts": [
+    "mlserve_staging_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft].orig
+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft.orig
+++ /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft
@@ -1,11 +0,0 @@
-# Autogenerated by puppet
-set ZOOKEEPER_HOSTS_MAIN_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:101:10:64:0:207,
-             2620:0:861:102:10:64:16:110,
-             2620:0:861:107:10:64:48:154,
-             2620:0:860:102:10:192:16:45,
-             2620:0:860:103:10:192:32:52,
-             2620:0:860:104:10:192:48:59
-    }
-}

File[/etc/cfssl/ssl/mlserve/mlserve.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve/mlserve.pem].orig
+++ File[/etc/cfssl/ssl/mlserve/mlserve.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_PRIVATE_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2a02:ec80:a000:201::/64,
-             2a02:ec80:a000:202::/64,
-             2a02:ec80:a000:203::/64,
-             2a02:ec80:a000:204::/64,
-             2a02:ec80:a100:205::/64
-    }
-}

Exec[Generate cert wikikube_front_proxy]

Parameters differences:

--- Exec[Generate cert wikikube_front_proxy].orig
+++ Exec[Generate cert wikikube_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem 2>&1)"

File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set KAFKAMON_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:103:10:64:32:11,
-             2620:0:860:102:10:192:16:139
-    }
-}

Exec[Generate cert mlserve_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert mlserve_front_proxy refresh].orig
+++ Exec[Generate cert mlserve_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/mlserve_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy

File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]

Parameters differences:

--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf].orig
+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]

+    show_diff => False
+    mode      => 0440
+    group     => root
+    ensure    => present
+    owner     => root

Content differences:

--- /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf.orig
+++ /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf
@@ -0,0 +1,43 @@
+{
+  "auth_keys": {
+    "default_auth": {
+      "key": "aaaabbbbccccdddd",
+      "type": "standard"
+    }
+  },
+  "signing": {
+    "default": {
+      "auth_key": "default_auth",
+      "usages": [
+        "signing",
+        "key encipherment",
+        "client auth"
+      ],
+      "expiry": "672h",
+      "crl_url": "http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA",
+      "ocsp_url": "http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA"
+    },
+    "profiles": {
+      "intermediate": {
+        "auth_key": "default_auth",
+        "expiry": "43800h",
+        "usages": [
+          "cert sign",
+          "crl sign"
+        ],
+        "ca_constraint": {
+          "is_ca": true,
+          "max_path_len": 1
+        }
+      },
+      "ocsp": {
+        "auth_key": "default_auth",
+        "expiry": "43800h",
+        "usages": [
+          "digital signature",
+          "ocsp signing"
+        ]
+      }
+    }
+  }
+}

File[/etc/nftables/forward]

Parameters differences:

--- File[/etc/nftables/forward].orig
+++ File[/etc/nftables/forward]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]

Parameters differences:

--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig
+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]

@@
-    ensure => absent
+    ensure => present

File[/etc/cfssl/ssl/kafka/kafka.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/kafka/kafka.csr].orig
+++ File[/etc/cfssl/ssl/kafka/kafka.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Ferm::Conf[main]

Parameters differences:

--- Ferm::Conf[main].orig
+++ Ferm::Conf[main]

+    ensure => present
+    prio   => 02
+    source => puppet:///modules/base/firewall/main-input-default-drop.conf

File[/etc/cfssl/ssl/dse/dse.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/dse/dse.csr].orig
+++ File[/etc/cfssl/ssl/dse/dse.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Alternatives::Select[iptables]

Parameters differences:

--- Alternatives::Select[iptables].orig
+++ Alternatives::Select[iptables]

+    path    => /usr/sbin/iptables-legacy
+    require => Package[iptables]

File[/etc/ferm/conf.d/10_ssh_from_bastion]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ssh_from_bastion].orig
+++ File[/etc/ferm/conf.d/10_ssh_from_bastion]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_ssh_from_bastion.orig
+++ /etc/ferm/conf.d/10_ssh_from_bastion
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 22, (103.102.166.103 185.15.58.6 185.15.59.99 195.200.68.99 198.35.26.104 2001:df2:e500:3:103:102:166:103 208.80.153.110 208.80.154.7 2620:0:860:4:208:80:153:110 2620:0:861:1:208:80:154:7 2620:0:863:3:198:35:26:104 2a02:ec80:300:3:185:15:59:99 2a02:ec80:600:1:185:15:58:6 2a02:ec80:700:3:195:200:68:99));
+
+

File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft
@@ -1,189 +0,0 @@
-# Autogenerated by puppet
-set PRODUCTION_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.128.0.0/24,
-             10.128.1.0/24,
-             10.128.2.0/24,
-             10.132.0.0/24,
-             10.132.2.0/24,
-             10.136.0.0/24,
-             10.136.1.0/24,
-             10.140.0.0/24,
-             10.140.1.0/24,
-             10.140.2.0/24,
-             10.192.0.0/22,
-             10.192.10.0/24,
-             10.192.11.0/24,
-             10.192.12.0/24,
-             10.192.13.0/24,
-             10.192.14.0/24,
-             10.192.15.0/24,
-             10.192.16.0/22,
-             10.192.20.0/24,
-             10.192.21.0/24,
-             10.192.22.0/24,
-             10.192.23.0/24,
-             10.192.24.0/23,
-             10.192.26.0/24,
-             10.192.27.0/24,
-             10.192.28.0/24,
-             10.192.29.0/24,
-             10.192.30.0/24,
-             10.192.31.0/24,
-             10.192.32.0/22,
-             10.192.36.0/24,
-             10.192.37.0/24,
-             10.192.38.0/24,
-             10.192.39.0/24,
-             10.192.4.0/24,
-             10.192.40.0/24,
-             10.192.41.0/24,
-             10.192.42.0/24,
-             10.192.43.0/24,
-             10.192.44.0/24,
-             10.192.45.0/24,
-             10.192.46.0/24,
-             10.192.47.0/24,
-             10.192.48.0/22,
-             10.192.5.0/24,
-             10.192.52.0/24,
-             10.192.56.0/24,
-             10.192.57.0/24,
-             10.192.58.0/24,
-             10.192.59.0/24,
-             10.192.6.0/24,
-             10.192.64.0/21,
-             10.192.7.0/24,
-             10.192.72.0/24,
-             10.192.76.0/24,
-             10.192.8.0/24,
-             10.192.80.0/20,
-             10.192.9.0/24,
-             10.192.96.0/21,
-             10.194.0.0/20,
-             10.194.128.0/17,
-             10.194.16.0/21,
-             10.194.61.0/24,
-             10.194.62.0/23,
-             10.194.64.0/20,
-             10.194.80.0/21,
-             10.2.1.0/24,
-             10.2.2.0/24,
-             10.2.3.0/24,
-             10.2.4.0/24,
-             10.2.5.0/24,
-             10.2.6.0/24,
-             10.2.7.0/24,
-             10.64.0.0/22,
-             10.64.130.0/24,
-             10.64.131.0/24,
-             10.64.132.0/24,
-             10.64.133.0/24,
-             10.64.134.0/24,
-             10.64.135.0/24,
-             10.64.136.0/24,
-             10.64.137.0/24,
-             10.64.138.0/24,
-             10.64.139.0/24,
-             10.64.140.0/24,
-             10.64.141.0/24,
-             10.64.142.0/24,
-             10.64.143.0/24,
-             10.64.144.0/24,
-             10.64.145.0/24,
-             10.64.148.0/24,
-             10.64.149.0/24,
-             10.64.150.0/24,
-             10.64.151.0/24,
-             10.64.152.0/24,
-             10.64.153.0/24,
-             10.64.154.0/24,
-             10.64.155.0/24,
-             10.64.156.0/24,
-             10.64.157.0/24,
-             10.64.158.0/24,
-             10.64.159.0/24,
-             10.64.16.0/22,
-             10.64.160.0/24,
-             10.64.161.0/24,
-             10.64.162.0/24,
-             10.64.163.0/24,
-             10.64.164.0/24,
-             10.64.165.0/24,
-             10.64.166.0/24,
-             10.64.167.0/24,
-             10.64.169.0/24,
-             10.64.170.0/24,
-             10.64.171.0/24,
-             10.64.172.0/24,
-             10.64.173.0/24,
-             10.64.174.0/24,
-             10.64.175.0/24,
-             10.64.176.0/24,
-             10.64.177.0/24,
-             10.64.178.0/24,
-             10.64.179.0/24,
-             10.64.180.0/24,
-             10.64.181.0/24,
-             10.64.182.0/24,
-             10.64.183.0/24,
-             10.64.184.0/24,
-             10.64.185.0/24,
-             10.64.186.0/24,
-             10.64.187.0/24,
-             10.64.188.0/24,
-             10.64.189.0/24,
-             10.64.190.0/24,
-             10.64.20.0/24,
-             10.64.21.0/24,
-             10.64.24.0/23,
-             10.64.32.0/22,
-             10.64.36.0/24,
-             10.64.48.0/22,
-             10.64.5.0/24,
-             10.64.53.0/24,
-             10.64.64.0/21,
-             10.64.72.0/24,
-             10.64.76.0/24,
-             10.67.0.0/20,
-             10.67.128.0/17,
-             10.67.16.0/21,
-             10.67.24.0/21,
-             10.67.32.0/20,
-             10.67.64.0/20,
-             10.67.80.0/21,
-             10.80.0.0/24,
-             10.80.1.0/24,
-             10.80.2.0/24,
-             103.102.166.0/28,
-             103.102.166.224/27,
-             103.102.166.96/27,
-             185.15.58.0/27,
-             185.15.58.224/27,
-             185.15.58.32/27,
-             185.15.59.0/27,
-             185.15.59.224/27,
-             185.15.59.32/27,
-             185.15.59.96/27,
-             195.200.68.0/27,
-             195.200.68.224/27,
-             195.200.68.32/27,
-             195.200.68.96/27,
-             198.35.26.0/27,
-             198.35.26.32/27,
-             198.35.26.96/27,
-             208.80.152.128/27,
-             208.80.153.0/27,
-             208.80.153.224/27,
-             208.80.153.32/27,
-             208.80.153.64/27,
-             208.80.153.96/27,
-             208.80.154.0/26,
-             208.80.154.128/26,
-             208.80.154.224/27,
-             208.80.154.64/26,
-             208.80.155.96/27
-    }
-}

Systemd::Syslog[ulogd]

Parameters differences:

--- Systemd::Syslog[ulogd].orig
+++ Systemd::Syslog[ulogd]

+    base_dir               => /var/log
+    log_filename           => syslog.log
+    force_stop             => True
+    owner                  => root
+    programname_comparison => startswith
+    readable_by            => user
+    group                  => root
+    ensure                 => present

Exec[renew certificate - aux]

Parameters differences:

--- Exec[renew certificate - aux].orig
+++ Exec[renew certificate - aux]

+    require     => Exec[Generate cert aux]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/aux/aux.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux/aux

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/aux/aux.pem -checkend 952200

File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/puppet]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet].orig
+++ File[/etc/cfssl/ssl/puppet]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set STAGING_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:babe::/64,
-             2620:0:860:babe::/64
-    }
-}

File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf].orig
+++ File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]

+    notify => Service[rsyslog]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf.orig
+++ /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "wmf_auto_restart_ulogd2" then {
+    action(
+        type="omfile" file="/var/log/wmf_auto_restart_ulogd2/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Class[Cumin::Selector]

Parameters differences:

--- Class[Cumin::Selector].orig
+++ Class[Cumin::Selector]

@@
-    cluster => insetup
+    cluster => pki

File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]

Parameters differences:

--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables].orig
+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]

-    ensure => present
-    owner  => root
-    mode   => 0555
-    group  => root

Content differences:

--- /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables.orig
+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables
@@ -1,2 +0,0 @@
-#!/bin/sh
-printf "%s\n" "pki-root1002 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)"

Cfssl::Cert[debmonitor]

Parameters differences:

--- Cfssl::Cert[debmonitor].orig
+++ Cfssl::Cert[debmonitor]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => debmonitor
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/zuul]

Parameters differences:

--- File[/etc/cfssl/ssl/zuul].orig
+++ File[/etc/cfssl/ssl/zuul]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Cfssl::Cert[aux]

Parameters differences:

--- Cfssl::Cert[aux].orig
+++ Cfssl::Cert[aux]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => aux
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Exec[Generate cert mlserve_staging refresh]

Parameters differences:

--- Exec[Generate cert mlserve_staging refresh].orig
+++ Exec[Generate cert mlserve_staging refresh]

+    subscribe   => File[/etc/cfssl/csr/mlserve_staging.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging

File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]

Parameters differences:

--- File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet].orig
+++ File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet.orig
+++ /etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 9102, (10.64.183.10 2620:0:861:13d:10:64:183:10));
+
+

Package[iptables]

Parameters differences:

--- Package[iptables].orig
+++ Package[iptables]

@@
-    ensure => absent
+    ensure => installed

Nftables::File[base]

Parameters differences:

--- Nftables::File[base].orig
+++ Nftables::File[base]

-    ensure => present
-    order  => 100

Exec[renew certificate - zuul]

Parameters differences:

--- Exec[renew certificate - zuul].orig
+++ Exec[renew certificate - zuul]

+    require     => Exec[Generate cert zuul]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/zuul/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul/zuul.pem -checkend 952200

Cfssl::Cert[mlserve_staging_front_proxy]

Parameters differences:

--- Cfssl::Cert[mlserve_staging_front_proxy].orig
+++ Cfssl::Cert[mlserve_staging_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => mlserve_staging_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Exec[renew certificate - aux_front_proxy]

Parameters differences:

--- Exec[renew certificate - aux_front_proxy].orig
+++ Exec[renew certificate - aux_front_proxy]

+    require     => Exec[Generate cert aux_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem -checkend 952200

Motd::Script[insetup::infrastructure_foundations_nftables]

Parameters differences:

--- Motd::Script[insetup::infrastructure_foundations_nftables].orig
+++ Motd::Script[insetup::infrastructure_foundations_nftables]

-    ensure   => present
-    priority => 5

File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft.orig
+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft
@@ -1,4 +0,0 @@
-# Autogenerated by puppet
-set MYSQL_ROOT_CLIENTS_ipv6 {
-    type ipv6_addr
-}

Systemd::Syslog[prometheus-node-textfile-check-nft]

Parameters differences:

--- Systemd::Syslog[prometheus-node-textfile-check-nft].orig
+++ Systemd::Syslog[prometheus-node-textfile-check-nft]

-    base_dir               => /var/log
-    log_filename           => syslog.log
-    force_stop             => True
-    owner                  => root
-    programname_comparison => startswith
-    readable_by            => all
-    group                  => root
-    ensure                 => present

File[/etc/bacula/ssl/server.p12]

Parameters differences:

--- File[/etc/bacula/ssl/server.p12].orig
+++ File[/etc/bacula/ssl/server.p12]

+    ensure => absent
+    mode   => 0440
+    owner  => bacula
+    group  => bacula

Nrpe::Plugin[check_ferm]

Parameters differences:

--- Nrpe::Plugin[check_ferm].orig
+++ Nrpe::Plugin[check_ferm]

+    ensure => present
+    source => puppet:///modules/base/firewall/check_ferm

File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Class[Profile::Firewall::Log::Ferm]

Parameters differences:

--- Class[Profile::Firewall::Log::Ferm].orig
+++ Class[Profile::Firewall::Log::Ferm]

+    separate_file => True
+    log_burst     => 5
+    log_rate      => 1/second

File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]

Parameters differences:

--- File[/etc/nftables/input/10_ssh-from-cumin-masters.nft].orig
+++ File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]

-    require => ['Nftables::Set[CUMIN_MASTERS]']
-    notify  => ['Service[nftables]']
-    mode    => 0444
-    group   => root
-    ensure  => present
-    tag     => nft
-    owner   => root

Content differences:

--- /etc/nftables/input/10_ssh-from-cumin-masters.nft.orig
+++ /etc/nftables/input/10_ssh-from-cumin-masters.nft
@@ -1,4 +0,0 @@
-# Managed by puppet
-# 
-ip saddr @CUMIN_MASTERS_ipv4 tcp dport { 22 } accept
-ip6 saddr @CUMIN_MASTERS_ipv6 tcp dport { 22 } accept

File[/etc/cfssl/ssl/puppet/puppet-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet/puppet-key.pem].orig
+++ File[/etc/cfssl/ssl/puppet/puppet-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Ferm::Rule[dscp-default]

Parameters differences:

--- Ferm::Rule[dscp-default].orig
+++ Ferm::Rule[dscp-default]

+    rule   => DSCP set-dscp-class CS0;
+    domain => (ip ip6)
+    chain  => POSTROUTING
+    ensure => present
+    table  => mangle
+    desc   => 
+    prio   => 99

File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set WIKIKUBE_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:cabe::/64,
-             2620:0:860:cabe::/64
-    }
-}

Exec[Generate cert aux_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert aux_front_proxy refresh].orig
+++ Exec[Generate cert aux_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/aux_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy

File[/etc/cfssl/ssl/wikikube_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_front_proxy].orig
+++ File[/etc/cfssl/ssl/wikikube_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Nftables::Set[MW_APPSERVER_NETWORKS]

Parameters differences:

--- Nftables::Set[MW_APPSERVER_NETWORKS].orig
+++ Nftables::Set[MW_APPSERVER_NETWORKS]

-    ensure => present
-    hosts  => ['10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.141.0/24', '10.64.152.0/24', '10.64.154.0/24', '10.64.156.0/24', '10.64.158.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.162.0/24', '10.64.164.0/24', '10.64.166.0/24', '10.64.169.0/24', '10.64.171.0/24', '10.64.173.0/24', '10.64.175.0/24', '10.64.177.0/24', '10.64.179.0/24', '10.64.181.0/24', '10.64.183.0/24', '10.64.185.0/24', '10.64.187.0/24', '10.64.189.0/24', '10.64.32.0/22', '10.64.48.0/22', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:120::/64', '2620:0:861:122::/64', '2620:0:861:124::/64', '2620:0:861:126::/64', '2620:0:861:128::/64', '2620:0:861:12a::/64', '2620:0:861:12c::/64', '2620:0:861:12e::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.7.0/24', '10.192.8.0/24', '10.192.9.0/24', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '10.192.64.0/21', '10.192.96.0/21', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.80.0/21', '10.64.64.0/21', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.80.0/21', '2620:0:860:300::/64', '2620:0:860:302::/64', '2620:0:860:305::/64', '2620:0:860:308::/64', '2620:0:860:babe::/64', '2620:0:860:cabe::/64', '2620:0:861:300::/64', '2620:0:861:302::/64', '2620:0:861:305::/64', '2620:0:861:babe::/64', '2620:0:861:cabe::/64', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.64/26', '208.80.155.96/27', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '208.80.153.0/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:3::/64', '2620:0:860:4::/64']

File[/var/log/prometheus-node-textfile-check-nft]

Parameters differences:

--- File[/var/log/prometheus-node-textfile-check-nft].orig
+++ File[/var/log/prometheus-node-textfile-check-nft]

-    mode   => 0755
-    backup => False
-    group  => root
-    ensure => directory
-    owner  => root
-    force  => True

File[/etc/cfssl/ssl/etcd/etcd-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/etcd/etcd-key.pem].orig
+++ File[/etc/cfssl/ssl/etcd/etcd-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft
@@ -1,99 +0,0 @@
-# Autogenerated by puppet
-set MW_APPSERVER_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.64.0.0/22,
-             10.64.130.0/24,
-             10.64.131.0/24,
-             10.64.132.0/24,
-             10.64.133.0/24,
-             10.64.134.0/24,
-             10.64.135.0/24,
-             10.64.136.0/24,
-             10.64.141.0/24,
-             10.64.152.0/24,
-             10.64.154.0/24,
-             10.64.156.0/24,
-             10.64.158.0/24,
-             10.64.16.0/22,
-             10.64.160.0/24,
-             10.64.162.0/24,
-             10.64.164.0/24,
-             10.64.166.0/24,
-             10.64.169.0/24,
-             10.64.171.0/24,
-             10.64.173.0/24,
-             10.64.175.0/24,
-             10.64.177.0/24,
-             10.64.179.0/24,
-             10.64.181.0/24,
-             10.64.183.0/24,
-             10.64.185.0/24,
-             10.64.187.0/24,
-             10.64.189.0/24,
-             10.64.32.0/22,
-             10.64.48.0/22,
-             10.192.0.0/22,
-             10.192.10.0/24,
-             10.192.11.0/24,
-             10.192.12.0/24,
-             10.192.13.0/24,
-             10.192.14.0/24,
-             10.192.15.0/24,
-             10.192.16.0/22,
-             10.192.21.0/24,
-             10.192.22.0/24,
-             10.192.23.0/24,
-             10.192.26.0/24,
-             10.192.27.0/24,
-             10.192.28.0/24,
-             10.192.29.0/24,
-             10.192.30.0/24,
-             10.192.31.0/24,
-             10.192.32.0/22,
-             10.192.36.0/24,
-             10.192.37.0/24,
-             10.192.38.0/24,
-             10.192.39.0/24,
-             10.192.4.0/24,
-             10.192.40.0/24,
-             10.192.41.0/24,
-             10.192.42.0/24,
-             10.192.43.0/24,
-             10.192.44.0/24,
-             10.192.45.0/24,
-             10.192.46.0/24,
-             10.192.47.0/24,
-             10.192.48.0/22,
-             10.192.5.0/24,
-             10.192.52.0/24,
-             10.192.56.0/24,
-             10.192.57.0/24,
-             10.192.58.0/24,
-             10.192.59.0/24,
-             10.192.6.0/24,
-             10.192.7.0/24,
-             10.192.8.0/24,
-             10.192.9.0/24,
-             10.192.64.0/21,
-             10.192.96.0/21,
-             10.194.128.0/17,
-             10.194.16.0/21,
-             10.194.61.0/24,
-             10.194.80.0/21,
-             10.64.64.0/21,
-             10.67.128.0/17,
-             10.67.16.0/21,
-             10.67.24.0/21,
-             10.67.80.0/21,
-             208.80.154.0/26,
-             208.80.154.128/26,
-             208.80.154.64/26,
-             208.80.155.96/27,
-             208.80.153.0/27,
-             208.80.153.32/27,
-             208.80.153.64/27,
-             208.80.153.96/27
-    }
-}

File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set PROMETHEUS_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.0.82,
-             10.64.16.62,
-             10.64.48.171,
-             10.64.32.85
-    }
-}

Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]

Parameters differences:

--- Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig
+++ Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]

+    require     => Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem -checkend 952200

Exec[update_alternative_iptables]

Parameters differences:

--- Exec[update_alternative_iptables].orig
+++ Exec[update_alternative_iptables]

+    command => /usr/bin/update-alternatives --force --set iptables /usr/sbin/iptables-legacy
+    unless  => /usr/bin/update-alternatives --query iptables | /bin/grep 'Value: /usr/sbin/iptables-legacy'

Ferm::Rule[log-everything]

Parameters differences:

--- Ferm::Rule[log-everything].orig
+++ Ferm::Rule[log-everything]

+    rule   => NFLOG mod limit limit 1/second limit-burst 5 nflog-prefix "[fw-in-drop]";
+    domain => (ip ip6)
+    chain  => INPUT
+    ensure => present
+    table  => filter
+    desc   => 
+    prio   => 98

Nftables::Service[full-monitoring-metrics-access-tcp]

Parameters differences:

--- Nftables::Service[full-monitoring-metrics-access-tcp].orig
+++ Nftables::Service[full-monitoring-metrics-access-tcp]

-    desc                => 
-    prio                => 10
-    proto               => tcp
-    unrestricted_access => False
-    notrack             => False
-    port_range          => [1, 65535]
-    ensure              => present
-    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']

Nftables::Set[INTERNAL]

Parameters differences:

--- Nftables::Set[INTERNAL].orig
+++ Nftables::Set[INTERNAL]

-    ensure => present
-    hosts  => ['10.0.0.0/8', '2620:0:860:100::/56', '2620:0:861:100::/56', '2620:0:863:100::/56', '2a02:ec80:300:100::/56', '2a02:ec80:600:100::/56', '2a02:ec80:700:100::/56', '2001:df2:e500:100::/56', '2a02:ec80:ff00:100::/56']

File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem].orig
+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Cfssl::Cert[mlserve_front_proxy]

Parameters differences:

--- Cfssl::Cert[mlserve_front_proxy].orig
+++ Cfssl::Cert[mlserve_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => mlserve_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set KAFKAMON_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.32.11,
-             10.192.16.139
-    }
-}

Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]

Parameters differences:

--- Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources].orig
+++ Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]

+    show_diff      => True
+    backup         => puppet
+    replace        => True
+    format         => plain
+    ensure_newline => False
+    owner          => root
+    force          => False
+    mode           => 0444
+    group          => root
+    tag            => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources
+    order          => alpha

File[/etc/bacula/ssl]

Parameters differences:

--- File[/etc/bacula/ssl].orig
+++ File[/etc/bacula/ssl]

+    ensure => directory
+    mode   => 0555
+    owner  => bacula
+    group  => bacula

Exec[Generate cert mlserve_staging_front_proxy]

Parameters differences:

--- Exec[Generate cert mlserve_staging_front_proxy].orig
+++ Exec[Generate cert mlserve_staging_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem 2>&1)"

Package[nftables]

Parameters differences:

--- Package[nftables].orig
+++ Package[nftables]

-    ensure   => present
-    provider => apt

Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]

+    ensure      => present
+    common_name => cloud_wmnet_ca
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/cfssl/ssl/mlserve_staging_front_proxy]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy].orig
+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]

Parameters differences:

--- File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft].orig
+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig
+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft
@@ -1,4 +0,0 @@
-# Managed by puppet
-# 
-ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept
-ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept

File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft].orig
+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft.orig
+++ /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set CUMIN_MASTERS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:102:10:64:16:154,
-             2620:0:860:103:10:192:32:49
-    }
-}

File[/etc/ferm/conf.d/98_filter_log_filter-bootp]

Parameters differences:

--- File[/etc/ferm/conf.d/98_filter_log_filter-bootp].orig
+++ File[/etc/ferm/conf.d/98_filter_log_filter-bootp]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/98_filter_log_filter-bootp.orig
+++ /etc/ferm/conf.d/98_filter_log_filter-bootp
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 98_filter_log_filter-bootp: 
+
+domain (ip ip6) {
+	table filter {
+		chain INPUT {
+			proto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;
+		}
+	}
+}

Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]

Parameters differences:

--- Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig
+++ Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]

+    require     => Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem 2>&1)"

Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]

+    refreshonly => True
+    before      => ['Service[nrpe2nodexp-ferm_active.timer]']
+    command     => /bin/systemctl daemon-reload

File[/etc/nftables/output]

Parameters differences:

--- File[/etc/nftables/output].orig
+++ File[/etc/nftables/output]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]

Parameters differences:

--- File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft].orig
+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft.orig
+++ /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft
@@ -1,4 +0,0 @@
-# Managed by puppet
-# 
-ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } udp dport 1-65535 accept
-ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } udp dport 1-65535 accept

Cfssl::Cert[wikikube_staging]

Parameters differences:

--- Cfssl::Cert[wikikube_staging].orig
+++ Cfssl::Cert[wikikube_staging]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => wikikube_staging
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/usr/local/sbin/ferm-status]

Parameters differences:

--- File[/usr/local/sbin/ferm-status].orig
+++ File[/usr/local/sbin/ferm-status]

@@
-    ensure => absent
+    ensure => file

Systemd::Timer[nrpe2nodexp-ferm_active]

Parameters differences:

--- Systemd::Timer[nrpe2nodexp-ferm_active].orig
+++ Systemd::Timer[nrpe2nodexp-ferm_active]

+    fixed_random_delay => True
+    ensure             => present
+    splay              => 600
+    unit_name          => nrpe2nodexp-ferm_active.service
+    accuracy           => 15sec
+    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}, {'interval': '1s', 'start': 'OnActiveSec'}]

File[/etc/logrotate.d/ulogd]

Parameters differences:

--- File[/etc/logrotate.d/ulogd].orig
+++ File[/etc/logrotate.d/ulogd]

+    ensure => present
+    mode   => 0444
+    owner  => root
+    group  => root

Content differences:

--- /etc/logrotate.d/ulogd.orig
+++ /etc/logrotate.d/ulogd
@@ -0,0 +1,12 @@
+# logrotate(8) config for ulogd
+
+/var/log/ulogd/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft
@@ -1,11 +0,0 @@
-# Autogenerated by puppet
-set ZOOKEEPER_FLINK_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:102:10:64:16:9,
-             2620:0:861:101:10:64:0:8,
-             2620:0:861:103:10:64:32:41,
-             2620:0:860:102:10:192:16:227,
-             2620:0:860:103:10:192:32:179,
-             2620:0:860:104:10:192:48:219
-    }
-}

Nftables::Set[KAFKAMON_HOSTS]

Parameters differences:

--- Nftables::Set[KAFKAMON_HOSTS].orig
+++ Nftables::Set[KAFKAMON_HOSTS]

-    ensure => present
-    hosts  => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']

Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]

+    ensure      => present
+    common_name => wikikube_staging
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft
@@ -1,183 +0,0 @@
-# Autogenerated by puppet
-set DOMAIN_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2001:df2:e500:101::/64,
-             2001:df2:e500:103::/64,
-             2001:df2:e500:1::/64,
-             2001:df2:e500:3::/64,
-             2001:df2:e500:ed1a::/64,
-             2620:0:860:100::/64,
-             2620:0:860:101::/64,
-             2620:0:860:102::/64,
-             2620:0:860:103::/64,
-             2620:0:860:104::/64,
-             2620:0:860:105::/64,
-             2620:0:860:106::/64,
-             2620:0:860:107::/64,
-             2620:0:860:108::/64,
-             2620:0:860:109::/64,
-             2620:0:860:10a::/64,
-             2620:0:860:10b::/64,
-             2620:0:860:10c::/64,
-             2620:0:860:10d::/64,
-             2620:0:860:10e::/64,
-             2620:0:860:10f::/64,
-             2620:0:860:110::/64,
-             2620:0:860:111::/64,
-             2620:0:860:112::/64,
-             2620:0:860:113::/64,
-             2620:0:860:114::/64,
-             2620:0:860:115::/64,
-             2620:0:860:116::/64,
-             2620:0:860:118::/64,
-             2620:0:860:119::/64,
-             2620:0:860:11a::/64,
-             2620:0:860:11b::/64,
-             2620:0:860:11c::/64,
-             2620:0:860:11d::/64,
-             2620:0:860:11e::/64,
-             2620:0:860:11f::/64,
-             2620:0:860:120::/64,
-             2620:0:860:121::/64,
-             2620:0:860:122::/64,
-             2620:0:860:123::/64,
-             2620:0:860:124::/64,
-             2620:0:860:125::/64,
-             2620:0:860:126::/64,
-             2620:0:860:127::/64,
-             2620:0:860:12b::/64,
-             2620:0:860:12c::/64,
-             2620:0:860:12d::/64,
-             2620:0:860:12e::/64,
-             2620:0:860:140::/64,
-             2620:0:860:1::/64,
-             2620:0:860:2::/64,
-             2620:0:860:300::/64,
-             2620:0:860:301::/64,
-             2620:0:860:302::/64,
-             2620:0:860:303::/64,
-             2620:0:860:304::/64,
-             2620:0:860:305::/64,
-             2620:0:860:307::/64,
-             2620:0:860:308::/64,
-             2620:0:860:3::/64,
-             2620:0:860:4::/64,
-             2620:0:860:5::/64,
-             2620:0:860:babe::/64,
-             2620:0:860:babf::/64,
-             2620:0:860:cabe::/64,
-             2620:0:860:cabf::/64,
-             2620:0:860:ed1a::/64,
-             2620:0:861:100::/64,
-             2620:0:861:101::/64,
-             2620:0:861:102::/64,
-             2620:0:861:103::/64,
-             2620:0:861:104::/64,
-             2620:0:861:105::/64,
-             2620:0:861:106::/64,
-             2620:0:861:107::/64,
-             2620:0:861:108::/64,
-             2620:0:861:109::/64,
-             2620:0:861:10a::/64,
-             2620:0:861:10b::/64,
-             2620:0:861:10c::/64,
-             2620:0:861:10d::/64,
-             2620:0:861:10e::/64,
-             2620:0:861:10f::/64,
-             2620:0:861:110::/64,
-             2620:0:861:111::/64,
-             2620:0:861:112::/64,
-             2620:0:861:113::/64,
-             2620:0:861:114::/64,
-             2620:0:861:115::/64,
-             2620:0:861:116::/64,
-             2620:0:861:117::/64,
-             2620:0:861:118::/64,
-             2620:0:861:119::/64,
-             2620:0:861:11a::/64,
-             2620:0:861:11c::/64,
-             2620:0:861:11d::/64,
-             2620:0:861:11e::/64,
-             2620:0:861:11f::/64,
-             2620:0:861:120::/64,
-             2620:0:861:121::/64,
-             2620:0:861:122::/64,
-             2620:0:861:123::/64,
-             2620:0:861:124::/64,
-             2620:0:861:125::/64,
-             2620:0:861:126::/64,
-             2620:0:861:127::/64,
-             2620:0:861:128::/64,
-             2620:0:861:129::/64,
-             2620:0:861:12a::/64,
-             2620:0:861:12b::/64,
-             2620:0:861:12c::/64,
-             2620:0:861:12d::/64,
-             2620:0:861:12e::/64,
-             2620:0:861:12f::/64,
-             2620:0:861:131::/64,
-             2620:0:861:132::/64,
-             2620:0:861:133::/64,
-             2620:0:861:134::/64,
-             2620:0:861:135::/64,
-             2620:0:861:136::/64,
-             2620:0:861:137::/64,
-             2620:0:861:138::/64,
-             2620:0:861:139::/64,
-             2620:0:861:13a::/64,
-             2620:0:861:13b::/64,
-             2620:0:861:13c::/64,
-             2620:0:861:13d::/64,
-             2620:0:861:13e::/64,
-             2620:0:861:13f::/64,
-             2620:0:861:140::/64,
-             2620:0:861:141::/64,
-             2620:0:861:142::/64,
-             2620:0:861:143::/64,
-             2620:0:861:144::/64,
-             2620:0:861:145::/64,
-             2620:0:861:1::/64,
-             2620:0:861:2::/64,
-             2620:0:861:300::/64,
-             2620:0:861:301::/116,
-             2620:0:861:302::/64,
-             2620:0:861:303::/116,
-             2620:0:861:304::/116,
-             2620:0:861:305::/64,
-             2620:0:861:3::/64,
-             2620:0:861:4::/64,
-             2620:0:861:babe::/64,
-             2620:0:861:babf::/116,
-             2620:0:861:cabe::/64,
-             2620:0:861:cabf::/116,
-             2620:0:861:ed1a::/64,
-             2620:0:863:101::/64,
-             2620:0:863:102::/64,
-             2620:0:863:103::/64,
-             2620:0:863:1::/64,
-             2620:0:863:2::/64,
-             2620:0:863:3::/64,
-             2620:0:863:ed1a::/64,
-             2a02:ec80:300:101::/64,
-             2a02:ec80:300:102::/64,
-             2a02:ec80:300:103::/64,
-             2a02:ec80:300:1::/64,
-             2a02:ec80:300:2::/64,
-             2a02:ec80:300:3::/64,
-             2a02:ec80:300:ed1a::/64,
-             2a02:ec80:600:101::/64,
-             2a02:ec80:600:102::/64,
-             2a02:ec80:600:1::/64,
-             2a02:ec80:600:2::/64,
-             2a02:ec80:600:ed1a::/64,
-             2a02:ec80:700:101::/64,
-             2a02:ec80:700:102::/64,
-             2a02:ec80:700:103::/64,
-             2a02:ec80:700:1::/64,
-             2a02:ec80:700:2::/64,
-             2a02:ec80:700:3::/64,
-             2a02:ec80:700:ed1a::/64
-    }
-}

Systemd::Override[ferm-service-status-restart]

Parameters differences:

--- Systemd::Override[ferm-service-status-restart].orig
+++ Systemd::Override[ferm-service-status-restart]

+    ensure  => present
+    restart => False
+    unit    => ferm
+    source  => puppet:///modules/ferm/ferm_systemd_override

File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/wikikube_staging_front_proxy.csr.orig
+++ /etc/cfssl/csr/wikikube_staging_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "wikikube_staging_front_proxy",
+  "hosts": [
+    "wikikube_staging_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/var/log/ulogd]

Parameters differences:

--- File[/var/log/ulogd].orig
+++ File[/var/log/ulogd]

+    mode   => 0755
+    backup => False
+    group  => root
+    ensure => directory
+    owner  => root
+    force  => True

Nftables::Set[PROMETHEUS_HOSTS]

Parameters differences:

--- Nftables::Set[PROMETHEUS_HOSTS].orig
+++ Nftables::Set[PROMETHEUS_HOSTS]

-    ensure => present
-    hosts  => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']

Systemd::Unit[prometheus-node-textfile-check-nft.timer]

Parameters differences:

--- Systemd::Unit[prometheus-node-textfile-check-nft.timer].orig
+++ Systemd::Unit[prometheus-node-textfile-check-nft.timer]

-    override          => False
-    require           => ['Class[Systemd]']
-    ensure            => present
-    unit              => prometheus-node-textfile-check-nft.timer
-    restart           => False
-    override_filename => puppet-override.conf

File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]

Parameters differences:

--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca].orig
+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]

+    require => ['Package[golang-cfssl]']
+    mode    => 0550
+    group   => root
+    ensure  => directory
+    owner   => root

File[/etc/default/ferm]

Parameters differences:

--- File[/etc/default/ferm].orig
+++ File[/etc/default/ferm]

+    require => Package[ferm]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => file
+    owner   => root
+    source  => puppet:///modules/ferm/ferm.default

Package[bacula-fd]

Parameters differences:

--- Package[bacula-fd].orig
+++ Package[bacula-fd]

+    ensure   => installed
+    provider => apt

Cfssl::Csr[/etc/cfssl/csr/etcd.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/etcd.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/etcd.csr]

+    ensure      => present
+    common_name => etcd
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/cfssl/ssl/zuul/zuul.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/zuul/zuul.pem].orig
+++ File[/etc/cfssl/ssl/zuul/zuul.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Cfssl::Cert[cassandra]

Parameters differences:

--- Cfssl::Cert[cassandra].orig
+++ Cfssl::Cert[cassandra]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => cassandra
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set AUX_KUBEPODS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.67.80.0/21,
-             10.194.80.0/21
-    }
-}

Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

Parameters differences:

--- Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig
+++ Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

+    order  => 10
+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources

File[/etc/cfssl/ssl/wikikube/wikikube.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube/wikikube.csr].orig
+++ File[/etc/cfssl/ssl/wikikube/wikikube.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/debmonitor/debmonitor.pem].orig
+++ File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Nftables::Set[MGMT_NETWORKS]

Parameters differences:

--- Nftables::Set[MGMT_NETWORKS].orig
+++ Nftables::Set[MGMT_NETWORKS]

-    ensure => present
-    hosts  => ['10.65.0.0/16', '10.128.128.0/17', '10.193.0.0/16', '10.80.128.0/17', '10.132.128.0/17', '10.136.128.0/17', '10.140.128.0/17']

Logrotate::Conf[ulogd]

Parameters differences:

--- Logrotate::Conf[ulogd].orig
+++ Logrotate::Conf[ulogd]

+    ensure => present

Exec[renew certificate - wikikube_front_proxy]

Parameters differences:

--- Exec[renew certificate - wikikube_front_proxy].orig
+++ Exec[renew certificate - wikikube_front_proxy]

+    require     => Exec[Generate cert wikikube_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem -checkend 952200

Nftables::Service[full-monitoring-metrics-access-udp]

Parameters differences:

--- Nftables::Service[full-monitoring-metrics-access-udp].orig
+++ Nftables::Service[full-monitoring-metrics-access-udp]

-    desc                => 
-    prio                => 10
-    proto               => udp
-    unrestricted_access => False
-    notrack             => False
-    port_range          => [1, 65535]
-    ensure              => present
-    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']

File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set MONITORING_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 208.80.154.78,
-             208.80.153.42
-    }
-}

File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]

+    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /lib/systemd/system/nrpe2nodexp-ferm_active.service.orig
+++ /lib/systemd/system/nrpe2nodexp-ferm_active.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=execution of nrpe2nodexp for the check_ferm_active command.
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=nagios
+
+Group=prometheus-node-exporter
+SyslogIdentifier=nrpe2nodexp-ferm_active
+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "bba0a2572329bb500b832470e08b381c" --timeout 10 --check-command "check_ferm_active"

Nftables::Set[SANDBOX_NETWORKS]

Parameters differences:

--- Nftables::Set[SANDBOX_NETWORKS].orig
+++ Nftables::Set[SANDBOX_NETWORKS]

-    ensure => present
-    hosts  => ['103.102.166.72/29', '185.15.59.72/29', '195.200.68.64/29', '198.35.26.240/28', '2001:df2:e500:202::/64', '208.80.152.240/28', '208.80.155.64/28', '2620:0:860:201::/64', '2620:0:861:202::/64', '2620:0:863:201::/64', '2a02:ec80:300:202::/64', '2a02:ec80:700:201::/64']

Cfssl::Cert[mlserve_staging]

Parameters differences:

--- Cfssl::Cert[mlserve_staging].orig
+++ Cfssl::Cert[mlserve_staging]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => mlserve_staging
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set MONITORING_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:3:208:80:154:78,
-             2620:0:860:2:208:80:153:42
-    }
-}

Nftables::Set[CLOUD_PRIVATE_NETWORKS]

Parameters differences:

--- Nftables::Set[CLOUD_PRIVATE_NETWORKS].orig
+++ Nftables::Set[CLOUD_PRIVATE_NETWORKS]

-    ensure => present
-    hosts  => ['172.20.1.0/24', '172.20.2.0/24', '172.20.3.0/24', '172.20.4.0/24', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '172.20.5.0/24', '2a02:ec80:a100:205::/64']

File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft
@@ -1,38 +0,0 @@
-# Autogenerated by puppet
-set ANALYTICS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:100::/64,
-             2620:0:861:104::/64,
-             2620:0:861:105::/64,
-             2620:0:861:106::/64,
-             2620:0:861:108::/64,
-             2620:0:861:110::/64,
-             2620:0:861:111::/64,
-             2620:0:861:112::/64,
-             2620:0:861:114::/64,
-             2620:0:861:115::/64,
-             2620:0:861:116::/64,
-             2620:0:861:117::/64,
-             2620:0:861:11a::/64,
-             2620:0:861:121::/64,
-             2620:0:861:123::/64,
-             2620:0:861:125::/64,
-             2620:0:861:127::/64,
-             2620:0:861:129::/64,
-             2620:0:861:12b::/64,
-             2620:0:861:12d::/64,
-             2620:0:861:12f::/64,
-             2620:0:861:132::/64,
-             2620:0:861:134::/64,
-             2620:0:861:136::/64,
-             2620:0:861:138::/64,
-             2620:0:861:13a::/64,
-             2620:0:861:13c::/64,
-             2620:0:861:13e::/64,
-             2620:0:861:141::/64,
-             2620:0:861:143::/64,
-             2620:0:861:145::/64
-    }
-}

File[/etc/update-motd.d/06-backups-pki-root-cfssl]

Parameters differences:

--- File[/etc/update-motd.d/06-backups-pki-root-cfssl].orig
+++ File[/etc/update-motd.d/06-backups-pki-root-cfssl]

+    ensure => present
+    owner  => root
+    mode   => 0555
+    group  => root

Content differences:

--- /etc/update-motd.d/06-backups-pki-root-cfssl.orig
+++ /etc/update-motd.d/06-backups-pki-root-cfssl
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo "Backed up on this host: pki-root-cfssl"

Exec[renew certificate - mlserve_front_proxy]

Parameters differences:

--- Exec[renew certificate - mlserve_front_proxy].orig
+++ Exec[renew certificate - mlserve_front_proxy]

+    require     => Exec[Generate cert mlserve_front_proxy]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem -checkend 952200

File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft
@@ -1,11 +0,0 @@
-# Autogenerated by puppet
-set ZOOKEEPER_FLINK_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.16.9,
-             10.64.0.8,
-             10.64.32.41,
-             10.192.16.227,
-             10.192.32.179,
-             10.192.48.219
-    }
-}

Cfssl::Cert[kafka]

Parameters differences:

--- Cfssl::Cert[kafka].orig
+++ Cfssl::Cert[kafka]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => kafka
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr].orig
+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]

Parameters differences:

--- Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c].orig
+++ Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]

+    instance           => ops
+    team               => observability
+    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_ferm_active))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
+    alert_name         => nrpe_Check_whether_ferm_is_active_by_checking_the_default_input_chain
+    for                => 32m
+    dashboard          => TODO
+    def_label_whitelst => ['team', 'severity']
+    summary            => NRPE CHECK: Check whether ferm is active by checking the default input chain
+    site               => eqiad
+    severity           => info
+    expr               => (nagios_nrpe_check_result{alert_rule_hash="bba0a2572329bb500b832470e08b381c",check_name="check_ferm_active", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
+    description        => NRPE CHECK: Check whether ferm is active by checking the default input chain
+    group              => nrpechecks
+    ensure             => present
+    runbook            => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm

File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft
@@ -1,9 +0,0 @@
-# Autogenerated by puppet
-set DSE_KUBEPODS_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:861:302::/64,
-             2620:0:860:308::/64
-    }
-}

Ferm::Rule[drop-blocked-nets]

Parameters differences:

--- Ferm::Rule[drop-blocked-nets].orig
+++ Ferm::Rule[drop-blocked-nets]

+    rule   => saddr $BLOCKED_NETS DROP;
+    domain => (ip ip6)
+    chain  => INPUT
+    ensure => present
+    table  => filter
+    desc   => drop abuse/blocked_nets.yaml defined in the requestctl private repo
+    prio   => 01

File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/notrack]

Parameters differences:

--- File[/etc/nftables/notrack].orig
+++ File[/etc/nftables/notrack]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.67.128.0/17', '2620:0:861:cabe::/64', '10.194.128.0/17', '2620:0:860:cabe::/64']

Systemd::Unit[wmf_auto_restart_ulogd2.timer]

Parameters differences:

--- Systemd::Unit[wmf_auto_restart_ulogd2.timer].orig
+++ Systemd::Unit[wmf_auto_restart_ulogd2.timer]

+    override          => False
+    require           => ['Class[Systemd]']
+    ensure            => present
+    unit              => wmf_auto_restart_ulogd2.timer
+    restart           => False
+    override_filename => puppet-override.conf

File[/etc/cfssl/ssl/mlserve]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve].orig
+++ File[/etc/cfssl/ssl/mlserve]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Cfssl::Cert[puppet_rsa]

Parameters differences:

--- Cfssl::Cert[puppet_rsa].orig
+++ Cfssl::Cert[puppet_rsa]

+    notify_services => []
+    key             => {'algo': 'rsa', 'size': 4096}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => puppet_rsa
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Systemd::Timer::Job[wmf_auto_restart_ulogd2]

Parameters differences:

--- Systemd::Timer::Job[wmf_auto_restart_ulogd2].orig
+++ Systemd::Timer::Job[wmf_auto_restart_ulogd2]

+    user                      => root
+    send_mail_only_on_error   => True
+    logging_enabled           => True
+    syslog_match_startswith   => True
+    logfile_basedir           => /var/log
+    logfile_perms             => all
+    ensure                    => present
+    send_mail                 => False
+    require                   => File[/usr/local/sbin/wmf-auto-restart]
+    logfile_group             => root
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    command                   => /usr/local/sbin/wmf-auto-restart -s ulogd2
+    private_tmp               => False
+    fixed_random_delay        => False
+    syslog_force_stop         => True
+    ignore_errors             => False
+    logfile_name              => syslog.log
+    description               => Auto restart job: ulogd2
+    monitoring_enabled        => False
+    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00'}
+    monitoring_contact_groups => admins
+    environment               => {}
+    send_mail_to              => root@pki-root1002.eqiad.wmnet
+    success_exit_status       => []

File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft
@@ -1,4 +0,0 @@
-# Autogenerated by puppet
-set FRACK_NETWORKS_ipv6 {
-    type ipv6_addr
-}

File[/usr/local/bin/check-nft]

Parameters differences:

--- File[/usr/local/bin/check-nft].orig
+++ File[/usr/local/bin/check-nft]

-    mode   => 0555
-    group  => root
-    ensure => present
-    owner  => root
-    source => puppet:///modules/profile/firewall/check_nftables.py

Monitoring::Exported_nagios_host[pki-root1002]

Parameters differences:

--- Monitoring::Exported_nagios_host[pki-root1002].orig
+++ Monitoring::Exported_nagios_host[pki-root1002]

@@
-    hostgroups            => insetup_eqiad,asw2-b-eqiad
+    hostgroups            => pki_eqiad,asw2-b-eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

Parameters differences:

--- Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig
+++ Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

+    tag    => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources
+    order  => 10
+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources

Content differences:

--- component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.orig
+++ component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia
@@ -0,0 +1,5 @@
+Types: deb deb-src
+URIs: http://apt.wikimedia.org/wikimedia
+Suites: trixie-wikimedia
+Components: component/bacula9
+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg

File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]

Parameters differences:

--- File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf].orig
+++ File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]

+    notify => Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root
+    source => puppet:///modules/ferm/ferm_systemd_override

File[/etc/cfssl/ssl/cloud_wmnet_ca]

Parameters differences:

--- File[/etc/cfssl/ssl/cloud_wmnet_ca].orig
+++ File[/etc/cfssl/ssl/cloud_wmnet_ca]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]

+    ensure      => present
+    common_name => debmonitor
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Cfssl::Cert[wikikube_front_proxy]

Parameters differences:

--- Cfssl::Cert[wikikube_front_proxy].orig
+++ Cfssl::Cert[wikikube_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => wikikube_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

Nftables::Set[KAFKA_BROKERS_MAIN]

Parameters differences:

--- Nftables::Set[KAFKA_BROKERS_MAIN].orig
+++ Nftables::Set[KAFKA_BROKERS_MAIN]

-    ensure => present
-    hosts  => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']

File[/etc/cfssl/ssl/aux/aux-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/aux/aux-key.pem].orig
+++ File[/etc/cfssl/ssl/aux/aux-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/modules-load.d/conntrack.conf]

Parameters differences:

--- File[/etc/modules-load.d/conntrack.conf].orig
+++ File[/etc/modules-load.d/conntrack.conf]

@@
-    ensure => absent
+    ensure => file

Cfssl::Cert[dse]

Parameters differences:

--- Cfssl::Cert[dse].orig
+++ Cfssl::Cert[dse]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => dse
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/network_devices/network_devices.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/network_devices/network_devices.pem].orig
+++ File[/etc/cfssl/ssl/network_devices/network_devices.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Nftables::Set[KAFKA_BROKERS_JUMBO]

Parameters differences:

--- Nftables::Set[KAFKA_BROKERS_JUMBO].orig
+++ Nftables::Set[KAFKA_BROKERS_JUMBO]

-    ensure => present
-    hosts  => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']

Systemd::Unit[nrpe2nodexp-ferm_active.timer]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-ferm_active.timer].orig
+++ Systemd::Unit[nrpe2nodexp-ferm_active.timer]

+    override          => False
+    require           => ['Class[Systemd]']
+    ensure            => present
+    unit              => nrpe2nodexp-ferm_active.timer
+    restart           => False
+    override_filename => puppet-override.conf

Nftables::Set[NETWORK_INFRA]

Parameters differences:

--- Nftables::Set[NETWORK_INFRA].orig
+++ Nftables::Set[NETWORK_INFRA]

-    ensure => present
-    hosts  => ['185.15.59.128/27', '2a02:ec80:300:fe00::/55', '198.35.26.128/27', '2620:0:863:fe00::/55', '208.80.153.192/27', '2620:0:860:fe00::/55', '10.192.255.0/24', '2620:0:860:13f::/64', '10.192.253.0/24', '2620:0:860:139::/64', '208.80.154.192/27', '2620:0:861:fe00::/55', '10.64.146.0/24', '2620:0:861:11b::/128', '10.64.168.0/24', '2620:0:861:130::/64', '10.64.147.0/24', '103.102.166.128/27', '2001:df2:e500:fe00::/55', '185.15.58.128/27', '2a02:ec80:600:fe00::/55', '195.200.68.128/27', '2a02:ec80:700:fe00::/55']

File[/etc/cfssl/ssl/puppet_rsa]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet_rsa].orig
+++ File[/etc/cfssl/ssl/puppet_rsa]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Nftables::Set[LABSTORE_HOSTS]

Parameters differences:

--- Nftables::Set[LABSTORE_HOSTS].orig
+++ Nftables::Set[LABSTORE_HOSTS]

-    ensure => present
-    hosts  => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']

Exec[Generate cert puppet_rsa refresh]

Parameters differences:

--- Exec[Generate cert puppet_rsa refresh].orig
+++ Exec[Generate cert puppet_rsa refresh]

+    subscribe   => File[/etc/cfssl/csr/puppet_rsa.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa

Concat_fragment[/etc/bacula_puppet_agent_cert]

Parameters differences:

--- Concat_fragment[/etc/bacula_puppet_agent_cert].orig
+++ Concat_fragment[/etc/bacula_puppet_agent_cert]

+    tag    => _etc_bacula_ssl_cert.pem
+    source => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem
+    order  => 01
+    target => /etc/bacula/ssl/cert.pem

Class[Bacula::Client]

Parameters differences:

--- Class[Bacula::Client].orig
+++ Class[Bacula::Client]

+    directorpassword => oNZaIQDn8JhLclLcIISdelhD8xIolFuV
+    client_version   => 9
+    fdport           => 9102
+    file_retention   => 90 days
+    catalog          => production
+    job_retention    => 90 days
+    director         => backup1014.eqiad.wmnet

File[/etc/nagios/nrpe.d/check_ferm_active.cfg]

Parameters differences:

--- File[/etc/nagios/nrpe.d/check_ferm_active.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_ferm_active.cfg]

+    require => Package[nagios-nrpe-server]
+    notify  => Service[nagios-nrpe-server]
+    mode    => 0444
+    group   => root
+    ensure  => present
+    tag     => nrpe::check
+    owner   => root

Content differences:

--- /etc/nagios/nrpe.d/check_ferm_active.cfg.orig
+++ /etc/nagios/nrpe.d/check_ferm_active.cfg
@@ -0,0 +1,2 @@
+# File generated by puppet. DO NOT edit by hand
+command[check_ferm_active]=/usr/bin/sudo /usr/local/lib/nagios/plugins/check_ferm

Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]

+    ensure      => present
+    common_name => wikikube_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Service[nftables]

Parameters differences:

--- Service[nftables].orig
+++ Service[nftables]

-    ensure     => running
-    restart    => /usr/bin/systemctl reload nftables
-    hasrestart => True
-    enable     => True

File[/etc/nftables/main.nft]

Parameters differences:

--- File[/etc/nftables/main.nft].orig
+++ File[/etc/nftables/main.nft]

-    require => File[/etc/nftables]
-    notify  => Service[nftables]
-    group   => root
-    ensure  => present
-    owner   => root
-    source  => puppet:///modules/nftables/main.nft

Monitoring::Service[ferm_active]

Parameters differences:

--- Monitoring::Service[ferm_active].orig
+++ Monitoring::Service[ferm_active]

+    contact_group  => admins
+    config_dir     => /etc/nagios
+    critical       => False
+    freshness      => 36000
+    notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm
+    retries        => 3
+    passive        => False
+    check_command  => nrpe_check!check_ferm_active!10
+    check_interval => 30
+    description    => Check whether ferm is active by checking the default input chain
+    migration_task => T350694
+    ensure         => present
+    host           => pki-root1002
+    retry_interval => 1

Exec[Generate cert zuul refresh]

Parameters differences:

--- Exec[Generate cert zuul refresh].orig
+++ Exec[Generate cert zuul refresh]

+    subscribe   => File[/etc/cfssl/csr/zuul.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul

File[/etc/logrotate.d/wmf_auto_restart_ulogd2]

Parameters differences:

--- File[/etc/logrotate.d/wmf_auto_restart_ulogd2].orig
+++ File[/etc/logrotate.d/wmf_auto_restart_ulogd2]

+    ensure => present
+    mode   => 0444
+    owner  => root
+    group  => root

Content differences:

--- /etc/logrotate.d/wmf_auto_restart_ulogd2.orig
+++ /etc/logrotate.d/wmf_auto_restart_ulogd2
@@ -0,0 +1,12 @@
+# logrotate(8) config for wmf_auto_restart_ulogd2
+
+/var/log/wmf_auto_restart_ulogd2/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Nrpe::Monitor_service[ferm_active]

Parameters differences:

--- Nrpe::Monitor_service[ferm_active].orig
+++ Nrpe::Monitor_service[ferm_active]

+    nrpe2nodexp_parse_perf_data => False
+    nrpe_command                => /usr/local/lib/nagios/plugins/check_ferm
+    critical                    => False
+    notes_url                   => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm
+    check_interval              => 30
+    migration_task              => T350694
+    ensure                      => present
+    enable_nrpe2nodexp          => True
+    retry_interval              => 1
+    contact_group               => admins
+    enable_icinga_check         => True
+    retries                     => 3
+    timeout                     => 10
+    description                 => Check whether ferm is active by checking the default input chain
+    sudo_user                   => root
+    alertmanager_team           => observability

File[/etc/cfssl/ssl/puppet/puppet.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet/puppet.csr].orig
+++ File[/etc/cfssl/ssl/puppet/puppet.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer].orig
+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]

+    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /lib/systemd/system/nrpe2nodexp-ferm_active.timer.orig
+++ /lib/systemd/system/nrpe2nodexp-ferm_active.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Periodic execution of nrpe2nodexp-ferm_active.service
+
+[Timer]
+Unit=nrpe2nodexp-ferm_active.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnUnitInactiveSec=10min
+OnActiveSec=1s
+RandomizedDelaySec=600
+FixedRandomDelay=true
+
+[Install]
+WantedBy=multi-user.target

Ferm::Service[ssh_from_cumin_masters]

Parameters differences:

--- Ferm::Service[ssh_from_cumin_masters].orig
+++ Ferm::Service[ssh_from_cumin_masters]

+    src_sets            => ['CUMIN_MASTERS']
+    desc                => 
+    prio                => 10
+    proto               => tcp
+    unrestricted_access => False
+    notrack             => False
+    ensure              => present
+    port                => 22

Cfssl::Csr[/etc/cfssl/csr/syslog.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/syslog.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/syslog.csr]

+    ensure      => present
+    common_name => syslog
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Sudo::User[nrpe-check_ferm_active]

Parameters differences:

--- Sudo::User[nrpe-check_ferm_active].orig
+++ Sudo::User[nrpe-check_ferm_active]

+    require    => ['Class[Sudo]']
+    ensure     => present
+    user       => nagios
+    privileges => ['ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm']
+    tag        => nrpe::check

Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]

Parameters differences:

--- Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)].orig
+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Systemd::Unit[wmf_auto_restart_ulogd2.service]

Parameters differences:

--- Systemd::Unit[wmf_auto_restart_ulogd2.service].orig
+++ Systemd::Unit[wmf_auto_restart_ulogd2.service]

+    override          => False
+    require           => ['Class[Systemd]']
+    ensure            => present
+    unit              => wmf_auto_restart_ulogd2.service
+    restart           => False
+    override_filename => puppet-override.conf

Exec[Generate cert kafka]

Parameters differences:

--- Exec[Generate cert kafka].orig
+++ Exec[Generate cert kafka]

+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/kafka/kafka.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/kafka/kafka-key.pem 2>&1)"

Class[Profile::Firewall::Nftables_base_sets]

Parameters differences:

--- Class[Profile::Firewall::Nftables_base_sets].orig
+++ Class[Profile::Firewall::Nftables_base_sets]

-    druid_public_hosts    => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', '2620:0:861:107:10:64:48:185']
-    kafkamon_hosts        => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']
-    monitoring_hosts      => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']
-    deployment_hosts      => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']
-    zookeeper_flink_hosts => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']
-    zookeeper_hosts_main  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']
-    lb_health_checks      => ['10.64.0.136', '10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', '2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', '10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', '10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.1.18', '10.128.0.9', '10.128.1.11', '2620:0:863:101::/64', '2620:0:863:102::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']
-    cache_hosts           => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', '2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', '10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.1.27', '2620:0:863:102:10:128:1:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.1.28', '2620:0:863:102:10:128:1:28', '10.128.0.25', '2620:0:863:101:10:128:0:25', '10.128.1.29', '2620:0:863:102:10:128:1:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.1.31', '2620:0:863:102:10:128:1:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.1.35', '2620:0:863:102:10:128:1:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.1.36', '2620:0:863:102:10:128:1:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.1.10', '2620:0:863:102:10:128:1:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.1.12', '2620:0:863:102:10:128:1:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', '10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', '10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', '2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']
-    mysql_root_clients    => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.154.9', '10.64.0.20']
-    bastion_hosts         => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']
-    kafka_brokers_main    => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']
-    cumin_masters         => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']
-    kafka_brokers_jumbo   => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']
-    kafka_brokers_logging => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', '2620:0:861:10a:10:64:131:13', '10.64.135.13', '2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']
-    prometheus_nodes      => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']
-    install_hosts         => {'eqiad': '208.80.154.134', 'codfw': '208.80.153.70', 'esams': '185.15.59.101', 'ulsfo': '198.35.26.98', 'eqsin': '103.102.166.104', 'drmrs': '185.15.58.7', 'magru': '195.200.68.100'}
-    install_hosts6        => {'eqiad': '2620:0:861:2:208:80:154:134', 'codfw': '2620:0:860:3:208:80:153:70', 'esams': '2a02:ec80:300:3:185:15:59:101', 'ulsfo': '2620:0:863:3:198:35:26:98', 'eqsin': '2001:df2:e500:3:103:102:166:104', 'drmrs': '2a02:ec80:600:1:185:15:58:7', 'magru': '2a02:ec80:700:3:195:200:68:100'}
-    labstore_hosts        => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']

Systemd::Unit[prometheus-node-textfile-check-nft.service]

Parameters differences:

--- Systemd::Unit[prometheus-node-textfile-check-nft.service].orig
+++ Systemd::Unit[prometheus-node-textfile-check-nft.service]

-    override          => False
-    require           => ['Class[Systemd]']
-    ensure            => present
-    unit              => prometheus-node-textfile-check-nft.service
-    restart           => False
-    override_filename => puppet-override.conf

Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

Parameters differences:

--- Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig
+++ Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]

+    components               => component/bacula9
+    dist                     => trixie-wikimedia
+    bin                      => True
+    allow_releaseinfo_change => False
+    trust_repo               => False
+    keyfile                  => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg
+    ensure                   => present
+    uri                      => http://apt.wikimedia.org/wikimedia
+    source                   => True

File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set DEPLOYMENT_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:102:10:64:16:93,
-             2620:0:860:103:10:192:32:7
-    }
-}

Ferm::Service[full_monitoring_metrics_access_udp]

Parameters differences:

--- Ferm::Service[full_monitoring_metrics_access_udp].orig
+++ Ferm::Service[full_monitoring_metrics_access_udp]

+    desc                => 
+    prio                => 10
+    proto               => udp
+    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']
+    unrestricted_access => False
+    notrack             => False
+    port_range          => [1, 65535]
+    ensure              => present

File[/etc/cfssl/ssl/mlserve_staging]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging].orig
+++ File[/etc/cfssl/ssl/mlserve_staging]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[Generate cert kafka refresh]

Parameters differences:

--- Exec[Generate cert kafka refresh].orig
+++ Exec[Generate cert kafka refresh]

+    subscribe   => File[/etc/cfssl/csr/kafka.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka

File[/etc/cfssl/ssl/network_devices]

Parameters differences:

--- File[/etc/cfssl/ssl/network_devices].orig
+++ File[/etc/cfssl/ssl/network_devices]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[Generate cert syslog]

Parameters differences:

--- Exec[Generate cert syslog].orig
+++ Exec[Generate cert syslog]

+    require     => Cfssl::Csr[/etc/cfssl/csr/syslog.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/syslog/syslog.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/syslog/syslog-key.pem 2>&1)"

File[/etc/cfssl/csr/kafka.csr]

Parameters differences:

--- File[/etc/cfssl/csr/kafka.csr].orig
+++ File[/etc/cfssl/csr/kafka.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/kafka.csr.orig
+++ /etc/cfssl/csr/kafka.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "kafka",
+  "hosts": [
+    "kafka"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/INTERNAL_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/INTERNAL_ipv6.nft].orig
+++ File[/etc/nftables/sets/INTERNAL_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/INTERNAL_ipv6.nft.orig
+++ /etc/nftables/sets/INTERNAL_ipv6.nft
@@ -1,15 +0,0 @@
-# Autogenerated by puppet
-set INTERNAL_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2620:0:860:100::/56,
-             2620:0:861:100::/56,
-             2620:0:863:100::/56,
-             2a02:ec80:300:100::/56,
-             2a02:ec80:600:100::/56,
-             2a02:ec80:700:100::/56,
-             2001:df2:e500:100::/56,
-             2a02:ec80:ff00:100::/56
-    }
-}

Monitoring::Exported_nagios_service[pki-root1002 disk_space]

Parameters differences:

--- Monitoring::Exported_nagios_service[pki-root1002 disk_space].orig
+++ Monitoring::Exported_nagios_service[pki-root1002 disk_space]

@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => pki_eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Exec[Generate cert mlserve_staging_front_proxy refresh]

Parameters differences:

--- Exec[Generate cert mlserve_staging_front_proxy refresh].orig
+++ Exec[Generate cert mlserve_staging_front_proxy refresh]

+    subscribe   => File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy

File[/etc/cfssl/csr/zuul.csr]

Parameters differences:

--- File[/etc/cfssl/csr/zuul.csr].orig
+++ File[/etc/cfssl/csr/zuul.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/zuul.csr.orig
+++ /etc/cfssl/csr/zuul.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "zuul",
+  "hosts": [
+    "zuul"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets]

Parameters differences:

--- File[/etc/nftables/sets].orig
+++ File[/etc/nftables/sets]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

Concat_file[/etc/bacula/ssl/cert.pem]

Parameters differences:

--- Concat_file[/etc/bacula/ssl/cert.pem].orig
+++ Concat_file[/etc/bacula/ssl/cert.pem]

+    show_diff      => True
+    backup         => puppet
+    replace        => True
+    format         => plain
+    ensure_newline => False
+    force          => False
+    mode           => 0644
+    tag            => _etc_bacula_ssl_cert.pem
+    order          => alpha

File[/etc/nftables/sets/CACHES_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/CACHES_ipv4.nft].orig
+++ File[/etc/nftables/sets/CACHES_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CACHES_ipv4.nft.orig
+++ /etc/nftables/sets/CACHES_ipv4.nft
@@ -1,117 +0,0 @@
-# Autogenerated by puppet
-set CACHES_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.0.79,
-             10.64.0.229,
-             10.64.0.14,
-             10.64.0.51,
-             10.64.16.241,
-             10.64.16.94,
-             10.64.16.95,
-             10.64.16.240,
-             10.64.32.14,
-             10.64.32.60,
-             10.64.32.15,
-             10.64.32.65,
-             10.64.48.16,
-             10.64.48.41,
-             10.64.48.27,
-             10.64.48.28,
-             10.192.23.26,
-             10.192.6.20,
-             10.192.12.35,
-             10.192.14.25,
-             10.192.4.22,
-             10.192.29.26,
-             10.192.30.29,
-             10.192.36.19,
-             10.192.40.25,
-             10.192.41.21,
-             10.192.56.3,
-             10.192.56.4,
-             10.192.57.3,
-             10.192.58.2,
-             10.192.58.3,
-             10.192.59.2,
-             10.80.0.14,
-             10.80.1.11,
-             10.80.0.13,
-             10.80.1.9,
-             10.80.0.12,
-             10.80.1.7,
-             10.80.0.11,
-             10.80.1.6,
-             10.80.0.10,
-             10.80.1.5,
-             10.80.0.8,
-             10.80.1.4,
-             10.80.0.7,
-             10.80.1.3,
-             10.80.0.6,
-             10.80.1.2,
-             10.128.0.19,
-             10.128.1.27,
-             10.128.0.22,
-             10.128.1.28,
-             10.128.0.25,
-             10.128.1.29,
-             10.128.0.26,
-             10.128.1.31,
-             10.128.0.14,
-             10.128.1.35,
-             10.128.0.21,
-             10.128.1.36,
-             10.128.0.24,
-             10.128.1.10,
-             10.128.0.37,
-             10.128.1.12,
-             10.132.0.17,
-             10.132.0.18,
-             10.132.0.19,
-             10.132.0.24,
-             10.132.0.29,
-             10.132.0.30,
-             10.132.0.34,
-             10.132.0.35,
-             10.132.0.36,
-             10.132.0.37,
-             10.132.0.38,
-             10.132.0.25,
-             10.132.0.26,
-             10.132.0.27,
-             10.132.0.28,
-             10.132.0.16,
-             10.136.0.6,
-             10.136.1.6,
-             10.136.0.7,
-             10.136.1.7,
-             10.136.0.8,
-             10.136.1.8,
-             10.136.0.9,
-             10.136.1.9,
-             10.136.0.10,
-             10.136.1.10,
-             10.136.0.11,
-             10.136.1.11,
-             10.136.0.12,
-             10.136.1.12,
-             10.136.0.13,
-             10.136.1.13,
-             10.140.0.3,
-             10.140.1.4,
-             10.140.0.4,
-             10.140.1.5,
-             10.140.0.5,
-             10.140.1.6,
-             10.140.0.6,
-             10.140.1.7,
-             10.140.0.7,
-             10.140.1.8,
-             10.140.0.8,
-             10.140.1.9,
-             10.140.0.9,
-             10.140.1.10,
-             10.140.0.10,
-             10.140.1.11
-    }
-}

File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]

Parameters differences:

--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf].orig
+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]

+    show_diff => False
+    require   => ['Package[golang-cfssl]']
+    mode      => 0440
+    group     => root
+    ensure    => file
+    owner     => root

Content differences:

--- /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf.orig
+++ /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf
@@ -0,0 +1 @@
+{"driver":"mysql","data_source":"pki:changeme@tcp(m1-master.eqiad.wmnet:3306)/pki?parseTime=true&tls=skip-verify"}

File[/etc/cfssl/csr/cassandra.csr]

Parameters differences:

--- File[/etc/cfssl/csr/cassandra.csr].orig
+++ File[/etc/cfssl/csr/cassandra.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/cassandra.csr.orig
+++ /etc/cfssl/csr/cassandra.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "cassandra",
+  "hosts": [
+    "cassandra"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Package[ferm]

Parameters differences:

--- Package[ferm].orig
+++ Package[ferm]

@@
-    ensure => purged
+    ensure => installed

File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft
@@ -1,38 +0,0 @@
-# Autogenerated by puppet
-set ANALYTICS_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 10.64.137.0/24,
-             10.64.138.0/24,
-             10.64.139.0/24,
-             10.64.140.0/24,
-             10.64.142.0/24,
-             10.64.143.0/24,
-             10.64.144.0/24,
-             10.64.145.0/24,
-             10.64.153.0/24,
-             10.64.155.0/24,
-             10.64.157.0/24,
-             10.64.159.0/24,
-             10.64.161.0/24,
-             10.64.163.0/24,
-             10.64.165.0/24,
-             10.64.167.0/24,
-             10.64.170.0/24,
-             10.64.172.0/24,
-             10.64.174.0/24,
-             10.64.176.0/24,
-             10.64.178.0/24,
-             10.64.180.0/24,
-             10.64.182.0/24,
-             10.64.184.0/24,
-             10.64.186.0/24,
-             10.64.188.0/24,
-             10.64.190.0/24,
-             10.64.21.0/24,
-             10.64.36.0/24,
-             10.64.5.0/24,
-             10.64.53.0/24
-    }
-}

Concat_fragment[main contacts]

Content differences:

--- main contacts.orig
+++ main contacts
@@ -1,3 +1,3 @@
 ---
-role::insetup::infrastructure_foundations_nftables:
+role::pki::root:
 - Infrastructure Foundations

Nftables::Set[CUMIN_MASTERS]

Parameters differences:

--- Nftables::Set[CUMIN_MASTERS].orig
+++ Nftables::Set[CUMIN_MASTERS]

-    ensure => present
-    hosts  => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']

File[/etc/cfssl/ssl/discovery2026]

Parameters differences:

--- File[/etc/cfssl/ssl/discovery2026].orig
+++ File[/etc/cfssl/ssl/discovery2026]

+    recurse => True
+    mode    => 0740
+    group   => root
+    ensure  => directory
+    owner   => root

Exec[Generate cert cloud_wmnet_ca]

Parameters differences:

--- Exec[Generate cert cloud_wmnet_ca].orig
+++ Exec[Generate cert cloud_wmnet_ca]

+    require     => Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem 2>&1)"

File[/etc/cfssl/ssl/mlserve/mlserve.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve/mlserve.csr].orig
+++ File[/etc/cfssl/ssl/mlserve/mlserve.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/sudoers.d/nrpe-check_ferm_active]

Parameters differences:

--- File[/etc/sudoers.d/nrpe-check_ferm_active].orig
+++ File[/etc/sudoers.d/nrpe-check_ferm_active]

+    require      => Package[nagios-nrpe-server]
+    mode         => 0440
+    group        => root
+    validate_cmd => /usr/sbin/visudo -cqf %
+    ensure       => present
+    owner        => root

Content differences:

--- /etc/sudoers.d/nrpe-check_ferm_active.orig
+++ /etc/sudoers.d/nrpe-check_ferm_active
@@ -0,0 +1,3 @@
+# This file is managed by Puppet!
+
+nagios ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm

Ferm::Service[ssh_from_bastion]

Parameters differences:

--- Ferm::Service[ssh_from_bastion].orig
+++ Ferm::Service[ssh_from_bastion]

+    desc                => 
+    prio                => 10
+    proto               => tcp
+    srange              => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']
+    unrestricted_access => False
+    notrack             => False
+    ensure              => present
+    port                => 22

File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem].orig
+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft].orig
+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft.orig
+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft
@@ -1,15 +0,0 @@
-# Autogenerated by puppet
-set KAFKA_BROKERS_LOGGING_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.16.205,
-             10.64.133.11,
-             10.64.183.12,
-             10.64.131.13,
-             10.64.135.13,
-             10.192.23.29,
-             10.192.11.28,
-             10.192.26.22,
-             10.192.11.27,
-             10.192.39.25
-    }
-}

File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

Exec[Generate cert dse_front_proxy]

Parameters differences:

--- Exec[Generate cert dse_front_proxy].orig
+++ Exec[Generate cert dse_front_proxy]

+    require     => Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem 2>&1)"

File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

Parameters differences:

--- File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig
+++ File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr.orig
+++ /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "Wikimedia_Internal_Root_CA_ocsp_signing_cert",
+  "hosts": [
+    "Wikimedia_Internal_Root_CA_ocsp_signing_cert"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Nftables::Set[KAFKA_BROKERS_LOGGING]

Parameters differences:

--- Nftables::Set[KAFKA_BROKERS_LOGGING].orig
+++ Nftables::Set[KAFKA_BROKERS_LOGGING]

-    ensure => present
-    hosts  => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', '2620:0:861:10a:10:64:131:13', '10.64.135.13', '2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']

File[/etc/cfssl/ssl/kafka/kafka.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/kafka/kafka.pem].orig
+++ File[/etc/cfssl/ssl/kafka/kafka.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/postrouting]

Parameters differences:

--- File[/etc/nftables/postrouting].orig
+++ File[/etc/nftables/postrouting]

-    recurse => True
-    group   => root
-    ensure  => directory
-    owner   => root
-    purge   => True

Exec[Generate cert cloud_wmnet_ca refresh]

Parameters differences:

--- Exec[Generate cert cloud_wmnet_ca refresh].orig
+++ Exec[Generate cert cloud_wmnet_ca refresh]

+    subscribe   => File[/etc/cfssl/csr/cloud_wmnet_ca.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca

Systemd::Service[prometheus-node-textfile-check-nft]

Parameters differences:

--- Systemd::Service[prometheus-node-textfile-check-nft].orig
+++ Systemd::Service[prometheus-node-textfile-check-nft]

-    override                 => False
-    require                  => Systemd::Unit[prometheus-node-textfile-check-nft.service]
-    unit_type                => timer
-    restart                  => False
-    service_params           => {}
-    migration_task           => T407130
-    monitoring_enabled       => False
-    monitoring_contact_group => admins
-    ensure                   => present
-    monitoring_critical      => False

File[/etc/rsyslog.d/40-ulogd.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-ulogd.conf].orig
+++ File[/etc/rsyslog.d/40-ulogd.conf]

+    notify => Service[rsyslog]
+    mode   => 0444
+    group  => root
+    ensure => present
+    owner  => root

Content differences:

--- /etc/rsyslog.d/40-ulogd.conf.orig
+++ /etc/rsyslog.d/40-ulogd.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "ulogd" then {
+    action(
+        type="omfile" file="/var/log/ulogd/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0600"
+    )
+    & stop
+}

Concat_fragment[/etc/bacula_puppet_ca_chain]

Parameters differences:

--- Concat_fragment[/etc/bacula_puppet_ca_chain].orig
+++ Concat_fragment[/etc/bacula_puppet_ca_chain]

+    tag    => _etc_bacula_ssl_cert.pem
+    source => /var/lib/puppet/ssl/certs/ca.pem
+    order  => 02
+    target => /etc/bacula/ssl/cert.pem

Systemd::Service[nrpe2nodexp-ferm_active]

Parameters differences:

--- Systemd::Service[nrpe2nodexp-ferm_active].orig
+++ Systemd::Service[nrpe2nodexp-ferm_active]

+    override                 => False
+    require                  => Systemd::Unit[nrpe2nodexp-ferm_active.service]
+    unit_type                => timer
+    restart                  => False
+    service_params           => {}
+    migration_task           => T407130
+    monitoring_enabled       => False
+    monitoring_contact_group => admins
+    ensure                   => present
+    monitoring_critical      => False

Exec[renew certificate - kafka]

Parameters differences:

--- Exec[renew certificate - kafka].orig
+++ Exec[renew certificate - kafka]

+    require     => Exec[Generate cert kafka]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/kafka/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/kafka/kafka.pem -checkend 952200

File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr].orig
+++ File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Package[bacula-common]

Parameters differences:

--- Package[bacula-common].orig
+++ Package[bacula-common]

+    ensure   => installed
+    provider => apt

File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem].orig
+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/cassandra.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]

+    ensure      => present
+    common_name => cassandra
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Nftables::Set[STAGING_KUBEPODS_NETWORKS]

Parameters differences:

--- Nftables::Set[STAGING_KUBEPODS_NETWORKS].orig
+++ Nftables::Set[STAGING_KUBEPODS_NETWORKS]

-    ensure => present
-    hosts  => ['10.64.64.0/21', '2620:0:861:babe::/64', '10.192.64.0/21', '2620:0:860:babe::/64']

File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem].orig
+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]

+    show_diff => False
+    mode      => 0440
+    backup    => False
+    group     => root
+    ensure    => file
+    owner     => root

File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft].orig
+++ File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LINK_LOCAL_ipv6.nft.orig
+++ /etc/nftables/sets/LINK_LOCAL_ipv6.nft
@@ -1,8 +0,0 @@
-# Autogenerated by puppet
-set LINK_LOCAL_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { fe80::/10
-    }
-}

Class[Firewall]

Parameters differences:

--- Class[Firewall].orig
+++ Class[Firewall]

@@
-    provider => nftables
+    provider => ferm

File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft].orig
+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft.orig
+++ /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft
@@ -1,13 +0,0 @@
-# Autogenerated by puppet
-set SANDBOX_NETWORKS_ipv6 {
-    type ipv6_addr
-    flags interval
-    auto-merge
-    elements = { 2001:df2:e500:202::/64,
-             2620:0:860:201::/64,
-             2620:0:861:202::/64,
-             2620:0:863:201::/64,
-             2a02:ec80:300:202::/64,
-             2a02:ec80:700:201::/64
-    }
-}

Concat::Fragment[/etc/bacula_puppet_agent_cert]

Parameters differences:

--- Concat::Fragment[/etc/bacula_puppet_agent_cert].orig
+++ Concat::Fragment[/etc/bacula_puppet_agent_cert]

+    target => /etc/bacula/ssl/cert.pem
+    order  => 01
+    source => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem

File[/etc/cfssl/ssl/syslog/syslog.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/syslog/syslog.pem].orig
+++ File[/etc/cfssl/ssl/syslog/syslog.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[renew certificate - wikikube_staging]

Parameters differences:

--- Exec[renew certificate - wikikube_staging].orig
+++ Exec[renew certificate - wikikube_staging]

+    require     => Exec[Generate cert wikikube_staging]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem -checkend 952200

Exec[Generate cert network_devices]

Parameters differences:

--- Exec[Generate cert network_devices].orig
+++ Exec[Generate cert network_devices]

+    require     => Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/network_devices/network_devices.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/network_devices/network_devices-key.pem 2>&1)"

Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]

Parameters differences:

--- Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig
+++ Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 256}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => Wikimedia_Internal_Root_CA_ocsp_signing_cert
+    owner           => root
+    profile         => ocsp
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr].orig
+++ File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Nftables::Set[LINK_LOCAL]

Parameters differences:

--- Nftables::Set[LINK_LOCAL].orig
+++ Nftables::Set[LINK_LOCAL]

-    ensure => present
-    hosts  => ['169.254.0.0/16', 'fe80::/10']

File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem].orig
+++ File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft].orig
+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft.orig
+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set DEPLOYMENT_HOSTS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.16.93,
-             10.192.32.7
-    }
-}

Exec[renew certificate - syslog]

Parameters differences:

--- Exec[renew certificate - syslog].orig
+++ Exec[renew certificate - syslog]

+    require     => Exec[Generate cert syslog]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/syslog/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/syslog/syslog.pem -checkend 952200

Exec[Generate cert discovery2026]

Parameters differences:

--- Exec[Generate cert discovery2026].orig
+++ Exec[Generate cert discovery2026]

+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/discovery2026/discovery2026-key.pem 2>&1)"

File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft].orig
+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft.orig
+++ /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set CUMIN_MASTERS_ipv4 {
-    type ipv4_addr
-    elements = { 10.64.16.154,
-             10.192.32.49
-    }
-}

File[/etc/cfssl/csr/mlserve_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/mlserve_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/mlserve_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/mlserve_front_proxy.csr.orig
+++ /etc/cfssl/csr/mlserve_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "mlserve_front_proxy",
+  "hosts": [
+    "mlserve_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/discovery2026/discovery2026.pem].orig
+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

File[/etc/cfssl/csr/wikikube_front_proxy.csr]

Parameters differences:

--- File[/etc/cfssl/csr/wikikube_front_proxy.csr].orig
+++ File[/etc/cfssl/csr/wikikube_front_proxy.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/wikikube_front_proxy.csr.orig
+++ /etc/cfssl/csr/wikikube_front_proxy.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "wikikube_front_proxy",
+  "hosts": [
+    "wikikube_front_proxy"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]

Parameters differences:

--- File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft].orig
+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft.orig
+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set CLOUD_PRIVATE_NETWORKS_ipv4 {
-    type ipv4_addr
-    flags interval
-    auto-merge
-    elements = { 172.20.1.0/24,
-             172.20.2.0/24,
-             172.20.3.0/24,
-             172.20.4.0/24,
-             172.20.5.0/24
-    }
-}

Nftables::Service[ssh-from-bastion]

Parameters differences:

--- Nftables::Service[ssh-from-bastion].orig
+++ Nftables::Service[ssh-from-bastion]

-    desc                => 
-    prio                => 10
-    proto               => tcp
-    unrestricted_access => False
-    notrack             => False
-    ensure              => present
-    port                => 22
-    src_ips             => ['103.102.166.103', '185.15.58.6', '185.15.59.99', '195.200.68.99', '198.35.26.104', '2001:df2:e500:3:103:102:166:103', '208.80.153.110', '208.80.154.7', '2620:0:860:4:208:80:153:110', '2620:0:861:1:208:80:154:7', '2620:0:863:3:198:35:26:104', '2a02:ec80:300:3:185:15:59:99', '2a02:ec80:600:1:185:15:58:6', '2a02:ec80:700:3:195:200:68:99']

Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]

Parameters differences:

--- Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet].orig
+++ Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]

+    desc                => 
+    prio                => 10
+    proto               => tcp
+    srange              => ['backup1014.eqiad.wmnet']
+    unrestricted_access => False
+    notrack             => False
+    ensure              => present
+    port                => 9102

File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]

Parameters differences:

--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp].orig
+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]

+    require => File[/etc/ferm/conf.d]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => present
+    tag     => ferm
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp.orig
+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(udp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));
+
+

Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/wikikube.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]

+    ensure      => present
+    common_name => wikikube
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]

+    ensure      => present
+    common_name => mlserve_staging_front_proxy
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

Puppet::Expose_agent_certs[/etc/bacula]

Parameters differences:

--- Puppet::Expose_agent_certs[/etc/bacula].orig
+++ Puppet::Expose_agent_certs[/etc/bacula]

+    provide_private => True
+    require         => Package[bacula-fd]
+    notify          => Service[bacula-fd]
+    provide_p12     => False
+    user            => bacula
+    ssldir          => /var/lib/puppet/ssl
+    provide_keypair => True
+    group           => bacula
+    ensure          => present
+    provide_pem     => True

Exec[Generate cert dse refresh]

Parameters differences:

--- Exec[Generate cert dse refresh].orig
+++ Exec[Generate cert dse refresh]

+    subscribe   => File[/etc/cfssl/csr/dse.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse

Exec[renew certificate - cassandra]

Parameters differences:

--- Exec[renew certificate - cassandra].orig
+++ Exec[renew certificate - cassandra]

+    require     => Exec[Generate cert cassandra]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/cassandra/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra

+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/cassandra/cassandra.pem -checkend 952200

Exec[create-/etc/bacula-keypair]

Parameters differences:

--- Exec[create-/etc/bacula-keypair].orig
+++ Exec[create-/etc/bacula-keypair]

+    creates => /etc/bacula/ssl/server-keypair.pem
+    before  => File[/etc/bacula/ssl/server-keypair.pem]
+    command => /bin/cat                          /var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem                          /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem                         > /etc/bacula/ssl/server-keypair.pem
+    require => File[/etc/bacula/ssl]

File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/BASTION_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/BASTION_HOSTS_ipv6.nft
@@ -1,12 +0,0 @@
-# Autogenerated by puppet
-set BASTION_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:1:208:80:154:7,
-             2a02:ec80:300:3:185:15:59:99,
-             2620:0:860:4:208:80:153:110,
-             2620:0:863:3:198:35:26:104,
-             2001:df2:e500:3:103:102:166:103,
-             2a02:ec80:600:1:185:15:58:6,
-             2a02:ec80:700:3:195:200:68:99
-    }
-}

File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]

Parameters differences:

--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft].orig
+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]

-    notify => ['Service[nftables]']
-    mode   => 0444
-    group  => root
-    ensure => present
-    tag    => nft
-    owner  => root

Content differences:

--- /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft.orig
+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft
@@ -1,7 +0,0 @@
-# Autogenerated by puppet
-set LABSTORE_HOSTS_ipv6 {
-    type ipv6_addr
-    elements = { 2620:0:861:2:208:80:154:142,
-             2620:0:861:3:208:80:154:71
-    }
-}

File[/etc/ferm/functions.conf]

Parameters differences:

--- File[/etc/ferm/functions.conf].orig
+++ File[/etc/ferm/functions.conf]

+    require => Package[ferm]
+    notify  => Service[ferm]
+    mode    => 0400
+    group   => root
+    ensure  => file
+    owner   => root
+    source  => puppet:///modules/ferm/functions.conf

Ferm::Filter_log[filter-bootp]

Parameters differences:

--- Ferm::Filter_log[filter-bootp].orig
+++ Ferm::Filter_log[filter-bootp]

+    dport  => 68
+    daddr  => 255.255.255.255
+    ensure => present
+    sport  => 67
+    proto  => udp

Systemd::Unmask[nftables.service]

Parameters differences:

--- Systemd::Unmask[nftables.service].orig
+++ Systemd::Unmask[nftables.service]

-    refreshonly => False
-    unit        => nftables.service

Cfssl::Cert[wikikube_staging_front_proxy]

Parameters differences:

--- Cfssl::Cert[wikikube_staging_front_proxy].orig
+++ Cfssl::Cert[wikikube_staging_front_proxy]

+    notify_services => []
+    key             => {'algo': 'ecdsa', 'size': 521}
+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}
+    common_name     => wikikube_staging_front_proxy
+    owner           => root
+    profile         => intermediate
+    mode            => 0740
+    ensure          => present
+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    provide_chain   => False
+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]
+    before_services => []
+    group           => root
+    renew_seconds   => 952200
+    environment     => ['GODEBUG=x509ignoreCN=0']
+    auto_renew      => True
+    hosts           => []

File[/etc/nftables.conf]

Parameters differences:

--- File[/etc/nftables.conf].orig
+++ File[/etc/nftables.conf]

-    ensure => absent
-    owner  => root
-    group  => root

Rsyslog::Conf[ulogd]

Parameters differences:

--- Rsyslog::Conf[ulogd].orig
+++ Rsyslog::Conf[ulogd]

+    ensure   => present
+    priority => 40
+    mode     => 0444
+    require  => File[/var/log/ulogd]

File[/etc/cfssl/ssl/aux/aux.pem]

Parameters differences:

--- File[/etc/cfssl/ssl/aux/aux.pem].orig
+++ File[/etc/cfssl/ssl/aux/aux.pem]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Service[prometheus-node-textfile-check-nft.timer]

Parameters differences:

--- Service[prometheus-node-textfile-check-nft.timer].orig
+++ Service[prometheus-node-textfile-check-nft.timer]

-    ensure   => running
-    provider => systemd
-    enable   => True

File[/etc/bacula/ssl/server-keypair.pem]

Parameters differences:

--- File[/etc/bacula/ssl/server-keypair.pem].orig
+++ File[/etc/bacula/ssl/server-keypair.pem]

+    ensure => present
+    mode   => 0400
+    owner  => bacula
+    group  => bacula

File[/etc/cfssl/ssl/aux/aux.csr]

Parameters differences:

--- File[/etc/cfssl/ssl/aux/aux.csr].orig
+++ File[/etc/cfssl/ssl/aux/aux.csr]

+    ensure => file
+    mode   => 0440
+    owner  => root
+    group  => root

Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)].orig
+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]

-    refreshonly => True
-    before      => ['Service[prometheus-node-textfile-check-nft.timer]']
-    command     => /bin/systemctl daemon-reload

Exec[Generate cert puppet refresh]

Parameters differences:

--- Exec[Generate cert puppet refresh].orig
+++ Exec[Generate cert puppet refresh]

+    subscribe   => File[/etc/cfssl/csr/puppet.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet

Motd::Message[pki::root]

Parameters differences:

--- Motd::Message[pki::root].orig
+++ Motd::Message[pki::root]

+    ensure   => present
+    message  => pki-root1002 is a PKI RootCA (pki::root)
+    priority => 5

Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]

Parameters differences:

--- Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)].orig
+++ Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]

+    refreshonly => True
+    before      => ['Service[ferm]']
+    command     => /bin/systemctl daemon-reload

File[/usr/local/lib/nagios/plugins/check_ferm]

Parameters differences:

--- File[/usr/local/lib/nagios/plugins/check_ferm].orig
+++ File[/usr/local/lib/nagios/plugins/check_ferm]

+    require => File[/usr/local/lib/nagios/plugins/]
+    mode    => 0555
+    group   => root
+    ensure  => file
+    tag     => nrpe::plugin
+    owner   => root
+    source  => puppet:///modules/base/firewall/check_ferm

Cfssl::Csr[/etc/cfssl/csr/kafka.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/kafka.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/kafka.csr]

+    ensure      => present
+    common_name => kafka
+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]
+    key         => {'algo': 'ecdsa', 'size': 521}
+    hosts       => []

File[/etc/cfssl/csr/mlserve_staging.csr]

Parameters differences:

--- File[/etc/cfssl/csr/mlserve_staging.csr].orig
+++ File[/etc/cfssl/csr/mlserve_staging.csr]

+    ensure => file
+    mode   => 0400
+    owner  => root
+    group  => root

Content differences:

--- /etc/cfssl/csr/mlserve_staging.csr.orig
+++ /etc/cfssl/csr/mlserve_staging.csr
@@ -0,0 +1,19 @@
+{
+  "CN": "mlserve_staging",
+  "hosts": [
+    "mlserve_staging"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 521
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Wikimedia Foundation, Inc",
+      "OU": "SRE Foundations",
+      "S": "California"
+    }
+  ]
+}

Exec[Generate cert wikikube_staging]

Parameters differences:

--- Exec[Generate cert wikikube_staging].orig
+++ Exec[Generate cert wikikube_staging]

+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']
+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem 2>&1)"

Compilation results for pki-root1002.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

Resources only in the old catalog

Resources modified

Relevant files