{"host": "pki-root1002.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2929, "only_in_self": ["Class[Nftables]", "Class[Profile::Firewall::Nftables_base_sets]", "Class[Role::Insetup::Infrastructure_foundations_nftables]", "Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", 
"File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", 
"File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", 
"Logrotate::Conf[prometheus-node-textfile-check-nft]", "Motd::Message[insetup::infrastructure_foundations_nftables]", "Motd::Script[insetup::infrastructure_foundations_nftables]", "Nftables::File[base]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]", "Nftables::Set[ANALYTICS_NETWORKS]", "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "Nftables::Set[BASTION_HOSTS]", "Nftables::Set[CACHES]", "Nftables::Set[CLOUD_NETWORKS]", "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "Nftables::Set[CUMIN_MASTERS]", "Nftables::Set[DEPLOYMENT_HOSTS]", "Nftables::Set[DOMAIN_NETWORKS]", "Nftables::Set[DRUID_PUBLIC_HOSTS]", "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "Nftables::Set[FRACK_NETWORKS]", "Nftables::Set[INSTALL_HOSTS]", "Nftables::Set[INTERNAL]", "Nftables::Set[KAFKAMON_HOSTS]", "Nftables::Set[KAFKA_BROKERS_JUMBO]", "Nftables::Set[KAFKA_BROKERS_LOGGING]", "Nftables::Set[KAFKA_BROKERS_MAIN]", "Nftables::Set[LABSTORE_HOSTS]", "Nftables::Set[LABS_NETWORKS]", "Nftables::Set[LINK_LOCAL]", "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "Nftables::Set[MGMT_NETWORKS]", "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "Nftables::Set[MONITORING_HOSTS]", "Nftables::Set[MW_APPSERVER_NETWORKS]", "Nftables::Set[MYSQL_ROOT_CLIENTS]", "Nftables::Set[NETWORK_INFRA]", "Nftables::Set[PRODUCTION_NETWORKS]", "Nftables::Set[PROMETHEUS_HOSTS]", "Nftables::Set[SANDBOX_NETWORKS]", "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "Node[__node_regexp__pki-root1002.eqiad.]", "Package[nftables]", "Prometheus::Node_textfile[check-nft]", "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]", 
"Systemd::Service[nftables]", "Systemd::Service[prometheus-node-textfile-check-nft]", "Systemd::Syslog[prometheus-node-textfile-check-nft]", "Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "Systemd::Timer[prometheus-node-textfile-check-nft]", "Systemd::Unit[nftables]", "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "Systemd::Unmask[nftables.service]"], "only_in_other": ["Alternatives::Select[ip6tables]", "Alternatives::Select[iptables]", "Apt::Package_from_component[bacula-trixie]", "Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Backup::Set[pki-root-cfssl]", "Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]", "Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Cfssl::Cert[aux]", "Cfssl::Cert[aux_front_proxy]", "Cfssl::Cert[cassandra]", "Cfssl::Cert[cloud_wmnet_ca]", "Cfssl::Cert[debmonitor]", "Cfssl::Cert[discovery2026]", "Cfssl::Cert[dse]", "Cfssl::Cert[dse_front_proxy]", "Cfssl::Cert[etcd]", "Cfssl::Cert[kafka]", "Cfssl::Cert[mlserve]", "Cfssl::Cert[mlserve_front_proxy]", "Cfssl::Cert[mlserve_staging]", "Cfssl::Cert[mlserve_staging_front_proxy]", "Cfssl::Cert[network_devices]", "Cfssl::Cert[puppet]", "Cfssl::Cert[puppet_rsa]", "Cfssl::Cert[syslog]", "Cfssl::Cert[wikikube]", "Cfssl::Cert[wikikube_front_proxy]", "Cfssl::Cert[wikikube_staging]", "Cfssl::Cert[wikikube_staging_front_proxy]", "Cfssl::Cert[zuul]", "Cfssl::Config[Wikimedia_Internal_Root_CA]", "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "Cfssl::Csr[/etc/cfssl/csr/aux.csr]", "Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]", "Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse.csr]", 
"Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/etcd.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]", "Cfssl::Csr[/etc/cfssl/csr/syslog.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/zuul.csr]", "Cfssl::Db[Wikimedia_Internal_Root_CA]", "Cfssl::Signer[Wikimedia_Internal_Root_CA]", "Class[Bacula::Client]", "Class[Profile::Backup::Host]", "Class[Profile::Firewall::Log::Ferm]", "Class[Profile::Pki::Root_ca]", "Class[Role::Pki::Root]", "Class[Ulogd]", "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "Concat::Fragment[/etc/bacula_puppet_ca_chain]", "Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]", "Exec[Generate cert 
Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[Generate cert aux refresh]", "Exec[Generate cert aux]", "Exec[Generate cert aux_front_proxy refresh]", "Exec[Generate cert aux_front_proxy]", "Exec[Generate cert cassandra refresh]", "Exec[Generate cert cassandra]", "Exec[Generate cert cloud_wmnet_ca refresh]", "Exec[Generate cert cloud_wmnet_ca]", "Exec[Generate cert debmonitor refresh]", "Exec[Generate cert debmonitor]", "Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[Generate cert dse refresh]", "Exec[Generate cert dse]", "Exec[Generate cert dse_front_proxy refresh]", "Exec[Generate cert dse_front_proxy]", "Exec[Generate cert etcd refresh]", "Exec[Generate cert etcd]", "Exec[Generate cert kafka refresh]", "Exec[Generate cert kafka]", "Exec[Generate cert mlserve refresh]", "Exec[Generate cert mlserve]", "Exec[Generate cert mlserve_front_proxy refresh]", "Exec[Generate cert mlserve_front_proxy]", "Exec[Generate cert mlserve_staging refresh]", "Exec[Generate cert mlserve_staging]", "Exec[Generate cert mlserve_staging_front_proxy refresh]", "Exec[Generate cert mlserve_staging_front_proxy]", "Exec[Generate cert network_devices refresh]", "Exec[Generate cert network_devices]", "Exec[Generate cert puppet refresh]", "Exec[Generate cert puppet]", "Exec[Generate cert puppet_rsa refresh]", "Exec[Generate cert puppet_rsa]", "Exec[Generate cert syslog refresh]", "Exec[Generate cert syslog]", "Exec[Generate cert wikikube refresh]", "Exec[Generate cert wikikube]", "Exec[Generate cert wikikube_front_proxy refresh]", "Exec[Generate cert wikikube_front_proxy]", "Exec[Generate cert wikikube_staging refresh]", "Exec[Generate cert wikikube_staging]", "Exec[Generate cert wikikube_staging_front_proxy refresh]", "Exec[Generate cert wikikube_staging_front_proxy]", "Exec[Generate cert zuul refresh]", "Exec[Generate cert zuul]", "Exec[apt_package_from_component_bacula-trixie]", 
"Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[create-/etc/bacula-keypair]", "Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[renew certificate - aux]", "Exec[renew certificate - aux_front_proxy]", "Exec[renew certificate - cassandra]", "Exec[renew certificate - cloud_wmnet_ca]", "Exec[renew certificate - debmonitor]", "Exec[renew certificate - discovery2026]", "Exec[renew certificate - dse]", "Exec[renew certificate - dse_front_proxy]", "Exec[renew certificate - etcd]", "Exec[renew certificate - kafka]", "Exec[renew certificate - mlserve]", "Exec[renew certificate - mlserve_front_proxy]", "Exec[renew certificate - mlserve_staging]", "Exec[renew certificate - mlserve_staging_front_proxy]", "Exec[renew certificate - network_devices]", "Exec[renew certificate - puppet]", "Exec[renew certificate - puppet_rsa]", "Exec[renew certificate - syslog]", "Exec[renew certificate - wikikube]", "Exec[renew certificate - wikikube_front_proxy]", "Exec[renew certificate - wikikube_staging]", "Exec[renew certificate - wikikube_staging_front_proxy]", "Exec[renew certificate - zuul]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "Ferm::Conf[defs]", "Ferm::Conf[main]", "Ferm::Filter_log[filter-bootp]", "Ferm::Rule[drop-blocked-nets]", "Ferm::Rule[dscp-default]", "Ferm::Rule[filter_log_filter-bootp]", "Ferm::Rule[log-everything]", "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", 
"Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]", "File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]", "File[/etc/bacula/bacula-fd.conf]", "File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/csr/aux.csr]", "File[/etc/cfssl/csr/aux_front_proxy.csr]", "File[/etc/cfssl/csr/cassandra.csr]", "File[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "File[/etc/cfssl/csr/debmonitor.csr]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/csr/dse.csr]", "File[/etc/cfssl/csr/dse_front_proxy.csr]", "File[/etc/cfssl/csr/etcd.csr]", "File[/etc/cfssl/csr/kafka.csr]", "File[/etc/cfssl/csr/mlserve.csr]", "File[/etc/cfssl/csr/mlserve_front_proxy.csr]", "File[/etc/cfssl/csr/mlserve_staging.csr]", "File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/csr/network_devices.csr]", "File[/etc/cfssl/csr/puppet.csr]", "File[/etc/cfssl/csr/puppet_rsa.csr]", "File[/etc/cfssl/csr/syslog.csr]", "File[/etc/cfssl/csr/wikikube.csr]", "File[/etc/cfssl/csr/wikikube_front_proxy.csr]", "File[/etc/cfssl/csr/wikikube_staging.csr]", "File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/csr/zuul.csr]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]", 
"File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "File[/etc/cfssl/ssl/aux/aux-key.pem]", "File[/etc/cfssl/ssl/aux/aux.csr]", "File[/etc/cfssl/ssl/aux/aux.pem]", "File[/etc/cfssl/ssl/aux]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]", "File[/etc/cfssl/ssl/aux_front_proxy]", "File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]", "File[/etc/cfssl/ssl/cassandra/cassandra.csr]", "File[/etc/cfssl/ssl/cassandra/cassandra.pem]", "File[/etc/cfssl/ssl/cassandra]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca]", "File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]", "File[/etc/cfssl/ssl/debmonitor]", "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]", "File[/etc/cfssl/ssl/dse/dse-key.pem]", "File[/etc/cfssl/ssl/dse/dse.csr]", "File[/etc/cfssl/ssl/dse/dse.pem]", "File[/etc/cfssl/ssl/dse]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]", "File[/etc/cfssl/ssl/dse_front_proxy]", "File[/etc/cfssl/ssl/etcd/etcd-key.pem]", "File[/etc/cfssl/ssl/etcd/etcd.csr]", "File[/etc/cfssl/ssl/etcd/etcd.pem]", "File[/etc/cfssl/ssl/etcd]", 
"File[/etc/cfssl/ssl/kafka/kafka-key.pem]", "File[/etc/cfssl/ssl/kafka/kafka.csr]", "File[/etc/cfssl/ssl/kafka/kafka.pem]", "File[/etc/cfssl/ssl/kafka]", "File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]", "File[/etc/cfssl/ssl/mlserve/mlserve.csr]", "File[/etc/cfssl/ssl/mlserve/mlserve.pem]", "File[/etc/cfssl/ssl/mlserve]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_front_proxy]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]", "File[/etc/cfssl/ssl/mlserve_staging]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy]", "File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]", "File[/etc/cfssl/ssl/network_devices/network_devices.csr]", "File[/etc/cfssl/ssl/network_devices/network_devices.pem]", "File[/etc/cfssl/ssl/network_devices]", "File[/etc/cfssl/ssl/puppet/puppet-key.pem]", "File[/etc/cfssl/ssl/puppet/puppet.csr]", "File[/etc/cfssl/ssl/puppet/puppet.pem]", "File[/etc/cfssl/ssl/puppet]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]", "File[/etc/cfssl/ssl/puppet_rsa]", "File[/etc/cfssl/ssl/syslog/syslog-key.pem]", "File[/etc/cfssl/ssl/syslog/syslog.csr]", "File[/etc/cfssl/ssl/syslog/syslog.pem]", "File[/etc/cfssl/ssl/syslog]", "File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]", "File[/etc/cfssl/ssl/wikikube/wikikube.csr]", "File[/etc/cfssl/ssl/wikikube/wikikube.pem]", 
"File[/etc/cfssl/ssl/wikikube]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]", "File[/etc/cfssl/ssl/wikikube_staging]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy]", "File[/etc/cfssl/ssl/zuul/zuul-key.pem]", "File[/etc/cfssl/ssl/zuul/zuul.csr]", "File[/etc/cfssl/ssl/zuul/zuul.pem]", "File[/etc/cfssl/ssl/zuul]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", 
"File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--root]", "File[/etc/update-motd.d/06-backups-pki-root-cfssl]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_ulogd2]", "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Logrotate::Conf[ulogd]", "Logrotate::Conf[wmf_auto_restart_ulogd2]", "Monitoring::Exported_nagios_service[pki-root1002 ferm_active]", "Monitoring::Service[ferm_active]", "Motd::Message[pki::root]", "Motd::Script[backups-pki-root-cfssl]", "Motd::Script[pki::root]", "Node[__node_regexp__pki-root10012.eqiad.]", "Nrpe::Check[check_ferm_active]", "Nrpe::Monitor_service[ferm_active]", "Nrpe::Plugin[check_ferm]", "Package[bacula-common]", "Package[bacula-fd]", "Package[ulogd2]", "Profile::Auto_restarts::Service[ulogd2]", "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "Puppet::Expose_agent_certs[/etc/bacula]", "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "Rsyslog::Conf[ulogd]", "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "Service[bacula-fd]", "Service[ferm]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_ulogd2.timer]", "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "Sudo::User[nrpe-check_ferm_active]", "Systemd::Override[ferm-service-status-restart]", "Systemd::Service[nrpe2nodexp-ferm_active]", "Systemd::Service[wmf_auto_restart_ulogd2]", "Systemd::Syslog[ulogd]", "Systemd::Syslog[wmf_auto_restart_ulogd2]", "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", 
"Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "Systemd::Timer[nrpe2nodexp-ferm_active]", "Systemd::Timer[wmf_auto_restart_ulogd2]", "Systemd::Unit[ferm-ferm-service-status-restart]", "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "Systemd::Unit[wmf_auto_restart_ulogd2.timer]"], "resource_diffs": [{"resource": "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft\n@@ -1,183 +0,0 @@\n-# Autogenerated by puppet\n-set PRODUCTION_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2001:df2:e500:101::/64,\n-             2001:df2:e500:103::/64,\n-             2001:df2:e500:1::/64,\n-             2001:df2:e500:3::/64,\n-             2001:df2:e500:ed1a::/64,\n-             2620:0:860:100::/64,\n-             2620:0:860:101::/64,\n-             2620:0:860:102::/64,\n-             2620:0:860:103::/64,\n-             2620:0:860:104::/64,\n-             2620:0:860:105::/64,\n-             2620:0:860:106::/64,\n-             2620:0:860:107::/64,\n-             2620:0:860:108::/64,\n-             2620:0:860:109::/64,\n-             2620:0:860:10a::/64,\n-             2620:0:860:10b::/64,\n-             2620:0:860:10c::/64,\n-             2620:0:860:10d::/64,\n-             2620:0:860:10e::/64,\n-             2620:0:860:10f::/64,\n-             2620:0:860:110::/64,\n-             2620:0:860:111::/64,\n-             2620:0:860:112::/64,\n-             2620:0:860:113::/64,\n-             2620:0:860:114::/64,\n-             2620:0:860:115::/64,\n-             2620:0:860:116::/64,\n-             2620:0:860:118::/64,\n-             2620:0:860:119::/64,\n-             2620:0:860:11a::/64,\n-             2620:0:860:11b::/64,\n-             2620:0:860:11c::/64,\n-             2620:0:860:11d::/64,\n-             
2620:0:860:11e::/64,\n-             2620:0:860:11f::/64,\n-             2620:0:860:120::/64,\n-             2620:0:860:121::/64,\n-             2620:0:860:122::/64,\n-             2620:0:860:123::/64,\n-             2620:0:860:124::/64,\n-             2620:0:860:125::/64,\n-             2620:0:860:126::/64,\n-             2620:0:860:127::/64,\n-             2620:0:860:12b::/64,\n-             2620:0:860:12c::/64,\n-             2620:0:860:12d::/64,\n-             2620:0:860:12e::/64,\n-             2620:0:860:140::/64,\n-             2620:0:860:1::/64,\n-             2620:0:860:2::/64,\n-             2620:0:860:300::/64,\n-             2620:0:860:301::/64,\n-             2620:0:860:302::/64,\n-             2620:0:860:303::/64,\n-             2620:0:860:304::/64,\n-             2620:0:860:305::/64,\n-             2620:0:860:307::/64,\n-             2620:0:860:308::/64,\n-             2620:0:860:3::/64,\n-             2620:0:860:4::/64,\n-             2620:0:860:5::/64,\n-             2620:0:860:babe::/64,\n-             2620:0:860:babf::/64,\n-             2620:0:860:cabe::/64,\n-             2620:0:860:cabf::/64,\n-             2620:0:860:ed1a::/64,\n-             2620:0:861:100::/64,\n-             2620:0:861:101::/64,\n-             2620:0:861:102::/64,\n-             2620:0:861:103::/64,\n-             2620:0:861:104::/64,\n-             2620:0:861:105::/64,\n-             2620:0:861:106::/64,\n-             2620:0:861:107::/64,\n-             2620:0:861:108::/64,\n-             2620:0:861:109::/64,\n-             2620:0:861:10a::/64,\n-             2620:0:861:10b::/64,\n-             2620:0:861:10c::/64,\n-             2620:0:861:10d::/64,\n-             2620:0:861:10e::/64,\n-             2620:0:861:10f::/64,\n-             2620:0:861:110::/64,\n-             2620:0:861:111::/64,\n-             2620:0:861:112::/64,\n-             2620:0:861:113::/64,\n-             2620:0:861:114::/64,\n-             2620:0:861:115::/64,\n-             2620:0:861:116::/64,\n-  
           2620:0:861:117::/64,\n-             2620:0:861:118::/64,\n-             2620:0:861:119::/64,\n-             2620:0:861:11a::/64,\n-             2620:0:861:11c::/64,\n-             2620:0:861:11d::/64,\n-             2620:0:861:11e::/64,\n-             2620:0:861:11f::/64,\n-             2620:0:861:120::/64,\n-             2620:0:861:121::/64,\n-             2620:0:861:122::/64,\n-             2620:0:861:123::/64,\n-             2620:0:861:124::/64,\n-             2620:0:861:125::/64,\n-             2620:0:861:126::/64,\n-             2620:0:861:127::/64,\n-             2620:0:861:128::/64,\n-             2620:0:861:129::/64,\n-             2620:0:861:12a::/64,\n-             2620:0:861:12b::/64,\n-             2620:0:861:12c::/64,\n-             2620:0:861:12d::/64,\n-             2620:0:861:12e::/64,\n-             2620:0:861:12f::/64,\n-             2620:0:861:131::/64,\n-             2620:0:861:132::/64,\n-             2620:0:861:133::/64,\n-             2620:0:861:134::/64,\n-             2620:0:861:135::/64,\n-             2620:0:861:136::/64,\n-             2620:0:861:137::/64,\n-             2620:0:861:138::/64,\n-             2620:0:861:139::/64,\n-             2620:0:861:13a::/64,\n-             2620:0:861:13b::/64,\n-             2620:0:861:13c::/64,\n-             2620:0:861:13d::/64,\n-             2620:0:861:13e::/64,\n-             2620:0:861:13f::/64,\n-             2620:0:861:140::/64,\n-             2620:0:861:141::/64,\n-             2620:0:861:142::/64,\n-             2620:0:861:143::/64,\n-             2620:0:861:144::/64,\n-             2620:0:861:145::/64,\n-             2620:0:861:1::/64,\n-             2620:0:861:2::/64,\n-             2620:0:861:300::/64,\n-             2620:0:861:301::/116,\n-             2620:0:861:302::/64,\n-             2620:0:861:303::/116,\n-             2620:0:861:304::/116,\n-             2620:0:861:305::/64,\n-             2620:0:861:3::/64,\n-             2620:0:861:4::/64,\n-             
2620:0:861:babe::/64,\n-             2620:0:861:babf::/116,\n-             2620:0:861:cabe::/64,\n-             2620:0:861:cabf::/116,\n-             2620:0:861:ed1a::/64,\n-             2620:0:863:101::/64,\n-             2620:0:863:102::/64,\n-             2620:0:863:103::/64,\n-             2620:0:863:1::/64,\n-             2620:0:863:2::/64,\n-             2620:0:863:3::/64,\n-             2620:0:863:ed1a::/64,\n-             2a02:ec80:300:101::/64,\n-             2a02:ec80:300:102::/64,\n-             2a02:ec80:300:103::/64,\n-             2a02:ec80:300:1::/64,\n-             2a02:ec80:300:2::/64,\n-             2a02:ec80:300:3::/64,\n-             2a02:ec80:300:ed1a::/64,\n-             2a02:ec80:600:101::/64,\n-             2a02:ec80:600:102::/64,\n-             2a02:ec80:600:1::/64,\n-             2a02:ec80:600:2::/64,\n-             2a02:ec80:600:ed1a::/64,\n-             2a02:ec80:700:101::/64,\n-             2a02:ec80:700:102::/64,\n-             2a02:ec80:700:103::/64,\n-             2a02:ec80:700:1::/64,\n-             2a02:ec80:700:2::/64,\n-             2a02:ec80:700:3::/64,\n-             2a02:ec80:700:ed1a::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/syslog.csr]", "content": "--- /etc/cfssl/csr/syslog.csr.orig\n+++ /etc/cfssl/csr/syslog.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"syslog\",\n+  \"hosts\": [\n+    \"syslog\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- 
File[/etc/cfssl/csr/syslog.csr].orig\n+++ File[/etc/cfssl/csr/syslog.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[MLSERVE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.67.16.0/21', '2620:0:861:300::/64', '10.194.16.0/21', '2620:0:860:300::/64']\n"}, {"resource": "Exec[renew certificate - mlserve_staging]", "parameters": "--- Exec[renew certificate - mlserve_staging].orig\n+++ Exec[renew certificate - mlserve_staging]\n\n+    require     => Exec[Generate cert mlserve_staging]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem -checkend 952200\n"}, {"resource": "Exec[Generate cert aux refresh]", "parameters": "--- Exec[Generate cert aux refresh].orig\n+++ Exec[Generate cert aux refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/aux.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux/aux\n\n"}, {"resource": 
"File[/etc/cfssl/ssl/zuul/zuul.csr]", "parameters": "--- File[/etc/cfssl/ssl/zuul/zuul.csr].orig\n+++ File[/etc/cfssl/ssl/zuul/zuul.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]", "parameters": "--- File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr].orig\n+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/aux.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/aux.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/aux.csr]\n\n+    ensure      => present\n+    common_name => aux\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem].orig\n+++ File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => pki_eqiad\n@@\n-    cluster               => insetup\n+    cluster               => pki\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]", "parameters": "--- 
File[/etc/cfssl/ssl/cassandra/cassandra-key.pem].orig\n+++ File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "content": "--- /etc/ferm/conf.d/10_ssh_from_cumin_masters.orig\n+++ /etc/ferm/conf.d/10_ssh_from_cumin_masters\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 22, $CUMIN_MASTERS);\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_ssh_from_cumin_masters].orig\n+++ File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "Exec[Generate cert cassandra]", "parameters": "--- Exec[Generate cert cassandra].orig\n+++ Exec[Generate cert cassandra]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/cassandra/cassandra.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/cassandra/cassandra-key.pem 2>&1)\"\n\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "content": "--- /lib/systemd/system/prometheus-node-textfile-check-nft.service.orig\n+++ 
/lib/systemd/system/prometheus-node-textfile-check-nft.service\n@@ -1,8 +0,0 @@\n-[Unit]\n-Description=Systemd timer to gather node metrics for check-nft\n-Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-\n-[Service]\n-Type=oneshot\n-User=root\n-ExecStart=/usr/local/bin/check-nft", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.service].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    owner  => root\n"}, {"resource": "Cfssl::Config[Wikimedia_Internal_Root_CA]", "parameters": "--- Cfssl::Config[Wikimedia_Internal_Root_CA].orig\n+++ Cfssl::Config[Wikimedia_Internal_Root_CA]\n\n+    default_ocsp_url    => http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA\n+    default_crl_url     => http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA\n+    profiles            => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}\n+    default_auth_key    => default_auth\n+    path                => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf\n+    default_auth_remote => {}\n+    remotes             => {}\n+    ensure              => present\n+    default_usages      => ['signing', 'key encipherment', 'client auth']\n+    default_expiry      => 672h\n+    auth_keys           => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "parameters": "--- 
File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_NETWORKS_PUBLIC_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2a02:ec80:a000:4000::/64,\n-             2a02:ec80:a100:4000::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[renew certificate - puppet]", "parameters": "--- Exec[renew certificate - puppet].orig\n+++ Exec[renew certificate - puppet]\n\n+    require     => Exec[Generate cert puppet]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/puppet/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet/puppet.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/csr/wikikube_staging.csr]", "content": "--- /etc/cfssl/csr/wikikube_staging.csr.orig\n+++ /etc/cfssl/csr/wikikube_staging.csr\n@@ -0,0 +1,19 @@\n+{\n+  
\"CN\": \"wikikube_staging\",\n+  \"hosts\": [\n+    \"wikikube_staging\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/wikikube_staging.csr].orig\n+++ File[/etc/cfssl/csr/wikikube_staging.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "content": "--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft.orig\n+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet\n-set MYSQL_ROOT_CLIENTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.16.90,\n-             10.192.16.191,\n-             10.64.16.154,\n-             10.192.32.49,\n-             208.80.154.9,\n-             10.64.0.20\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_ulogd2]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_ulogd2].orig\n+++ Logrotate::Conf[wmf_auto_restart_ulogd2]\n\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/dse_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/dse_front_proxy].orig\n+++ File[/etc/cfssl/ssl/dse_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Service[wmf_auto_restart_ulogd2.timer]", "parameters": "--- Service[wmf_auto_restart_ulogd2.timer].orig\n+++ Service[wmf_auto_restart_ulogd2.timer]\n\n+    ensure   => 
running\n+    provider => systemd\n+    enable   => True\n"}, {"resource": "Exec[Generate cert wikikube_front_proxy refresh]", "parameters": "--- Exec[Generate cert wikikube_front_proxy refresh].orig\n+++ Exec[Generate cert wikikube_front_proxy refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/wikikube_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy\n\n"}, {"resource": "Nftables::Set[CLOUD_NETWORKS]", "parameters": "--- Nftables::Set[CLOUD_NETWORKS].orig\n+++ Nftables::Set[CLOUD_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', '172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']\n"}, {"resource": "Alternatives::Select[ip6tables]", "parameters": "--- Alternatives::Select[ip6tables].orig\n+++ Alternatives::Select[ip6tables]\n\n+    path    => /usr/sbin/ip6tables-legacy\n+    require => Package[iptables]\n"}, {"resource": 
"Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/mlserve.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]\n\n+    ensure      => present\n+    common_name => mlserve\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MGMT_NETWORKS_ipv4.nft\n@@ -1,14 +0,0 @@\n-# Autogenerated by puppet\n-set MGMT_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.65.0.0/16,\n-             10.128.128.0/17,\n-             10.193.0.0/16,\n-             10.80.128.0/17,\n-             10.132.128.0/17,\n-             10.136.128.0/17,\n-             10.140.128.0/17\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/cassandra/cassandra.csr]", "parameters": "--- File[/etc/cfssl/ssl/cassandra/cassandra.csr].orig\n+++ File[/etc/cfssl/ssl/cassandra/cassandra.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set MLSERVE_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:300::/64,\n-             2620:0:860:300::/64\n-    
}\n-}", "parameters": "--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[renew certificate - puppet_rsa]", "parameters": "--- Exec[renew certificate - puppet_rsa].orig\n+++ Exec[renew certificate - puppet_rsa]\n\n+    require     => Exec[Generate cert puppet_rsa]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem -checkend 952200\n"}, {"resource": "Nftables::Service[ssh-from-cumin-masters]", "parameters": "--- Nftables::Service[ssh-from-cumin-masters].orig\n+++ Nftables::Service[ssh-from-cumin-masters]\n\n-    src_sets            => ['CUMIN_MASTERS']\n-    desc                => \n-    prio                => 10\n-    proto               => tcp\n-    unrestricted_access => False\n-    notrack             => False\n-    ensure              => present\n-    port                => 22\n"}, {"resource": "Nftables::Set[LABS_NETWORKS]", "parameters": "--- Nftables::Set[LABS_NETWORKS].orig\n+++ Nftables::Set[LABS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['172.16.0.0/21', '172.16.128.0/24', '172.16.129.0/24', '172.16.130.0/24', '172.16.131.0/24', '172.16.16.0/21', '172.16.24.0/24', '172.16.8.0/21', '172.20.1.0/24', '172.20.2.0/24', '172.20.254.0/24', '172.20.255.0/24', '172.20.3.0/24', '172.20.4.0/24', 
'172.20.5.0/24', '185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:100::/64', '2a02:ec80:a000:1::/64', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '2a02:ec80:a000:2ff::/64', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:100::/64', '2a02:ec80:a100:1::/64', '2a02:ec80:a100:205::/64', '2a02:ec80:a100:2ff::/64', '2a02:ec80:a100:4000::/64']\n"}, {"resource": "File[/etc/cfssl/ssl/network_devices/network_devices.csr]", "parameters": "--- File[/etc/cfssl/ssl/network_devices/network_devices.csr].orig\n+++ File[/etc/cfssl/ssl/network_devices/network_devices.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert wikikube_staging refresh]", "parameters": "--- Exec[Generate cert wikikube_staging refresh].orig\n+++ Exec[Generate cert wikikube_staging refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/wikikube_staging.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging\n\n"}, {"resource": "Service[ulogd2]", "parameters": "--- Service[ulogd2].orig\n+++ Service[ulogd2]\n\n+    ensure  => running\n+    require => Package[ulogd2]\n+    enable  => True\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "parameters": "--- 
Nftables::Set[ZOOKEEPER_FLINK_HOSTS].orig\n+++ Nftables::Set[ZOOKEEPER_FLINK_HOSTS]\n\n-    ensure => present\n-    hosts  => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']\n"}, {"resource": "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "parameters": "--- Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header].orig\n+++ Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]\n\n+    tag    => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n+    source => puppet:///modules/apt/sources-deb822-header.txt\n+    order  => 01\n+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n"}, {"resource": "Concat[/etc/bacula/ssl/cert.pem]", "parameters": "--- Concat[/etc/bacula/ssl/cert.pem].orig\n+++ Concat[/etc/bacula/ssl/cert.pem]\n\n+    show_diff      => True\n+    backup         => puppet\n+    replace        => True\n+    format         => plain\n+    ensure_newline => False\n+    force          => False\n+    path           => /etc/bacula/ssl/cert.pem\n+    warn           => False\n+    mode           => 0644\n+    ensure         => present\n+    order          => alpha\n"}, {"resource": "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/FRACK_NETWORKS_ipv4.nft\n@@ -1,22 +0,0 @@\n-# Autogenerated by puppet\n-set FRACK_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.195.0.0/27,\n-             10.195.0.128/29,\n-             10.195.0.32/27,\n-             10.195.0.64/28,\n-             10.195.0.80/29,\n-   
          10.195.0.96/27,\n-             10.195.1.0/25,\n-             10.64.40.0/27,\n-             10.64.40.160/27,\n-             10.64.40.192/26,\n-             10.64.40.32/27,\n-             10.64.40.64/27,\n-             10.64.40.96/27,\n-             208.80.152.224/28,\n-             208.80.155.0/27\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]", "parameters": "--- File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list].orig\n+++ File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]\n\n+    ensure => absent\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/csr/aux.csr]", "content": "--- /etc/cfssl/csr/aux.csr.orig\n+++ /etc/cfssl/csr/aux.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"aux\",\n+  \"hosts\": [\n+    \"aux\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/aux.csr].orig\n+++ File[/etc/cfssl/csr/aux.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, 
{"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft\n@@ -1,27 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 172.16.0.0/21,\n-             172.16.128.0/24,\n-             172.16.129.0/24,\n-             172.16.130.0/24,\n-             172.16.131.0/24,\n-             172.16.16.0/21,\n-             172.16.24.0/24,\n-             172.16.8.0/21,\n-             172.20.1.0/24,\n-             172.20.2.0/24,\n-             172.20.254.0/24,\n-             172.20.255.0/24,\n-             172.20.3.0/24,\n-             172.20.4.0/24,\n-             172.20.5.0/24,\n-             185.15.56.0/25,\n-             185.15.56.160/28,\n-             185.15.57.0/29,\n-             185.15.57.16/29,\n-             185.15.57.24/29\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "content": "--- /etc/systemd/system/nftables.service.d/puppet-override.conf.orig\n+++ /etc/systemd/system/nftables.service.d/puppet-override.conf\n@@ -1,5 +0,0 @@\n-[Service]\n-ExecStart=\n-ExecStart=/usr/sbin/nft -f /etc/nftables/main.nft\n-ExecReload=\n-ExecReload=/usr/sbin/nft -f /etc/nftables/main.nft", "parameters": "--- File[/etc/systemd/system/nftables.service.d/puppet-override.conf].orig\n+++ File[/etc/systemd/system/nftables.service.d/puppet-override.conf]\n\n-    notify => Exec[systemd daemon-reload for nftables.service (nftables)]\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[dse_front_proxy]", 
"parameters": "--- Cfssl::Cert[dse_front_proxy].orig\n+++ Cfssl::Cert[dse_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => dse_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Exec[Generate cert mlserve_staging]", "parameters": "--- Exec[Generate cert mlserve_staging].orig\n+++ Exec[Generate cert mlserve_staging]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem 2>&1)\"\n\n"}, {"resource": "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "parameters": "--- 
Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.194.61.0/24', '2620:0:860:302::/64']\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => mlserve_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Cfssl::Cert[discovery2026]", "parameters": "--- Cfssl::Cert[discovery2026].orig\n+++ Cfssl::Cert[discovery2026]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => discovery2026\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem].orig\n+++ 
File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set MLSERVE_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.67.16.0/21,\n-             10.194.16.0/21\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Systemd::Unit[ferm-ferm-service-status-restart]", "parameters": "--- Systemd::Unit[ferm-ferm-service-status-restart].orig\n+++ Systemd::Unit[ferm-ferm-service-status-restart]\n\n+    override          => True\n+    require           => ['Class[Systemd]']\n+    source            => puppet:///modules/ferm/ferm_systemd_override\n+    ensure            => present\n+    unit              => ferm\n+    restart           => False\n+    override_filename => ferm-service-status-restart\n"}, {"resource": "File[/etc/ferm/conf.d/99_dscp-default]", "content": "--- /etc/ferm/conf.d/99_dscp-default.orig\n+++ /etc/ferm/conf.d/99_dscp-default\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# 99_dscp-default: \n+\n+domain (ip ip6) {\n+\ttable mangle {\n+\t\tchain POSTROUTING {\n+\t\t\tDSCP set-dscp-class CS0;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/99_dscp-default].orig\n+++ File[/etc/ferm/conf.d/99_dscp-default]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "parameters": "--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Cfssl::Db[Wikimedia_Internal_Root_CA]", "parameters": "--- Cfssl::Db[Wikimedia_Internal_Root_CA].orig\n+++ Cfssl::Db[Wikimedia_Internal_Root_CA]\n\n+    username          => pki\n+    dbname            => pki\n+    password          => changeme\n+    sqlite_path       => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.db\n+    driver            => mysql\n+    dbcharset         => utf8mb4\n+    python_config     => False\n+    host              => m1-master.eqiad.wmnet\n+    ssl_checkhostname => False\n+    conf_file         => /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf\n+    port              => 3306\n"}, {"resource": "File[/etc/cfssl/csr/dse_front_proxy.csr]", "content": "--- /etc/cfssl/csr/dse_front_proxy.csr.orig\n+++ /etc/cfssl/csr/dse_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"dse_front_proxy\",\n+  \"hosts\": [\n+    \"dse_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+   
 }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/dse_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert dse_front_proxy refresh]", "parameters": "--- Exec[Generate cert dse_front_proxy refresh].orig\n+++ Exec[Generate cert dse_front_proxy refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/dse_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy\n\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf\n@@ -0,0 +1,10 @@\n+# SPDX-License-Identifier: Apache-2.0\n+if $programname contains \"nrpe2nodexp-ferm_active\" then {\n+    if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n+        # Send logs to kafka\n+        set $.log_outputs = \"kafka ecs_170 local\";\n+    } else {\n+        # Filter out non-relevant nrpe2nodexp messages\n+        stop\n+    }\n+}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]\n\n+    notify => Service[rsyslog]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/etcd.csr]", "content": "--- /etc/cfssl/csr/etcd.csr.orig\n+++ /etc/cfssl/csr/etcd.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"etcd\",\n+  \"hosts\": [\n+    
\"etcd\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/etcd.csr].orig\n+++ File[/etc/cfssl/csr/etcd.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[renew certificate - dse]", "parameters": "--- Exec[renew certificate - dse].orig\n+++ Exec[renew certificate - dse]\n\n+    require     => Exec[Generate cert dse]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/dse/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse/dse.pem -checkend 952200\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft\n@@ -1,15 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_LOGGING_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:102:10:64:16:205,\n-             2620:0:861:10c:10:64:133:11,\n-             2620:0:861:13d:10:64:183:12,\n-             2620:0:861:10a:10:64:131:13,\n-             2620:0:861:10e:10:64:135:13,\n-             2620:0:860:113:10:192:23:29,\n-             2620:0:860:10c:10:192:11:28,\n-             2620:0:860:105:10:192:26:22,\n-             2620:0:860:10c:10:192:11:27,\n-             2620:0:860:11e:10:192:39:25\n-    }\n-}", "parameters": "--- 
File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[network_devices]", "parameters": "--- Cfssl::Cert[network_devices].orig\n+++ Cfssl::Cert[network_devices]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => network_devices\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Exec[Generate cert discovery2026 refresh]", "parameters": "--- Exec[Generate cert discovery2026 refresh].orig\n+++ Exec[Generate cert discovery2026 refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/discovery2026.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n"}, {"resource": 
"File[/etc/nftables/input/10_ssh-from-bastion.nft]", "content": "--- /etc/nftables/input/10_ssh-from-bastion.nft.orig\n+++ /etc/nftables/input/10_ssh-from-bastion.nft\n@@ -1,4 +0,0 @@\n-# Managed by puppet\n-# \n-ip saddr { 103.102.166.103, 185.15.58.6, 185.15.59.99, 195.200.68.99, 198.35.26.104, 208.80.153.110, 208.80.154.7 } tcp dport { 22 } accept\n-ip6 saddr { 2001:df2:e500:3:103:102:166:103, 2620:0:860:4:208:80:153:110, 2620:0:861:1:208:80:154:7, 2620:0:863:3:198:35:26:104, 2a02:ec80:300:3:185:15:59:99, 2a02:ec80:600:1:185:15:58:6, 2a02:ec80:700:3:195:200:68:99 } tcp dport { 22 } accept", "parameters": "--- File[/etc/nftables/input/10_ssh-from-bastion.nft].orig\n+++ File[/etc/nftables/input/10_ssh-from-bastion.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]", "parameters": "--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 ferm_active]\n\n+    host_name              => pki-root1002\n+    servicegroups          => pki_eqiad\n+    contact_groups         => admins\n+    max_check_attempts     => 3\n+    active_checks_enabled  => 1\n+    notes_url              => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n+    passive_checks_enabled => 1\n+    check_command          => nrpe_check!check_ferm_active!10\n+    check_interval  
       => 30\n+    service_description    => Check whether ferm is active by checking the default input chain\n+    ensure                 => present\n+    retry_interval         => 1\n+    check_freshness        => 0\n+    notification_options   => c,r,f\n+    is_volatile            => 0\n+    check_period           => 24x7\n+    notification_interval  => 0\n+    notification_period    => 24x7\n+    notifications_enabled  => 1\n"}, {"resource": "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "content": "--- /etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr.orig\n+++ /etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"Wikimedia_Internal_Root_CA\",\n+  \"hosts\": [\n+    \"Wikimedia_Internal_Root_CA\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr].orig\n+++ File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/aux_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/aux_front_proxy].orig\n+++ File[/etc/cfssl/ssl/aux_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/ulogd.conf]", "content": "--- /etc/ulogd.conf.orig\n+++ /etc/ulogd.conf\n@@ -0,0 +1,71 @@\n+# MANAGED BY 
PUPPET\n+[global]\n+logfile=syslog\n+loglevel=3\n+\n+\n+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,syslog1:SYSLOG\n+\n+\n+\n+\n+[ct1]\n+\n+[ct2]\n+hash_enable=0\n+\n+[mark]\n+\n+[log1]\n+group=0\n+\n+[log2]\n+group=1\n+\n+[log3]\n+group=2\n+\n+[logemu1]\n+sync=1\n+file=/var/log/ulog/syslogemu.log\n+\n+[emunfct1]\n+sync=1\n+file=/var/log/ulog/syslogemu_nfct.log\n+\n+[json1]\n+sync=1\n+file=/var/log/ulog/ulogd.json\n+\n+[jsonnfct1]\n+sync=1\n+file=/var/log/ulog/ulogd_nfct.json\n+\n+\n+[oprint1]\n+sync=1\n+file=/var/log/ulog/oprint.log\n+\n+[gprint1]\n+sync=1\n+file=/var/log/ulog/gprint.log\n+\n+[json1]\n+sync=1\n+file=/var/log/ulog/ulogd.json\n+\n+[xml1]\n+sync=1\n+file=/var/log/ulog/\n+\n+[pcap1]\n+sync=1\n+file=\n+\n+[nacct1]\n+sync=1\n+file=\n+\n+[syslog1]\n+facility=LOG_LOCAL7\n+level=LOG_INFO", "parameters": "--- File[/etc/ulogd.conf].orig\n+++ File[/etc/ulogd.conf]\n\n+    ensure => file\n+    notify => Service[ulogd2]\n+    owner  => root\n+    group  => root\n"}, {"resource": "Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]", "parameters": "--- Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad].orig\n+++ Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]\n\n+    fileset     => pki-root-cfssl\n+    require     => Class[Bacula::Client]\n+    jobdefaults => Monthly-1st-Wed-productionEqiad\n"}, {"resource": "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "parameters": "--- Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet].orig\n+++ Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]\n\n+    desc                => \n+    prio                => 10\n+    proto               => tcp\n+    srange              => ['backup1014.eqiad.wmnet']\n+    unrestricted_access => False\n+    notrack             => False\n+    ensure              => present\n+    port                => 9102\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube/wikikube.pem]", 
"parameters": "--- File[/etc/cfssl/ssl/wikikube/wikikube.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube/wikikube.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Cert[syslog]", "parameters": "--- Cfssl::Cert[syslog].orig\n+++ Cfssl::Cert[syslog]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => syslog\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "content": "--- /etc/ferm/conf.d/01_drop-blocked-nets.orig\n+++ /etc/ferm/conf.d/01_drop-blocked-nets\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# 01_drop-blocked-nets: drop abuse/blocked_nets.yaml defined in the requestctl private repo\n+\n+domain (ip ip6) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tsaddr $BLOCKED_NETS DROP;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/01_drop-blocked-nets].orig\n+++ File[/etc/ferm/conf.d/01_drop-blocked-nets]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/csr/wikikube.csr]", "content": "--- /etc/cfssl/csr/wikikube.csr.orig\n+++ /etc/cfssl/csr/wikikube.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"wikikube\",\n+  \"hosts\": [\n+    \"wikikube\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/wikikube.csr].orig\n+++ File[/etc/cfssl/csr/wikikube.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/dse/dse-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse/dse-key.pem].orig\n+++ File[/etc/cfssl/ssl/dse/dse-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/zuul.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/zuul.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/zuul.csr]\n\n+    ensure      => present\n+    common_name => zuul\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    
hosts       => []\n"}, {"resource": "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr].orig\n+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026.csr].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Timer[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Timer[wmf_auto_restart_ulogd2]\n\n+    fixed_random_delay => False\n+    ensure             => present\n+    splay              => 0\n+    unit_name          => wmf_auto_restart_ulogd2.service\n+    accuracy           => 15sec\n+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00'}]\n"}, {"resource": "File[/var/log/wmf_auto_restart_ulogd2]", "parameters": "--- File[/var/log/wmf_auto_restart_ulogd2].orig\n+++ File[/var/log/wmf_auto_restart_ulogd2]\n\n+    mode   => 0755\n+    backup => False\n+    group  => root\n+    ensure => directory\n+    owner  => root\n+    force  => True\n"}, {"resource": "Exec[Generate cert wikikube refresh]", "parameters": "--- Exec[Generate cert wikikube refresh].orig\n+++ Exec[Generate cert wikikube refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/wikikube.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile 
intermediate /etc/cfssl/csr/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube\n\n"}, {"resource": "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "content": "--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft.orig\n+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft\n@@ -1,43 +0,0 @@\n-# Autogenerated by puppet\n-set LOAD_BALANCER_HEALTH_CHECKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:101::/64,\n-             2620:0:861:102::/64,\n-             2620:0:861:103::/64,\n-             2620:0:861:107::/64,\n-             2620:0:861:109::/64,\n-             2620:0:861:10a::/64,\n-             2620:0:861:10b::/64,\n-             2620:0:861:10d::/64,\n-             2620:0:861:10e::/64,\n-             2620:0:861:10f::/64,\n-             2620:0:861:119::/64,\n-             2620:0:861:10c::/64,\n-             2620:0:861:113::/64,\n-             2620:0:861:131::/64,\n-             2620:0:861:133::/64,\n-             2620:0:861:135::/64,\n-             2620:0:861:137::/64,\n-             2620:0:861:139::/64,\n-             2620:0:861:13b::/64,\n-             2620:0:861:13d::/64,\n-             2620:0:861:13f::/64,\n-             2620:0:861:142::/64,\n-             2620:0:861:144::/64,\n-             2620:0:860:101::/64,\n-             2620:0:860:102::/64,\n-             2620:0:860:103::/64,\n-             2620:0:860:104::/64,\n-             2a02:ec80:300:101::/64,\n-             2a02:ec80:300:102::/64,\n-             2620:0:863:101::/64,\n-             2620:0:863:102::/64,\n-             2001:df2:e500:101::/64,\n-             2a02:ec80:600:101::/64,\n-             2a02:ec80:600:102::/64,\n-             2a02:ec80:700:101::/64,\n-             2a02:ec80:700:102::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n- 
   mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "content": "--- /lib/systemd/system/prometheus-node-textfile-check-nft.timer.orig\n+++ /lib/systemd/system/prometheus-node-textfile-check-nft.timer\n@@ -1,12 +0,0 @@\n-[Unit]\n-Description=Periodic execution of prometheus-node-textfile-check-nft.service\n-\n-[Timer]\n-Unit=prometheus-node-textfile-check-nft.service\n-# Accuracy sets the maximum time interval around the execution time we want to allow\n-AccuracySec=15sec\n-OnCalendar=*:0/30\n-RandomizedDelaySec=0\n-\n-[Install]\n-WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer].orig\n+++ File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]\n\n-    notify => Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/puppet/puppet.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet/puppet.pem].orig\n+++ File[/etc/cfssl/ssl/puppet/puppet.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]", "parameters": "--- Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh].orig\n+++ Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert\n\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]\n\n+    refreshonly => True\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Exec[Generate cert cassandra refresh]", "parameters": "--- Exec[Generate cert cassandra refresh].orig\n+++ Exec[Generate cert cassandra refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/cassandra.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra\n\n"}, {"resource": "Exec[Generate cert wikikube]", 
"parameters": "--- Exec[Generate cert wikikube].orig\n+++ Exec[Generate cert wikikube]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube/wikikube.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube/wikikube-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set AUX_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:305::/64,\n-             2620:0:860:305::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "parameters": "--- Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources].orig\n+++ Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]\n\n+    show_diff      => True\n+    notify         => 
Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n+    backup         => puppet\n+    replace        => True\n+    format         => plain\n+    ensure_newline => False\n+    owner          => root\n+    force          => False\n+    path           => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n+    warn           => False\n+    mode           => 0444\n+    group          => root\n+    ensure         => present\n+    order          => alpha\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse.csr]\n\n+    ensure      => present\n+    common_name => dse\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Nftables::Set[DRUID_PUBLIC_HOSTS]", "parameters": "--- Nftables::Set[DRUID_PUBLIC_HOSTS].orig\n+++ Nftables::Set[DRUID_PUBLIC_HOSTS]\n\n-    ensure => present\n-    hosts  => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', '2620:0:861:107:10:64:48:185']\n"}, {"resource": "Exec[Generate cert wikikube_staging_front_proxy refresh]", "parameters": "--- Exec[Generate cert wikikube_staging_front_proxy refresh].orig\n+++ Exec[Generate cert wikikube_staging_front_proxy refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy\n\n"}, {"resource": "File[/etc/cfssl/csr/discovery2026.csr]", "content": "--- /etc/cfssl/csr/discovery2026.csr.orig\n+++ /etc/cfssl/csr/discovery2026.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"discovery2026\",\n+  \"hosts\": [\n+    \"discovery2026\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/discovery2026.csr].orig\n+++ File[/etc/cfssl/csr/discovery2026.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/ferm/conf.d]", "parameters": "--- File[/etc/ferm/conf.d].orig\n+++ File[/etc/ferm/conf.d]\n\n+    require => Package[ferm]\n+    notify  => Service[ferm]\n+    ignore  => ['.*']\n+    owner   => root\n+    force   => True\n+    recurse => True\n+    mode    => 0551\n+    group   => adm\n+    ensure  => directory\n+    purge   => True\n"}, {"resource": "Ferm::Conf[defs]", "parameters": "--- Ferm::Conf[defs].orig\n+++ Ferm::Conf[defs]\n\n+    ensure => present\n+    prio   => 00\n"}, {"resource": "Motd::Script[backups-pki-root-cfssl]", "parameters": "--- Motd::Script[backups-pki-root-cfssl].orig\n+++ Motd::Script[backups-pki-root-cfssl]\n\n+    ensure   => present\n+    priority => 6\n+    tag      => backup-motd\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft\n@@ -1,14 +0,0 
@@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_JUMBO_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.130.10,\n-             10.64.131.16,\n-             10.64.132.21,\n-             10.64.134.9,\n-             10.64.135.16,\n-             10.64.136.11,\n-             10.64.154.15,\n-             10.64.160.16,\n-             10.64.0.126\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_ulogd2.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_ulogd2.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of wmf_auto_restart_ulogd2.service\n+\n+[Timer]\n+Unit=wmf_auto_restart_ulogd2.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]\n\n+    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "File[/etc/nftables/100_base_puppet.nft]", "content": "--- /etc/nftables/100_base_puppet.nft.orig\n+++ 
/etc/nftables/100_base_puppet.nft\n@@ -1,45 +0,0 @@\n-# SPDX-License-Identifier: Apache-2.0\n-table inet base {\n-\n-    # Include all Puppet-managed sets\n-    include \"/etc/nftables/sets/*.nft\"\n-\n-    chain prerouting {\n-        type filter hook prerouting priority -300;\n-\n-        # Include all Puppet-managed rules targetting prerouting chain\n-        include \"/etc/nftables/prerouting/*.nft\"\n-        # Include all Puppet-managed exceptions from connection tracking\n-        include \"/etc/nftables/notrack/*.nft\"\n-    }\n-\n-    chain input {\n-        type filter hook input priority 0 ; policy drop;\n-\n-        ct state related,established accept\n-        iifname \"lo\" accept\n-        pkttype multicast accept\n-        meta l4proto ipv6-icmp accept\n-        ip protocol icmp accept\n-\n-        # Include all Puppet-managed service definitions for incoming traffic\n-        include \"/etc/nftables/input/*.nft\"\n-    }\n-\n-    chain output {\n-        type filter hook output priority 0 ; policy accept;\n-\n-        # Include any Puppet-managed client definitions filtering outbound traffic\n-        include \"/etc/nftables/output/*.nft\"\n-    }\n-\n-    chain postrouting {\n-        type filter hook postrouting priority 0 ;\n-\n-        # Include any Puppet-managed custom rules to mark DSCP bits\n-        include \"/etc/nftables/postrouting/*.nft\"\n-        # Anything else mark as CS0 / default priority class\n-        ip dscp != cs0 ip dscp set cs0 counter\n-        ip6 dscp != cs0 ip6 dscp set cs0 counter\n-    }\n-}", "parameters": "--- File[/etc/nftables/100_base_puppet.nft].orig\n+++ File[/etc/nftables/100_base_puppet.nft]\n\n-    require => File[/etc/nftables/]\n-    notify  => ['Service[nftables]']\n-    mode    => 0444\n-    group   => root\n-    ensure  => present\n-    tag     => nft\n-    owner   => root\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs]", "content": "--- /etc/ferm/conf.d/00_defs.orig\n+++ /etc/ferm/conf.d/00_defs\n@@ 
-0,0 +1,1139 @@\n+\n+@def $LINK_LOCAL = (169.254.0.0/16 fe80::/10);\n+@def $INTERNAL = (10.0.0.0/8 2620:0:860:100::/56 2620:0:861:100::/56 2620:0:863:100::/56 2001:df2:e500:100::/56 2a02:ec80:300:100::/56 2a02:ec80:600:100::/56 2a02:ec80:700:100::/56 2a02:ec80:ff00:100::/56);\n+# $DOMAIN_NETWORKS is a set of all networks belonging to a domain.\n+# a domain is a realm currently, but the notion is more generic than that on purpose\n+@def $DOMAIN_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 
10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 
2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 
2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );\n+\n+# $PRODUCTION_NETWORKS is a set of all production networks\n+@def $PRODUCTION_NETWORKS = (10.128.0.0/24 10.128.1.0/24 10.128.2.0/24 10.132.0.0/24 10.132.2.0/24 10.136.0.0/24 10.136.1.0/24 10.140.0.0/24 10.140.1.0/24 10.140.2.0/24 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.20.0/24 10.192.21.0/24 10.192.22.0/24 10.192.23.0/24 10.192.24.0/23 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.64.0/21 10.192.7.0/24 10.192.72.0/24 10.192.76.0/24 10.192.8.0/24 10.192.80.0/20 10.192.9.0/24 10.192.96.0/21 10.194.0.0/20 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.62.0/23 10.194.64.0/20 10.194.80.0/21 10.2.1.0/24 10.2.2.0/24 10.2.3.0/24 10.2.4.0/24 10.2.5.0/24 10.2.6.0/24 10.2.7.0/24 10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 
10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.141.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.148.0/24 10.64.149.0/24 10.64.150.0/24 10.64.151.0/24 10.64.152.0/24 10.64.153.0/24 10.64.154.0/24 10.64.155.0/24 10.64.156.0/24 10.64.157.0/24 10.64.158.0/24 10.64.159.0/24 10.64.16.0/22 10.64.160.0/24 10.64.161.0/24 10.64.162.0/24 10.64.163.0/24 10.64.164.0/24 10.64.165.0/24 10.64.166.0/24 10.64.167.0/24 10.64.169.0/24 10.64.170.0/24 10.64.171.0/24 10.64.172.0/24 10.64.173.0/24 10.64.174.0/24 10.64.175.0/24 10.64.176.0/24 10.64.177.0/24 10.64.178.0/24 10.64.179.0/24 10.64.180.0/24 10.64.181.0/24 10.64.182.0/24 10.64.183.0/24 10.64.184.0/24 10.64.185.0/24 10.64.186.0/24 10.64.187.0/24 10.64.188.0/24 10.64.189.0/24 10.64.190.0/24 10.64.20.0/24 10.64.21.0/24 10.64.24.0/23 10.64.32.0/22 10.64.36.0/24 10.64.48.0/22 10.64.5.0/24 10.64.53.0/24 10.64.64.0/21 10.64.72.0/24 10.64.76.0/24 10.67.0.0/20 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.32.0/20 10.67.64.0/20 10.67.80.0/21 10.80.0.0/24 10.80.1.0/24 10.80.2.0/24 103.102.166.0/28 103.102.166.224/27 103.102.166.96/27 185.15.58.0/27 185.15.58.224/27 185.15.58.32/27 185.15.59.0/27 185.15.59.224/27 185.15.59.32/27 185.15.59.96/27 195.200.68.0/27 195.200.68.224/27 195.200.68.32/27 195.200.68.96/27 198.35.26.0/27 198.35.26.32/27 198.35.26.96/27 198.35.26.96/27 2001:df2:e500:101::/64 2001:df2:e500:103::/64 2001:df2:e500:1::/64 2001:df2:e500:3::/64 2001:df2:e500:ed1a::/64 208.80.152.128/27 208.80.153.0/27 208.80.153.224/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 208.80.154.0/26 208.80.154.128/26 208.80.154.224/27 208.80.154.64/26 208.80.155.96/27 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 
2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:118::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 2620:0:860:140::/64 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:300::/64 2620:0:860:301::/64 2620:0:860:302::/64 2620:0:860:303::/64 2620:0:860:304::/64 2620:0:860:305::/64 2620:0:860:307::/64 2620:0:860:308::/64 2620:0:860:3::/64 2620:0:860:4::/64 2620:0:860:5::/64 2620:0:860:babe::/64 2620:0:860:babf::/64 2620:0:860:cabe::/64 2620:0:860:cabf::/64 2620:0:860:ed1a::/64 2620:0:861:100::/64 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:107::/64 2620:0:861:108::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:113::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:118::/64 2620:0:861:119::/64 2620:0:861:11a::/64 2620:0:861:11c::/64 2620:0:861:11d::/64 2620:0:861:11e::/64 2620:0:861:11f::/64 2620:0:861:120::/64 2620:0:861:121::/64 2620:0:861:122::/64 2620:0:861:123::/64 2620:0:861:124::/64 2620:0:861:125::/64 2620:0:861:126::/64 2620:0:861:127::/64 2620:0:861:128::/64 2620:0:861:129::/64 2620:0:861:12a::/64 2620:0:861:12b::/64 2620:0:861:12c::/64 2620:0:861:12d::/64 2620:0:861:12e::/64 2620:0:861:12f::/64 2620:0:861:131::/64 2620:0:861:132::/64 2620:0:861:133::/64 2620:0:861:134::/64 
2620:0:861:135::/64 2620:0:861:136::/64 2620:0:861:137::/64 2620:0:861:138::/64 2620:0:861:139::/64 2620:0:861:13a::/64 2620:0:861:13b::/64 2620:0:861:13c::/64 2620:0:861:13d::/64 2620:0:861:13e::/64 2620:0:861:13f::/64 2620:0:861:140::/64 2620:0:861:141::/64 2620:0:861:142::/64 2620:0:861:143::/64 2620:0:861:144::/64 2620:0:861:145::/64 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:300::/64 2620:0:861:301::/116 2620:0:861:302::/64 2620:0:861:303::/116 2620:0:861:304::/116 2620:0:861:305::/64 2620:0:861:3::/64 2620:0:861:4::/64 2620:0:861:babe::/64 2620:0:861:babf::/116 2620:0:861:cabe::/64 2620:0:861:cabf::/116 2620:0:861:ed1a::/64 2620:0:863:101::/64 2620:0:863:102::/64 2620:0:863:103::/64 2620:0:863:1::/64 2620:0:863:2::/64 2620:0:863:3::/64 2620:0:863:ed1a::/64 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 2a02:ec80:300:103::/64 2a02:ec80:300:1::/64 2a02:ec80:300:2::/64 2a02:ec80:300:3::/64 2a02:ec80:300:ed1a::/64 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 2a02:ec80:600:1::/64 2a02:ec80:600:2::/64 2a02:ec80:600:ed1a::/64 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 2a02:ec80:700:103::/64 2a02:ec80:700:1::/64 2a02:ec80:700:2::/64 2a02:ec80:700:3::/64 2a02:ec80:700:ed1a::/64 );\n+# $CLOUD_NETWORKS is a set of all Cloud VPS instance networks\n+@def $CLOUD_NETWORKS = (172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );\n+# $LABS_NETWORKS is a deprecated alias for $CLOUD_NETWORKS\n+@def $LABS_NETWORKS = 
(172.16.0.0/21 172.16.128.0/24 172.16.129.0/24 172.16.130.0/24 172.16.131.0/24 172.16.16.0/21 172.16.24.0/24 172.16.8.0/21 172.20.1.0/24 172.20.2.0/24 172.20.254.0/24 172.20.255.0/24 172.20.3.0/24 172.20.4.0/24 172.20.5.0/24 185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:100::/64 2a02:ec80:a000:1::/64 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 2a02:ec80:a000:2ff::/64 2a02:ec80:a000:4000::/64 2a02:ec80:a100:100::/64 2a02:ec80:a100:1::/64 2a02:ec80:a100:205::/64 2a02:ec80:a100:2ff::/64 2a02:ec80:a100:4000::/64 );\n+# $CLOUD_NETWORKS_PUBLIC is meant to be a set of all Cloud public networks\n+@def $CLOUD_NETWORKS_PUBLIC = (185.15.56.0/25 185.15.56.160/28 185.15.57.0/29 185.15.57.16/29 185.15.57.24/29 2a02:ec80:a000:4000::/64 2a02:ec80:a100:4000::/64 );\n+# $CLOUD_PRIVATE_NETWORKS is the cloud-private networks with WMCS\n+# hardware with cloud realm private 172.20.x.x addresses. These\n+# hosts are dual-homed, usually also in at least cloud-hosts.\n+@def $CLOUD_PRIVATE_NETWORKS = (172.20.1.0/24 172.20.2.0/24 172.20.3.0/24 172.20.4.0/24 2a02:ec80:a000:201::/64 2a02:ec80:a000:202::/64 2a02:ec80:a000:203::/64 2a02:ec80:a000:204::/64 172.20.5.0/24 2a02:ec80:a100:205::/64);\n+# $FRACK_NETWORKS is meant to be a set of all fundraising networks\n+@def $FRACK_NETWORKS = (10.195.0.0/27 10.195.0.128/29 10.195.0.32/27 10.195.0.64/28 10.195.0.80/29 10.195.0.96/27 10.195.1.0/25 10.64.40.0/27 10.64.40.160/27 10.64.40.192/26 10.64.40.32/27 10.64.40.64/27 10.64.40.96/27 208.80.152.224/28 208.80.155.0/27 );\n+\n+@def $ANALYTICS_NETWORKS = (10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 
10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64 );\n+@def $MW_APPSERVER_NETWORKS = (10.64.0.0/22 10.64.130.0/24 10.64.131.0/24 10.64.132.0/24 10.64.133.0/24 10.64.134.0/24 10.64.135.0/24 10.64.136.0/24 10.64.141.0/24 10.64.152.0/24 10.64.154.0/24 10.64.156.0/24 10.64.158.0/24 10.64.16.0/22 10.64.160.0/24 10.64.162.0/24 10.64.164.0/24 10.64.166.0/24 10.64.169.0/24 10.64.171.0/24 10.64.173.0/24 10.64.175.0/24 10.64.177.0/24 10.64.179.0/24 10.64.181.0/24 10.64.183.0/24 10.64.185.0/24 10.64.187.0/24 10.64.189.0/24 10.64.32.0/22 10.64.48.0/22 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10c::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:120::/64 2620:0:861:122::/64 2620:0:861:124::/64 2620:0:861:126::/64 2620:0:861:128::/64 2620:0:861:12a::/64 2620:0:861:12c::/64 2620:0:861:12e::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.0.0/22 10.192.10.0/24 10.192.11.0/24 10.192.12.0/24 10.192.13.0/24 10.192.14.0/24 10.192.15.0/24 10.192.16.0/22 10.192.21.0/24 10.192.22.0/24 
10.192.23.0/24 10.192.26.0/24 10.192.27.0/24 10.192.28.0/24 10.192.29.0/24 10.192.30.0/24 10.192.31.0/24 10.192.32.0/22 10.192.36.0/24 10.192.37.0/24 10.192.38.0/24 10.192.39.0/24 10.192.4.0/24 10.192.40.0/24 10.192.41.0/24 10.192.42.0/24 10.192.43.0/24 10.192.44.0/24 10.192.45.0/24 10.192.46.0/24 10.192.47.0/24 10.192.48.0/22 10.192.5.0/24 10.192.52.0/24 10.192.56.0/24 10.192.57.0/24 10.192.58.0/24 10.192.59.0/24 10.192.6.0/24 10.192.7.0/24 10.192.8.0/24 10.192.9.0/24 2620:0:860:100::/64 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 2620:0:860:105::/64 2620:0:860:106::/64 2620:0:860:107::/64 2620:0:860:108::/64 2620:0:860:109::/64 2620:0:860:10a::/64 2620:0:860:10b::/64 2620:0:860:10c::/64 2620:0:860:10d::/64 2620:0:860:10e::/64 2620:0:860:10f::/64 2620:0:860:110::/64 2620:0:860:111::/64 2620:0:860:112::/64 2620:0:860:113::/64 2620:0:860:114::/64 2620:0:860:115::/64 2620:0:860:116::/64 2620:0:860:119::/64 2620:0:860:11a::/64 2620:0:860:11b::/64 2620:0:860:11c::/64 2620:0:860:11d::/64 2620:0:860:11e::/64 2620:0:860:11f::/64 2620:0:860:120::/64 2620:0:860:121::/64 2620:0:860:122::/64 2620:0:860:123::/64 2620:0:860:124::/64 2620:0:860:125::/64 2620:0:860:126::/64 2620:0:860:127::/64 2620:0:860:12b::/64 2620:0:860:12c::/64 2620:0:860:12d::/64 2620:0:860:12e::/64 10.192.64.0/21 10.192.96.0/21 10.194.128.0/17 10.194.16.0/21 10.194.61.0/24 10.194.80.0/21 10.64.64.0/21 10.67.128.0/17 10.67.16.0/21 10.67.24.0/21 10.67.80.0/21 2620:0:860:300::/64 2620:0:860:302::/64 2620:0:860:305::/64 2620:0:860:308::/64 2620:0:860:babe::/64 2620:0:860:cabe::/64 2620:0:861:300::/64 2620:0:861:302::/64 2620:0:861:305::/64 2620:0:861:babe::/64 2620:0:861:cabe::/64 208.80.154.0/26 208.80.154.128/26 208.80.154.64/26 208.80.155.96/27 2620:0:861:1::/64 2620:0:861:2::/64 2620:0:861:3::/64 2620:0:861:4::/64 208.80.153.0/27 208.80.153.32/27 208.80.153.64/27 208.80.153.96/27 2620:0:860:1::/64 2620:0:860:2::/64 2620:0:860:3::/64 2620:0:860:4::/64 );\n+@def 
$WIKIKUBE_KUBEPODS_NETWORKS  = (10.67.128.0/17 2620:0:861:cabe::/64 10.194.128.0/17 2620:0:860:cabe::/64 );\n+@def $STAGING_KUBEPODS_NETWORKS  = (10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 );\n+@def $MLSERVE_KUBEPODS_NETWORKS = (10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 );\n+@def $MLSTAGE_KUBEPODS_NETWORKS = (10.194.61.0/24 2620:0:860:302::/64 );\n+@def $DSE_KUBEPODS_NETWORKS = (10.67.24.0/21 2620:0:861:302::/64 10.192.96.0/21 2620:0:860:308::/64 );\n+@def $AUX_KUBEPODS_NETWORKS = (10.67.80.0/21 2620:0:861:305::/64 10.194.80.0/21 2620:0:860:305::/64 );\n+\n+@def $NETWORK_INFRA = (185.15.59.128/27 2a02:ec80:300:fe00::/55 198.35.26.128/27 2620:0:863:fe00::/55 208.80.153.192/27 2620:0:860:fe00::/55 10.192.255.0/24 2620:0:860:13f::/64 10.192.253.0/24 2620:0:860:139::/64 208.80.154.192/27 2620:0:861:fe00::/55 10.64.146.0/24 2620:0:861:11b::/128 10.64.168.0/24 2620:0:861:130::/64 10.64.147.0/24 103.102.166.128/27 2001:df2:e500:fe00::/55 185.15.58.128/27 2a02:ec80:600:fe00::/55 195.200.68.128/27 2a02:ec80:700:fe00::/55);\n+@def $MGMT_NETWORKS = (10.65.0.0/16 10.128.128.0/17 10.193.0.0/16 10.80.128.0/17 10.132.128.0/17 10.136.128.0/17 10.140.128.0/17 );\n+@def $SANDBOX_NETWORKS = (103.102.166.72/29 185.15.59.72/29 195.200.68.64/29 198.35.26.240/28 2001:df2:e500:202::/64 208.80.152.240/28 208.80.155.64/28 2620:0:860:201::/64 2620:0:861:202::/64 2620:0:863:201::/64 2a02:ec80:300:202::/64 2a02:ec80:700:201::/64 );\n+\n+@def $DEPLOYMENT_HOSTS = (10.64.16.93 2620:0:861:102:10:64:16:93 10.192.32.7 2620:0:860:103:10:192:32:7 );\n+@def $CUMIN_MASTERS = (10.64.16.154 2620:0:861:102:10:64:16:154 10.192.32.49 2620:0:860:103:10:192:32:49 );\n+@def $CACHES = (10.64.0.79 2620:0:861:101:10:64:0:79 10.64.0.229 2620:0:861:101:10:64:0:229 10.64.0.14 2620:0:861:101:10:64:0:14 10.64.0.51 2620:0:861:101:10:64:0:51 10.64.16.241 2620:0:861:102:10:64:16:241 10.64.16.94 2620:0:861:102:10:64:16:94 10.64.16.95 2620:0:861:102:10:64:16:95 
10.64.16.240 2620:0:861:102:10:64:16:240 10.64.32.14 2620:0:861:103:10:64:32:14 10.64.32.60 2620:0:861:103:10:64:32:60 10.64.32.15 2620:0:861:103:10:64:32:15 10.64.32.65 2620:0:861:103:10:64:32:65 10.64.48.16 2620:0:861:107:10:64:48:16 10.64.48.41 2620:0:861:107:10:64:48:41 10.64.48.27 2620:0:861:107:10:64:48:27 10.64.48.28 2620:0:861:107:10:64:48:28 10.192.23.26 2620:0:860:113:10:192:23:26 10.192.6.20 2620:0:860:107:10:192:6:20 10.192.12.35 2620:0:860:10d:10:192:12:35 10.192.14.25 2620:0:860:10f:10:192:14:25 10.192.4.22 2620:0:860:100:10:192:4:22 10.192.29.26 2620:0:860:116:10:192:29:26 10.192.30.29 2620:0:860:119:10:192:30:29 10.192.36.19 2620:0:860:11b:10:192:36:19 10.192.40.25 2620:0:860:11f:10:192:40:25 10.192.41.21 2620:0:860:120:10:192:41:21 10.192.56.3 2620:0:860:12b:10:192:56:3 10.192.56.4 2620:0:860:12b:10:192:56:4 10.192.57.3 2620:0:860:12c:10:192:57:3 10.192.58.2 2620:0:860:12d:10:192:58:2 10.192.58.3 2620:0:860:12d:10:192:58:3 10.192.59.2 2620:0:860:12e:10:192:59:2 10.80.0.14 2a02:ec80:300:101:10:80:0:14 10.80.1.11 2a02:ec80:300:102:10:80:1:11 10.80.0.13 2a02:ec80:300:101:10:80:0:13 10.80.1.9 2a02:ec80:300:102:10:80:1:9 10.80.0.12 2a02:ec80:300:101:10:80:0:12 10.80.1.7 2a02:ec80:300:102:10:80:1:7 10.80.0.11 2a02:ec80:300:101:10:80:0:11 10.80.1.6 2a02:ec80:300:102:10:80:1:6 10.80.0.10 2a02:ec80:300:101:10:80:0:10 10.80.1.5 2a02:ec80:300:102:10:80:1:5 10.80.0.8 2a02:ec80:300:101:10:80:0:8 10.80.1.4 2a02:ec80:300:102:10:80:1:4 10.80.0.7 2a02:ec80:300:101:10:80:0:7 10.80.1.3 2a02:ec80:300:102:10:80:1:3 10.80.0.6 2a02:ec80:300:101:10:80:0:6 10.80.1.2 2a02:ec80:300:102:10:80:1:2 10.128.0.19 2620:0:863:101:10:128:0:19 10.128.1.27 2620:0:863:102:10:128:1:27 10.128.0.22 2620:0:863:101:10:128:0:22 10.128.1.28 2620:0:863:102:10:128:1:28 10.128.0.25 2620:0:863:101:10:128:0:25 10.128.1.29 2620:0:863:102:10:128:1:29 10.128.0.26 2620:0:863:101:10:128:0:26 10.128.1.31 2620:0:863:102:10:128:1:31 10.128.0.14 2620:0:863:101:10:128:0:14 10.128.1.35 
2620:0:863:102:10:128:1:35 10.128.0.21 2620:0:863:101:10:128:0:21 10.128.1.36 2620:0:863:102:10:128:1:36 10.128.0.24 2620:0:863:101:10:128:0:24 10.128.1.10 2620:0:863:102:10:128:1:10 10.128.0.37 2620:0:863:101:10:128:0:37 10.128.1.12 2620:0:863:102:10:128:1:12 10.132.0.17 2001:df2:e500:101:10:132:0:17 10.132.0.18 2001:df2:e500:101:10:132:0:18 10.132.0.19 2001:df2:e500:101:10:132:0:19 10.132.0.24 2001:df2:e500:101:10:132:0:24 10.132.0.29 2001:df2:e500:101:10:132:0:29 10.132.0.30 2001:df2:e500:101:10:132:0:30 10.132.0.34 2001:df2:e500:101:10:132:0:34 10.132.0.35 2001:df2:e500:101:10:132:0:35 10.132.0.36 2001:df2:e500:101:10:132:0:36 10.132.0.37 2001:df2:e500:101:10:132:0:37 10.132.0.38 2001:df2:e500:101:10:132:0:38 10.132.0.25 2001:df2:e500:101:10:132:0:25 10.132.0.26 2001:df2:e500:101:10:132:0:26 10.132.0.27 2001:df2:e500:101:10:132:0:27 10.132.0.28 2001:df2:e500:101:10:132:0:28 10.132.0.16 2001:df2:e500:101:10:132:0:16 10.136.0.6 2a02:ec80:600:101:10:136:0:6 10.136.1.6 2a02:ec80:600:102:10:136:1:6 10.136.0.7 2a02:ec80:600:101:10:136:0:7 10.136.1.7 2a02:ec80:600:102:10:136:1:7 10.136.0.8 2a02:ec80:600:101:10:136:0:8 10.136.1.8 2a02:ec80:600:102:10:136:1:8 10.136.0.9 2a02:ec80:600:101:10:136:0:9 10.136.1.9 2a02:ec80:600:102:10:136:1:9 10.136.0.10 2a02:ec80:600:101:10:136:0:10 10.136.1.10 2a02:ec80:600:102:10:136:1:10 10.136.0.11 2a02:ec80:600:101:10:136:0:11 10.136.1.11 2a02:ec80:600:102:10:136:1:11 10.136.0.12 2a02:ec80:600:101:10:136:0:12 10.136.1.12 2a02:ec80:600:102:10:136:1:12 10.136.0.13 2a02:ec80:600:101:10:136:0:13 10.136.1.13 2a02:ec80:600:102:10:136:1:13 10.140.0.3 2a02:ec80:700:101:10:140:0:3 10.140.1.4 2a02:ec80:700:102:10:140:1:4 10.140.0.4 2a02:ec80:700:101:10:140:0:4 10.140.1.5 2a02:ec80:700:102:10:140:1:5 10.140.0.5 2a02:ec80:700:101:10:140:0:5 10.140.1.6 2a02:ec80:700:102:10:140:1:6 10.140.0.6 2a02:ec80:700:101:10:140:0:6 10.140.1.7 2a02:ec80:700:102:10:140:1:7 10.140.0.7 2a02:ec80:700:101:10:140:0:7 10.140.1.8 2a02:ec80:700:102:10:140:1:8 10.140.0.8 
2a02:ec80:700:101:10:140:0:8 10.140.1.9 2a02:ec80:700:102:10:140:1:9 10.140.0.9 2a02:ec80:700:101:10:140:0:9 10.140.1.10 2a02:ec80:700:102:10:140:1:10 10.140.0.10 2a02:ec80:700:101:10:140:0:10 10.140.1.11 2a02:ec80:700:102:10:140:1:11 );\n+@def $LOAD_BALANCER_HEALTH_CHECKS = (10.64.0.136 10.64.16.60 10.64.158.19 10.64.166.19 10.64.133.19 10.64.141.19 10.64.169.19 10.64.171.19 10.64.173.19 10.64.175.19 10.64.177.19 10.64.179.19 10.64.181.19 10.64.183.19 10.64.185.19 10.64.187.19 10.64.189.19 10.64.48.72 10.64.37.17 10.64.1.17 10.64.17.17 10.64.33.17 10.64.130.20 10.64.131.20 10.64.132.20 10.64.134.20 10.64.135.20 10.64.136.20 10.64.158.20 10.64.166.20 10.64.133.20 10.64.141.20 10.64.169.20 10.64.171.20 10.64.173.20 10.64.175.20 10.64.177.20 10.64.179.20 10.64.181.20 10.64.183.20 10.64.185.20 10.64.187.20 10.64.189.20 2620:0:861:101::/64 2620:0:861:102::/64 2620:0:861:103::/64 2620:0:861:107::/64 2620:0:861:109::/64 2620:0:861:10a::/64 2620:0:861:10b::/64 2620:0:861:10d::/64 2620:0:861:10e::/64 2620:0:861:10f::/64 2620:0:861:119::/64 2620:0:861:10c::/64 2620:0:861:113::/64 2620:0:861:119::/64 2620:0:861:131::/64 2620:0:861:133::/64 2620:0:861:135::/64 2620:0:861:137::/64 2620:0:861:139::/64 2620:0:861:13b::/64 2620:0:861:13d::/64 2620:0:861:13f::/64 2620:0:861:142::/64 2620:0:861:144::/64 10.192.23.8 10.192.0.29 10.192.17.8 10.192.33.8 10.192.49.8 10.192.23.2 10.192.5.2 10.192.6.2 10.192.7.2 10.192.8.2 10.192.9.2 10.192.10.2 10.192.11.2 10.192.12.2 10.192.13.2 10.192.14.2 10.192.15.2 10.192.21.2 10.192.22.2 10.192.4.2 10.192.26.2 10.192.27.2 10.192.28.2 10.192.29.2 10.192.30.2 10.192.31.2 10.192.36.2 10.192.37.2 10.192.38.2 10.192.39.2 10.192.40.2 10.192.41.2 10.192.42.2 10.192.43.2 10.192.11.8 10.192.16.140 10.192.1.8 10.192.33.9 10.192.49.9 10.192.23.3 10.192.5.3 10.192.6.3 10.192.7.3 10.192.8.3 10.192.9.3 10.192.10.3 10.192.11.3 10.192.12.3 10.192.13.3 10.192.14.3 10.192.15.3 10.192.21.3 10.192.22.3 10.192.4.3 10.192.26.3 10.192.27.3 10.192.28.3 10.192.29.3 
10.192.30.3 10.192.31.3 10.192.36.3 10.192.37.3 10.192.38.3 10.192.39.4 10.192.40.3 10.192.41.3 10.192.42.3 10.192.43.3 10.192.32.14 10.192.1.9 10.192.17.9 10.192.49.10 10.192.23.4 10.192.5.4 10.192.6.4 10.192.7.4 10.192.8.4 10.192.9.4 10.192.10.4 10.192.11.4 10.192.12.4 10.192.13.4 10.192.14.4 10.192.15.4 10.192.21.4 10.192.22.4 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 10.192.48.213 10.192.1.13 10.192.17.10 10.192.33.10 10.192.23.5 10.192.5.8 10.192.6.5 10.192.7.5 10.192.8.5 10.192.9.5 10.192.10.5 10.192.11.5 10.192.12.5 10.192.13.5 10.192.14.5 10.192.15.5 10.192.21.5 10.192.22.5 10.192.4.5 10.192.26.5 10.192.27.5 10.192.28.5 10.192.29.5 10.192.30.5 10.192.31.5 10.192.36.5 10.192.37.5 10.192.38.5 10.192.39.6 10.192.40.5 10.192.41.5 10.192.42.5 10.192.43.5 2620:0:860:101::/64 2620:0:860:102::/64 2620:0:860:103::/64 2620:0:860:104::/64 10.80.0.3 10.80.1.8 10.80.1.14 10.80.0.9 10.80.0.2 10.80.1.10 2a02:ec80:300:101::/64 2a02:ec80:300:102::/64 10.128.1.18 10.128.0.9 10.128.1.11 2620:0:863:101::/64 2620:0:863:102::/64 10.132.0.39 10.132.0.6 10.132.0.7 2001:df2:e500:101::/64 10.136.0.16 10.136.1.19 10.136.1.15 10.136.0.19 10.136.0.17 10.136.1.20 2a02:ec80:600:101::/64 2a02:ec80:600:102::/64 10.140.0.13 10.140.1.2 10.140.1.14 10.140.0.2 10.140.0.14 10.140.1.3 2a02:ec80:700:101::/64 2a02:ec80:700:102::/64 );\n+@def $KAFKA_BROKERS_MAIN = (10.192.5.9 2620:0:860:106:10:192:5:9 10.192.22.6 2620:0:860:112:10:192:22:6 10.192.32.4 2620:0:860:103:10:192:32:4 10.192.48.33 2620:0:860:104:10:192:48:33 10.192.48.35 2620:0:860:104:10:192:48:35 10.64.0.101 2620:0:861:101:10:64:0:101 10.64.16.30 2620:0:861:102:10:64:16:30 10.64.32.45 2620:0:861:103:10:64:32:45 10.64.48.37 2620:0:861:107:10:64:48:37 10.64.152.5 2620:0:861:120:10:64:152:5 );\n+@def $KAFKA_BROKERS_JUMBO = (10.64.130.10 2620:0:861:109:10:64:130:10 10.64.131.16 2620:0:861:10a:10:64:131:16 
10.64.132.21 2620:0:861:10b:10:64:132:21 10.64.134.9 2620:0:861:10d:10:64:134:9 10.64.135.16 2620:0:861:10e:10:64:135:16 10.64.136.11 2620:0:861:10f:10:64:136:11 10.64.154.15 2620:0:861:122:10:64:154:15 10.64.160.16 2620:0:861:128:10:64:160:16 10.64.0.126 2620:0:861:101:10:64:0:126 );\n+@def $KAFKA_BROKERS_LOGGING = (10.64.16.205 2620:0:861:102:10:64:16:205 10.64.133.11 2620:0:861:10c:10:64:133:11 10.64.183.12 2620:0:861:13d:10:64:183:12 10.64.131.13 2620:0:861:10a:10:64:131:13 10.64.135.13 2620:0:861:10e:10:64:135:13 10.192.23.29 2620:0:860:113:10:192:23:29 10.192.11.28 2620:0:860:10c:10:192:11:28 10.192.26.22 2620:0:860:105:10:192:26:22 10.192.11.27 2620:0:860:10c:10:192:11:27 10.192.39.25 2620:0:860:11e:10:192:39:25 );\n+@def $KAFKAMON_HOSTS = (10.64.32.11 2620:0:861:103:10:64:32:11 10.192.16.139 2620:0:860:102:10:192:16:139 );\n+@def $ZOOKEEPER_HOSTS_MAIN = (10.64.0.207 2620:0:861:101:10:64:0:207 10.64.16.110 2620:0:861:102:10:64:16:110 10.64.48.154 2620:0:861:107:10:64:48:154 10.192.16.45 2620:0:860:102:10:192:16:45 10.192.32.52 2620:0:860:103:10:192:32:52 10.192.48.59 2620:0:860:104:10:192:48:59 );\n+@def $ZOOKEEPER_FLINK_HOSTS = (10.64.16.9 2620:0:861:102:10:64:16:9 10.64.0.8 2620:0:861:101:10:64:0:8 10.64.32.41 2620:0:861:103:10:64:32:41 10.192.16.227 2620:0:860:102:10:192:16:227 10.192.32.179 2620:0:860:103:10:192:32:179 10.192.48.219 2620:0:860:104:10:192:48:219 );\n+@def $DRUID_PUBLIC_HOSTS = (10.64.131.9 2620:0:861:10a:10:64:131:9 10.64.132.12 2620:0:861:10b:10:64:132:12 10.64.135.9 2620:0:861:10e:10:64:135:9 10.64.32.101 2620:0:861:103:10:64:32:101 10.64.48.185 2620:0:861:107:10:64:48:185 );\n+@def $LABSTORE_HOSTS = (208.80.154.142 2620:0:861:2:208:80:154:142 208.80.154.71 2620:0:861:3:208:80:154:71 );\n+@def $MYSQL_ROOT_CLIENTS = (10.64.16.90 10.192.16.191 10.64.16.154 10.192.32.49 208.80.154.9 10.64.0.20 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-codfw-bgp-private-vips\n+@def 
$CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 = (172.20.254.0/24);\n+@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a100:2ff::/64);\n+@def $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS = ($CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV4 $CODFW_PRIVATE_CLOUD_CODFW_BGP_PRIVATE_VIPS_IPV6 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-flat3-codfw\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 = (172.16.129.0/24);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 = (2a02:ec80:a100:1::/64);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_FLAT3_CODFW_IPV6 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-codfw1dev\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 = (172.16.131.0/24);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 = (2a02:ec80:a100:100::/64);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV = ($CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV4 $CODFW_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_CODFW1DEV_IPV6 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances-vxlan-ipv4-only-codfw\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 = (172.16.130.0/24);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES_VXLAN_IPV4_ONLY_CODFW_IPV4 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-instances2-b-codfw\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 = (172.16.128.0/24);\n+@def $CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW = ($CODFW_PRIVATE_CLOUD_INSTANCES2_B_CODFW_IPV4 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: private, # Network: cloud-private-b1-codfw\n+@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 = (172.20.5.0/24);\n+@def 
$CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 = (2a02:ec80:a100:205::/64);\n+@def $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW = ($CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_PRIVATE_B1_CODFW_IPV6 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-bgp-public-vips\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 = (185.15.57.24/29);\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a100:4000::/64);\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV4 $CODFW_PUBLIC_CLOUD_CODFW1DEV_BGP_PUBLIC_VIPS_IPV6 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 = (185.15.57.0/29);\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_IPV4 );\n+\n+# Realm: cloud, # Site: codfw, # Sphere: public, # Network: cloud-codfw1dev-floating-additional\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 = (185.15.57.16/29);\n+@def $CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL = ($CODFW_PUBLIC_CLOUD_CODFW1DEV_FLOATING_ADDITIONAL_IPV4 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-eqiad-bgp-private-vips\n+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 = (172.20.255.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 = (2a02:ec80:a000:2ff::/64);\n+@def $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS = ($EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV4 $EQIAD_PRIVATE_CLOUD_EQIAD_BGP_PRIVATE_VIPS_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-octavia-lb-mgmt-net-eqiad1\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 = (172.16.24.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 = (2a02:ec80:a000:100::/64);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1 = 
($EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_OCTAVIA_LB_MGMT_NET_EQIAD1_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-dualstack-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 = (172.16.16.0/21);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 = (2a02:ec80:a000:1::/64);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_DUALSTACK_EQIAD_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances-vxlan-v4only-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 = (172.16.8.0/21);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES_VXLAN_V4ONLY_EQIAD_IPV4 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-instances2-b-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 = (172.16.0.0/21);\n+@def $EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD = ($EQIAD_PRIVATE_CLOUD_INSTANCES2_B_EQIAD_IPV4 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-c8-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 = (172.20.1.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 = (2a02:ec80:a000:201::/64);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_C8_EQIAD_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-d5-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 = (172.20.2.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 = (2a02:ec80:a000:202::/64);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_D5_EQIAD_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-e4-eqiad\n+@def 
$EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 = (172.20.3.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 = (2a02:ec80:a000:203::/64);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_E4_EQIAD_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: private, # Network: cloud-private-f4-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 = (172.20.4.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 = (2a02:ec80:a000:204::/64);\n+@def $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_PRIVATE_F4_EQIAD_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-bgp-public-vips\n+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 = (185.15.56.160/28);\n+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 = (2a02:ec80:a000:4000::/64);\n+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS = ($EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV4 $EQIAD_PUBLIC_CLOUD_EQIAD1_BGP_PUBLIC_VIPS_IPV6 );\n+\n+# Realm: cloud, # Site: eqiad, # Sphere: public, # Network: cloud-eqiad1-floating\n+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 = (185.15.56.0/25);\n+@def $EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING = ($EQIAD_PUBLIC_CLOUD_EQIAD1_FLOATING_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-administration-codfw\n+@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 = (10.195.0.64/28);\n+@def $CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW = ($CODFW_PRIVATE_FRACK_ADMINISTRATION_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-bastion-codfw\n+@def $CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 = (10.195.0.128/29);\n+@def $CODFW_PRIVATE_FRACK_BASTION_CODFW = ($CODFW_PRIVATE_FRACK_BASTION_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-fundraising-codfw\n+@def $CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 = (10.195.0.32/27);\n+@def 
$CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW = ($CODFW_PRIVATE_FRACK_FUNDRAISING_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-listenerdmz-codfw\n+@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 = (10.195.0.80/29);\n+@def $CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW = ($CODFW_PRIVATE_FRACK_LISTENERDMZ_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-codfw\n+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 = (10.195.1.0/25);\n+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-management-legacy-codfw\n+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 = (10.195.0.96/27);\n+@def $CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW = ($CODFW_PRIVATE_FRACK_MANAGEMENT_LEGACY_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: private, # Network: frack-payments-codfw\n+@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 = (10.195.0.0/27);\n+@def $CODFW_PRIVATE_FRACK_PAYMENTS_CODFW = ($CODFW_PRIVATE_FRACK_PAYMENTS_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: codfw, # Sphere: public, # Network: frack-external-codfw\n+@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 = (208.80.152.224/28);\n+@def $CODFW_PUBLIC_FRACK_EXTERNAL_CODFW = ($CODFW_PUBLIC_FRACK_EXTERNAL_CODFW_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-administration1-e15-eqiad\n+@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 = (10.64.40.64/27);\n+@def $EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_ADMINISTRATION1_E15_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-bastion1-e15-eqiad\n+@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 = (10.64.40.32/27);\n+@def $EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_BASTION1_E15_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: 
frack-fundraising1-e16-eqiad\n+@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 = (10.64.40.96/27);\n+@def $EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD = ($EQIAD_PRIVATE_FRACK_FUNDRAISING1_E16_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-listenerdmz1-e15-eqiad\n+@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 = (10.64.40.160/27);\n+@def $EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_LISTENERDMZ1_E15_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-management1-eqiad\n+@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 = (10.64.40.192/26);\n+@def $EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD = ($EQIAD_PRIVATE_FRACK_MANAGEMENT1_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: private, # Network: frack-payments1-e15-eqiad\n+@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 = (10.64.40.0/27);\n+@def $EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD = ($EQIAD_PRIVATE_FRACK_PAYMENTS1_E15_EQIAD_IPV4 );\n+\n+# Realm: frack, # Site: eqiad, # Sphere: public, # Network: frack-external1-eqiad\n+@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 = (208.80.155.0/27);\n+@def $EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD = ($EQIAD_PUBLIC_FRACK_EXTERNAL1_EQIAD_IPV4 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: cloud-hosts1-b1-codfw\n+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 = (10.192.20.0/24);\n+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 = (2620:0:860:118::/64);\n+@def $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW = ($CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV4 $CODFW_PRIVATE_CLOUD_HOSTS1_B1_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 = (10.192.0.0/22);\n+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 = (2620:0:860:101::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A_CODFW = ($CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A_CODFW_IPV6 );\n+\n+# Realm: production, # Site: 
codfw, # Sphere: private, # Network: private1-a2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 = (10.192.23.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 = (2620:0:860:113::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A2_CODFW = ($CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a3-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 = (10.192.5.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 = (2620:0:860:106::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A3_CODFW = ($CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 = (10.192.6.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 = (2620:0:860:107::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A4_CODFW = ($CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a5-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 = (10.192.7.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 = (2620:0:860:108::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A5_CODFW = ($CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A5_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a6-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 = (10.192.8.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 = (2620:0:860:109::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A6_CODFW = ($CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A6_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a7-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 = (10.192.9.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 = (2620:0:860:10a::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A7_CODFW = ($CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV4 
$CODFW_PRIVATE_PRIVATE1_A7_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-a8-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 = (10.192.10.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 = (2620:0:860:10b::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_A8_CODFW = ($CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_A8_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubepods-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 = (10.194.80.0/21);\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 = (2620:0:860:305::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-aux-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 = (10.194.64.0/20);\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 = (2620:0:860:304::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_AUX_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 = (10.192.16.0/22);\n+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 = (2620:0:860:102::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B_CODFW = ($CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 = (10.192.11.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 = (2620:0:860:10c::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B2_CODFW = ($CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b3-codfw\n+@def 
$CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 = (10.192.12.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 = (2620:0:860:10d::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B3_CODFW = ($CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 = (10.192.13.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 = (2620:0:860:10e::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B4_CODFW = ($CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b5-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 = (10.192.14.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 = (2620:0:860:10f::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B5_CODFW = ($CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B5_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b6-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 = (10.192.15.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 = (2620:0:860:110::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B6_CODFW = ($CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B6_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b7-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 = (10.192.21.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 = (2620:0:860:111::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B7_CODFW = ($CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B7_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-b8-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 = (10.192.22.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 = (2620:0:860:112::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_B8_CODFW = ($CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_B8_CODFW_IPV6 );\n+\n+# Realm: 
production, # Site: codfw, # Sphere: private, # Network: private1-c-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 = (10.192.32.0/22);\n+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 = (2620:0:860:103::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C_CODFW = ($CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c1-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 = (10.192.4.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 = (2620:0:860:100::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C1_CODFW = ($CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C1_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 = (10.192.26.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 = (2620:0:860:105::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C2_CODFW = ($CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c3-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 = (10.192.27.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 = (2620:0:860:114::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C3_CODFW = ($CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 = (10.192.28.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 = (2620:0:860:115::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C4_CODFW = ($CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c5-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 = (10.192.29.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 = (2620:0:860:116::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C5_CODFW = 
($CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C5_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c6-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 = (10.192.30.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 = (2620:0:860:119::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C6_CODFW = ($CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C6_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-c7-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 = (10.192.31.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 = (2620:0:860:11a::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_C7_CODFW = ($CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_C7_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 = (10.192.48.0/22);\n+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 = (2620:0:860:104::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D_CODFW = ($CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d1-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 = (10.192.36.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 = (2620:0:860:11b::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D1_CODFW = ($CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D1_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 = (10.192.37.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 = (2620:0:860:11c::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D2_CODFW = ($CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d3-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 = (10.192.38.0/24);\n+@def 
$CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 = (2620:0:860:11d::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D3_CODFW = ($CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 = (10.192.39.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 = (2620:0:860:11e::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D4_CODFW = ($CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d5-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 = (10.192.40.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 = (2620:0:860:11f::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D5_CODFW = ($CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D5_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d6-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 = (10.192.41.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 = (2620:0:860:120::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D6_CODFW = ($CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D6_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d7-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 = (10.192.42.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 = (2620:0:860:121::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D7_CODFW = ($CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D7_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-d8-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 = (10.192.43.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 = (2620:0:860:122::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_D8_CODFW = ($CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_D8_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: 
private1-dse-kubepods-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 = (10.192.96.0/21);\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 = (2620:0:860:308::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-dse-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 = (10.192.80.0/20);\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 = (2620:0:860:307::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_DSE_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e1-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 = (10.192.56.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 = (2620:0:860:12b::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_E1_CODFW = ($CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E1_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 = (10.192.44.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 = (2620:0:860:123::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_E2_CODFW = ($CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e3-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 = (10.192.57.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 = (2620:0:860:12c::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_E3_CODFW = ($CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 = (10.192.45.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 = 
(2620:0:860:124::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_E4_CODFW = ($CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-e5-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 = (10.192.46.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 = (2620:0:860:125::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_E5_CODFW = ($CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_E5_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f1-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 = (10.192.58.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 = (2620:0:860:12d::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_F1_CODFW = ($CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F1_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f2-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 = (10.192.47.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 = (2620:0:860:126::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_F2_CODFW = ($CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F2_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f3-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 = (10.192.59.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 = (2620:0:860:12e::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_F3_CODFW = ($CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F3_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-f4-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 = (10.192.52.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 = (2620:0:860:127::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_F4_CODFW = ($CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_F4_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-lvs-codfw\n+@def 
$CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 = (10.2.1.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_LVS_CODFW = ($CODFW_PRIVATE_PRIVATE1_LVS_CODFW_IPV4 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubepods-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 = (10.194.16.0/21);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 = (2620:0:860:300::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlserve-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 = (10.194.0.0/20);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 = (2620:0:860:301::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubepods-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 = (10.194.61.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 = (2620:0:860:302::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-mlstage-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 = (10.194.62.0/23);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 = (2620:0:860:303::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_MLSTAGE_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubepods-codfw\n+@def 
$CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 = (10.194.128.0/17);\n+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 = (2620:0:860:cabe::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-services-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 = (10.192.72.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 = (2620:0:860:cabf::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_SERVICES_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubepods-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 = (10.192.64.0/21);\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 = (2620:0:860:babe::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBEPODS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-staging-kubesvc-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 = (10.192.76.0/24);\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 = (2620:0:860:babf::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW = ($CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_STAGING_KUBESVC_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: private, # Network: private1-virtual-codfw\n+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 = (10.192.24.0/23);\n+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 = (2620:0:860:140::/64);\n+@def $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW = ($CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV4 $CODFW_PRIVATE_PRIVATE1_VIRTUAL_CODFW_IPV6 );\n+\n+# 
Realm: production, # Site: codfw, # Sphere: public, # Network: public1-a-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 = (208.80.153.0/27);\n+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 = (2620:0:860:1::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_A_CODFW = ($CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_A_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-b-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 = (208.80.153.32/27);\n+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 = (2620:0:860:2::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_B_CODFW = ($CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_B_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-c-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 = (208.80.153.64/27);\n+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 = (2620:0:860:3::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_C_CODFW = ($CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_C_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-d-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 = (208.80.153.96/27);\n+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 = (2620:0:860:4::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_D_CODFW = ($CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_D_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-lvs-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 = (208.80.153.224/27);\n+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 = (2620:0:860:ed1a::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_LVS_CODFW = ($CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV4 $CODFW_PUBLIC_PUBLIC1_LVS_CODFW_IPV6 );\n+\n+# Realm: production, # Site: codfw, # Sphere: public, # Network: public1-virtual-codfw\n+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 = (208.80.152.128/27);\n+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 = (2620:0:860:5::/64);\n+@def $CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW = ($CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV4 
$CODFW_PUBLIC_PUBLIC1_VIRTUAL_CODFW_IPV6 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b12-drmrs\n+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 = (10.136.0.0/24);\n+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 = (2a02:ec80:600:101::/64);\n+@def $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B12_DRMRS_IPV6 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-b13-drmrs\n+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 = (10.136.1.0/24);\n+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 = (2a02:ec80:600:102::/64);\n+@def $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV4 $DRMRS_PRIVATE_PRIVATE1_B13_DRMRS_IPV6 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: private, # Network: private1-lvs-drmrs\n+@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 = (10.2.6.0/24);\n+@def $DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS = ($DRMRS_PRIVATE_PRIVATE1_LVS_DRMRS_IPV4 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b12-drmrs\n+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 = (185.15.58.0/27);\n+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 = (2a02:ec80:600:1::/64);\n+@def $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B12_DRMRS_IPV6 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-b13-drmrs\n+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 = (185.15.58.32/27);\n+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 = (2a02:ec80:600:2::/64);\n+@def $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV4 $DRMRS_PUBLIC_PUBLIC1_B13_DRMRS_IPV6 );\n+\n+# Realm: production, # Site: drmrs, # Sphere: public, # Network: public1-lvs-drmrs\n+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 = (185.15.58.224/27);\n+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 = (2a02:ec80:600:ed1a::/64);\n+@def $DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS = ($DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV4 
$DRMRS_PUBLIC_PUBLIC1_LVS_DRMRS_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-a-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 = (10.64.5.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 = (2620:0:861:104::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_A_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-b-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 = (10.64.21.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 = (2620:0:861:105::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_B_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 = (10.64.36.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 = (2620:0:861:106::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c2-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 = (10.64.137.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 = (2620:0:861:110::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c3-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 = (10.64.145.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 = (2620:0:861:117::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c4-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 = (10.64.170.0/24);\n+@def 
$EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 = (2620:0:861:11a::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c5-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 = (10.64.172.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 = (2620:0:861:132::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c6-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 = (10.64.174.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 = (2620:0:861:134::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-c7-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 = (10.64.176.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 = (2620:0:861:136::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_C7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 = (10.64.53.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 = (2620:0:861:108::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d1-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 = (10.64.178.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 = (2620:0:861:138::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D1_EQIAD_IPV6 );\n+\n+# Realm: 
production, # Site: eqiad, # Sphere: private, # Network: analytics1-d2-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 = (10.64.180.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 = (2620:0:861:13a::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d3-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 = (10.64.182.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 = (2620:0:861:13c::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d4-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 = (10.64.184.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 = (2620:0:861:13e::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d6-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 = (10.64.186.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 = (2620:0:861:141::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d7-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 = (10.64.188.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 = (2620:0:861:143::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-d8-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 = (10.64.190.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 = 
(2620:0:861:145::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_D8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e1-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 = (10.64.138.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 = (2620:0:861:100::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e2-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 = (10.64.139.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 = (2620:0:861:111::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e3-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 = (10.64.140.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 = (2620:0:861:112::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e5-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 = (10.64.153.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 = (2620:0:861:121::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e6-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 = (10.64.155.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 = (2620:0:861:123::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: 
private, # Network: analytics1-e7-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 = (10.64.157.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 = (2620:0:861:125::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-e8-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 = (10.64.159.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 = (2620:0:861:127::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_E8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f1-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 = (10.64.142.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 = (2620:0:861:114::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f2-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 = (10.64.143.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 = (2620:0:861:115::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f3-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 = (10.64.144.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 = (2620:0:861:116::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f5-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 = (10.64.161.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 = (2620:0:861:129::/64);\n+@def 
$EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f6-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 = (10.64.163.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 = (2620:0:861:12b::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f7-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 = (10.64.165.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 = (2620:0:861:12d::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: analytics1-f8-eqiad\n+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 = (10.64.167.0/24);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 = (2620:0:861:12f::/64);\n+@def $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD = ($EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_ANALYTICS1_F8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-c8-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 = (10.64.151.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 = (2620:0:861:11f::/64);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_C8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-d5-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 = (10.64.150.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 = (2620:0:861:11e::/64);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_D5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # 
Network: cloud-hosts1-e4-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 = (10.64.148.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 = (2620:0:861:11c::/64);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_E4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 = (10.64.20.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 = (2620:0:861:118::/64);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: cloud-hosts1-f4-eqiad\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 = (10.64.149.0/24);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 = (2620:0:861:11d::/64);\n+@def $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD = ($EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV4 $EQIAD_PRIVATE_CLOUD_HOSTS1_F4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-a-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 = (10.64.0.0/22);\n+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 = (2620:0:861:101::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_A_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_A_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubepods-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 = (10.67.80.0/21);\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 = (2620:0:861:305::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBEPODS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-aux-kubesvc-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 = (10.67.64.0/20);\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 = 
(2620:0:861:304::/116);\n+@def $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_AUX_KUBESVC_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-b-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 = (10.64.16.0/22);\n+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 = (2620:0:861:102::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_B_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_B_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 = (10.64.32.0/22);\n+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 = (2620:0:861:103::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c2-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 = (10.64.133.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 = (2620:0:861:10c::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c3-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 = (10.64.141.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 = (2620:0:861:113::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c4-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 = (10.64.169.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 = (2620:0:861:119::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c5-eqiad\n+@def 
$EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 = (10.64.171.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 = (2620:0:861:131::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c6-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 = (10.64.173.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 = (2620:0:861:133::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-c7-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 = (10.64.175.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 = (2620:0:861:135::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_C7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 = (10.64.48.0/22);\n+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 = (2620:0:861:107::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d1-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 = (10.64.177.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 = (2620:0:861:137::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d2-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 = (10.64.179.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 = (2620:0:861:139::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D2_EQIAD_IPV6 );\n+\n+# Realm: production, 
# Site: eqiad, # Sphere: private, # Network: private1-d3-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 = (10.64.181.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 = (2620:0:861:13b::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d4-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 = (10.64.183.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 = (2620:0:861:13d::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D4_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d6-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 = (10.64.185.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 = (2620:0:861:13f::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d7-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 = (10.64.187.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 = (2620:0:861:142::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-d8-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 = (10.64.189.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 = (2620:0:861:144::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_D8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubepods-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 = (10.67.24.0/21);\n+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:302::/64);\n+@def 
$EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBEPODS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-dse-kubesvc-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 = (10.67.32.0/20);\n+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 = (2620:0:861:303::/116);\n+@def $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_DSE_KUBESVC_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e1-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 = (10.64.130.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 = (2620:0:861:109::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e2-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 = (10.64.131.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 = (2620:0:861:10a::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e3-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 = (10.64.132.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 = (2620:0:861:10b::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e5-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 = (10.64.152.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 = (2620:0:861:120::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: 
private1-e6-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 = (10.64.154.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 = (2620:0:861:122::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e7-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 = (10.64.156.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 = (2620:0:861:124::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-e8-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 = (10.64.158.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 = (2620:0:861:126::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_E8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f1-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 = (10.64.134.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 = (2620:0:861:10d::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F1_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f2-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 = (10.64.135.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 = (2620:0:861:10e::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F2_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f3-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 = (10.64.136.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 = (2620:0:861:10f::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F3_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV4 
$EQIAD_PRIVATE_PRIVATE1_F3_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f5-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 = (10.64.160.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 = (2620:0:861:128::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F5_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f6-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 = (10.64.162.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 = (2620:0:861:12a::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F6_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f7-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 = (10.64.164.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 = (2620:0:861:12c::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F7_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-f8-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 = (10.64.166.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 = (2620:0:861:12e::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_F8_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-lvs-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 = (10.2.2.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_LVS_EQIAD_IPV4 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubepods-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 = (10.67.16.0/21);\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 = (2620:0:861:300::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD = 
($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBEPODS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-mlserve-kubesvc-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 = (10.67.0.0/20);\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 = (2620:0:861:301::/116);\n+@def $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_MLSERVE_KUBESVC_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubepods-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 = (10.67.128.0/17);\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 = (2620:0:861:cabe::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBEPODS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-services-kubesvc-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 = (10.64.72.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 = (2620:0:861:cabf::/116);\n+@def $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_SERVICES_KUBESVC_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubepods-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 = (10.64.64.0/21);\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 = (2620:0:861:babe::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBEPODS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-staging-kubesvc-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 = 
(10.64.76.0/24);\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 = (2620:0:861:babf::/116);\n+@def $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_STAGING_KUBESVC_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: private, # Network: private1-virtual-eqiad\n+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 = (10.64.24.0/23);\n+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 = (2620:0:861:140::/64);\n+@def $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD = ($EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV4 $EQIAD_PRIVATE_PRIVATE1_VIRTUAL_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-a-eqiad\n+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 = (208.80.154.0/26);\n+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 = (2620:0:861:1::/64);\n+@def $EQIAD_PUBLIC_PUBLIC1_A_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_A_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-b-eqiad\n+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 = (208.80.154.128/26);\n+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 = (2620:0:861:2::/64);\n+@def $EQIAD_PUBLIC_PUBLIC1_B_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_B_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-c-eqiad\n+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 = (208.80.154.64/26);\n+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 = (2620:0:861:3::/64);\n+@def $EQIAD_PUBLIC_PUBLIC1_C_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_C_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # Sphere: public, # Network: public1-d-eqiad\n+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 = (208.80.155.96/27);\n+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 = (2620:0:861:4::/64);\n+@def $EQIAD_PUBLIC_PUBLIC1_D_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_D_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqiad, # 
Sphere: public, # Network: public1-lvs-eqiad\n+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 = (208.80.154.224/27);\n+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 = (2620:0:861:ed1a::/64);\n+@def $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD = ($EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV4 $EQIAD_PUBLIC_PUBLIC1_LVS_EQIAD_IPV6 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-eqsin\n+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 = (10.132.0.0/24);\n+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 = (2001:df2:e500:101::/64);\n+@def $EQSIN_PRIVATE_PRIVATE1_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_EQSIN_IPV6 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-lvs-eqsin\n+@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 = (10.2.5.0/24);\n+@def $EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_LVS_EQSIN_IPV4 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: private, # Network: private1-virtual-eqsin\n+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 = (10.132.2.0/24);\n+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:103::/64);\n+@def $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN = ($EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV4 $EQSIN_PRIVATE_PRIVATE1_VIRTUAL_EQSIN_IPV6 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-eqsin\n+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 = (103.102.166.0/28);\n+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 = (2001:df2:e500:1::/64);\n+@def $EQSIN_PUBLIC_PUBLIC1_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_EQSIN_IPV6 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: public, # Network: public1-lvs-eqsin\n+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 = (103.102.166.224/27);\n+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 = (2001:df2:e500:ed1a::/64);\n+@def $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_LVS_EQSIN_IPV6 );\n+\n+# Realm: production, # Site: eqsin, # Sphere: public, # Network: 
public1-virtual-eqsin\n+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 = (103.102.166.96/27);\n+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:3::/64);\n+@def $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_PUBLIC1_VIRTUAL_EQSIN_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-bw27-esams\n+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 = (10.80.0.0/24);\n+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 = (2a02:ec80:300:101::/64);\n+@def $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BW27_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-by27-esams\n+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 = (10.80.1.0/24);\n+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 = (2a02:ec80:300:102::/64);\n+@def $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_BY27_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-lvs-esams\n+@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 = (10.2.3.0/24);\n+@def $ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_LVS_ESAMS_IPV4 );\n+\n+# Realm: production, # Site: esams, # Sphere: private, # Network: private1-virtual-esams\n+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 = (10.80.2.0/24);\n+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:103::/64);\n+@def $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS = ($ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV4 $ESAMS_PRIVATE_PRIVATE1_VIRTUAL_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-bw27-esams\n+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 = (185.15.59.0/27);\n+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 = (2a02:ec80:300:1::/64);\n+@def $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BW27_ESAMS_IPV6 );\n+\n+# Realm: 
production, # Site: esams, # Sphere: public, # Network: public1-by27-esams\n+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 = (185.15.59.32/27);\n+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 = (2a02:ec80:300:2::/64);\n+@def $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_BY27_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-lvs-esams\n+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 = (185.15.59.224/27);\n+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 = (2a02:ec80:300:ed1a::/64);\n+@def $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_LVS_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: esams, # Sphere: public, # Network: public1-virtual-esams\n+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 = (185.15.59.96/27);\n+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:3::/64);\n+@def $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_PUBLIC1_VIRTUAL_ESAMS_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b3-magru\n+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 = (10.140.0.0/24);\n+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 = (2a02:ec80:700:101::/64);\n+@def $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B3_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-b4-magru\n+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 = (10.140.1.0/24);\n+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 = (2a02:ec80:700:102::/64);\n+@def $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_B4_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: private, # Network: private1-lvs-magru\n+@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 = (10.2.7.0/24);\n+@def $MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_LVS_MAGRU_IPV4 );\n+\n+# Realm: 
production, # Site: magru, # Sphere: private, # Network: private1-virtual-magru\n+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 = (10.140.2.0/24);\n+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:103::/64);\n+@def $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU = ($MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV4 $MAGRU_PRIVATE_PRIVATE1_VIRTUAL_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b3-magru\n+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 = (195.200.68.0/27);\n+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 = (2a02:ec80:700:1::/64);\n+@def $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B3_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-b4-magru\n+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 = (195.200.68.32/27);\n+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 = (2a02:ec80:700:2::/64);\n+@def $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_B4_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-lvs-magru\n+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 = (195.200.68.224/27);\n+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 = (2a02:ec80:700:ed1a::/64);\n+@def $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_LVS_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: magru, # Sphere: public, # Network: public1-virtual-magru\n+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 = (195.200.68.96/27);\n+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:3::/64);\n+@def $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_PUBLIC1_VIRTUAL_MAGRU_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-22-ulsfo\n+@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 = (10.128.0.0/24);\n+@def $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 = (2620:0:863:101::/64);\n+@def 
$ULSFO_PRIVATE_PRIVATE1_22_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_22_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-23-ulsfo\n+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 = (10.128.1.0/24);\n+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 = (2620:0:863:102::/64);\n+@def $ULSFO_PRIVATE_PRIVATE1_23_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_23_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-lvs-ulsfo\n+@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 = (10.2.4.0/24);\n+@def $ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_LVS_ULSFO_IPV4 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: private, # Network: private1-virtual-ulsfo\n+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 = (10.128.2.0/24);\n+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:103::/64);\n+@def $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO = ($ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV4 $ULSFO_PRIVATE_PRIVATE1_VIRTUAL_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-22-ulsfo\n+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 = (198.35.26.0/27);\n+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 = (2620:0:863:1::/64);\n+@def $ULSFO_PUBLIC_PUBLIC1_22_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_22_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-23-ulsfo\n+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 = (198.35.26.32/27);\n+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 = (2620:0:863:2::/64);\n+@def $ULSFO_PUBLIC_PUBLIC1_23_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_23_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-lvs-ulsfo\n+@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 = (198.35.26.96/27);\n+@def $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 = (2620:0:863:ed1a::/64);\n+@def 
$ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_LVS_ULSFO_IPV6 );\n+\n+# Realm: production, # Site: ulsfo, # Sphere: public, # Network: public1-virtual-ulsfo\n+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 = (198.35.26.96/27);\n+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 = (2620:0:863:3::/64);\n+@def $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO = ($ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV4 $ULSFO_PUBLIC_PUBLIC1_VIRTUAL_ULSFO_IPV6 );\n+\n+# Realm: sandbox, # Site: codfw, # Sphere: public, # Network: sandbox1-a-codfw\n+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 = (208.80.152.240/28);\n+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 = (2620:0:860:201::/64);\n+@def $CODFW_PUBLIC_SANDBOX1_A_CODFW = ($CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV4 $CODFW_PUBLIC_SANDBOX1_A_CODFW_IPV6 );\n+\n+# Realm: sandbox, # Site: eqiad, # Sphere: public, # Network: sandbox1-b-eqiad\n+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 = (208.80.155.64/28);\n+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 = (2620:0:861:202::/64);\n+@def $EQIAD_PUBLIC_SANDBOX1_B_EQIAD = ($EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV4 $EQIAD_PUBLIC_SANDBOX1_B_EQIAD_IPV6 );\n+\n+# Realm: sandbox, # Site: eqsin, # Sphere: public, # Network: sandbox1-virtual-eqsin\n+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 = (103.102.166.72/29);\n+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 = (2001:df2:e500:202::/64);\n+@def $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN = ($EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV4 $EQSIN_PUBLIC_SANDBOX1_VIRTUAL_EQSIN_IPV6 );\n+\n+# Realm: sandbox, # Site: esams, # Sphere: public, # Network: sandbox1-virtual-esams\n+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 = (185.15.59.72/29);\n+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 = (2a02:ec80:300:202::/64);\n+@def $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS = ($ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV4 $ESAMS_PUBLIC_SANDBOX1_VIRTUAL_ESAMS_IPV6 );\n+\n+# Realm: sandbox, # Site: magru, # Sphere: public, # Network: sandbox1-virtual-magru\n+@def 
$MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 = (195.200.68.64/29);\n+@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 = (2a02:ec80:700:201::/64);\n+@def $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU = ($MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV4 $MAGRU_PUBLIC_SANDBOX1_VIRTUAL_MAGRU_IPV6 );\n+\n+# Realm: sandbox, # Site: ulsfo, # Sphere: public, # Network: sandbox1-ulsfo\n+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 = (198.35.26.240/28);\n+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 = (2620:0:863:201::/64);\n+@def $ULSFO_PUBLIC_SANDBOX1_ULSFO = ($ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV4 $ULSFO_PUBLIC_SANDBOX1_ULSFO_IPV6 );", "parameters": "--- File[/etc/ferm/conf.d/00_defs].orig\n+++ File[/etc/ferm/conf.d/00_defs]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]", "parameters": "--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 raid_md]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf\n@@ -1,10 +0,0 @@\n-# rsyslog.conf(5) configuration file for services.\n-# This file is managed by Puppet.\n-if $programname startswith \"prometheus-node-textfile-check-nft\" then {\n-    action(\n-       
 type=\"omfile\" file=\"/var/log/prometheus-node-textfile-check-nft/syslog.log\"\n-        fileOwner=\"root\" fileGroup=\"root\"\n-        fileCreateMode=\"0644\"\n-    )\n-    & stop\n-}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]\n\n-    notify => Service[rsyslog]\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/]", "parameters": "--- File[/etc/nftables/].orig\n+++ File[/etc/nftables/]\n\n-    path    => /etc/nftables\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "File[/etc/cfssl/ssl/cassandra/cassandra.pem]", "parameters": "--- File[/etc/cfssl/ssl/cassandra/cassandra.pem].orig\n+++ File[/etc/cfssl/ssl/cassandra/cassandra.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert aux]", "parameters": "--- Exec[Generate cert aux].orig\n+++ Exec[Generate cert aux]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/aux.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux/aux\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/aux/aux.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/aux/aux-key.pem 2>&1)\"\n\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_ulogd2].orig\n+++ Rsyslog::Conf[wmf_auto_restart_ulogd2]\n\n+   
 ensure   => present\n+    priority => 40\n+    mode     => 0444\n+    require  => File[/var/log/wmf_auto_restart_ulogd2]\n"}, {"resource": "Exec[Generate cert mlserve_front_proxy]", "parameters": "--- Exec[Generate cert mlserve_front_proxy].orig\n+++ Exec[Generate cert mlserve_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "Nftables::Set[MONITORING_HOSTS]", "parameters": "--- Nftables::Set[MONITORING_HOSTS].orig\n+++ Nftables::Set[MONITORING_HOSTS]\n\n-    ensure => present\n-    hosts  => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]\n\n+    refreshonly => True\n+    before      => ['Service[wmf_auto_restart_ulogd2.timer]']\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Cfssl::Cert[aux_front_proxy]", "parameters": "--- Cfssl::Cert[aux_front_proxy].orig\n+++ 
Cfssl::Cert[aux_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => aux_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Exec[renew certificate - discovery2026]", "parameters": "--- Exec[renew certificate - discovery2026].orig\n+++ Exec[renew certificate - discovery2026]\n\n+    require     => Exec[Generate cert discovery2026]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/discovery2026/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -checkend 952200\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]\n\n+    ensure      => present\n+    
common_name => Wikimedia_Internal_Root_CA_ocsp_signing_cert\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 256}\n+    hosts       => []\n"}, {"resource": "File[/etc/cfssl/ssl/kafka]", "parameters": "--- File[/etc/cfssl/ssl/kafka].orig\n+++ File[/etc/cfssl/ssl/kafka]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-ferm_active.service].orig\n+++ Systemd::Unit[nrpe2nodexp-ferm_active.service]\n\n+    override          => False\n+    require           => ['Class[Systemd]']\n+    ensure            => present\n+    unit              => nrpe2nodexp-ferm_active.service\n+    restart           => False\n+    override_filename => puppet-override.conf\n"}, {"resource": "Class[Nftables]", "parameters": "--- Class[Nftables].orig\n+++ Class[Nftables]\n\n-    ensure => present\n"}, {"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "Ferm::Rule[filter_log_filter-bootp]", "parameters": "--- Ferm::Rule[filter_log_filter-bootp].orig\n+++ Ferm::Rule[filter_log_filter-bootp]\n\n+    rule   => proto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;\n+    domain => (ip ip6)\n+    chain  => INPUT\n+    ensure => present\n+    table  => filter\n+    desc   => \n+    prio   => 98\n"}, {"resource": "Exec[Generate cert syslog refresh]", "parameters": "--- Exec[Generate cert syslog refresh].orig\n+++ Exec[Generate cert syslog refresh]\n\n+    subscribe   => 
File[/etc/cfssl/csr/syslog.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog\n\n"}, {"resource": "Exec[renew certificate - network_devices]", "parameters": "--- Exec[renew certificate - network_devices].orig\n+++ Exec[renew certificate - network_devices]\n\n+    require     => Exec[Generate cert network_devices]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/network_devices/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/network_devices/network_devices.pem -checkend 952200\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_tcp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_tcp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_tcp]\n\n+    desc                => \n+    prio                => 10\n+    proto               => tcp\n+    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+    unrestricted_access => False\n+    notrack             => False\n+    port_range          
=> [1, 65535]\n+    ensure              => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 ssh]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Nftables::Set[INSTALL_HOSTS]", "parameters": "--- Nftables::Set[INSTALL_HOSTS].orig\n+++ Nftables::Set[INSTALL_HOSTS]\n\n-    ensure => present\n-    hosts  => ['208.80.154.134', '208.80.153.70', '185.15.59.101', '198.35.26.98', '103.102.166.104', '185.15.58.7', '195.200.68.100', '2620:0:861:2:208:80:154:134', '2620:0:860:3:208:80:153:70', '2a02:ec80:300:3:185:15:59:101', '2620:0:863:3:198:35:26:98', '2001:df2:e500:3:103:102:166:104', '2a02:ec80:600:1:185:15:58:7', '2a02:ec80:700:3:195:200:68:100']\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Syslog[wmf_auto_restart_ulogd2]\n\n+    base_dir               => /var/log\n+    log_filename           => syslog.log\n+    force_stop             => True\n+    owner                  => root\n+    programname_comparison => startswith\n+    readable_by            => all\n+    group                  => root\n+    ensure                 => present\n"}, {"resource": "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft\n@@ -1,10 +0,0 @@\n-# Autogenerated by puppet\n-set DRUID_PUBLIC_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.131.9,\n-             10.64.132.12,\n-             10.64.135.9,\n-             10.64.32.101,\n-             10.64.48.185\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft].orig\n+++ 
File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat::Fragment[/etc/bacula_puppet_ca_chain]", "parameters": "--- Concat::Fragment[/etc/bacula_puppet_ca_chain].orig\n+++ Concat::Fragment[/etc/bacula_puppet_ca_chain]\n\n+    target => /etc/bacula/ssl/cert.pem\n+    order  => 02\n+    source => /var/lib/puppet/ssl/certs/ca.pem\n"}, {"resource": "Class[Ulogd]", "parameters": "--- Class[Ulogd].orig\n+++ Class[Ulogd]\n\n+    json_logfile        => /var/log/ulog/ulogd.json\n+    gprint_logfile      => /var/log/ulog/gprint.log\n+    config_file         => /etc/ulogd.conf\n+    xml_directory       => /var/log/ulog/\n+    nfct                => []\n+    nflog               => ['SYSLOG']\n+    ensure              => present\n+    syslog_level        => info\n+    logemu_logfile      => /var/log/ulog/syslogemu.log\n+    json_nfct_logfile   => /var/log/ulog/ulogd_nfct.json\n+    oprint_logfile      => /var/log/ulog/oprint.log\n+    syslog_facility     => local7\n+    pcap_file           => /var/log/ulog/ulogd.pcap\n+    acct                => []\n+    nacct_file          => /var/log/ulog/nacct.log\n+    sync                => True\n+    logemu_nfct_logfile => /var/log/ulog/syslogemu_nfct.log\n+    log_level           => info\n+    logfile             => syslog\n"}, {"resource": "Class[Ferm]", "parameters": "--- Class[Ferm].orig\n+++ Class[Ferm]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/csr/debmonitor.csr]", "content": "--- /etc/cfssl/csr/debmonitor.csr.orig\n+++ /etc/cfssl/csr/debmonitor.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"debmonitor\",\n+  \"hosts\": [\n+    \"debmonitor\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia 
Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/debmonitor.csr].orig\n+++ File[/etc/cfssl/csr/debmonitor.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/csr/aux_front_proxy.csr]", "content": "--- /etc/cfssl/csr/aux_front_proxy.csr.orig\n+++ /etc/cfssl/csr/aux_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"aux_front_proxy\",\n+  \"hosts\": [\n+    \"aux_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/aux_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/aux_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Nftables::Set[CACHES]", "parameters": "--- Nftables::Set[CACHES].orig\n+++ Nftables::Set[CACHES]\n\n-    ensure => present\n-    hosts  => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', 
'2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', '10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.1.27', '2620:0:863:102:10:128:1:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.1.28', '2620:0:863:102:10:128:1:28', '10.128.0.25', 
'2620:0:863:101:10:128:0:25', '10.128.1.29', '2620:0:863:102:10:128:1:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.1.31', '2620:0:863:102:10:128:1:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.1.35', '2620:0:863:102:10:128:1:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.1.36', '2620:0:863:102:10:128:1:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.1.10', '2620:0:863:102:10:128:1:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.1.12', '2620:0:863:102:10:128:1:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', '10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', 
'10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', '2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']\n"}, {"resource": "Cfssl::Cert[mlserve]", "parameters": "--- Cfssl::Cert[mlserve].orig\n+++ Cfssl::Cert[mlserve]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => mlserve\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube/wikikube-key.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    
group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Service[bacula-fd]", "parameters": "--- Service[bacula-fd].orig\n+++ Service[bacula-fd]\n\n+    ensure  => running\n+    require => Package[bacula-fd]\n"}, {"resource": "File[/etc/nftables/prerouting]", "parameters": "--- File[/etc/nftables/prerouting].orig\n+++ File[/etc/nftables/prerouting]\n\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "parameters": "--- Rsyslog::Conf[prometheus-node-textfile-check-nft].orig\n+++ Rsyslog::Conf[prometheus-node-textfile-check-nft]\n\n-    ensure   => present\n-    priority => 40\n-    mode     => 0444\n-    require  => File[/var/log/prometheus-node-textfile-check-nft]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/puppet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/puppet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/puppet.csr]\n\n+    ensure      => present\n+    common_name => puppet\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MGMT_NETWORKS_ipv6.nft\n@@ -1,4 +0,0 @@\n-# Autogenerated by puppet\n-set MGMT_NETWORKS_ipv6 {\n-    type ipv6_addr\n-}", "parameters": "--- File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert aux_front_proxy]", "parameters": "--- Exec[Generate cert aux_front_proxy].orig\n+++ 
Exec[Generate cert aux_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/network_devices.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]\n\n+    ensure      => present\n+    common_name => network_devices\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]\n\n+    ensure      => present\n+    common_name => mlserve_staging\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Exec[renew certificate - cloud_wmnet_ca]", "parameters": "--- Exec[renew certificate - cloud_wmnet_ca].orig\n+++ 
Exec[renew certificate - cloud_wmnet_ca]\n\n+    require     => Exec[Generate cert cloud_wmnet_ca]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem -checkend 952200\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => absent\n+    ensure => directory\n"}, {"resource": "Systemd::Timer[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Timer[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Timer[prometheus-node-textfile-check-nft]\n\n-    fixed_random_delay => False\n-    ensure             => present\n-    splay              => 0\n-    unit_name          => prometheus-node-textfile-check-nft.service\n-    accuracy           => 15sec\n-    timer_intervals    => [{'start': 'OnCalendar', 'interval': '*:0/30'}]\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 
'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 
'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 
'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']\n"}, {"resource": "Exec[Generate cert dse]", "parameters": "--- Exec[Generate cert dse].orig\n+++ Exec[Generate cert dse]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/dse.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse/dse.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse/dse-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/INSTALL_HOSTS_ipv4.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set INSTALL_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 208.80.154.134,\n-             208.80.153.70,\n-             185.15.59.101,\n-             198.35.26.98,\n-             103.102.166.104,\n-             185.15.58.7,\n-             195.200.68.100\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => Host being setup by Infrastructure Foundations SREs with ntables\n+    role_description => PKI RootCA\n"}, {"resource": "Exec[Generate cert mlserve refresh]", "parameters": "--- Exec[Generate cert mlserve refresh].orig\n+++ Exec[Generate cert mlserve refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/mlserve.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve\n\n"}, {"resource": "Motd::Script[pki::root]", "parameters": "--- Motd::Script[pki::root].orig\n+++ Motd::Script[pki::root]\n\n+    ensure   => present\n+    priority => 5\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft\n@@ -1,20 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2a02:ec80:a000:100::/64,\n-             2a02:ec80:a000:1::/64,\n-             2a02:ec80:a000:201::/64,\n-             2a02:ec80:a000:202::/64,\n-             2a02:ec80:a000:203::/64,\n-             2a02:ec80:a000:204::/64,\n-             2a02:ec80:a000:2ff::/64,\n-             2a02:ec80:a000:4000::/64,\n-             2a02:ec80:a100:100::/64,\n-             2a02:ec80:a100:1::/64,\n-             2a02:ec80:a100:205::/64,\n-             2a02:ec80:a100:2ff::/64,\n-             2a02:ec80:a100:4000::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "parameters": "--- Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig\n+++ Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n\n+    refreshonly => True\n+    command     => /usr/bin/apt-get update \n"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- 
File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Profile::Auto_restarts::Service[ulogd2]", "parameters": "--- Profile::Auto_restarts::Service[ulogd2].orig\n+++ Profile::Auto_restarts::Service[ulogd2]\n\n+    ensure => present\n"}, {"resource": "Confd::File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- Confd::File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ Confd::File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/syslog]", "parameters": "--- File[/etc/cfssl/ssl/syslog].orig\n+++ File[/etc/cfssl/ssl/syslog]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Class[Profile::Firewall]", "parameters": "--- Class[Profile::Firewall].orig\n+++ Class[Profile::Firewall]\n\n@@\n-    provider => nftables\n+    provider => ferm\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => pki_eqiad\n@@\n-    cluster               => insetup\n+    cluster               => pki\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "Cfssl::Cert[etcd]", "parameters": "--- Cfssl::Cert[etcd].orig\n+++ Cfssl::Cert[etcd]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => etcd\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 
'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/nftables/sets/CACHES_ipv6.nft]", "content": "--- /etc/nftables/sets/CACHES_ipv6.nft.orig\n+++ /etc/nftables/sets/CACHES_ipv6.nft\n@@ -1,117 +0,0 @@\n-# Autogenerated by puppet\n-set CACHES_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:101:10:64:0:79,\n-             2620:0:861:101:10:64:0:229,\n-             2620:0:861:101:10:64:0:14,\n-             2620:0:861:101:10:64:0:51,\n-             2620:0:861:102:10:64:16:241,\n-             2620:0:861:102:10:64:16:94,\n-             2620:0:861:102:10:64:16:95,\n-             2620:0:861:102:10:64:16:240,\n-             2620:0:861:103:10:64:32:14,\n-             2620:0:861:103:10:64:32:60,\n-             2620:0:861:103:10:64:32:15,\n-             2620:0:861:103:10:64:32:65,\n-             2620:0:861:107:10:64:48:16,\n-             2620:0:861:107:10:64:48:41,\n-             2620:0:861:107:10:64:48:27,\n-             2620:0:861:107:10:64:48:28,\n-             2620:0:860:113:10:192:23:26,\n-             2620:0:860:107:10:192:6:20,\n-             2620:0:860:10d:10:192:12:35,\n-             2620:0:860:10f:10:192:14:25,\n-             2620:0:860:100:10:192:4:22,\n-             2620:0:860:116:10:192:29:26,\n-             2620:0:860:119:10:192:30:29,\n-             2620:0:860:11b:10:192:36:19,\n-             2620:0:860:11f:10:192:40:25,\n-             2620:0:860:120:10:192:41:21,\n-             2620:0:860:12b:10:192:56:3,\n-             2620:0:860:12b:10:192:56:4,\n-             2620:0:860:12c:10:192:57:3,\n-             2620:0:860:12d:10:192:58:2,\n-             2620:0:860:12d:10:192:58:3,\n-             2620:0:860:12e:10:192:59:2,\n-             
2a02:ec80:300:101:10:80:0:14,\n-             2a02:ec80:300:102:10:80:1:11,\n-             2a02:ec80:300:101:10:80:0:13,\n-             2a02:ec80:300:102:10:80:1:9,\n-             2a02:ec80:300:101:10:80:0:12,\n-             2a02:ec80:300:102:10:80:1:7,\n-             2a02:ec80:300:101:10:80:0:11,\n-             2a02:ec80:300:102:10:80:1:6,\n-             2a02:ec80:300:101:10:80:0:10,\n-             2a02:ec80:300:102:10:80:1:5,\n-             2a02:ec80:300:101:10:80:0:8,\n-             2a02:ec80:300:102:10:80:1:4,\n-             2a02:ec80:300:101:10:80:0:7,\n-             2a02:ec80:300:102:10:80:1:3,\n-             2a02:ec80:300:101:10:80:0:6,\n-             2a02:ec80:300:102:10:80:1:2,\n-             2620:0:863:101:10:128:0:19,\n-             2620:0:863:102:10:128:1:27,\n-             2620:0:863:101:10:128:0:22,\n-             2620:0:863:102:10:128:1:28,\n-             2620:0:863:101:10:128:0:25,\n-             2620:0:863:102:10:128:1:29,\n-             2620:0:863:101:10:128:0:26,\n-             2620:0:863:102:10:128:1:31,\n-             2620:0:863:101:10:128:0:14,\n-             2620:0:863:102:10:128:1:35,\n-             2620:0:863:101:10:128:0:21,\n-             2620:0:863:102:10:128:1:36,\n-             2620:0:863:101:10:128:0:24,\n-             2620:0:863:102:10:128:1:10,\n-             2620:0:863:101:10:128:0:37,\n-             2620:0:863:102:10:128:1:12,\n-             2001:df2:e500:101:10:132:0:17,\n-             2001:df2:e500:101:10:132:0:18,\n-             2001:df2:e500:101:10:132:0:19,\n-             2001:df2:e500:101:10:132:0:24,\n-             2001:df2:e500:101:10:132:0:29,\n-             2001:df2:e500:101:10:132:0:30,\n-             2001:df2:e500:101:10:132:0:34,\n-             2001:df2:e500:101:10:132:0:35,\n-             2001:df2:e500:101:10:132:0:36,\n-             2001:df2:e500:101:10:132:0:37,\n-             2001:df2:e500:101:10:132:0:38,\n-             2001:df2:e500:101:10:132:0:25,\n-             2001:df2:e500:101:10:132:0:26,\n-             
2001:df2:e500:101:10:132:0:27,\n-             2001:df2:e500:101:10:132:0:28,\n-             2001:df2:e500:101:10:132:0:16,\n-             2a02:ec80:600:101:10:136:0:6,\n-             2a02:ec80:600:102:10:136:1:6,\n-             2a02:ec80:600:101:10:136:0:7,\n-             2a02:ec80:600:102:10:136:1:7,\n-             2a02:ec80:600:101:10:136:0:8,\n-             2a02:ec80:600:102:10:136:1:8,\n-             2a02:ec80:600:101:10:136:0:9,\n-             2a02:ec80:600:102:10:136:1:9,\n-             2a02:ec80:600:101:10:136:0:10,\n-             2a02:ec80:600:102:10:136:1:10,\n-             2a02:ec80:600:101:10:136:0:11,\n-             2a02:ec80:600:102:10:136:1:11,\n-             2a02:ec80:600:101:10:136:0:12,\n-             2a02:ec80:600:102:10:136:1:12,\n-             2a02:ec80:600:101:10:136:0:13,\n-             2a02:ec80:600:102:10:136:1:13,\n-             2a02:ec80:700:101:10:140:0:3,\n-             2a02:ec80:700:102:10:140:1:4,\n-             2a02:ec80:700:101:10:140:0:4,\n-             2a02:ec80:700:102:10:140:1:5,\n-             2a02:ec80:700:101:10:140:0:5,\n-             2a02:ec80:700:102:10:140:1:6,\n-             2a02:ec80:700:101:10:140:0:6,\n-             2a02:ec80:700:102:10:140:1:7,\n-             2a02:ec80:700:101:10:140:0:7,\n-             2a02:ec80:700:102:10:140:1:8,\n-             2a02:ec80:700:101:10:140:0:8,\n-             2a02:ec80:700:102:10:140:1:9,\n-             2a02:ec80:700:101:10:140:0:9,\n-             2a02:ec80:700:102:10:140:1:10,\n-             2a02:ec80:700:101:10:140:0:10,\n-             2a02:ec80:700:102:10:140:1:11\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CACHES_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CACHES_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_front_proxy].orig\n+++ 
File[/etc/cfssl/ssl/mlserve_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set LABSTORE_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 208.80.154.142,\n-             208.80.154.71\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File_line[auto_restart_file_presence_ulogd2]", "parameters": "--- File_line[auto_restart_file_presence_ulogd2].orig\n+++ File_line[auto_restart_file_presence_ulogd2]\n\n+    ensure  => present\n+    path    => /etc/debdeploy-client/autorestarts.conf\n+    require => File[/etc/debdeploy-client/autorestarts.conf]\n+    line    => ulogd2\n"}, {"resource": "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "parameters": "--- Nftables::Set[CLOUD_NETWORKS_PUBLIC].orig\n+++ Nftables::Set[CLOUD_NETWORKS_PUBLIC]\n\n-    ensure => present\n-    hosts  => ['185.15.56.0/25', '185.15.56.160/28', '185.15.57.0/29', '185.15.57.16/29', '185.15.57.24/29', '2a02:ec80:a000:4000::/64', '2a02:ec80:a100:4000::/64']\n"}, {"resource": "Class[Profile::Backup::Host]", "parameters": "--- Class[Profile::Backup::Host].orig\n+++ Class[Profile::Backup::Host]\n\n+    client_version => 9\n+    director_seed  => changeme\n+    days           => ['Sat', 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri']\n+    pool           => productionEqiad\n+    director       => backup1014.eqiad.wmnet\n+    enable         => True\n"}, {"resource": "Cfssl::Cert[wikikube]", "parameters": "--- Cfssl::Cert[wikikube].orig\n+++ 
Cfssl::Cert[wikikube]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => wikikube\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Systemd::Unit[nftables]", "parameters": "--- Systemd::Unit[nftables].orig\n+++ Systemd::Unit[nftables]\n\n-    override          => True\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    unit              => nftables\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Exec[renew certificate - mlserve]", "parameters": "--- Exec[renew certificate - mlserve].orig\n+++ Exec[renew certificate - mlserve]\n\n+    require     => Exec[Generate cert mlserve]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve/mlserve.pem -checkend 952200\n"}, {"resource": "Exec[renew 
certificate - debmonitor]", "parameters": "--- Exec[renew certificate - debmonitor].orig\n+++ Exec[renew certificate - debmonitor]\n\n+    require     => Exec[Generate cert debmonitor]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/debmonitor/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/debmonitor/debmonitor.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft\n@@ -1,14 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_JUMBO_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:109:10:64:130:10,\n-             2620:0:861:10a:10:64:131:16,\n-             2620:0:861:10b:10:64:132:21,\n-             2620:0:861:10d:10:64:134:9,\n-             2620:0:861:10e:10:64:135:16,\n-             2620:0:861:10f:10:64:136:11,\n-             2620:0:861:122:10:64:154:15,\n-             2620:0:861:128:10:64:160:16,\n-             2620:0:861:101:10:64:0:126\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]\n\n-   
 notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/BASTION_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/BASTION_HOSTS_ipv4.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set BASTION_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 208.80.154.7,\n-             208.80.153.110,\n-             185.15.59.99,\n-             198.35.26.104,\n-             103.102.166.103,\n-             185.15.58.6,\n-             195.200.68.99\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[apt_package_from_component_bacula-trixie]", "parameters": "--- Exec[apt_package_from_component_bacula-trixie].orig\n+++ Exec[apt_package_from_component_bacula-trixie]\n\n+    subscribe   => Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n+    refreshonly => True\n+    before      => ['Package[bacula-fd]', 'Package[bacula-common]']\n+    command     => /usr/bin/apt-get update\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-ferm_active].orig\n+++ Rsyslog::Conf[nrpe2nodexp-ferm_active]\n\n+    ensure   => present\n+    priority => 25\n+    mode     => 0444\n"}, {"resource": "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "content": "--- /etc/nftables/sets/NETWORK_INFRA_ipv4.nft.orig\n+++ /etc/nftables/sets/NETWORK_INFRA_ipv4.nft\n@@ -1,19 +0,0 @@\n-# Autogenerated by puppet\n-set NETWORK_INFRA_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 185.15.59.128/27,\n-             198.35.26.128/27,\n-             
208.80.153.192/27,\n-             10.192.255.0/24,\n-             10.192.253.0/24,\n-             208.80.154.192/27,\n-             10.64.146.0/24,\n-             10.64.168.0/24,\n-             10.64.147.0/24,\n-             103.102.166.128/27,\n-             185.15.58.128/27,\n-             195.200.68.128/27\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft].orig\n+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert puppet]", "parameters": "--- Exec[Generate cert puppet].orig\n+++ Exec[Generate cert puppet]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/puppet.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet/puppet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet/puppet-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft.orig\n+++ 
/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft\n@@ -1,13 +0,0 @@\n-# Autogenerated by puppet\n-set SANDBOX_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 103.102.166.72/29,\n-             185.15.59.72/29,\n-             195.200.68.64/29,\n-             198.35.26.240/28,\n-             208.80.152.240/28,\n-             208.80.155.64/28\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem].orig\n+++ File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/cfssl/ssl/kafka/kafka-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/kafka/kafka-key.pem].orig\n+++ File[/etc/cfssl/ssl/kafka/kafka-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_NETWORKS_PUBLIC_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 185.15.56.0/25,\n-             185.15.56.160/28,\n-             185.15.57.0/29,\n-      
       185.15.57.16/29,\n-             185.15.57.24/29\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft\n@@ -1,15 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_MAIN_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:860:106:10:192:5:9,\n-             2620:0:860:112:10:192:22:6,\n-             2620:0:860:103:10:192:32:4,\n-             2620:0:860:104:10:192:48:33,\n-             2620:0:860:104:10:192:48:35,\n-             2620:0:861:101:10:64:0:101,\n-             2620:0:861:102:10:64:16:30,\n-             2620:0:861:103:10:64:32:45,\n-             2620:0:861:107:10:64:48:37,\n-             2620:0:861:120:10:64:152:5\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Prometheus::Node_textfile[check-nft]", "parameters": "--- Prometheus::Node_textfile[check-nft].orig\n+++ Prometheus::Node_textfile[check-nft]\n\n-    run_cmd        => /usr/local/bin/check-nft\n-    extra_packages => []\n-    interval       => *:0/30\n-    ensure         => present\n-    filesource     => puppet:///modules/profile/firewall/check_nftables.py\n-    user           => root\n-    environment    => {}\n"}, {"resource": "File[/etc/ferm/ferm.conf]", "parameters": "--- File[/etc/ferm/ferm.conf].orig\n+++ File[/etc/ferm/ferm.conf]\n\n+    require => Package[ferm]\n+    notify  => 
Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => file\n+    owner   => root\n+    source  => puppet:///modules/ferm/ferm.conf\n"}, {"resource": "Nftables::Set[FRACK_NETWORKS]", "parameters": "--- Nftables::Set[FRACK_NETWORKS].orig\n+++ Nftables::Set[FRACK_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.195.0.0/27', '10.195.0.128/29', '10.195.0.32/27', '10.195.0.64/28', '10.195.0.80/29', '10.195.0.96/27', '10.195.1.0/25', '10.64.40.0/27', '10.64.40.160/27', '10.64.40.192/26', '10.64.40.32/27', '10.64.40.64/27', '10.64.40.96/27', '208.80.152.224/28', '208.80.155.0/27']\n"}, {"resource": "Exec[renew certificate - dse_front_proxy]", "parameters": "--- Exec[renew certificate - dse_front_proxy].orig\n+++ Exec[renew certificate - dse_front_proxy]\n\n+    require     => Exec[Generate cert dse_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]", "parameters": "--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA].orig\n+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]\n\n+    require => ['Package[golang-cfssl]']\n+    mode    => 0550\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "parameters": "--- Exec[systemd daemon-reload for 
prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]\n\n-    refreshonly => True\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft\n@@ -1,15 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_MAIN_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.192.5.9,\n-             10.192.22.6,\n-             10.192.32.4,\n-             10.192.48.33,\n-             10.192.48.35,\n-             10.64.0.101,\n-             10.64.16.30,\n-             10.64.32.45,\n-             10.64.48.37,\n-             10.64.152.5\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "parameters": "--- Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header].orig\n+++ Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]\n\n+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n+    order  => 01\n+    source => puppet:///modules/apt/sources-deb822-header.txt\n"}, {"resource": "Systemd::Service[nftables]", "parameters": "--- Systemd::Service[nftables].orig\n+++ Systemd::Service[nftables]\n\n-    override                 => True\n-    unit_type                => service\n-    restart                  => False\n-    service_params           => {'hasrestart': True, 'restart': 
'/usr/bin/systemctl reload nftables'}\n-    migration_task           => T407130\n-    monitoring_enabled       => False\n-    monitoring_contact_group => admins\n-    ensure                   => present\n-    monitoring_critical      => False\n"}, {"resource": "File[/etc/cfssl/csr/dse.csr]", "content": "--- /etc/cfssl/csr/dse.csr.orig\n+++ /etc/cfssl/csr/dse.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"dse\",\n+  \"hosts\": [\n+    \"dse\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse.csr].orig\n+++ File[/etc/cfssl/csr/dse.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set PROMETHEUS_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:101:10:64:0:82,\n-             2620:0:861:102:10:64:16:62,\n-             2620:0:861:107:10:64:48:171,\n-             2620:0:861:103:10:64:32:85\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    
owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "content": "--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp.orig\n+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp].orig\n+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "Service[ferm]", "parameters": "--- Service[ferm].orig\n+++ Service[ferm]\n\n+    ensure  => running\n+    restart => /bin/systemctl reload-or-restart ferm\n"}, {"resource": "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "content": "--- /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft.orig\n+++ /etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft\n@@ -1,191 +0,0 @@\n-# Autogenerated by puppet\n-set LOAD_BALANCER_HEALTH_CHECKS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.0.136,\n-             10.64.16.60,\n-             10.64.158.19,\n-             10.64.166.19,\n-             10.64.133.19,\n-             10.64.141.19,\n-             10.64.169.19,\n-             10.64.171.19,\n-             10.64.173.19,\n-             10.64.175.19,\n-             10.64.177.19,\n-             10.64.179.19,\n-             10.64.181.19,\n-             10.64.183.19,\n-             10.64.185.19,\n-             10.64.187.19,\n-             10.64.189.19,\n-             10.64.48.72,\n-             
10.64.37.17,\n-             10.64.1.17,\n-             10.64.17.17,\n-             10.64.33.17,\n-             10.64.130.20,\n-             10.64.131.20,\n-             10.64.132.20,\n-             10.64.134.20,\n-             10.64.135.20,\n-             10.64.136.20,\n-             10.64.158.20,\n-             10.64.166.20,\n-             10.64.133.20,\n-             10.64.141.20,\n-             10.64.169.20,\n-             10.64.171.20,\n-             10.64.173.20,\n-             10.64.175.20,\n-             10.64.177.20,\n-             10.64.179.20,\n-             10.64.181.20,\n-             10.64.183.20,\n-             10.64.185.20,\n-             10.64.187.20,\n-             10.64.189.20,\n-             10.192.23.8,\n-             10.192.0.29,\n-             10.192.17.8,\n-             10.192.33.8,\n-             10.192.49.8,\n-             10.192.23.2,\n-             10.192.5.2,\n-             10.192.6.2,\n-             10.192.7.2,\n-             10.192.8.2,\n-             10.192.9.2,\n-             10.192.10.2,\n-             10.192.11.2,\n-             10.192.12.2,\n-             10.192.13.2,\n-             10.192.14.2,\n-             10.192.15.2,\n-             10.192.21.2,\n-             10.192.22.2,\n-             10.192.4.2,\n-             10.192.26.2,\n-             10.192.27.2,\n-             10.192.28.2,\n-             10.192.29.2,\n-             10.192.30.2,\n-             10.192.31.2,\n-             10.192.36.2,\n-             10.192.37.2,\n-             10.192.38.2,\n-             10.192.39.2,\n-             10.192.40.2,\n-             10.192.41.2,\n-             10.192.42.2,\n-             10.192.43.2,\n-             10.192.11.8,\n-             10.192.16.140,\n-             10.192.1.8,\n-             10.192.33.9,\n-             10.192.49.9,\n-             10.192.23.3,\n-             10.192.5.3,\n-             10.192.6.3,\n-             10.192.7.3,\n-             10.192.8.3,\n-             10.192.9.3,\n-             10.192.10.3,\n-             
10.192.11.3,\n-             10.192.12.3,\n-             10.192.13.3,\n-             10.192.14.3,\n-             10.192.15.3,\n-             10.192.21.3,\n-             10.192.22.3,\n-             10.192.4.3,\n-             10.192.26.3,\n-             10.192.27.3,\n-             10.192.28.3,\n-             10.192.29.3,\n-             10.192.30.3,\n-             10.192.31.3,\n-             10.192.36.3,\n-             10.192.37.3,\n-             10.192.38.3,\n-             10.192.39.4,\n-             10.192.40.3,\n-             10.192.41.3,\n-             10.192.42.3,\n-             10.192.43.3,\n-             10.192.32.14,\n-             10.192.1.9,\n-             10.192.17.9,\n-             10.192.49.10,\n-             10.192.23.4,\n-             10.192.5.4,\n-             10.192.6.4,\n-             10.192.7.4,\n-             10.192.8.4,\n-             10.192.9.4,\n-             10.192.10.4,\n-             10.192.11.4,\n-             10.192.12.4,\n-             10.192.13.4,\n-             10.192.14.4,\n-             10.192.15.4,\n-             10.192.21.4,\n-             10.192.22.4,\n-             10.192.4.5,\n-             10.192.26.5,\n-             10.192.27.5,\n-             10.192.28.5,\n-             10.192.29.5,\n-             10.192.30.5,\n-             10.192.31.5,\n-             10.192.36.5,\n-             10.192.37.5,\n-             10.192.38.5,\n-             10.192.39.6,\n-             10.192.40.5,\n-             10.192.41.5,\n-             10.192.42.5,\n-             10.192.43.5,\n-             10.192.48.213,\n-             10.192.1.13,\n-             10.192.17.10,\n-             10.192.33.10,\n-             10.192.23.5,\n-             10.192.5.8,\n-             10.192.6.5,\n-             10.192.7.5,\n-             10.192.8.5,\n-             10.192.9.5,\n-             10.192.10.5,\n-             10.192.11.5,\n-             10.192.12.5,\n-             10.192.13.5,\n-             10.192.14.5,\n-             10.192.15.5,\n-             10.192.21.5,\n-    
         10.192.22.5,\n-             10.80.0.3,\n-             10.80.1.8,\n-             10.80.1.14,\n-             10.80.0.9,\n-             10.80.0.2,\n-             10.80.1.10,\n-             10.128.1.18,\n-             10.128.0.9,\n-             10.128.1.11,\n-             10.132.0.39,\n-             10.132.0.6,\n-             10.132.0.7,\n-             10.136.0.16,\n-             10.136.1.19,\n-             10.136.1.15,\n-             10.136.0.19,\n-             10.136.0.17,\n-             10.136.1.20,\n-             10.140.0.13,\n-             10.140.1.2,\n-             10.140.1.14,\n-             10.140.0.2,\n-             10.140.0.14,\n-             10.140.1.3\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Nrpe::Check[check_ferm_active]", "parameters": "--- Nrpe::Check[check_ferm_active].orig\n+++ Nrpe::Check[check_ferm_active]\n\n+    ensure    => present\n+    before    => Monitoring::Service[ferm_active]\n+    command   => /usr/local/lib/nagios/plugins/check_ferm\n+    sudo_user => root\n"}, {"resource": "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "parameters": "--- Nftables::Set[ZOOKEEPER_HOSTS_MAIN].orig\n+++ Nftables::Set[ZOOKEEPER_HOSTS_MAIN]\n\n-    ensure => present\n-    hosts  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']\n"}, {"resource": "File[/etc/systemd/system/ferm.service.d]", "parameters": "--- File[/etc/systemd/system/ferm.service.d].orig\n+++ File[/etc/systemd/system/ferm.service.d]\n\n+    ensure => directory\n+    mode   => 
0555\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[unmask_nftables.service]", "parameters": "--- Exec[unmask_nftables.service].orig\n+++ Exec[unmask_nftables.service]\n\n-    refreshonly => False\n-    onlyif      => /bin/readlink -f /etc/systemd/system/nftables.service | grep -q /dev/null\n-    command     => /bin/systemctl unmask nftables.service\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_ulogd2.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_ulogd2.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Auto restart job: ulogd2\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/wmf-auto-restart -s ulogd2", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_ulogd2.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]\n\n+    notify => Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/LABS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/LABS_NETWORKS_ipv4.nft\n@@ -1,27 +0,0 @@\n-# Autogenerated by puppet\n-set LABS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 172.16.0.0/21,\n-             172.16.128.0/24,\n-             172.16.129.0/24,\n-             172.16.130.0/24,\n-             172.16.131.0/24,\n-             172.16.16.0/21,\n-             172.16.24.0/24,\n-             172.16.8.0/21,\n-             172.20.1.0/24,\n-             172.20.2.0/24,\n-             172.20.254.0/24,\n-             172.20.255.0/24,\n-             172.20.3.0/24,\n-             172.20.4.0/24,\n-             172.20.5.0/24,\n-             185.15.56.0/25,\n-             
185.15.56.160/28,\n-             185.15.57.0/29,\n-             185.15.57.16/29,\n-             185.15.57.24/29\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/network_devices.csr]", "content": "--- /etc/cfssl/csr/network_devices.csr.orig\n+++ /etc/cfssl/csr/network_devices.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"network_devices\",\n+  \"hosts\": [\n+    \"network_devices\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/network_devices.csr].orig\n+++ File[/etc/cfssl/csr/network_devices.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Motd::Message[insetup::infrastructure_foundations_nftables]", "parameters": "--- Motd::Message[insetup::infrastructure_foundations_nftables].orig\n+++ Motd::Message[insetup::infrastructure_foundations_nftables]\n\n-    ensure   => present\n-    message  => pki-root1002 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)\n-    priority => 5\n"}, {"resource": "Nftables::Set[MYSQL_ROOT_CLIENTS]", "parameters": "--- Nftables::Set[MYSQL_ROOT_CLIENTS].orig\n+++ Nftables::Set[MYSQL_ROOT_CLIENTS]\n\n-    ensure => present\n-    hosts  => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.154.9', '10.64.0.20']\n"}, {"resource": "Exec[renew certificate - wikikube_staging_front_proxy]", "parameters": "--- Exec[renew certificate - 
wikikube_staging_front_proxy].orig\n+++ Exec[renew certificate - wikikube_staging_front_proxy]\n\n+    require     => Exec[Generate cert wikikube_staging_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem -checkend 952200\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Apt::Package_from_component[bacula-trixie]", "parameters": "--- Apt::Package_from_component[bacula-trixie].orig\n+++ Apt::Package_from_component[bacula-trixie]\n\n+    distro          => trixie-wikimedia\n+    priority        => 1001\n+    uri             => http://apt.wikimedia.org/wikimedia\n+    ensure          => present\n+    packages        => ['bacula-fd', 'bacula-common']\n+    component       => component/bacula9\n+    ensure_packages => True\n"}, {"resource": "File[/etc/cfssl/ssl/syslog/syslog.csr]", "parameters": "--- File[/etc/cfssl/ssl/syslog/syslog.csr].orig\n+++ File[/etc/cfssl/ssl/syslog/syslog.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]\n\n+    ensure      => present\n+    common_name => Wikimedia_Internal_Root_CA\n+    names       => [{'organisation': 'Wikimedia Foundation, 
Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Exec[Generate cert zuul]", "parameters": "--- Exec[Generate cert zuul].orig\n+++ Exec[Generate cert zuul]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/zuul.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul/zuul.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/zuul/zuul-key.pem 2>&1)\"\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]\n\n+    ensure      => present\n+    common_name => discovery2026\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Exec[Generate cert etcd refresh]", "parameters": "--- Exec[Generate cert etcd refresh].orig\n+++ Exec[Generate cert etcd refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/etcd.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd\n\n"}, {"resource": "File[/etc/cfssl/ssl/dse]", "parameters": "--- File[/etc/cfssl/ssl/dse].orig\n+++ File[/etc/cfssl/ssl/dse]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Cfssl::Cert[cloud_wmnet_ca]", "parameters": "--- Cfssl::Cert[cloud_wmnet_ca].orig\n+++ Cfssl::Cert[cloud_wmnet_ca]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => cloud_wmnet_ca\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/bacula/bacula-fd.conf]", "content": "--- /etc/bacula/bacula-fd.conf.orig\n+++ /etc/bacula/bacula-fd.conf\n@@ -0,0 +1,47 @@\n+# This file has been autogenerated by puppet. 
Don't edit by hand\n+\n+# The directors allowed to connect to us\n+Director {\n+    Name = \"backup1014.eqiad.wmnet\"\n+    Password = \"oNZaIQDn8JhLclLcIISdelhD8xIolFuV\"\n+    # Have the Control channel encrypted\n+    TLS Enable = yes\n+    TLS Require = yes\n+    TLS CA Certificate File = \"/etc/ssl/certs/wmf-ca-certificates.crt\"\n+    TLS Verify Peer = yes\n+    TLS Certificate = \"/etc/bacula/ssl/cert.pem\"\n+    TLS Key = \"/etc/bacula/ssl/server.key\"\n+}\n+\n+#\n+# \"Global\" File daemon configuration specifications\n+#\n+FileDaemon {\n+    Name = \"pki-root1002.eqiad.wmnet-fd\"\n+    FDport = 9102\n+    WorkingDirectory = /var/lib/bacula\n+    Pid Directory = /var/run/bacula\n+    Maximum Concurrent Jobs = 1\n+    Plugin Directory = \"/usr/lib/bacula\"\n+    # Have all data stored encrypted\n+    PKI Encryption = Yes\n+    PKI Signatures = Yes\n+    PKI Keypair = \"/etc/bacula/ssl/server-keypair.pem\"\n+    PKI Master Key = \"/var/lib/puppet/ssl/certs/ca.pem\"\n+    # Do enable Data channel encryption.\n+    TLS Enable = yes\n+    TLS Require = yes\n+    TLS Certificate = \"/etc/bacula/ssl/cert.pem\"\n+    TLS Key = \"/etc/bacula/ssl/server.key\"\n+    TLS CA Certificate File = \"/etc/ssl/certs/wmf-ca-certificates.crt\"\n+    # Heartbeat inverval = 0 # in secs\n+    # FDAddresses = # For director connections\n+    # FDSourceAddress = # For connecting to SD\n+    # Maximum Bandwidth Per Job =\n+}\n+\n+# Send all messages except skipped files back to Director\n+Messages {\n+    Name = Standard\n+    director = \"backup1014.eqiad.wmnet\" = all, !skipped, !restored\n+}", "parameters": "--- File[/etc/bacula/bacula-fd.conf].orig\n+++ File[/etc/bacula/bacula-fd.conf]\n\n+    require => ['Package[bacula-fd]']\n+    notify  => Service[bacula-fd]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]", "parameters": "--- 
File[/etc/cfssl/ssl/mlserve/mlserve-key.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[DSE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[DSE_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.67.24.0/21', '2620:0:861:302::/64', '10.192.96.0/21', '2620:0:860:308::/64']\n"}, {"resource": "Class[Profile::Pki::Root_ca]", "parameters": "--- Class[Profile::Pki::Root_ca].orig\n+++ Class[Profile::Pki::Root_ca]\n\n+    vhost             => pki.discovery.wmnet\n+    bootstrap         => False\n+    key_params        => {'algo': 'ecdsa', 'size': 521}\n+    common_name       => Wikimedia_Internal_Root_CA\n+    profiles          => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}\n+    db_host           => m1-master.eqiad.wmnet\n+    rsa_intermediates => ['puppet_rsa']\n+    intermediates     => ['debmonitor', 'discovery2026', 'kafka', 'cloud_wmnet_ca', 'etcd', 'wikikube', 'wikikube_front_proxy', 'wikikube_staging', 'wikikube_staging_front_proxy', 'mlserve', 'mlserve_front_proxy', 'mlserve_staging', 'mlserve_staging_front_proxy', 'aux', 'aux_front_proxy', 'dse', 'dse_front_proxy', 'cassandra', 'puppet', 'network_devices', 'syslog', 'zuul']\n+    auth_keys         => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}\n+    db_driver         => mysql\n+    db_name           => pki\n+    names             => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    db_pass           => changeme\n+    db_user           => pki\n"}, {"resource": 
"File[/etc/cfssl/ssl/syslog/syslog-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/syslog/syslog-key.pem].orig\n+++ File[/etc/cfssl/ssl/syslog/syslog-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/LABS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/LABS_NETWORKS_ipv6.nft\n@@ -1,20 +0,0 @@\n-# Autogenerated by puppet\n-set LABS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2a02:ec80:a000:100::/64,\n-             2a02:ec80:a000:1::/64,\n-             2a02:ec80:a000:201::/64,\n-             2a02:ec80:a000:202::/64,\n-             2a02:ec80:a000:203::/64,\n-             2a02:ec80:a000:204::/64,\n-             2a02:ec80:a000:2ff::/64,\n-             2a02:ec80:a000:4000::/64,\n-             2a02:ec80:a100:100::/64,\n-             2a02:ec80:a100:1::/64,\n-             2a02:ec80:a100:205::/64,\n-             2a02:ec80:a100:2ff::/64,\n-             2a02:ec80:a100:4000::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/ferm/conf.d/02_main]", "parameters": "--- File[/etc/ferm/conf.d/02_main].orig\n+++ File[/etc/ferm/conf.d/02_main]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    owner   => root\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    source  => puppet:///modules/base/firewall/main-input-default-drop.conf\n"}, {"resource": "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "content": "--- /etc/logrotate.d/prometheus-node-textfile-check-nft.orig\n+++ 
/etc/logrotate.d/prometheus-node-textfile-check-nft\n@@ -1,12 +0,0 @@\n-# logrotate(8) config for prometheus-node-textfile-check-nft\n-\n-/var/log/prometheus-node-textfile-check-nft/*.log {\n-    daily\n-    copytruncate\n-    missingok\n-    compress\n-    delaycompress\n-    notifempty\n-    rotate 15\n-    size 256M\n-}", "parameters": "--- File[/etc/logrotate.d/prometheus-node-textfile-check-nft].orig\n+++ File[/etc/logrotate.d/prometheus-node-textfile-check-nft]\n\n-    ensure => present\n-    mode   => 0444\n-    owner  => root\n-    group  => root\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-ferm_active]\n\n+    user                      => nagios\n+    send_mail_only_on_error   => True\n+    logging_enabled           => False\n+    syslog_match_startswith   => True\n+    logfile_basedir           => /var/log\n+    logfile_perms             => all\n+    ensure                    => present\n+    send_mail                 => False\n+    splay                     => 600\n+    logfile_group             => root\n+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"bba0a2572329bb500b832470e08b381c\" --timeout 10 --check-command \"check_ferm_active\"\n+    private_tmp               => False\n+    fixed_random_delay        => True\n+    ignore_errors             => True\n+    syslog_identifier         => nrpe2nodexp-ferm_active\n+    syslog_force_stop         => True\n+    logfile_name              => syslog.log\n+    description               => execution of nrpe2nodexp for the check_ferm_active command.\n+    monitoring_enabled        => False\n+    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}]\n+    monitoring_contact_groups => admins\n+    group                     => 
prometheus-node-exporter\n+    environment               => {}\n+    send_mail_to              => root@pki-root1002.eqiad.wmnet\n+    success_exit_status       => []\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[Generate cert debmonitor refresh]", "parameters": "--- Exec[Generate cert debmonitor refresh].orig\n+++ Exec[Generate cert debmonitor refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/debmonitor.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor\n\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/systemd/system/nftables.service.d]", "parameters": "--- File[/etc/systemd/system/nftables.service.d].orig\n+++ File[/etc/systemd/system/nftables.service.d]\n\n-    ensure => directory\n-    mode   => 0555\n-    owner  => root\n-    group  => root\n"}, {"resource": "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "parameters": "--- Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS].orig\n+++ Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]\n\n-    ensure => present\n-    hosts  => ['10.64.0.136', 
'10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', '2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', 
'10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', '10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.1.18', '10.128.0.9', '10.128.1.11', '2620:0:863:101::/64', '2620:0:863:102::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- 
/var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"pki::root\",cluster=\"pki\"} 1.0"}, {"resource": "Exec[Generate cert network_devices refresh]", "parameters": "--- Exec[Generate cert network_devices refresh].orig\n+++ Exec[Generate cert network_devices refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/network_devices.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices\n\n"}, {"resource": "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,8 +0,0 @@\n-# Autogenerated by puppet\n-set MLSTAGE_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.194.61.0/24\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/input]", "parameters": "--- File[/etc/nftables/input].orig\n+++ File[/etc/nftables/input]\n\n-  
  recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "File[/etc/cfssl/csr/puppet_rsa.csr]", "content": "--- /etc/cfssl/csr/puppet_rsa.csr.orig\n+++ /etc/cfssl/csr/puppet_rsa.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"puppet_rsa\",\n+  \"hosts\": [\n+    \"puppet_rsa\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"rsa\",\n+    \"size\": 4096\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/puppet_rsa.csr].orig\n+++ File[/etc/cfssl/csr/puppet_rsa.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[AUX_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[AUX_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.67.80.0/21', '2620:0:861:305::/64', '10.194.80.0/21', '2620:0:860:305::/64']\n"}, {"resource": "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "content": "--- /etc/nftables/sets/INTERNAL_ipv4.nft.orig\n+++ /etc/nftables/sets/INTERNAL_ipv4.nft\n@@ -1,8 +0,0 @@\n-# Autogenerated by puppet\n-set INTERNAL_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.0.0.0/8\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/INTERNAL_ipv4.nft].orig\n+++ File[/etc/nftables/sets/INTERNAL_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/etcd/etcd.csr]", "parameters": "--- File[/etc/cfssl/ssl/etcd/etcd.csr].orig\n+++ File[/etc/cfssl/ssl/etcd/etcd.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": 
"Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Timer::Job[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Timer::Job[prometheus-node-textfile-check-nft]\n\n-    user                      => root\n-    send_mail_only_on_error   => True\n-    logging_enabled           => True\n-    syslog_match_startswith   => True\n-    logfile_basedir           => /var/log\n-    logfile_perms             => all\n-    ensure                    => present\n-    send_mail                 => False\n-    logfile_group             => root\n-    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n-    command                   => /usr/local/bin/check-nft\n-    private_tmp               => False\n-    fixed_random_delay        => False\n-    syslog_force_stop         => True\n-    ignore_errors             => False\n-    logfile_name              => syslog.log\n-    description               => Systemd timer to gather node metrics for check-nft\n-    monitoring_enabled        => False\n-    interval                  => {'start': 'OnCalendar', 'interval': '*:0/30'}\n-    monitoring_contact_groups => admins\n-    environment               => {}\n-    send_mail_to              => root@pki-root1002.eqiad.wmnet\n-    success_exit_status       => []\n"}, {"resource": "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,8 +0,0 @@\n-# Autogenerated by puppet\n-set MLSTAGE_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:860:302::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-  
  tag    => nft\n-    owner  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => dse_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "content": "--- /etc/nftables/sets/NETWORK_INFRA_ipv6.nft.orig\n+++ /etc/nftables/sets/NETWORK_INFRA_ipv6.nft\n@@ -1,18 +0,0 @@\n-# Autogenerated by puppet\n-set NETWORK_INFRA_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2a02:ec80:300:fe00::/55,\n-             2620:0:863:fe00::/55,\n-             2620:0:860:fe00::/55,\n-             2620:0:860:13f::/64,\n-             2620:0:860:139::/64,\n-             2620:0:861:fe00::/55,\n-             2620:0:861:11b::/128,\n-             2620:0:861:130::/64,\n-             2001:df2:e500:fe00::/55,\n-             2a02:ec80:600:fe00::/55,\n-             2a02:ec80:700:fe00::/55\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft].orig\n+++ File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[puppet]", "parameters": "--- Cfssl::Cert[puppet].orig\n+++ Cfssl::Cert[puppet]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => puppet\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure     
     => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => aux_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Exec[renew certificate - etcd]", "parameters": "--- Exec[renew certificate - etcd].orig\n+++ Exec[renew certificate - etcd]\n\n+    require     => Exec[Generate cert etcd]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/etcd/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/etcd/etcd.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/ssl/dse/dse.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse/dse.pem].orig\n+++ File[/etc/cfssl/ssl/dse/dse.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, 
{"resource": "Exec[update_alternative_ip6tables]", "parameters": "--- Exec[update_alternative_ip6tables].orig\n+++ Exec[update_alternative_ip6tables]\n\n+    command => /usr/bin/update-alternatives --force --set ip6tables /usr/sbin/ip6tables-legacy\n+    unless  => /usr/bin/update-alternatives --query ip6tables | /bin/grep 'Value: /usr/sbin/ip6tables-legacy'\n"}, {"resource": "Nftables::Set[PRODUCTION_NETWORKS]", "parameters": "--- Nftables::Set[PRODUCTION_NETWORKS].orig\n+++ Nftables::Set[PRODUCTION_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', 
'10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', '10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', 
'2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', 
'2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', '2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']\n"}, {"resource": 
"File[/etc/cfssl/ssl/etcd/etcd.pem]", "parameters": "--- File[/etc/cfssl/ssl/etcd/etcd.pem].orig\n+++ File[/etc/cfssl/ssl/etcd/etcd.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/aux]", "parameters": "--- File[/etc/cfssl/ssl/aux].orig\n+++ File[/etc/cfssl/ssl/aux]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[systemd daemon-reload for nftables.service (nftables)]", "parameters": "--- Exec[systemd daemon-reload for nftables.service (nftables)].orig\n+++ Exec[systemd daemon-reload for nftables.service (nftables)]\n\n-    refreshonly => True\n-    before      => ['Service[nftables]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert etcd]", "parameters": "--- Exec[Generate cert etcd].orig\n+++ Exec[Generate cert etcd]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/etcd.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/etcd.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/etcd/etcd\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/etcd/etcd.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/etcd/etcd-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/ssl/etcd]", "parameters": "--- File[/etc/cfssl/ssl/etcd].orig\n+++ File[/etc/cfssl/ssl/etcd]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]", "parameters": "--- 
File[/etc/cfssl/ssl/debmonitor/debmonitor.csr].orig\n+++ File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft\n@@ -1,99 +0,0 @@\n-# Autogenerated by puppet\n-set MW_APPSERVER_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:101::/64,\n-             2620:0:861:102::/64,\n-             2620:0:861:103::/64,\n-             2620:0:861:107::/64,\n-             2620:0:861:109::/64,\n-             2620:0:861:10a::/64,\n-             2620:0:861:10b::/64,\n-             2620:0:861:10c::/64,\n-             2620:0:861:10d::/64,\n-             2620:0:861:10e::/64,\n-             2620:0:861:10f::/64,\n-             2620:0:861:113::/64,\n-             2620:0:861:119::/64,\n-             2620:0:861:120::/64,\n-             2620:0:861:122::/64,\n-             2620:0:861:124::/64,\n-             2620:0:861:126::/64,\n-             2620:0:861:128::/64,\n-             2620:0:861:12a::/64,\n-             2620:0:861:12c::/64,\n-             2620:0:861:12e::/64,\n-             2620:0:861:131::/64,\n-             2620:0:861:133::/64,\n-             2620:0:861:135::/64,\n-             2620:0:861:137::/64,\n-             2620:0:861:139::/64,\n-             2620:0:861:13b::/64,\n-             2620:0:861:13d::/64,\n-             
2620:0:861:13f::/64,\n-             2620:0:861:142::/64,\n-             2620:0:861:144::/64,\n-             2620:0:860:100::/64,\n-             2620:0:860:101::/64,\n-             2620:0:860:102::/64,\n-             2620:0:860:103::/64,\n-             2620:0:860:104::/64,\n-             2620:0:860:105::/64,\n-             2620:0:860:106::/64,\n-             2620:0:860:107::/64,\n-             2620:0:860:108::/64,\n-             2620:0:860:109::/64,\n-             2620:0:860:10a::/64,\n-             2620:0:860:10b::/64,\n-             2620:0:860:10c::/64,\n-             2620:0:860:10d::/64,\n-             2620:0:860:10e::/64,\n-             2620:0:860:10f::/64,\n-             2620:0:860:110::/64,\n-             2620:0:860:111::/64,\n-             2620:0:860:112::/64,\n-             2620:0:860:113::/64,\n-             2620:0:860:114::/64,\n-             2620:0:860:115::/64,\n-             2620:0:860:116::/64,\n-             2620:0:860:119::/64,\n-             2620:0:860:11a::/64,\n-             2620:0:860:11b::/64,\n-             2620:0:860:11c::/64,\n-             2620:0:860:11d::/64,\n-             2620:0:860:11e::/64,\n-             2620:0:860:11f::/64,\n-             2620:0:860:120::/64,\n-             2620:0:860:121::/64,\n-             2620:0:860:122::/64,\n-             2620:0:860:123::/64,\n-             2620:0:860:124::/64,\n-             2620:0:860:125::/64,\n-             2620:0:860:126::/64,\n-             2620:0:860:127::/64,\n-             2620:0:860:12b::/64,\n-             2620:0:860:12c::/64,\n-             2620:0:860:12d::/64,\n-             2620:0:860:12e::/64,\n-             2620:0:860:300::/64,\n-             2620:0:860:302::/64,\n-             2620:0:860:305::/64,\n-             2620:0:860:308::/64,\n-             2620:0:860:babe::/64,\n-             2620:0:860:cabe::/64,\n-             2620:0:861:300::/64,\n-             2620:0:861:302::/64,\n-             2620:0:861:305::/64,\n-             2620:0:861:babe::/64,\n-             
2620:0:861:cabe::/64,\n-             2620:0:861:1::/64,\n-             2620:0:861:2::/64,\n-             2620:0:861:3::/64,\n-             2620:0:861:4::/64,\n-             2620:0:860:1::/64,\n-             2620:0:860:2::/64,\n-             2620:0:860:3::/64,\n-             2620:0:860:4::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 
'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 
'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 
'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']\n"}, {"resource": "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set DSE_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.67.24.0/21,\n-             10.192.96.0/21\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set WIKIKUBE_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.67.128.0/17,\n-             10.194.128.0/17\n-    }\n-}", "parameters": "--- 
File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "parameters": "--- Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula].orig\n+++ Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]\n\n+    outfile     => /etc/bacula/ssl/server.p12\n+    group       => bacula\n+    private_key => /var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem\n+    certfile    => /var/lib/puppet/ssl/certs/ca.pem\n+    ensure      => absent\n+    public_key  => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem\n+    owner       => bacula\n"}, {"resource": "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set STAGING_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.64.64.0/21,\n-             10.192.64.0/21\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "content": "--- /etc/cfssl/csr/cloud_wmnet_ca.csr.orig\n+++ /etc/cfssl/csr/cloud_wmnet_ca.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"cloud_wmnet_ca\",\n+  \"hosts\": [\n+    \"cloud_wmnet_ca\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San 
Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/cloud_wmnet_ca.csr].orig\n+++ File[/etc/cfssl/csr/cloud_wmnet_ca.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => wikikube_staging_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Service[nrpe2nodexp-ferm_active.timer]", "parameters": "--- Service[nrpe2nodexp-ferm_active.timer].orig\n+++ Service[nrpe2nodexp-ferm_active.timer]\n\n+    ensure   => running\n+    provider => systemd\n+    enable   => True\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]\n\n+    ensure      => present\n+    common_name => puppet_rsa\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'rsa', 'size': 4096}\n+    hosts       => []\n"}, {"resource": "Exec[Generate cert debmonitor]", "parameters": "--- Exec[Generate cert debmonitor].orig\n+++ Exec[Generate cert debmonitor]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert 
-ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/debmonitor.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/debmonitor/debmonitor\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/debmonitor/debmonitor.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/debmonitor/debmonitor-key.pem 2>&1)\"\n\n"}, {"resource": "Cfssl::Cert[zuul]", "parameters": "--- Cfssl::Cert[zuul].orig\n+++ Cfssl::Cert[zuul]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => zuul\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Nftables::Set[BASTION_HOSTS]", "parameters": "--- Nftables::Set[BASTION_HOSTS].orig\n+++ Nftables::Set[BASTION_HOSTS]\n\n-    ensure => present\n-    hosts  => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', 
'195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n"}, {"resource": "Nftables::Set[DOMAIN_NETWORKS]", "parameters": "--- Nftables::Set[DOMAIN_NETWORKS].orig\n+++ Nftables::Set[DOMAIN_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.128.0.0/24', '10.128.1.0/24', '10.128.2.0/24', '10.132.0.0/24', '10.132.2.0/24', '10.136.0.0/24', '10.136.1.0/24', '10.140.0.0/24', '10.140.1.0/24', '10.140.2.0/24', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.20.0/24', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.24.0/23', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.64.0/21', '10.192.7.0/24', '10.192.72.0/24', '10.192.76.0/24', '10.192.8.0/24', '10.192.80.0/20', '10.192.9.0/24', '10.192.96.0/21', '10.194.0.0/20', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.62.0/23', '10.194.64.0/20', '10.194.80.0/21', '10.2.1.0/24', '10.2.2.0/24', '10.2.3.0/24', '10.2.4.0/24', '10.2.5.0/24', '10.2.6.0/24', '10.2.7.0/24', '10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', '10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.141.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.148.0/24', '10.64.149.0/24', '10.64.150.0/24', '10.64.151.0/24', '10.64.152.0/24', '10.64.153.0/24', '10.64.154.0/24', '10.64.155.0/24', '10.64.156.0/24', '10.64.157.0/24', 
'10.64.158.0/24', '10.64.159.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.161.0/24', '10.64.162.0/24', '10.64.163.0/24', '10.64.164.0/24', '10.64.165.0/24', '10.64.166.0/24', '10.64.167.0/24', '10.64.169.0/24', '10.64.170.0/24', '10.64.171.0/24', '10.64.172.0/24', '10.64.173.0/24', '10.64.174.0/24', '10.64.175.0/24', '10.64.176.0/24', '10.64.177.0/24', '10.64.178.0/24', '10.64.179.0/24', '10.64.180.0/24', '10.64.181.0/24', '10.64.182.0/24', '10.64.183.0/24', '10.64.184.0/24', '10.64.185.0/24', '10.64.186.0/24', '10.64.187.0/24', '10.64.188.0/24', '10.64.189.0/24', '10.64.190.0/24', '10.64.20.0/24', '10.64.21.0/24', '10.64.24.0/23', '10.64.32.0/22', '10.64.36.0/24', '10.64.48.0/22', '10.64.5.0/24', '10.64.53.0/24', '10.64.64.0/21', '10.64.72.0/24', '10.64.76.0/24', '10.67.0.0/20', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.32.0/20', '10.67.64.0/20', '10.67.80.0/21', '10.80.0.0/24', '10.80.1.0/24', '10.80.2.0/24', '103.102.166.0/28', '103.102.166.224/27', '103.102.166.96/27', '185.15.58.0/27', '185.15.58.224/27', '185.15.58.32/27', '185.15.59.0/27', '185.15.59.224/27', '185.15.59.32/27', '185.15.59.96/27', '195.200.68.0/27', '195.200.68.224/27', '195.200.68.32/27', '195.200.68.96/27', '198.35.26.0/27', '198.35.26.32/27', '198.35.26.96/27', '198.35.26.96/27', '2001:df2:e500:101::/64', '2001:df2:e500:103::/64', '2001:df2:e500:1::/64', '2001:df2:e500:3::/64', '2001:df2:e500:ed1a::/64', '208.80.152.128/27', '208.80.153.0/27', '208.80.153.224/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.224/27', '208.80.154.64/26', '208.80.155.96/27', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', 
'2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:118::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '2620:0:860:140::/64', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:300::/64', '2620:0:860:301::/64', '2620:0:860:302::/64', '2620:0:860:303::/64', '2620:0:860:304::/64', '2620:0:860:305::/64', '2620:0:860:307::/64', '2620:0:860:308::/64', '2620:0:860:3::/64', '2620:0:860:4::/64', '2620:0:860:5::/64', '2620:0:860:babe::/64', '2620:0:860:babf::/64', '2620:0:860:cabe::/64', '2620:0:860:cabf::/64', '2620:0:860:ed1a::/64', '2620:0:861:100::/64', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:107::/64', '2620:0:861:108::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:113::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:118::/64', '2620:0:861:119::/64', '2620:0:861:11a::/64', '2620:0:861:11c::/64', '2620:0:861:11d::/64', '2620:0:861:11e::/64', '2620:0:861:11f::/64', '2620:0:861:120::/64', '2620:0:861:121::/64', '2620:0:861:122::/64', '2620:0:861:123::/64', '2620:0:861:124::/64', '2620:0:861:125::/64', '2620:0:861:126::/64', '2620:0:861:127::/64', '2620:0:861:128::/64', 
'2620:0:861:129::/64', '2620:0:861:12a::/64', '2620:0:861:12b::/64', '2620:0:861:12c::/64', '2620:0:861:12d::/64', '2620:0:861:12e::/64', '2620:0:861:12f::/64', '2620:0:861:131::/64', '2620:0:861:132::/64', '2620:0:861:133::/64', '2620:0:861:134::/64', '2620:0:861:135::/64', '2620:0:861:136::/64', '2620:0:861:137::/64', '2620:0:861:138::/64', '2620:0:861:139::/64', '2620:0:861:13a::/64', '2620:0:861:13b::/64', '2620:0:861:13c::/64', '2620:0:861:13d::/64', '2620:0:861:13e::/64', '2620:0:861:13f::/64', '2620:0:861:140::/64', '2620:0:861:141::/64', '2620:0:861:142::/64', '2620:0:861:143::/64', '2620:0:861:144::/64', '2620:0:861:145::/64', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:300::/64', '2620:0:861:301::/116', '2620:0:861:302::/64', '2620:0:861:303::/116', '2620:0:861:304::/116', '2620:0:861:305::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '2620:0:861:babe::/64', '2620:0:861:babf::/116', '2620:0:861:cabe::/64', '2620:0:861:cabf::/116', '2620:0:861:ed1a::/64', '2620:0:863:101::/64', '2620:0:863:102::/64', '2620:0:863:103::/64', '2620:0:863:1::/64', '2620:0:863:2::/64', '2620:0:863:3::/64', '2620:0:863:ed1a::/64', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '2a02:ec80:300:103::/64', '2a02:ec80:300:1::/64', '2a02:ec80:300:2::/64', '2a02:ec80:300:3::/64', '2a02:ec80:300:ed1a::/64', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '2a02:ec80:600:1::/64', '2a02:ec80:600:2::/64', '2a02:ec80:600:ed1a::/64', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64', '2a02:ec80:700:103::/64', '2a02:ec80:700:1::/64', '2a02:ec80:700:2::/64', '2a02:ec80:700:3::/64', '2a02:ec80:700:ed1a::/64']\n"}, {"resource": "File[/etc/cfssl/ssl/zuul/zuul-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/zuul/zuul-key.pem].orig\n+++ File[/etc/cfssl/ssl/zuul/zuul-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/cfssl/ssl/cassandra]", 
"parameters": "--- File[/etc/cfssl/ssl/cassandra].orig\n+++ File[/etc/cfssl/ssl/cassandra]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/update-motd.d/05-pki--root]", "content": "--- /etc/update-motd.d/05-pki--root.orig\n+++ /etc/update-motd.d/05-pki--root\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"pki-root1002 is a PKI RootCA (pki::root)\"", "parameters": "--- File[/etc/update-motd.d/05-pki--root].orig\n+++ File[/etc/update-motd.d/05-pki--root]\n\n+    ensure => present\n+    owner  => root\n+    mode   => 0555\n+    group  => root\n"}, {"resource": "Exec[renew certificate - mlserve_staging_front_proxy]", "parameters": "--- Exec[renew certificate - mlserve_staging_front_proxy].orig\n+++ Exec[renew certificate - mlserve_staging_front_proxy]\n\n+    require     => Exec[Generate cert mlserve_staging_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem -checkend 952200\n"}, {"resource": "Nftables::Set[ANALYTICS_NETWORKS]", "parameters": "--- Nftables::Set[ANALYTICS_NETWORKS].orig\n+++ Nftables::Set[ANALYTICS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.64.137.0/24', '10.64.138.0/24', '10.64.139.0/24', '10.64.140.0/24', '10.64.142.0/24', '10.64.143.0/24', '10.64.144.0/24', '10.64.145.0/24', '10.64.153.0/24', '10.64.155.0/24', 
'10.64.157.0/24', '10.64.159.0/24', '10.64.161.0/24', '10.64.163.0/24', '10.64.165.0/24', '10.64.167.0/24', '10.64.170.0/24', '10.64.172.0/24', '10.64.174.0/24', '10.64.176.0/24', '10.64.178.0/24', '10.64.180.0/24', '10.64.182.0/24', '10.64.184.0/24', '10.64.186.0/24', '10.64.188.0/24', '10.64.190.0/24', '10.64.21.0/24', '10.64.36.0/24', '10.64.5.0/24', '10.64.53.0/24', '2620:0:861:100::/64', '2620:0:861:104::/64', '2620:0:861:105::/64', '2620:0:861:106::/64', '2620:0:861:108::/64', '2620:0:861:110::/64', '2620:0:861:111::/64', '2620:0:861:112::/64', '2620:0:861:114::/64', '2620:0:861:115::/64', '2620:0:861:116::/64', '2620:0:861:117::/64', '2620:0:861:11a::/64', '2620:0:861:121::/64', '2620:0:861:123::/64', '2620:0:861:125::/64', '2620:0:861:127::/64', '2620:0:861:129::/64', '2620:0:861:12b::/64', '2620:0:861:12d::/64', '2620:0:861:12f::/64', '2620:0:861:132::/64', '2620:0:861:134::/64', '2620:0:861:136::/64', '2620:0:861:138::/64', '2620:0:861:13a::/64', '2620:0:861:13c::/64', '2620:0:861:13e::/64', '2620:0:861:141::/64', '2620:0:861:143::/64', '2620:0:861:145::/64']\n"}, {"resource": "Cfssl::Signer[Wikimedia_Internal_Root_CA]", "parameters": "--- Cfssl::Signer[Wikimedia_Internal_Root_CA].orig\n+++ Cfssl::Signer[Wikimedia_Internal_Root_CA]\n\n+    default_ocsp_url => http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA\n+    manage_services  => False\n+    default_crl_url  => http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA\n+    listen_addr      => pki-root1002.eqiad.wmnet\n+    manage_db        => True\n+    default_usages   => ['signing', 'key encipherment', 'client auth']\n+    db_name          => pki\n+    log_level        => info\n+    db_user          => pki\n+    listen_port      => 8888\n+    profiles         => {'intermediate': {'usages': ['cert sign', 'crl sign'], 'ca_constraint': {'is_ca': True, 'max_path_len': 1}, 'expiry': '43800h'}, 'ocsp': {'usages': ['digital signature', 'ocsp signing'], 'expiry': '43800h'}}\n+    db_host          
=> m1-master.eqiad.wmnet\n+    default_auth_key => default_auth\n+    serve_ensure     => absent\n+    db_driver        => mysql\n+    default_expiry   => 672h\n+    db_pass          => changeme\n+    auth_keys        => {'default_auth': {'key': 'aaaabbbbccccdddd', 'type': 'standard'}}\n"}, {"resource": "Nftables::Set[DEPLOYMENT_HOSTS]", "parameters": "--- Nftables::Set[DEPLOYMENT_HOSTS].orig\n+++ Nftables::Set[DEPLOYMENT_HOSTS]\n\n-    ensure => present\n-    hosts  => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']\n"}, {"resource": "Package[ulogd2]", "parameters": "--- Package[ulogd2].orig\n+++ Package[ulogd2]\n\n+    ensure   => installed\n+    provider => apt\n"}, {"resource": "Exec[Generate cert wikikube_staging_front_proxy]", "parameters": "--- Exec[Generate cert wikikube_staging_front_proxy].orig\n+++ Exec[Generate cert wikikube_staging_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft.orig\n+++ 
/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet\n-set ZOOKEEPER_HOSTS_MAIN_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.0.207,\n-             10.64.16.110,\n-             10.64.48.154,\n-             10.192.16.45,\n-             10.192.32.52,\n-             10.192.48.59\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "content": "--- /etc/nftables/sets/LINK_LOCAL_ipv4.nft.orig\n+++ /etc/nftables/sets/LINK_LOCAL_ipv4.nft\n@@ -1,8 +0,0 @@\n-# Autogenerated by puppet\n-set LINK_LOCAL_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 169.254.0.0/16\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft].orig\n+++ File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert mlserve]", "parameters": "--- Exec[Generate cert mlserve].orig\n+++ Exec[Generate cert mlserve]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve/mlserve\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve/mlserve.pem 
-noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/mlserve/mlserve-key.pem 2>&1)\"\n\n"}, {"resource": "Systemd::Service[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Service[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Service[wmf_auto_restart_ulogd2]\n\n+    override                 => False\n+    require                  => Systemd::Unit[wmf_auto_restart_ulogd2.service]\n+    unit_type                => timer\n+    restart                  => False\n+    service_params           => {}\n+    migration_task           => T407130\n+    monitoring_enabled       => False\n+    monitoring_contact_group => admins\n+    ensure                   => present\n+    monitoring_critical      => False\n"}, {"resource": "File[/etc/ferm/conf.d/98_log-everything]", "content": "--- /etc/ferm/conf.d/98_log-everything.orig\n+++ /etc/ferm/conf.d/98_log-everything\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 98_log-everything: \n+\n+domain (ip ip6) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tNFLOG mod limit limit 1/second limit-burst 5 nflog-prefix \"[fw-in-drop]\";\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/98_log-everything].orig\n+++ File[/etc/ferm/conf.d/98_log-everything]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[renew certificate - wikikube]", "parameters": "--- Exec[renew certificate - wikikube].orig\n+++ Exec[renew certificate - wikikube]\n\n+    
require     => Exec[Generate cert wikikube]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube/wikikube.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube/wikikube\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube/wikikube.pem -checkend 952200\n"}, {"resource": "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/INSTALL_HOSTS_ipv6.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set INSTALL_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:2:208:80:154:134,\n-             2620:0:860:3:208:80:153:70,\n-             2a02:ec80:300:3:185:15:59:101,\n-             2620:0:863:3:198:35:26:98,\n-             2001:df2:e500:3:103:102:166:104,\n-             2a02:ec80:600:1:185:15:58:7,\n-             2a02:ec80:700:3:195:200:68:100\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/network_devices/network_devices-key.pem].orig\n+++ File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/bacula/ssl/server.key]", "parameters": "--- File[/etc/bacula/ssl/server.key].orig\n+++ 
File[/etc/bacula/ssl/server.key]\n\n+    show_diff => False\n+    mode      => 0400\n+    group     => bacula\n+    ensure    => present\n+    owner     => bacula\n+    source    => /var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem\n"}, {"resource": "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft\n@@ -1,189 +0,0 @@\n-# Autogenerated by puppet\n-set DOMAIN_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.128.0.0/24,\n-             10.128.1.0/24,\n-             10.128.2.0/24,\n-             10.132.0.0/24,\n-             10.132.2.0/24,\n-             10.136.0.0/24,\n-             10.136.1.0/24,\n-             10.140.0.0/24,\n-             10.140.1.0/24,\n-             10.140.2.0/24,\n-             10.192.0.0/22,\n-             10.192.10.0/24,\n-             10.192.11.0/24,\n-             10.192.12.0/24,\n-             10.192.13.0/24,\n-             10.192.14.0/24,\n-             10.192.15.0/24,\n-             10.192.16.0/22,\n-             10.192.20.0/24,\n-             10.192.21.0/24,\n-             10.192.22.0/24,\n-             10.192.23.0/24,\n-             10.192.24.0/23,\n-             10.192.26.0/24,\n-             10.192.27.0/24,\n-             10.192.28.0/24,\n-             10.192.29.0/24,\n-             10.192.30.0/24,\n-             10.192.31.0/24,\n-             10.192.32.0/22,\n-             10.192.36.0/24,\n-             10.192.37.0/24,\n-             10.192.38.0/24,\n-             10.192.39.0/24,\n-             10.192.4.0/24,\n-             10.192.40.0/24,\n-             10.192.41.0/24,\n-             10.192.42.0/24,\n-             10.192.43.0/24,\n-             10.192.44.0/24,\n-             10.192.45.0/24,\n-             10.192.46.0/24,\n-             10.192.47.0/24,\n-             10.192.48.0/22,\n-             10.192.5.0/24,\n-             10.192.52.0/24,\n-             
10.192.56.0/24,\n-             10.192.57.0/24,\n-             10.192.58.0/24,\n-             10.192.59.0/24,\n-             10.192.6.0/24,\n-             10.192.64.0/21,\n-             10.192.7.0/24,\n-             10.192.72.0/24,\n-             10.192.76.0/24,\n-             10.192.8.0/24,\n-             10.192.80.0/20,\n-             10.192.9.0/24,\n-             10.192.96.0/21,\n-             10.194.0.0/20,\n-             10.194.128.0/17,\n-             10.194.16.0/21,\n-             10.194.61.0/24,\n-             10.194.62.0/23,\n-             10.194.64.0/20,\n-             10.194.80.0/21,\n-             10.2.1.0/24,\n-             10.2.2.0/24,\n-             10.2.3.0/24,\n-             10.2.4.0/24,\n-             10.2.5.0/24,\n-             10.2.6.0/24,\n-             10.2.7.0/24,\n-             10.64.0.0/22,\n-             10.64.130.0/24,\n-             10.64.131.0/24,\n-             10.64.132.0/24,\n-             10.64.133.0/24,\n-             10.64.134.0/24,\n-             10.64.135.0/24,\n-             10.64.136.0/24,\n-             10.64.137.0/24,\n-             10.64.138.0/24,\n-             10.64.139.0/24,\n-             10.64.140.0/24,\n-             10.64.141.0/24,\n-             10.64.142.0/24,\n-             10.64.143.0/24,\n-             10.64.144.0/24,\n-             10.64.145.0/24,\n-             10.64.148.0/24,\n-             10.64.149.0/24,\n-             10.64.150.0/24,\n-             10.64.151.0/24,\n-             10.64.152.0/24,\n-             10.64.153.0/24,\n-             10.64.154.0/24,\n-             10.64.155.0/24,\n-             10.64.156.0/24,\n-             10.64.157.0/24,\n-             10.64.158.0/24,\n-             10.64.159.0/24,\n-             10.64.16.0/22,\n-             10.64.160.0/24,\n-             10.64.161.0/24,\n-             10.64.162.0/24,\n-             10.64.163.0/24,\n-             10.64.164.0/24,\n-             10.64.165.0/24,\n-             10.64.166.0/24,\n-             10.64.167.0/24,\n-             
10.64.169.0/24,\n-             10.64.170.0/24,\n-             10.64.171.0/24,\n-             10.64.172.0/24,\n-             10.64.173.0/24,\n-             10.64.174.0/24,\n-             10.64.175.0/24,\n-             10.64.176.0/24,\n-             10.64.177.0/24,\n-             10.64.178.0/24,\n-             10.64.179.0/24,\n-             10.64.180.0/24,\n-             10.64.181.0/24,\n-             10.64.182.0/24,\n-             10.64.183.0/24,\n-             10.64.184.0/24,\n-             10.64.185.0/24,\n-             10.64.186.0/24,\n-             10.64.187.0/24,\n-             10.64.188.0/24,\n-             10.64.189.0/24,\n-             10.64.190.0/24,\n-             10.64.20.0/24,\n-             10.64.21.0/24,\n-             10.64.24.0/23,\n-             10.64.32.0/22,\n-             10.64.36.0/24,\n-             10.64.48.0/22,\n-             10.64.5.0/24,\n-             10.64.53.0/24,\n-             10.64.64.0/21,\n-             10.64.72.0/24,\n-             10.64.76.0/24,\n-             10.67.0.0/20,\n-             10.67.128.0/17,\n-             10.67.16.0/21,\n-             10.67.24.0/21,\n-             10.67.32.0/20,\n-             10.67.64.0/20,\n-             10.67.80.0/21,\n-             10.80.0.0/24,\n-             10.80.1.0/24,\n-             10.80.2.0/24,\n-             103.102.166.0/28,\n-             103.102.166.224/27,\n-             103.102.166.96/27,\n-             185.15.58.0/27,\n-             185.15.58.224/27,\n-             185.15.58.32/27,\n-             185.15.59.0/27,\n-             185.15.59.224/27,\n-             185.15.59.32/27,\n-             185.15.59.96/27,\n-             195.200.68.0/27,\n-             195.200.68.224/27,\n-             195.200.68.32/27,\n-             195.200.68.96/27,\n-             198.35.26.0/27,\n-             198.35.26.32/27,\n-             198.35.26.96/27,\n-             208.80.152.128/27,\n-             208.80.153.0/27,\n-             208.80.153.224/27,\n-             208.80.153.32/27,\n-             
208.80.153.64/27,\n-             208.80.153.96/27,\n-             208.80.154.0/26,\n-             208.80.154.128/26,\n-             208.80.154.224/27,\n-             208.80.154.64/26,\n-             208.80.155.96/27\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/mlserve.csr]", "content": "--- /etc/cfssl/csr/mlserve.csr.orig\n+++ /etc/cfssl/csr/mlserve.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"mlserve\",\n+  \"hosts\": [\n+    \"mlserve\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/mlserve.csr].orig\n+++ File[/etc/cfssl/csr/mlserve.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft\n@@ -1,10 +0,0 @@\n-# Autogenerated by puppet\n-set DRUID_PUBLIC_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:10a:10:64:131:9,\n-             2620:0:861:10b:10:64:132:12,\n-             2620:0:861:10e:10:64:135:9,\n-             2620:0:861:103:10:64:32:101,\n-             2620:0:861:107:10:64:48:185\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => 
root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube]", "parameters": "--- File[/etc/cfssl/ssl/wikikube].orig\n+++ File[/etc/cfssl/ssl/wikikube]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Logrotate::Conf[prometheus-node-textfile-check-nft]", "parameters": "--- Logrotate::Conf[prometheus-node-textfile-check-nft].orig\n+++ Logrotate::Conf[prometheus-node-textfile-check-nft]\n\n-    ensure => present\n"}, {"resource": "Exec[Generate cert puppet_rsa]", "parameters": "--- Exec[Generate cert puppet_rsa].orig\n+++ Exec[Generate cert puppet_rsa]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/csr/puppet.csr]", "content": "--- /etc/cfssl/csr/puppet.csr.orig\n+++ /etc/cfssl/csr/puppet.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"puppet\",\n+  \"hosts\": [\n+    \"puppet\"\n+  
],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/puppet.csr].orig\n+++ File[/etc/cfssl/csr/puppet.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/debmonitor]", "parameters": "--- File[/etc/cfssl/ssl/debmonitor].orig\n+++ File[/etc/cfssl/ssl/debmonitor]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "content": "--- /etc/cfssl/csr/mlserve_staging_front_proxy.csr.orig\n+++ /etc/cfssl/csr/mlserve_staging_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"mlserve_staging_front_proxy\",\n+  \"hosts\": [\n+    \"mlserve_staging_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet\n-set ZOOKEEPER_HOSTS_MAIN_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:101:10:64:0:207,\n-             2620:0:861:102:10:64:16:110,\n-             2620:0:861:107:10:64:48:154,\n-     
        2620:0:860:102:10:192:16:45,\n-             2620:0:860:103:10:192:32:52,\n-             2620:0:860:104:10:192:48:59\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve/mlserve.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve/mlserve.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve/mlserve.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_PRIVATE_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2a02:ec80:a000:201::/64,\n-             2a02:ec80:a000:202::/64,\n-             2a02:ec80:a000:203::/64,\n-             2a02:ec80:a000:204::/64,\n-             2a02:ec80:a100:205::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert wikikube_front_proxy]", "parameters": "--- Exec[Generate cert wikikube_front_proxy].orig\n+++ Exec[Generate cert wikikube_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem 
-ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKAMON_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:103:10:64:32:11,\n-             2620:0:860:102:10:192:16:139\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert mlserve_front_proxy refresh]", "parameters": "--- Exec[Generate cert mlserve_front_proxy refresh].orig\n+++ Exec[Generate cert mlserve_front_proxy refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/mlserve_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare 
/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy\n\n"}, {"resource": "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]", "content": "--- /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf.orig\n+++ /etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf\n@@ -0,0 +1,43 @@\n+{\n+  \"auth_keys\": {\n+    \"default_auth\": {\n+      \"key\": \"aaaabbbbccccdddd\",\n+      \"type\": \"standard\"\n+    }\n+  },\n+  \"signing\": {\n+    \"default\": {\n+      \"auth_key\": \"default_auth\",\n+      \"usages\": [\n+        \"signing\",\n+        \"key encipherment\",\n+        \"client auth\"\n+      ],\n+      \"expiry\": \"672h\",\n+      \"crl_url\": \"http://pki.discovery.wmnet/crl/Wikimedia_Internal_Root_CA\",\n+      \"ocsp_url\": \"http://pki.discovery.wmnet/ocsp/Wikimedia_Internal_Root_CA\"\n+    },\n+    \"profiles\": {\n+      \"intermediate\": {\n+        \"auth_key\": \"default_auth\",\n+        \"expiry\": \"43800h\",\n+        \"usages\": [\n+          \"cert sign\",\n+          \"crl sign\"\n+        ],\n+        \"ca_constraint\": {\n+          \"is_ca\": true,\n+          \"max_path_len\": 1\n+        }\n+      },\n+      \"ocsp\": {\n+        \"auth_key\": \"default_auth\",\n+        \"expiry\": \"43800h\",\n+        \"usages\": [\n+          \"digital signature\",\n+          \"ocsp signing\"\n+        ]\n+      }\n+    }\n+  }\n+}", "parameters": "--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf].orig\n+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]\n\n+    show_diff => False\n+    mode      => 0440\n+    group     => root\n+    ensure    => present\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/forward]", "parameters": "--- File[/etc/nftables/forward].orig\n+++ File[/etc/nftables/forward]\n\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": 
"File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": "--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "File[/etc/cfssl/ssl/kafka/kafka.csr]", "parameters": "--- File[/etc/cfssl/ssl/kafka/kafka.csr].orig\n+++ File[/etc/cfssl/ssl/kafka/kafka.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Ferm::Conf[main]", "parameters": "--- Ferm::Conf[main].orig\n+++ Ferm::Conf[main]\n\n+    ensure => present\n+    prio   => 02\n+    source => puppet:///modules/base/firewall/main-input-default-drop.conf\n"}, {"resource": "File[/etc/cfssl/ssl/dse/dse.csr]", "parameters": "--- File[/etc/cfssl/ssl/dse/dse.csr].orig\n+++ File[/etc/cfssl/ssl/dse/dse.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Alternatives::Select[iptables]", "parameters": "--- Alternatives::Select[iptables].orig\n+++ Alternatives::Select[iptables]\n\n+    path    => /usr/sbin/iptables-legacy\n+    require => Package[iptables]\n"}, {"resource": "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "content": "--- /etc/ferm/conf.d/10_ssh_from_bastion.orig\n+++ /etc/ferm/conf.d/10_ssh_from_bastion\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 22, (103.102.166.103 185.15.58.6 185.15.59.99 195.200.68.99 198.35.26.104 2001:df2:e500:3:103:102:166:103 208.80.153.110 208.80.154.7 2620:0:860:4:208:80:153:110 2620:0:861:1:208:80:154:7 2620:0:863:3:198:35:26:104 2a02:ec80:300:3:185:15:59:99 2a02:ec80:600:1:185:15:58:6 2a02:ec80:700:3:195:200:68:99));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_ssh_from_bastion].orig\n+++ File[/etc/ferm/conf.d/10_ssh_from_bastion]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft\n@@ -1,189 +0,0 @@\n-# Autogenerated by puppet\n-set PRODUCTION_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.128.0.0/24,\n-             10.128.1.0/24,\n-             10.128.2.0/24,\n-             10.132.0.0/24,\n-             10.132.2.0/24,\n-             10.136.0.0/24,\n-             10.136.1.0/24,\n-             10.140.0.0/24,\n-             10.140.1.0/24,\n-             10.140.2.0/24,\n-             10.192.0.0/22,\n-             10.192.10.0/24,\n-             10.192.11.0/24,\n-             10.192.12.0/24,\n-             10.192.13.0/24,\n-             10.192.14.0/24,\n-             10.192.15.0/24,\n-             10.192.16.0/22,\n-             10.192.20.0/24,\n-             10.192.21.0/24,\n-             10.192.22.0/24,\n-             10.192.23.0/24,\n-             10.192.24.0/23,\n-             10.192.26.0/24,\n-             10.192.27.0/24,\n-             10.192.28.0/24,\n-             10.192.29.0/24,\n-             10.192.30.0/24,\n-             10.192.31.0/24,\n-             10.192.32.0/22,\n-             10.192.36.0/24,\n-             10.192.37.0/24,\n-             
10.192.38.0/24,\n-             10.192.39.0/24,\n-             10.192.4.0/24,\n-             10.192.40.0/24,\n-             10.192.41.0/24,\n-             10.192.42.0/24,\n-             10.192.43.0/24,\n-             10.192.44.0/24,\n-             10.192.45.0/24,\n-             10.192.46.0/24,\n-             10.192.47.0/24,\n-             10.192.48.0/22,\n-             10.192.5.0/24,\n-             10.192.52.0/24,\n-             10.192.56.0/24,\n-             10.192.57.0/24,\n-             10.192.58.0/24,\n-             10.192.59.0/24,\n-             10.192.6.0/24,\n-             10.192.64.0/21,\n-             10.192.7.0/24,\n-             10.192.72.0/24,\n-             10.192.76.0/24,\n-             10.192.8.0/24,\n-             10.192.80.0/20,\n-             10.192.9.0/24,\n-             10.192.96.0/21,\n-             10.194.0.0/20,\n-             10.194.128.0/17,\n-             10.194.16.0/21,\n-             10.194.61.0/24,\n-             10.194.62.0/23,\n-             10.194.64.0/20,\n-             10.194.80.0/21,\n-             10.2.1.0/24,\n-             10.2.2.0/24,\n-             10.2.3.0/24,\n-             10.2.4.0/24,\n-             10.2.5.0/24,\n-             10.2.6.0/24,\n-             10.2.7.0/24,\n-             10.64.0.0/22,\n-             10.64.130.0/24,\n-             10.64.131.0/24,\n-             10.64.132.0/24,\n-             10.64.133.0/24,\n-             10.64.134.0/24,\n-             10.64.135.0/24,\n-             10.64.136.0/24,\n-             10.64.137.0/24,\n-             10.64.138.0/24,\n-             10.64.139.0/24,\n-             10.64.140.0/24,\n-             10.64.141.0/24,\n-             10.64.142.0/24,\n-             10.64.143.0/24,\n-             10.64.144.0/24,\n-             10.64.145.0/24,\n-             10.64.148.0/24,\n-             10.64.149.0/24,\n-             10.64.150.0/24,\n-             10.64.151.0/24,\n-             10.64.152.0/24,\n-             10.64.153.0/24,\n-             10.64.154.0/24,\n-             
10.64.155.0/24,\n-             10.64.156.0/24,\n-             10.64.157.0/24,\n-             10.64.158.0/24,\n-             10.64.159.0/24,\n-             10.64.16.0/22,\n-             10.64.160.0/24,\n-             10.64.161.0/24,\n-             10.64.162.0/24,\n-             10.64.163.0/24,\n-             10.64.164.0/24,\n-             10.64.165.0/24,\n-             10.64.166.0/24,\n-             10.64.167.0/24,\n-             10.64.169.0/24,\n-             10.64.170.0/24,\n-             10.64.171.0/24,\n-             10.64.172.0/24,\n-             10.64.173.0/24,\n-             10.64.174.0/24,\n-             10.64.175.0/24,\n-             10.64.176.0/24,\n-             10.64.177.0/24,\n-             10.64.178.0/24,\n-             10.64.179.0/24,\n-             10.64.180.0/24,\n-             10.64.181.0/24,\n-             10.64.182.0/24,\n-             10.64.183.0/24,\n-             10.64.184.0/24,\n-             10.64.185.0/24,\n-             10.64.186.0/24,\n-             10.64.187.0/24,\n-             10.64.188.0/24,\n-             10.64.189.0/24,\n-             10.64.190.0/24,\n-             10.64.20.0/24,\n-             10.64.21.0/24,\n-             10.64.24.0/23,\n-             10.64.32.0/22,\n-             10.64.36.0/24,\n-             10.64.48.0/22,\n-             10.64.5.0/24,\n-             10.64.53.0/24,\n-             10.64.64.0/21,\n-             10.64.72.0/24,\n-             10.64.76.0/24,\n-             10.67.0.0/20,\n-             10.67.128.0/17,\n-             10.67.16.0/21,\n-             10.67.24.0/21,\n-             10.67.32.0/20,\n-             10.67.64.0/20,\n-             10.67.80.0/21,\n-             10.80.0.0/24,\n-             10.80.1.0/24,\n-             10.80.2.0/24,\n-             103.102.166.0/28,\n-             103.102.166.224/27,\n-             103.102.166.96/27,\n-             185.15.58.0/27,\n-             185.15.58.224/27,\n-             185.15.58.32/27,\n-             185.15.59.0/27,\n-             185.15.59.224/27,\n-          
   185.15.59.32/27,\n-             185.15.59.96/27,\n-             195.200.68.0/27,\n-             195.200.68.224/27,\n-             195.200.68.32/27,\n-             195.200.68.96/27,\n-             198.35.26.0/27,\n-             198.35.26.32/27,\n-             198.35.26.96/27,\n-             208.80.152.128/27,\n-             208.80.153.0/27,\n-             208.80.153.224/27,\n-             208.80.153.32/27,\n-             208.80.153.64/27,\n-             208.80.153.96/27,\n-             208.80.154.0/26,\n-             208.80.154.128/26,\n-             208.80.154.224/27,\n-             208.80.154.64/26,\n-             208.80.155.96/27\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Systemd::Syslog[ulogd]", "parameters": "--- Systemd::Syslog[ulogd].orig\n+++ Systemd::Syslog[ulogd]\n\n+    base_dir               => /var/log\n+    log_filename           => syslog.log\n+    force_stop             => True\n+    owner                  => root\n+    programname_comparison => startswith\n+    readable_by            => user\n+    group                  => root\n+    ensure                 => present\n"}, {"resource": "Exec[renew certificate - aux]", "parameters": "--- Exec[renew certificate - aux].orig\n+++ Exec[renew certificate - aux]\n\n+    require     => Exec[Generate cert aux]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/aux/aux.csr | /usr/bin/cfssljson -bare 
/etc/cfssl/ssl/aux/aux\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/aux/aux.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr].orig\n+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/puppet]", "parameters": "--- File[/etc/cfssl/ssl/puppet].orig\n+++ File[/etc/cfssl/ssl/puppet]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set STAGING_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:babe::/64,\n-             2620:0:860:babe::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf\n@@ 
-0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"wmf_auto_restart_ulogd2\" then {\n+    action(\n+        type=\"omfile\" file=\"/var/log/wmf_auto_restart_ulogd2/syslog.log\"\n+        fileOwner=\"root\" fileGroup=\"root\"\n+        fileCreateMode=\"0644\"\n+    )\n+    & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]\n\n+    notify => Service[rsyslog]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "content": "--- /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables.orig\n+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-nftables\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"pki-root1002 is a Host being setup by Infrastructure Foundations SREs with ntables (insetup::infrastructure_foundations_nftables)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables].orig\n+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]\n\n-    ensure => present\n-    owner  => root\n-    mode   => 0555\n-    group  => root\n"}, {"resource": "Cfssl::Cert[debmonitor]", "parameters": "--- Cfssl::Cert[debmonitor].orig\n+++ Cfssl::Cert[debmonitor]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => debmonitor\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => 
[{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/cfssl/ssl/zuul]", "parameters": "--- File[/etc/cfssl/ssl/zuul].orig\n+++ File[/etc/cfssl/ssl/zuul]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Cfssl::Cert[aux]", "parameters": "--- Cfssl::Cert[aux].orig\n+++ Cfssl::Cert[aux]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => aux\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Exec[Generate cert mlserve_staging refresh]", "parameters": "--- Exec[Generate cert mlserve_staging refresh].orig\n+++ Exec[Generate cert mlserve_staging refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/mlserve_staging.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert 
-ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging/mlserve_staging\n\n"}, {"resource": "File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]", "content": "--- /etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet.orig\n+++ /etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 9102, (10.64.183.10 2620:0:861:13d:10:64:183:10));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet].orig\n+++ File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => absent\n+    ensure => installed\n"}, {"resource": "Nftables::File[base]", "parameters": "--- Nftables::File[base].orig\n+++ Nftables::File[base]\n\n-    ensure => present\n-    order  => 100\n"}, {"resource": "Exec[renew certificate - zuul]", "parameters": "--- Exec[renew certificate - zuul].orig\n+++ Exec[renew certificate - zuul]\n\n+    require     => Exec[Generate cert zuul]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  
-profile intermediate /etc/cfssl/ssl/zuul/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/zuul/zuul.pem -checkend 952200\n"}, {"resource": "Cfssl::Cert[mlserve_staging_front_proxy]", "parameters": "--- Cfssl::Cert[mlserve_staging_front_proxy].orig\n+++ Cfssl::Cert[mlserve_staging_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => mlserve_staging_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Exec[renew certificate - aux_front_proxy]", "parameters": "--- Exec[renew certificate - aux_front_proxy].orig\n+++ Exec[renew certificate - aux_front_proxy]\n\n+    require     => Exec[Generate cert aux_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in 
/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem -checkend 952200\n"}, {"resource": "Motd::Script[insetup::infrastructure_foundations_nftables]", "parameters": "--- Motd::Script[insetup::infrastructure_foundations_nftables].orig\n+++ Motd::Script[insetup::infrastructure_foundations_nftables]\n\n-    ensure   => present\n-    priority => 5\n"}, {"resource": "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "content": "--- /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft.orig\n+++ /etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft\n@@ -1,4 +0,0 @@\n-# Autogenerated by puppet\n-set MYSQL_ROOT_CLIENTS_ipv6 {\n-    type ipv6_addr\n-}", "parameters": "--- File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Systemd::Syslog[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Syslog[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Syslog[prometheus-node-textfile-check-nft]\n\n-    base_dir               => /var/log\n-    log_filename           => syslog.log\n-    force_stop             => True\n-    owner                  => root\n-    programname_comparison => startswith\n-    readable_by            => all\n-    group                  => root\n-    ensure                 => present\n"}, {"resource": "File[/etc/bacula/ssl/server.p12]", "parameters": "--- File[/etc/bacula/ssl/server.p12].orig\n+++ File[/etc/bacula/ssl/server.p12]\n\n+    ensure => absent\n+    mode   => 0440\n+    owner  => bacula\n+    group  => bacula\n"}, {"resource": "Nrpe::Plugin[check_ferm]", "parameters": "--- Nrpe::Plugin[check_ferm].orig\n+++ Nrpe::Plugin[check_ferm]\n\n+    ensure => present\n+    source => puppet:///modules/base/firewall/check_ferm\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]", "parameters": 
"--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Class[Profile::Firewall::Log::Ferm]", "parameters": "--- Class[Profile::Firewall::Log::Ferm].orig\n+++ Class[Profile::Firewall::Log::Ferm]\n\n+    separate_file => True\n+    log_burst     => 5\n+    log_rate      => 1/second\n"}, {"resource": "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "content": "--- /etc/nftables/input/10_ssh-from-cumin-masters.nft.orig\n+++ /etc/nftables/input/10_ssh-from-cumin-masters.nft\n@@ -1,4 +0,0 @@\n-# Managed by puppet\n-# \n-ip saddr @CUMIN_MASTERS_ipv4 tcp dport { 22 } accept\n-ip6 saddr @CUMIN_MASTERS_ipv6 tcp dport { 22 } accept", "parameters": "--- File[/etc/nftables/input/10_ssh-from-cumin-masters.nft].orig\n+++ File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]\n\n-    require => ['Nftables::Set[CUMIN_MASTERS]']\n-    notify  => ['Service[nftables]']\n-    mode    => 0444\n-    group   => root\n-    ensure  => present\n-    tag     => nft\n-    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/puppet/puppet-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet/puppet-key.pem].orig\n+++ File[/etc/cfssl/ssl/puppet/puppet-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Ferm::Rule[dscp-default]", "parameters": "--- Ferm::Rule[dscp-default].orig\n+++ Ferm::Rule[dscp-default]\n\n+    rule   => DSCP set-dscp-class CS0;\n+    domain => (ip ip6)\n+    chain  => POSTROUTING\n+    ensure => present\n+    table  => mangle\n+    desc   => \n+    prio   => 99\n"}, {"resource": "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ 
/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set WIKIKUBE_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:cabe::/64,\n-             2620:0:860:cabe::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[Generate cert aux_front_proxy refresh]", "parameters": "--- Exec[Generate cert aux_front_proxy refresh].orig\n+++ Exec[Generate cert aux_front_proxy refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/aux_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/aux_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/aux_front_proxy/aux_front_proxy\n\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_front_proxy].orig\n+++ File[/etc/cfssl/ssl/wikikube_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Nftables::Set[MW_APPSERVER_NETWORKS]", "parameters": "--- Nftables::Set[MW_APPSERVER_NETWORKS].orig\n+++ Nftables::Set[MW_APPSERVER_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.64.0.0/22', '10.64.130.0/24', '10.64.131.0/24', '10.64.132.0/24', '10.64.133.0/24', '10.64.134.0/24', '10.64.135.0/24', '10.64.136.0/24', 
'10.64.141.0/24', '10.64.152.0/24', '10.64.154.0/24', '10.64.156.0/24', '10.64.158.0/24', '10.64.16.0/22', '10.64.160.0/24', '10.64.162.0/24', '10.64.164.0/24', '10.64.166.0/24', '10.64.169.0/24', '10.64.171.0/24', '10.64.173.0/24', '10.64.175.0/24', '10.64.177.0/24', '10.64.179.0/24', '10.64.181.0/24', '10.64.183.0/24', '10.64.185.0/24', '10.64.187.0/24', '10.64.189.0/24', '10.64.32.0/22', '10.64.48.0/22', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10c::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:120::/64', '2620:0:861:122::/64', '2620:0:861:124::/64', '2620:0:861:126::/64', '2620:0:861:128::/64', '2620:0:861:12a::/64', '2620:0:861:12c::/64', '2620:0:861:12e::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.0.0/22', '10.192.10.0/24', '10.192.11.0/24', '10.192.12.0/24', '10.192.13.0/24', '10.192.14.0/24', '10.192.15.0/24', '10.192.16.0/22', '10.192.21.0/24', '10.192.22.0/24', '10.192.23.0/24', '10.192.26.0/24', '10.192.27.0/24', '10.192.28.0/24', '10.192.29.0/24', '10.192.30.0/24', '10.192.31.0/24', '10.192.32.0/22', '10.192.36.0/24', '10.192.37.0/24', '10.192.38.0/24', '10.192.39.0/24', '10.192.4.0/24', '10.192.40.0/24', '10.192.41.0/24', '10.192.42.0/24', '10.192.43.0/24', '10.192.44.0/24', '10.192.45.0/24', '10.192.46.0/24', '10.192.47.0/24', '10.192.48.0/22', '10.192.5.0/24', '10.192.52.0/24', '10.192.56.0/24', '10.192.57.0/24', '10.192.58.0/24', '10.192.59.0/24', '10.192.6.0/24', '10.192.7.0/24', '10.192.8.0/24', '10.192.9.0/24', '2620:0:860:100::/64', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', 
'2620:0:860:105::/64', '2620:0:860:106::/64', '2620:0:860:107::/64', '2620:0:860:108::/64', '2620:0:860:109::/64', '2620:0:860:10a::/64', '2620:0:860:10b::/64', '2620:0:860:10c::/64', '2620:0:860:10d::/64', '2620:0:860:10e::/64', '2620:0:860:10f::/64', '2620:0:860:110::/64', '2620:0:860:111::/64', '2620:0:860:112::/64', '2620:0:860:113::/64', '2620:0:860:114::/64', '2620:0:860:115::/64', '2620:0:860:116::/64', '2620:0:860:119::/64', '2620:0:860:11a::/64', '2620:0:860:11b::/64', '2620:0:860:11c::/64', '2620:0:860:11d::/64', '2620:0:860:11e::/64', '2620:0:860:11f::/64', '2620:0:860:120::/64', '2620:0:860:121::/64', '2620:0:860:122::/64', '2620:0:860:123::/64', '2620:0:860:124::/64', '2620:0:860:125::/64', '2620:0:860:126::/64', '2620:0:860:127::/64', '2620:0:860:12b::/64', '2620:0:860:12c::/64', '2620:0:860:12d::/64', '2620:0:860:12e::/64', '10.192.64.0/21', '10.192.96.0/21', '10.194.128.0/17', '10.194.16.0/21', '10.194.61.0/24', '10.194.80.0/21', '10.64.64.0/21', '10.67.128.0/17', '10.67.16.0/21', '10.67.24.0/21', '10.67.80.0/21', '2620:0:860:300::/64', '2620:0:860:302::/64', '2620:0:860:305::/64', '2620:0:860:308::/64', '2620:0:860:babe::/64', '2620:0:860:cabe::/64', '2620:0:861:300::/64', '2620:0:861:302::/64', '2620:0:861:305::/64', '2620:0:861:babe::/64', '2620:0:861:cabe::/64', '208.80.154.0/26', '208.80.154.128/26', '208.80.154.64/26', '208.80.155.96/27', '2620:0:861:1::/64', '2620:0:861:2::/64', '2620:0:861:3::/64', '2620:0:861:4::/64', '208.80.153.0/27', '208.80.153.32/27', '208.80.153.64/27', '208.80.153.96/27', '2620:0:860:1::/64', '2620:0:860:2::/64', '2620:0:860:3::/64', '2620:0:860:4::/64']\n"}, {"resource": "File[/var/log/prometheus-node-textfile-check-nft]", "parameters": "--- File[/var/log/prometheus-node-textfile-check-nft].orig\n+++ File[/var/log/prometheus-node-textfile-check-nft]\n\n-    mode   => 0755\n-    backup => False\n-    group  => root\n-    ensure => directory\n-    owner  => root\n-    force  => True\n"}, {"resource": 
"File[/etc/cfssl/ssl/etcd/etcd-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/etcd/etcd-key.pem].orig\n+++ File[/etc/cfssl/ssl/etcd/etcd-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr].orig\n+++ File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft\n@@ -1,99 +0,0 @@\n-# Autogenerated by puppet\n-set MW_APPSERVER_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.64.0.0/22,\n-             10.64.130.0/24,\n-             10.64.131.0/24,\n-             10.64.132.0/24,\n-             10.64.133.0/24,\n-             10.64.134.0/24,\n-             10.64.135.0/24,\n-             10.64.136.0/24,\n-             10.64.141.0/24,\n-             10.64.152.0/24,\n-             10.64.154.0/24,\n-             10.64.156.0/24,\n-             10.64.158.0/24,\n-             10.64.16.0/22,\n-             10.64.160.0/24,\n-             10.64.162.0/24,\n-             10.64.164.0/24,\n-             10.64.166.0/24,\n-             10.64.169.0/24,\n-             10.64.171.0/24,\n-             10.64.173.0/24,\n-             10.64.175.0/24,\n-             10.64.177.0/24,\n-             10.64.179.0/24,\n-             10.64.181.0/24,\n-             10.64.183.0/24,\n-             10.64.185.0/24,\n-             10.64.187.0/24,\n-             10.64.189.0/24,\n-             10.64.32.0/22,\n-             10.64.48.0/22,\n-             10.192.0.0/22,\n-             10.192.10.0/24,\n-      
       10.192.11.0/24,\n-             10.192.12.0/24,\n-             10.192.13.0/24,\n-             10.192.14.0/24,\n-             10.192.15.0/24,\n-             10.192.16.0/22,\n-             10.192.21.0/24,\n-             10.192.22.0/24,\n-             10.192.23.0/24,\n-             10.192.26.0/24,\n-             10.192.27.0/24,\n-             10.192.28.0/24,\n-             10.192.29.0/24,\n-             10.192.30.0/24,\n-             10.192.31.0/24,\n-             10.192.32.0/22,\n-             10.192.36.0/24,\n-             10.192.37.0/24,\n-             10.192.38.0/24,\n-             10.192.39.0/24,\n-             10.192.4.0/24,\n-             10.192.40.0/24,\n-             10.192.41.0/24,\n-             10.192.42.0/24,\n-             10.192.43.0/24,\n-             10.192.44.0/24,\n-             10.192.45.0/24,\n-             10.192.46.0/24,\n-             10.192.47.0/24,\n-             10.192.48.0/22,\n-             10.192.5.0/24,\n-             10.192.52.0/24,\n-             10.192.56.0/24,\n-             10.192.57.0/24,\n-             10.192.58.0/24,\n-             10.192.59.0/24,\n-             10.192.6.0/24,\n-             10.192.7.0/24,\n-             10.192.8.0/24,\n-             10.192.9.0/24,\n-             10.192.64.0/21,\n-             10.192.96.0/21,\n-             10.194.128.0/17,\n-             10.194.16.0/21,\n-             10.194.61.0/24,\n-             10.194.80.0/21,\n-             10.64.64.0/21,\n-             10.67.128.0/17,\n-             10.67.16.0/21,\n-             10.67.24.0/21,\n-             10.67.80.0/21,\n-             208.80.154.0/26,\n-             208.80.154.128/26,\n-             208.80.154.64/26,\n-             208.80.155.96/27,\n-             208.80.153.0/27,\n-             208.80.153.32/27,\n-             208.80.153.64/27,\n-             208.80.153.96/27\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]\n\n-    notify => 
['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set PROMETHEUS_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.0.82,\n-             10.64.16.62,\n-             10.64.48.171,\n-             10.64.32.85\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "parameters": "--- Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig\n+++ Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]\n\n+    require     => Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem -checkend 952200\n"}, {"resource": 
"Exec[update_alternative_iptables]", "parameters": "--- Exec[update_alternative_iptables].orig\n+++ Exec[update_alternative_iptables]\n\n+    command => /usr/bin/update-alternatives --force --set iptables /usr/sbin/iptables-legacy\n+    unless  => /usr/bin/update-alternatives --query iptables | /bin/grep 'Value: /usr/sbin/iptables-legacy'\n"}, {"resource": "Ferm::Rule[log-everything]", "parameters": "--- Ferm::Rule[log-everything].orig\n+++ Ferm::Rule[log-everything]\n\n+    rule   => NFLOG mod limit limit 1/second limit-burst 5 nflog-prefix \"[fw-in-drop]\";\n+    domain => (ip ip6)\n+    chain  => INPUT\n+    ensure => present\n+    table  => filter\n+    desc   => \n+    prio   => 98\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-tcp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-tcp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-tcp]\n\n-    desc                => \n-    prio                => 10\n-    proto               => tcp\n-    unrestricted_access => False\n-    notrack             => False\n-    port_range          => [1, 65535]\n-    ensure              => present\n-    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n"}, {"resource": "Nftables::Set[INTERNAL]", "parameters": "--- Nftables::Set[INTERNAL].orig\n+++ Nftables::Set[INTERNAL]\n\n-    ensure => present\n-    hosts  => ['10.0.0.0/8', '2620:0:860:100::/56', '2620:0:861:100::/56', '2620:0:863:100::/56', '2a02:ec80:300:100::/56', '2a02:ec80:600:100::/56', '2a02:ec80:700:100::/56', '2001:df2:e500:100::/56', '2a02:ec80:ff00:100::/56']\n"}, {"resource": "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]", "parameters": "--- 
File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem].orig\n+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Cfssl::Cert[mlserve_front_proxy]", "parameters": "--- Cfssl::Cert[mlserve_front_proxy].orig\n+++ Cfssl::Cert[mlserve_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => mlserve_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKAMON_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.32.11,\n-             10.192.16.139\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": 
"Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "parameters": "--- Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources].orig\n+++ Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]\n\n+    show_diff      => True\n+    backup         => puppet\n+    replace        => True\n+    format         => plain\n+    ensure_newline => False\n+    owner          => root\n+    force          => False\n+    mode           => 0444\n+    group          => root\n+    tag            => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n+    order          => alpha\n"}, {"resource": "File[/etc/bacula/ssl]", "parameters": "--- File[/etc/bacula/ssl].orig\n+++ File[/etc/bacula/ssl]\n\n+    ensure => directory\n+    mode   => 0555\n+    owner  => bacula\n+    group  => bacula\n"}, {"resource": "Exec[Generate cert mlserve_staging_front_proxy]", "parameters": "--- Exec[Generate cert mlserve_staging_front_proxy].orig\n+++ Exec[Generate cert mlserve_staging_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in 
/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "Package[nftables]", "parameters": "--- Package[nftables].orig\n+++ Package[nftables]\n\n-    ensure   => present\n-    provider => apt\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]\n\n+    ensure      => present\n+    common_name => cloud_wmnet_ca\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging_front_proxy]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft\n@@ -1,4 +0,0 @@\n-# Managed by puppet\n-# 
\n-ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept\n-ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept", "parameters": "--- File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft].orig\n+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "content": "--- /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft.orig\n+++ /etc/nftables/sets/CUMIN_MASTERS_ipv6.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set CUMIN_MASTERS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:102:10:64:16:154,\n-             2620:0:860:103:10:192:32:49\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "content": "--- /etc/ferm/conf.d/98_filter_log_filter-bootp.orig\n+++ /etc/ferm/conf.d/98_filter_log_filter-bootp\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# 98_filter_log_filter-bootp: \n+\n+domain (ip ip6) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tproto udp  daddr 255.255.255.255 sport 67 dport 68 DROP;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/98_filter_log_filter-bootp].orig\n+++ File[/etc/ferm/conf.d/98_filter_log_filter-bootp]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "parameters": "--- Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig\n+++ Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile ocsp /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem 2>&1)\"\n\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer 
(nrpe2nodexp-ferm_active.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]\n\n+    refreshonly => True\n+    before      => ['Service[nrpe2nodexp-ferm_active.timer]']\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/nftables/output]", "parameters": "--- File[/etc/nftables/output].orig\n+++ File[/etc/nftables/output]\n\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-udp.nft\n@@ -1,4 +0,0 @@\n-# Managed by puppet\n-# \n-ip saddr { 10.64.0.82, 10.64.16.62, 10.64.32.85, 10.64.48.171, 208.80.153.42, 208.80.154.78 } udp dport 1-65535 accept\n-ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:861:101:10:64:0:82, 2620:0:861:102:10:64:16:62, 2620:0:861:103:10:64:32:85, 2620:0:861:107:10:64:48:171, 2620:0:861:3:208:80:154:78 } udp dport 1-65535 accept", "parameters": "--- File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft].orig\n+++ File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[wikikube_staging]", "parameters": "--- Cfssl::Cert[wikikube_staging].orig\n+++ Cfssl::Cert[wikikube_staging]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => wikikube_staging\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia 
Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Timer[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Timer[nrpe2nodexp-ferm_active]\n\n+    fixed_random_delay => True\n+    ensure             => present\n+    splay              => 600\n+    unit_name          => nrpe2nodexp-ferm_active.service\n+    accuracy           => 15sec\n+    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '10min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "File[/etc/logrotate.d/ulogd]", "content": "--- /etc/logrotate.d/ulogd.orig\n+++ /etc/logrotate.d/ulogd\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for ulogd\n+\n+/var/log/ulogd/*.log {\n+    daily\n+    copytruncate\n+    missingok\n+    compress\n+    delaycompress\n+    notifempty\n+    rotate 15\n+    size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/ulogd].orig\n+++ File[/etc/logrotate.d/ulogd]\n\n+    ensure => present\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet\n-set ZOOKEEPER_FLINK_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:102:10:64:16:9,\n-         
    2620:0:861:101:10:64:0:8,\n-             2620:0:861:103:10:64:32:41,\n-             2620:0:860:102:10:192:16:227,\n-             2620:0:860:103:10:192:32:179,\n-             2620:0:860:104:10:192:48:219\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Nftables::Set[KAFKAMON_HOSTS]", "parameters": "--- Nftables::Set[KAFKAMON_HOSTS].orig\n+++ Nftables::Set[KAFKAMON_HOSTS]\n\n-    ensure => present\n-    hosts  => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]\n\n+    ensure      => present\n+    common_name => wikikube_staging\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft\n@@ -1,183 +0,0 @@\n-# Autogenerated by puppet\n-set DOMAIN_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2001:df2:e500:101::/64,\n-             2001:df2:e500:103::/64,\n-             2001:df2:e500:1::/64,\n-             2001:df2:e500:3::/64,\n-             2001:df2:e500:ed1a::/64,\n-             2620:0:860:100::/64,\n-             2620:0:860:101::/64,\n-             2620:0:860:102::/64,\n-             2620:0:860:103::/64,\n-             
2620:0:860:104::/64,\n-             2620:0:860:105::/64,\n-             2620:0:860:106::/64,\n-             2620:0:860:107::/64,\n-             2620:0:860:108::/64,\n-             2620:0:860:109::/64,\n-             2620:0:860:10a::/64,\n-             2620:0:860:10b::/64,\n-             2620:0:860:10c::/64,\n-             2620:0:860:10d::/64,\n-             2620:0:860:10e::/64,\n-             2620:0:860:10f::/64,\n-             2620:0:860:110::/64,\n-             2620:0:860:111::/64,\n-             2620:0:860:112::/64,\n-             2620:0:860:113::/64,\n-             2620:0:860:114::/64,\n-             2620:0:860:115::/64,\n-             2620:0:860:116::/64,\n-             2620:0:860:118::/64,\n-             2620:0:860:119::/64,\n-             2620:0:860:11a::/64,\n-             2620:0:860:11b::/64,\n-             2620:0:860:11c::/64,\n-             2620:0:860:11d::/64,\n-             2620:0:860:11e::/64,\n-             2620:0:860:11f::/64,\n-             2620:0:860:120::/64,\n-             2620:0:860:121::/64,\n-             2620:0:860:122::/64,\n-             2620:0:860:123::/64,\n-             2620:0:860:124::/64,\n-             2620:0:860:125::/64,\n-             2620:0:860:126::/64,\n-             2620:0:860:127::/64,\n-             2620:0:860:12b::/64,\n-             2620:0:860:12c::/64,\n-             2620:0:860:12d::/64,\n-             2620:0:860:12e::/64,\n-             2620:0:860:140::/64,\n-             2620:0:860:1::/64,\n-             2620:0:860:2::/64,\n-             2620:0:860:300::/64,\n-             2620:0:860:301::/64,\n-             2620:0:860:302::/64,\n-             2620:0:860:303::/64,\n-             2620:0:860:304::/64,\n-             2620:0:860:305::/64,\n-             2620:0:860:307::/64,\n-             2620:0:860:308::/64,\n-             2620:0:860:3::/64,\n-             2620:0:860:4::/64,\n-             2620:0:860:5::/64,\n-             2620:0:860:babe::/64,\n-             2620:0:860:babf::/64,\n-             2620:0:860:cabe::/64,\n-    
         2620:0:860:cabf::/64,\n-             2620:0:860:ed1a::/64,\n-             2620:0:861:100::/64,\n-             2620:0:861:101::/64,\n-             2620:0:861:102::/64,\n-             2620:0:861:103::/64,\n-             2620:0:861:104::/64,\n-             2620:0:861:105::/64,\n-             2620:0:861:106::/64,\n-             2620:0:861:107::/64,\n-             2620:0:861:108::/64,\n-             2620:0:861:109::/64,\n-             2620:0:861:10a::/64,\n-             2620:0:861:10b::/64,\n-             2620:0:861:10c::/64,\n-             2620:0:861:10d::/64,\n-             2620:0:861:10e::/64,\n-             2620:0:861:10f::/64,\n-             2620:0:861:110::/64,\n-             2620:0:861:111::/64,\n-             2620:0:861:112::/64,\n-             2620:0:861:113::/64,\n-             2620:0:861:114::/64,\n-             2620:0:861:115::/64,\n-             2620:0:861:116::/64,\n-             2620:0:861:117::/64,\n-             2620:0:861:118::/64,\n-             2620:0:861:119::/64,\n-             2620:0:861:11a::/64,\n-             2620:0:861:11c::/64,\n-             2620:0:861:11d::/64,\n-             2620:0:861:11e::/64,\n-             2620:0:861:11f::/64,\n-             2620:0:861:120::/64,\n-             2620:0:861:121::/64,\n-             2620:0:861:122::/64,\n-             2620:0:861:123::/64,\n-             2620:0:861:124::/64,\n-             2620:0:861:125::/64,\n-             2620:0:861:126::/64,\n-             2620:0:861:127::/64,\n-             2620:0:861:128::/64,\n-             2620:0:861:129::/64,\n-             2620:0:861:12a::/64,\n-             2620:0:861:12b::/64,\n-             2620:0:861:12c::/64,\n-             2620:0:861:12d::/64,\n-             2620:0:861:12e::/64,\n-             2620:0:861:12f::/64,\n-             2620:0:861:131::/64,\n-             2620:0:861:132::/64,\n-             2620:0:861:133::/64,\n-             2620:0:861:134::/64,\n-             2620:0:861:135::/64,\n-             2620:0:861:136::/64,\n-             
2620:0:861:137::/64,\n-             2620:0:861:138::/64,\n-             2620:0:861:139::/64,\n-             2620:0:861:13a::/64,\n-             2620:0:861:13b::/64,\n-             2620:0:861:13c::/64,\n-             2620:0:861:13d::/64,\n-             2620:0:861:13e::/64,\n-             2620:0:861:13f::/64,\n-             2620:0:861:140::/64,\n-             2620:0:861:141::/64,\n-             2620:0:861:142::/64,\n-             2620:0:861:143::/64,\n-             2620:0:861:144::/64,\n-             2620:0:861:145::/64,\n-             2620:0:861:1::/64,\n-             2620:0:861:2::/64,\n-             2620:0:861:300::/64,\n-             2620:0:861:301::/116,\n-             2620:0:861:302::/64,\n-             2620:0:861:303::/116,\n-             2620:0:861:304::/116,\n-             2620:0:861:305::/64,\n-             2620:0:861:3::/64,\n-             2620:0:861:4::/64,\n-             2620:0:861:babe::/64,\n-             2620:0:861:babf::/116,\n-             2620:0:861:cabe::/64,\n-             2620:0:861:cabf::/116,\n-             2620:0:861:ed1a::/64,\n-             2620:0:863:101::/64,\n-             2620:0:863:102::/64,\n-             2620:0:863:103::/64,\n-             2620:0:863:1::/64,\n-             2620:0:863:2::/64,\n-             2620:0:863:3::/64,\n-             2620:0:863:ed1a::/64,\n-             2a02:ec80:300:101::/64,\n-             2a02:ec80:300:102::/64,\n-             2a02:ec80:300:103::/64,\n-             2a02:ec80:300:1::/64,\n-             2a02:ec80:300:2::/64,\n-             2a02:ec80:300:3::/64,\n-             2a02:ec80:300:ed1a::/64,\n-             2a02:ec80:600:101::/64,\n-             2a02:ec80:600:102::/64,\n-             2a02:ec80:600:1::/64,\n-             2a02:ec80:600:2::/64,\n-             2a02:ec80:600:ed1a::/64,\n-             2a02:ec80:700:101::/64,\n-             2a02:ec80:700:102::/64,\n-             2a02:ec80:700:103::/64,\n-             2a02:ec80:700:1::/64,\n-             2a02:ec80:700:2::/64,\n-             
2a02:ec80:700:3::/64,\n-             2a02:ec80:700:ed1a::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Systemd::Override[ferm-service-status-restart]", "parameters": "--- Systemd::Override[ferm-service-status-restart].orig\n+++ Systemd::Override[ferm-service-status-restart]\n\n+    ensure  => present\n+    restart => False\n+    unit    => ferm\n+    source  => puppet:///modules/ferm/ferm_systemd_override\n"}, {"resource": "File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "content": "--- /etc/cfssl/csr/wikikube_staging_front_proxy.csr.orig\n+++ /etc/cfssl/csr/wikikube_staging_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"wikikube_staging_front_proxy\",\n+  \"hosts\": [\n+    \"wikikube_staging_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/var/log/ulogd]", "parameters": "--- File[/var/log/ulogd].orig\n+++ File[/var/log/ulogd]\n\n+    mode   => 0755\n+    backup => False\n+    group  => root\n+    ensure => directory\n+    owner  => root\n+    force  => True\n"}, {"resource": "Nftables::Set[PROMETHEUS_HOSTS]", "parameters": "--- Nftables::Set[PROMETHEUS_HOSTS].orig\n+++ Nftables::Set[PROMETHEUS_HOSTS]\n\n-    ensure => present\n-    hosts  => ['prometheus1005.eqiad.wmnet', 
'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-check-nft.timer].orig\n+++ Systemd::Unit[prometheus-node-textfile-check-nft.timer]\n\n-    override          => False\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    unit              => prometheus-node-textfile-check-nft.timer\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]", "parameters": "--- File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca].orig\n+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]\n\n+    require => ['Package[golang-cfssl]']\n+    mode    => 0550\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "File[/etc/default/ferm]", "parameters": "--- File[/etc/default/ferm].orig\n+++ File[/etc/default/ferm]\n\n+    require => Package[ferm]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => file\n+    owner   => root\n+    source  => puppet:///modules/ferm/ferm.default\n"}, {"resource": "Package[bacula-fd]", "parameters": "--- Package[bacula-fd].orig\n+++ Package[bacula-fd]\n\n+    ensure   => installed\n+    provider => apt\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/etcd.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/etcd.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/etcd.csr]\n\n+    ensure      => present\n+    common_name => etcd\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/cfssl/ssl/zuul/zuul.pem]", "parameters": "--- 
File[/etc/cfssl/ssl/zuul/zuul.pem].orig\n+++ File[/etc/cfssl/ssl/zuul/zuul.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Cert[cassandra]", "parameters": "--- Cfssl::Cert[cassandra].orig\n+++ Cfssl::Cert[cassandra]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => cassandra\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set AUX_KUBEPODS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.67.80.0/21,\n-             10.194.80.0/21\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "parameters": "--- 
Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig\n+++ Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n\n+    order  => 10\n+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube/wikikube.csr]", "parameters": "--- File[/etc/cfssl/ssl/wikikube/wikikube.csr].orig\n+++ File[/etc/cfssl/ssl/wikikube/wikikube.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]", "parameters": "--- File[/etc/cfssl/ssl/debmonitor/debmonitor.pem].orig\n+++ File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[MGMT_NETWORKS]", "parameters": "--- Nftables::Set[MGMT_NETWORKS].orig\n+++ Nftables::Set[MGMT_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.65.0.0/16', '10.128.128.0/17', '10.193.0.0/16', '10.80.128.0/17', '10.132.128.0/17', '10.136.128.0/17', '10.140.128.0/17']\n"}, {"resource": "Logrotate::Conf[ulogd]", "parameters": "--- Logrotate::Conf[ulogd].orig\n+++ Logrotate::Conf[ulogd]\n\n+    ensure => present\n"}, {"resource": "Exec[renew certificate - wikikube_front_proxy]", "parameters": "--- Exec[renew certificate - wikikube_front_proxy].orig\n+++ Exec[renew certificate - wikikube_front_proxy]\n\n+    require     => Exec[Generate cert wikikube_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr | 
/usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem -checkend 952200\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-udp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-udp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-udp]\n\n-    desc                => \n-    prio                => 10\n-    proto               => udp\n-    unrestricted_access => False\n-    notrack             => False\n-    port_range          => [1, 65535]\n-    ensure              => present\n-    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n"}, {"resource": "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/MONITORING_HOSTS_ipv4.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set MONITORING_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 208.80.154.78,\n-             208.80.153.42\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-ferm_active.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-ferm_active.service\n@@ -0,0 +1,11 @@\n+[Unit]\n+Description=execution of nrpe2nodexp for the check_ferm_active 
command.\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=nagios\n+\n+Group=prometheus-node-exporter\n+SyslogIdentifier=nrpe2nodexp-ferm_active\n+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"bba0a2572329bb500b832470e08b381c\" --timeout 10 --check-command \"check_ferm_active\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]\n\n+    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "Nftables::Set[SANDBOX_NETWORKS]", "parameters": "--- Nftables::Set[SANDBOX_NETWORKS].orig\n+++ Nftables::Set[SANDBOX_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['103.102.166.72/29', '185.15.59.72/29', '195.200.68.64/29', '198.35.26.240/28', '2001:df2:e500:202::/64', '208.80.152.240/28', '208.80.155.64/28', '2620:0:860:201::/64', '2620:0:861:202::/64', '2620:0:863:201::/64', '2a02:ec80:300:202::/64', '2a02:ec80:700:201::/64']\n"}, {"resource": "Cfssl::Cert[mlserve_staging]", "parameters": "--- Cfssl::Cert[mlserve_staging].orig\n+++ Cfssl::Cert[mlserve_staging]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => mlserve_staging\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    
renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/MONITORING_HOSTS_ipv6.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set MONITORING_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:3:208:80:154:78,\n-             2620:0:860:2:208:80:153:42\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "parameters": "--- Nftables::Set[CLOUD_PRIVATE_NETWORKS].orig\n+++ Nftables::Set[CLOUD_PRIVATE_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['172.20.1.0/24', '172.20.2.0/24', '172.20.3.0/24', '172.20.4.0/24', '2a02:ec80:a000:201::/64', '2a02:ec80:a000:202::/64', '2a02:ec80:a000:203::/64', '2a02:ec80:a000:204::/64', '172.20.5.0/24', '2a02:ec80:a100:205::/64']\n"}, {"resource": "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft\n@@ -1,38 +0,0 @@\n-# Autogenerated by puppet\n-set ANALYTICS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:100::/64,\n-             2620:0:861:104::/64,\n-             2620:0:861:105::/64,\n-             2620:0:861:106::/64,\n-             2620:0:861:108::/64,\n-             2620:0:861:110::/64,\n-             2620:0:861:111::/64,\n-             2620:0:861:112::/64,\n-             2620:0:861:114::/64,\n-             2620:0:861:115::/64,\n-             2620:0:861:116::/64,\n-             2620:0:861:117::/64,\n-   
          2620:0:861:11a::/64,\n-             2620:0:861:121::/64,\n-             2620:0:861:123::/64,\n-             2620:0:861:125::/64,\n-             2620:0:861:127::/64,\n-             2620:0:861:129::/64,\n-             2620:0:861:12b::/64,\n-             2620:0:861:12d::/64,\n-             2620:0:861:12f::/64,\n-             2620:0:861:132::/64,\n-             2620:0:861:134::/64,\n-             2620:0:861:136::/64,\n-             2620:0:861:138::/64,\n-             2620:0:861:13a::/64,\n-             2620:0:861:13c::/64,\n-             2620:0:861:13e::/64,\n-             2620:0:861:141::/64,\n-             2620:0:861:143::/64,\n-             2620:0:861:145::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/update-motd.d/06-backups-pki-root-cfssl]", "content": "--- /etc/update-motd.d/06-backups-pki-root-cfssl.orig\n+++ /etc/update-motd.d/06-backups-pki-root-cfssl\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+echo \"Backed up on this host: pki-root-cfssl\"", "parameters": "--- File[/etc/update-motd.d/06-backups-pki-root-cfssl].orig\n+++ File[/etc/update-motd.d/06-backups-pki-root-cfssl]\n\n+    ensure => present\n+    owner  => root\n+    mode   => 0555\n+    group  => root\n"}, {"resource": "Exec[renew certificate - mlserve_front_proxy]", "parameters": "--- Exec[renew certificate - mlserve_front_proxy].orig\n+++ Exec[renew certificate - mlserve_front_proxy]\n\n+    require     => Exec[Generate cert mlserve_front_proxy]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf 
-db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem -checkend 952200\n"}, {"resource": "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet\n-set ZOOKEEPER_FLINK_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.16.9,\n-             10.64.0.8,\n-             10.64.32.41,\n-             10.192.16.227,\n-             10.192.32.179,\n-             10.192.48.219\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Cfssl::Cert[kafka]", "parameters": "--- Cfssl::Cert[kafka].orig\n+++ Cfssl::Cert[kafka]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => kafka\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => 
['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "parameters": "--- Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c].orig\n+++ Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]\n\n+    instance           => ops\n+    team               => observability\n+    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_ferm_active))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n+    alert_name         => nrpe_Check_whether_ferm_is_active_by_checking_the_default_input_chain\n+    for                => 32m\n+    dashboard          => TODO\n+    def_label_whitelst => ['team', 'severity']\n+    summary            => NRPE CHECK: Check whether ferm is active by checking the default input chain\n+    site               => eqiad\n+    severity           => info\n+    expr               => (nagios_nrpe_check_result{alert_rule_hash=\"bba0a2572329bb500b832470e08b381c\",check_name=\"check_ferm_active\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n+    description        => NRPE CHECK: Check whether ferm is active by checking the default input chain\n+    group              => nrpechecks\n+    ensure             => present\n+    runbook            => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n"}, {"resource": "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "content": 
"--- /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft\n@@ -1,9 +0,0 @@\n-# Autogenerated by puppet\n-set DSE_KUBEPODS_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:861:302::/64,\n-             2620:0:860:308::/64\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Ferm::Rule[drop-blocked-nets]", "parameters": "--- Ferm::Rule[drop-blocked-nets].orig\n+++ Ferm::Rule[drop-blocked-nets]\n\n+    rule   => saddr $BLOCKED_NETS DROP;\n+    domain => (ip ip6)\n+    chain  => INPUT\n+    ensure => present\n+    table  => filter\n+    desc   => drop abuse/blocked_nets.yaml defined in the requestctl private repo\n+    prio   => 01\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/notrack]", "parameters": "--- File[/etc/nftables/notrack].orig\n+++ File[/etc/nftables/notrack]\n\n-    recurse => True\n-    group   => root\n-    
ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "parameters": "--- Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.67.128.0/17', '2620:0:861:cabe::/64', '10.194.128.0/17', '2620:0:860:cabe::/64']\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_ulogd2.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_ulogd2.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_ulogd2.timer]\n\n+    override          => False\n+    require           => ['Class[Systemd]']\n+    ensure            => present\n+    unit              => wmf_auto_restart_ulogd2.timer\n+    restart           => False\n+    override_filename => puppet-override.conf\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve]", "parameters": "--- File[/etc/cfssl/ssl/mlserve].orig\n+++ File[/etc/cfssl/ssl/mlserve]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Cfssl::Cert[puppet_rsa]", "parameters": "--- Cfssl::Cert[puppet_rsa].orig\n+++ Cfssl::Cert[puppet_rsa]\n\n+    notify_services => []\n+    key             => {'algo': 'rsa', 'size': 4096}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => puppet_rsa\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts          
 => []\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_ulogd2].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_ulogd2]\n\n+    user                      => root\n+    send_mail_only_on_error   => True\n+    logging_enabled           => True\n+    syslog_match_startswith   => True\n+    logfile_basedir           => /var/log\n+    logfile_perms             => all\n+    ensure                    => present\n+    send_mail                 => False\n+    require                   => File[/usr/local/sbin/wmf-auto-restart]\n+    logfile_group             => root\n+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+    command                   => /usr/local/sbin/wmf-auto-restart -s ulogd2\n+    private_tmp               => False\n+    fixed_random_delay        => False\n+    syslog_force_stop         => True\n+    ignore_errors             => False\n+    logfile_name              => syslog.log\n+    description               => Auto restart job: ulogd2\n+    monitoring_enabled        => False\n+    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 0:9:00'}\n+    monitoring_contact_groups => admins\n+    environment               => {}\n+    send_mail_to              => root@pki-root1002.eqiad.wmnet\n+    success_exit_status       => []\n"}, {"resource": "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/FRACK_NETWORKS_ipv6.nft\n@@ -1,4 +0,0 @@\n-# Autogenerated by puppet\n-set FRACK_NETWORKS_ipv6 {\n-    type ipv6_addr\n-}", "parameters": "--- File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": 
"File[/usr/local/bin/check-nft]", "parameters": "--- File[/usr/local/bin/check-nft].orig\n+++ File[/usr/local/bin/check-nft]\n\n-    mode   => 0555\n-    group  => root\n-    ensure => present\n-    owner  => root\n-    source => puppet:///modules/profile/firewall/check_nftables.py\n"}, {"resource": "Monitoring::Exported_nagios_host[pki-root1002]", "parameters": "--- Monitoring::Exported_nagios_host[pki-root1002].orig\n+++ Monitoring::Exported_nagios_host[pki-root1002]\n\n@@\n-    hostgroups            => insetup_eqiad,asw2-b-eqiad\n+    hostgroups            => pki_eqiad,asw2-b-eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "content": "--- component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.orig\n+++ component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia\n@@ -0,0 +1,5 @@\n+Types: deb deb-src\n+URIs: http://apt.wikimedia.org/wikimedia\n+Suites: trixie-wikimedia\n+Components: component/bacula9\n+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg", "parameters": "--- Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig\n+++ Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n\n+    tag    => _etc_apt_sources.list.d_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n+    order  => 10\n+    target => /etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources\n"}, {"resource": "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "parameters": "--- File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf].orig\n+++ File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]\n\n+    notify => Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  
=> root\n+    source => puppet:///modules/ferm/ferm_systemd_override\n"}, {"resource": "File[/etc/cfssl/ssl/cloud_wmnet_ca]", "parameters": "--- File[/etc/cfssl/ssl/cloud_wmnet_ca].orig\n+++ File[/etc/cfssl/ssl/cloud_wmnet_ca]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]\n\n+    ensure      => present\n+    common_name => debmonitor\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Cfssl::Cert[wikikube_front_proxy]", "parameters": "--- Cfssl::Cert[wikikube_front_proxy].orig\n+++ Cfssl::Cert[wikikube_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => wikikube_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_MAIN]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_MAIN].orig\n+++ Nftables::Set[KAFKA_BROKERS_MAIN]\n\n-    ensure => 
present\n-    hosts  => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']\n"}, {"resource": "File[/etc/cfssl/ssl/aux/aux-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/aux/aux-key.pem].orig\n+++ File[/etc/cfssl/ssl/aux/aux-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Cfssl::Cert[dse]", "parameters": "--- Cfssl::Cert[dse].orig\n+++ Cfssl::Cert[dse]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => dse\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": 
"File[/etc/cfssl/ssl/network_devices/network_devices.pem]", "parameters": "--- File[/etc/cfssl/ssl/network_devices/network_devices.pem].orig\n+++ File[/etc/cfssl/ssl/network_devices/network_devices.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_JUMBO]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_JUMBO].orig\n+++ Nftables::Set[KAFKA_BROKERS_JUMBO]\n\n-    ensure => present\n-    hosts  => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-ferm_active.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-ferm_active.timer]\n\n+    override          => False\n+    require           => ['Class[Systemd]']\n+    ensure            => present\n+    unit              => nrpe2nodexp-ferm_active.timer\n+    restart           => False\n+    override_filename => puppet-override.conf\n"}, {"resource": "Nftables::Set[NETWORK_INFRA]", "parameters": "--- Nftables::Set[NETWORK_INFRA].orig\n+++ Nftables::Set[NETWORK_INFRA]\n\n-    ensure => present\n-    hosts  => ['185.15.59.128/27', '2a02:ec80:300:fe00::/55', '198.35.26.128/27', '2620:0:863:fe00::/55', '208.80.153.192/27', '2620:0:860:fe00::/55', '10.192.255.0/24', '2620:0:860:13f::/64', '10.192.253.0/24', '2620:0:860:139::/64', '208.80.154.192/27', '2620:0:861:fe00::/55', '10.64.146.0/24', '2620:0:861:11b::/128', '10.64.168.0/24', '2620:0:861:130::/64', '10.64.147.0/24', '103.102.166.128/27', '2001:df2:e500:fe00::/55', '185.15.58.128/27', '2a02:ec80:600:fe00::/55', 
'195.200.68.128/27', '2a02:ec80:700:fe00::/55']\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Nftables::Set[LABSTORE_HOSTS]", "parameters": "--- Nftables::Set[LABSTORE_HOSTS].orig\n+++ Nftables::Set[LABSTORE_HOSTS]\n\n-    ensure => present\n-    hosts  => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']\n"}, {"resource": "Exec[Generate cert puppet_rsa refresh]", "parameters": "--- Exec[Generate cert puppet_rsa refresh].orig\n+++ Exec[Generate cert puppet_rsa refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/puppet_rsa.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet_rsa.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet_rsa/puppet_rsa\n\n"}, {"resource": "Concat_fragment[/etc/bacula_puppet_agent_cert]", "parameters": "--- Concat_fragment[/etc/bacula_puppet_agent_cert].orig\n+++ Concat_fragment[/etc/bacula_puppet_agent_cert]\n\n+    tag    => _etc_bacula_ssl_cert.pem\n+    source => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem\n+    order  => 01\n+    target => /etc/bacula/ssl/cert.pem\n"}, {"resource": "Class[Bacula::Client]", "parameters": "--- Class[Bacula::Client].orig\n+++ Class[Bacula::Client]\n\n+    directorpassword => oNZaIQDn8JhLclLcIISdelhD8xIolFuV\n+    client_version   => 9\n+    fdport           => 9102\n+    file_retention   => 90 days\n+    catalog          => production\n+    
job_retention    => 90 days\n+    director         => backup1014.eqiad.wmnet\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "content": "--- /etc/nagios/nrpe.d/check_ferm_active.cfg.orig\n+++ /etc/nagios/nrpe.d/check_ferm_active.cfg\n@@ -0,0 +1,2 @@\n+# File generated by puppet. DO NOT edit by hand\n+command[check_ferm_active]=/usr/bin/sudo /usr/local/lib/nagios/plugins/check_ferm", "parameters": "--- File[/etc/nagios/nrpe.d/check_ferm_active.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_ferm_active.cfg]\n\n+    require => Package[nagios-nrpe-server]\n+    notify  => Service[nagios-nrpe-server]\n+    mode    => 0444\n+    group   => root\n+    ensure  => present\n+    tag     => nrpe::check\n+    owner   => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => wikikube_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Service[nftables]", "parameters": "--- Service[nftables].orig\n+++ Service[nftables]\n\n-    ensure     => running\n-    restart    => /usr/bin/systemctl reload nftables\n-    hasrestart => True\n-    enable     => True\n"}, {"resource": "File[/etc/nftables/main.nft]", "parameters": "--- File[/etc/nftables/main.nft].orig\n+++ File[/etc/nftables/main.nft]\n\n-    require => File[/etc/nftables]\n-    notify  => Service[nftables]\n-    group   => root\n-    ensure  => present\n-    owner   => root\n-    source  => puppet:///modules/nftables/main.nft\n"}, {"resource": "Monitoring::Service[ferm_active]", "parameters": "--- Monitoring::Service[ferm_active].orig\n+++ 
Monitoring::Service[ferm_active]\n\n+    contact_group  => admins\n+    config_dir     => /etc/nagios\n+    critical       => False\n+    freshness      => 36000\n+    notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n+    retries        => 3\n+    passive        => False\n+    check_command  => nrpe_check!check_ferm_active!10\n+    check_interval => 30\n+    description    => Check whether ferm is active by checking the default input chain\n+    migration_task => T350694\n+    ensure         => present\n+    host           => pki-root1002\n+    retry_interval => 1\n"}, {"resource": "Exec[Generate cert zuul refresh]", "parameters": "--- Exec[Generate cert zuul refresh].orig\n+++ Exec[Generate cert zuul refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/zuul.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/zuul.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/zuul/zuul\n\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "content": "--- /etc/logrotate.d/wmf_auto_restart_ulogd2.orig\n+++ /etc/logrotate.d/wmf_auto_restart_ulogd2\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for wmf_auto_restart_ulogd2\n+\n+/var/log/wmf_auto_restart_ulogd2/*.log {\n+    daily\n+    copytruncate\n+    missingok\n+    compress\n+    delaycompress\n+    notifempty\n+    rotate 15\n+    size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_ulogd2].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_ulogd2]\n\n+    ensure => present\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n"}, {"resource": 
"File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr].orig\n+++ File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nrpe::Monitor_service[ferm_active]", "parameters": "--- Nrpe::Monitor_service[ferm_active].orig\n+++ Nrpe::Monitor_service[ferm_active]\n\n+    nrpe2nodexp_parse_perf_data => False\n+    nrpe_command                => /usr/local/lib/nagios/plugins/check_ferm\n+    critical                    => False\n+    notes_url                   => https://wikitech.wikimedia.org/wiki/Monitoring/check_ferm\n+    check_interval              => 30\n+    migration_task              => T350694\n+    ensure                      => present\n+    enable_nrpe2nodexp          => True\n+    retry_interval              => 1\n+    contact_group               => admins\n+    enable_icinga_check         => True\n+    retries                     => 3\n+    timeout                     => 10\n+    description                 => Check whether ferm is active by checking the default input chain\n+    sudo_user                   => root\n+    alertmanager_team           => observability\n"}, {"resource": "File[/etc/cfssl/ssl/puppet/puppet.csr]", "parameters": "--- File[/etc/cfssl/ssl/puppet/puppet.csr].orig\n+++ File[/etc/cfssl/ssl/puppet/puppet.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-ferm_active.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-ferm_active.timer\n@@ -0,0 +1,14 @@\n+[Unit]\n+Description=Periodic execution of nrpe2nodexp-ferm_active.service\n+\n+[Timer]\n+Unit=nrpe2nodexp-ferm_active.service\n+# Accuracy sets the maximum time 
interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnUnitInactiveSec=10min\n+OnActiveSec=1s\n+RandomizedDelaySec=600\n+FixedRandomDelay=true\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]\n\n+    notify => Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "Ferm::Service[ssh_from_cumin_masters]", "parameters": "--- Ferm::Service[ssh_from_cumin_masters].orig\n+++ Ferm::Service[ssh_from_cumin_masters]\n\n+    src_sets            => ['CUMIN_MASTERS']\n+    desc                => \n+    prio                => 10\n+    proto               => tcp\n+    unrestricted_access => False\n+    notrack             => False\n+    ensure              => present\n+    port                => 22\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/syslog.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/syslog.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/syslog.csr]\n\n+    ensure      => present\n+    common_name => syslog\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Sudo::User[nrpe-check_ferm_active]", "parameters": "--- Sudo::User[nrpe-check_ferm_active].orig\n+++ Sudo::User[nrpe-check_ferm_active]\n\n+    require    => ['Class[Sudo]']\n+    ensure     => present\n+    user       => nagios\n+    privileges => ['ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm']\n+    tag        => nrpe::check\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "parameters": "--- Exec[systemd 
daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]\n\n+    refreshonly => True\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_ulogd2.service].orig\n+++ Systemd::Unit[wmf_auto_restart_ulogd2.service]\n\n+    override          => False\n+    require           => ['Class[Systemd]']\n+    ensure            => present\n+    unit              => wmf_auto_restart_ulogd2.service\n+    restart           => False\n+    override_filename => puppet-override.conf\n"}, {"resource": "Exec[Generate cert kafka]", "parameters": "--- Exec[Generate cert kafka].orig\n+++ Exec[Generate cert kafka]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/kafka/kafka.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/kafka/kafka-key.pem 2>&1)\"\n\n"}, {"resource": "Class[Profile::Firewall::Nftables_base_sets]", "parameters": "--- Class[Profile::Firewall::Nftables_base_sets].orig\n+++ Class[Profile::Firewall::Nftables_base_sets]\n\n-    druid_public_hosts    => ['10.64.131.9', '2620:0:861:10a:10:64:131:9', '10.64.132.12', '2620:0:861:10b:10:64:132:12', '10.64.135.9', '2620:0:861:10e:10:64:135:9', '10.64.32.101', '2620:0:861:103:10:64:32:101', '10.64.48.185', 
'2620:0:861:107:10:64:48:185']\n-    kafkamon_hosts        => ['10.64.32.11', '2620:0:861:103:10:64:32:11', '10.192.16.139', '2620:0:860:102:10:192:16:139']\n-    monitoring_hosts      => ['208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n-    deployment_hosts      => ['10.64.16.93', '2620:0:861:102:10:64:16:93', '10.192.32.7', '2620:0:860:103:10:192:32:7']\n-    zookeeper_flink_hosts => ['10.64.16.9', '2620:0:861:102:10:64:16:9', '10.64.0.8', '2620:0:861:101:10:64:0:8', '10.64.32.41', '2620:0:861:103:10:64:32:41', '10.192.16.227', '2620:0:860:102:10:192:16:227', '10.192.32.179', '2620:0:860:103:10:192:32:179', '10.192.48.219', '2620:0:860:104:10:192:48:219']\n-    zookeeper_hosts_main  => ['10.64.0.207', '2620:0:861:101:10:64:0:207', '10.64.16.110', '2620:0:861:102:10:64:16:110', '10.64.48.154', '2620:0:861:107:10:64:48:154', '10.192.16.45', '2620:0:860:102:10:192:16:45', '10.192.32.52', '2620:0:860:103:10:192:32:52', '10.192.48.59', '2620:0:860:104:10:192:48:59']\n-    lb_health_checks      => ['10.64.0.136', '10.64.16.60', '10.64.158.19', '10.64.166.19', '10.64.133.19', '10.64.141.19', '10.64.169.19', '10.64.171.19', '10.64.173.19', '10.64.175.19', '10.64.177.19', '10.64.179.19', '10.64.181.19', '10.64.183.19', '10.64.185.19', '10.64.187.19', '10.64.189.19', '10.64.48.72', '10.64.37.17', '10.64.1.17', '10.64.17.17', '10.64.33.17', '10.64.130.20', '10.64.131.20', '10.64.132.20', '10.64.134.20', '10.64.135.20', '10.64.136.20', '10.64.158.20', '10.64.166.20', '10.64.133.20', '10.64.141.20', '10.64.169.20', '10.64.171.20', '10.64.173.20', '10.64.175.20', '10.64.177.20', '10.64.179.20', '10.64.181.20', '10.64.183.20', '10.64.185.20', '10.64.187.20', '10.64.189.20', '2620:0:861:101::/64', '2620:0:861:102::/64', '2620:0:861:103::/64', '2620:0:861:107::/64', '2620:0:861:109::/64', '2620:0:861:10a::/64', '2620:0:861:10b::/64', '2620:0:861:10d::/64', '2620:0:861:10e::/64', '2620:0:861:10f::/64', '2620:0:861:119::/64', 
'2620:0:861:10c::/64', '2620:0:861:113::/64', '2620:0:861:119::/64', '2620:0:861:131::/64', '2620:0:861:133::/64', '2620:0:861:135::/64', '2620:0:861:137::/64', '2620:0:861:139::/64', '2620:0:861:13b::/64', '2620:0:861:13d::/64', '2620:0:861:13f::/64', '2620:0:861:142::/64', '2620:0:861:144::/64', '10.192.23.8', '10.192.0.29', '10.192.17.8', '10.192.33.8', '10.192.49.8', '10.192.23.2', '10.192.5.2', '10.192.6.2', '10.192.7.2', '10.192.8.2', '10.192.9.2', '10.192.10.2', '10.192.11.2', '10.192.12.2', '10.192.13.2', '10.192.14.2', '10.192.15.2', '10.192.21.2', '10.192.22.2', '10.192.4.2', '10.192.26.2', '10.192.27.2', '10.192.28.2', '10.192.29.2', '10.192.30.2', '10.192.31.2', '10.192.36.2', '10.192.37.2', '10.192.38.2', '10.192.39.2', '10.192.40.2', '10.192.41.2', '10.192.42.2', '10.192.43.2', '10.192.11.8', '10.192.16.140', '10.192.1.8', '10.192.33.9', '10.192.49.9', '10.192.23.3', '10.192.5.3', '10.192.6.3', '10.192.7.3', '10.192.8.3', '10.192.9.3', '10.192.10.3', '10.192.11.3', '10.192.12.3', '10.192.13.3', '10.192.14.3', '10.192.15.3', '10.192.21.3', '10.192.22.3', '10.192.4.3', '10.192.26.3', '10.192.27.3', '10.192.28.3', '10.192.29.3', '10.192.30.3', '10.192.31.3', '10.192.36.3', '10.192.37.3', '10.192.38.3', '10.192.39.4', '10.192.40.3', '10.192.41.3', '10.192.42.3', '10.192.43.3', '10.192.32.14', '10.192.1.9', '10.192.17.9', '10.192.49.10', '10.192.23.4', '10.192.5.4', '10.192.6.4', '10.192.7.4', '10.192.8.4', '10.192.9.4', '10.192.10.4', '10.192.11.4', '10.192.12.4', '10.192.13.4', '10.192.14.4', '10.192.15.4', '10.192.21.4', '10.192.22.4', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '10.192.48.213', '10.192.1.13', '10.192.17.10', '10.192.33.10', '10.192.23.5', '10.192.5.8', '10.192.6.5', '10.192.7.5', '10.192.8.5', '10.192.9.5', '10.192.10.5', '10.192.11.5', '10.192.12.5', 
'10.192.13.5', '10.192.14.5', '10.192.15.5', '10.192.21.5', '10.192.22.5', '10.192.4.5', '10.192.26.5', '10.192.27.5', '10.192.28.5', '10.192.29.5', '10.192.30.5', '10.192.31.5', '10.192.36.5', '10.192.37.5', '10.192.38.5', '10.192.39.6', '10.192.40.5', '10.192.41.5', '10.192.42.5', '10.192.43.5', '2620:0:860:101::/64', '2620:0:860:102::/64', '2620:0:860:103::/64', '2620:0:860:104::/64', '10.80.0.3', '10.80.1.8', '10.80.1.14', '10.80.0.9', '10.80.0.2', '10.80.1.10', '2a02:ec80:300:101::/64', '2a02:ec80:300:102::/64', '10.128.1.18', '10.128.0.9', '10.128.1.11', '2620:0:863:101::/64', '2620:0:863:102::/64', '10.132.0.39', '10.132.0.6', '10.132.0.7', '2001:df2:e500:101::/64', '10.136.0.16', '10.136.1.19', '10.136.1.15', '10.136.0.19', '10.136.0.17', '10.136.1.20', '2a02:ec80:600:101::/64', '2a02:ec80:600:102::/64', '10.140.0.13', '10.140.1.2', '10.140.1.14', '10.140.0.2', '10.140.0.14', '10.140.1.3', '2a02:ec80:700:101::/64', '2a02:ec80:700:102::/64']\n-    cache_hosts           => ['10.64.0.79', '2620:0:861:101:10:64:0:79', '10.64.0.229', '2620:0:861:101:10:64:0:229', '10.64.0.14', '2620:0:861:101:10:64:0:14', '10.64.0.51', '2620:0:861:101:10:64:0:51', '10.64.16.241', '2620:0:861:102:10:64:16:241', '10.64.16.94', '2620:0:861:102:10:64:16:94', '10.64.16.95', '2620:0:861:102:10:64:16:95', '10.64.16.240', '2620:0:861:102:10:64:16:240', '10.64.32.14', '2620:0:861:103:10:64:32:14', '10.64.32.60', '2620:0:861:103:10:64:32:60', '10.64.32.15', '2620:0:861:103:10:64:32:15', '10.64.32.65', '2620:0:861:103:10:64:32:65', '10.64.48.16', '2620:0:861:107:10:64:48:16', '10.64.48.41', '2620:0:861:107:10:64:48:41', '10.64.48.27', '2620:0:861:107:10:64:48:27', '10.64.48.28', '2620:0:861:107:10:64:48:28', '10.192.23.26', '2620:0:860:113:10:192:23:26', '10.192.6.20', '2620:0:860:107:10:192:6:20', '10.192.12.35', '2620:0:860:10d:10:192:12:35', '10.192.14.25', '2620:0:860:10f:10:192:14:25', '10.192.4.22', '2620:0:860:100:10:192:4:22', '10.192.29.26', '2620:0:860:116:10:192:29:26', 
'10.192.30.29', '2620:0:860:119:10:192:30:29', '10.192.36.19', '2620:0:860:11b:10:192:36:19', '10.192.40.25', '2620:0:860:11f:10:192:40:25', '10.192.41.21', '2620:0:860:120:10:192:41:21', '10.192.56.3', '2620:0:860:12b:10:192:56:3', '10.192.56.4', '2620:0:860:12b:10:192:56:4', '10.192.57.3', '2620:0:860:12c:10:192:57:3', '10.192.58.2', '2620:0:860:12d:10:192:58:2', '10.192.58.3', '2620:0:860:12d:10:192:58:3', '10.192.59.2', '2620:0:860:12e:10:192:59:2', '10.80.0.14', '2a02:ec80:300:101:10:80:0:14', '10.80.1.11', '2a02:ec80:300:102:10:80:1:11', '10.80.0.13', '2a02:ec80:300:101:10:80:0:13', '10.80.1.9', '2a02:ec80:300:102:10:80:1:9', '10.80.0.12', '2a02:ec80:300:101:10:80:0:12', '10.80.1.7', '2a02:ec80:300:102:10:80:1:7', '10.80.0.11', '2a02:ec80:300:101:10:80:0:11', '10.80.1.6', '2a02:ec80:300:102:10:80:1:6', '10.80.0.10', '2a02:ec80:300:101:10:80:0:10', '10.80.1.5', '2a02:ec80:300:102:10:80:1:5', '10.80.0.8', '2a02:ec80:300:101:10:80:0:8', '10.80.1.4', '2a02:ec80:300:102:10:80:1:4', '10.80.0.7', '2a02:ec80:300:101:10:80:0:7', '10.80.1.3', '2a02:ec80:300:102:10:80:1:3', '10.80.0.6', '2a02:ec80:300:101:10:80:0:6', '10.80.1.2', '2a02:ec80:300:102:10:80:1:2', '10.128.0.19', '2620:0:863:101:10:128:0:19', '10.128.1.27', '2620:0:863:102:10:128:1:27', '10.128.0.22', '2620:0:863:101:10:128:0:22', '10.128.1.28', '2620:0:863:102:10:128:1:28', '10.128.0.25', '2620:0:863:101:10:128:0:25', '10.128.1.29', '2620:0:863:102:10:128:1:29', '10.128.0.26', '2620:0:863:101:10:128:0:26', '10.128.1.31', '2620:0:863:102:10:128:1:31', '10.128.0.14', '2620:0:863:101:10:128:0:14', '10.128.1.35', '2620:0:863:102:10:128:1:35', '10.128.0.21', '2620:0:863:101:10:128:0:21', '10.128.1.36', '2620:0:863:102:10:128:1:36', '10.128.0.24', '2620:0:863:101:10:128:0:24', '10.128.1.10', '2620:0:863:102:10:128:1:10', '10.128.0.37', '2620:0:863:101:10:128:0:37', '10.128.1.12', '2620:0:863:102:10:128:1:12', '10.132.0.17', '2001:df2:e500:101:10:132:0:17', '10.132.0.18', '2001:df2:e500:101:10:132:0:18', 
'10.132.0.19', '2001:df2:e500:101:10:132:0:19', '10.132.0.24', '2001:df2:e500:101:10:132:0:24', '10.132.0.29', '2001:df2:e500:101:10:132:0:29', '10.132.0.30', '2001:df2:e500:101:10:132:0:30', '10.132.0.34', '2001:df2:e500:101:10:132:0:34', '10.132.0.35', '2001:df2:e500:101:10:132:0:35', '10.132.0.36', '2001:df2:e500:101:10:132:0:36', '10.132.0.37', '2001:df2:e500:101:10:132:0:37', '10.132.0.38', '2001:df2:e500:101:10:132:0:38', '10.132.0.25', '2001:df2:e500:101:10:132:0:25', '10.132.0.26', '2001:df2:e500:101:10:132:0:26', '10.132.0.27', '2001:df2:e500:101:10:132:0:27', '10.132.0.28', '2001:df2:e500:101:10:132:0:28', '10.132.0.16', '2001:df2:e500:101:10:132:0:16', '10.136.0.6', '2a02:ec80:600:101:10:136:0:6', '10.136.1.6', '2a02:ec80:600:102:10:136:1:6', '10.136.0.7', '2a02:ec80:600:101:10:136:0:7', '10.136.1.7', '2a02:ec80:600:102:10:136:1:7', '10.136.0.8', '2a02:ec80:600:101:10:136:0:8', '10.136.1.8', '2a02:ec80:600:102:10:136:1:8', '10.136.0.9', '2a02:ec80:600:101:10:136:0:9', '10.136.1.9', '2a02:ec80:600:102:10:136:1:9', '10.136.0.10', '2a02:ec80:600:101:10:136:0:10', '10.136.1.10', '2a02:ec80:600:102:10:136:1:10', '10.136.0.11', '2a02:ec80:600:101:10:136:0:11', '10.136.1.11', '2a02:ec80:600:102:10:136:1:11', '10.136.0.12', '2a02:ec80:600:101:10:136:0:12', '10.136.1.12', '2a02:ec80:600:102:10:136:1:12', '10.136.0.13', '2a02:ec80:600:101:10:136:0:13', '10.136.1.13', '2a02:ec80:600:102:10:136:1:13', '10.140.0.3', '2a02:ec80:700:101:10:140:0:3', '10.140.1.4', '2a02:ec80:700:102:10:140:1:4', '10.140.0.4', '2a02:ec80:700:101:10:140:0:4', '10.140.1.5', '2a02:ec80:700:102:10:140:1:5', '10.140.0.5', '2a02:ec80:700:101:10:140:0:5', '10.140.1.6', '2a02:ec80:700:102:10:140:1:6', '10.140.0.6', '2a02:ec80:700:101:10:140:0:6', '10.140.1.7', '2a02:ec80:700:102:10:140:1:7', '10.140.0.7', '2a02:ec80:700:101:10:140:0:7', '10.140.1.8', '2a02:ec80:700:102:10:140:1:8', '10.140.0.8', '2a02:ec80:700:101:10:140:0:8', '10.140.1.9', '2a02:ec80:700:102:10:140:1:9', '10.140.0.9', 
'2a02:ec80:700:101:10:140:0:9', '10.140.1.10', '2a02:ec80:700:102:10:140:1:10', '10.140.0.10', '2a02:ec80:700:101:10:140:0:10', '10.140.1.11', '2a02:ec80:700:102:10:140:1:11']\n-    mysql_root_clients    => ['10.64.16.90', '10.192.16.191', '10.64.16.154', '10.192.32.49', '208.80.154.9', '10.64.0.20']\n-    bastion_hosts         => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n-    kafka_brokers_main    => ['10.192.5.9', '2620:0:860:106:10:192:5:9', '10.192.22.6', '2620:0:860:112:10:192:22:6', '10.192.32.4', '2620:0:860:103:10:192:32:4', '10.192.48.33', '2620:0:860:104:10:192:48:33', '10.192.48.35', '2620:0:860:104:10:192:48:35', '10.64.0.101', '2620:0:861:101:10:64:0:101', '10.64.16.30', '2620:0:861:102:10:64:16:30', '10.64.32.45', '2620:0:861:103:10:64:32:45', '10.64.48.37', '2620:0:861:107:10:64:48:37', '10.64.152.5', '2620:0:861:120:10:64:152:5']\n-    cumin_masters         => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']\n-    kafka_brokers_jumbo   => ['10.64.130.10', '2620:0:861:109:10:64:130:10', '10.64.131.16', '2620:0:861:10a:10:64:131:16', '10.64.132.21', '2620:0:861:10b:10:64:132:21', '10.64.134.9', '2620:0:861:10d:10:64:134:9', '10.64.135.16', '2620:0:861:10e:10:64:135:16', '10.64.136.11', '2620:0:861:10f:10:64:136:11', '10.64.154.15', '2620:0:861:122:10:64:154:15', '10.64.160.16', '2620:0:861:128:10:64:160:16', '10.64.0.126', '2620:0:861:101:10:64:0:126']\n-    kafka_brokers_logging => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', '2620:0:861:10a:10:64:131:13', '10.64.135.13', 
'2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']\n-    prometheus_nodes      => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet']\n-    install_hosts         => {'eqiad': '208.80.154.134', 'codfw': '208.80.153.70', 'esams': '185.15.59.101', 'ulsfo': '198.35.26.98', 'eqsin': '103.102.166.104', 'drmrs': '185.15.58.7', 'magru': '195.200.68.100'}\n-    install_hosts6        => {'eqiad': '2620:0:861:2:208:80:154:134', 'codfw': '2620:0:860:3:208:80:153:70', 'esams': '2a02:ec80:300:3:185:15:59:101', 'ulsfo': '2620:0:863:3:198:35:26:98', 'eqsin': '2001:df2:e500:3:103:102:166:104', 'drmrs': '2a02:ec80:600:1:185:15:58:7', 'magru': '2a02:ec80:700:3:195:200:68:100'}\n-    labstore_hosts        => ['208.80.154.142', '2620:0:861:2:208:80:154:142', '208.80.154.71', '2620:0:861:3:208:80:154:71']\n"}, {"resource": "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "parameters": "--- Systemd::Unit[prometheus-node-textfile-check-nft.service].orig\n+++ Systemd::Unit[prometheus-node-textfile-check-nft.service]\n\n-    override          => False\n-    require           => ['Class[Systemd]']\n-    ensure            => present\n-    unit              => prometheus-node-textfile-check-nft.service\n-    restart           => False\n-    override_filename => puppet-override.conf\n"}, {"resource": "Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "parameters": "--- Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia].orig\n+++ Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]\n\n+    components               => component/bacula9\n+    dist                     => trixie-wikimedia\n+    bin                      => 
True\n+    allow_releaseinfo_change => False\n+    trust_repo               => False\n+    keyfile                  => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg\n+    ensure                   => present\n+    uri                      => http://apt.wikimedia.org/wikimedia\n+    source                   => True\n"}, {"resource": "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set DEPLOYMENT_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:102:10:64:16:93,\n-             2620:0:860:103:10:192:32:7\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_udp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_udp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_udp]\n\n+    desc                => \n+    prio                => 10\n+    proto               => udp\n+    srange              => ['prometheus1005.eqiad.wmnet', 'prometheus1006.eqiad.wmnet', 'prometheus1007.eqiad.wmnet', 'prometheus1008.eqiad.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+    unrestricted_access => False\n+    notrack             => False\n+    port_range          => [1, 65535]\n+    ensure              => present\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, 
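Review bot: `port_range => [1, 65535]` with `proto => udp` in `Ferm::Service[full_monitoring_metrics_access_udp]` opens every UDP port on this root CA host to the whole `srange`, which holds four prometheus hosts by name plus two further IPv4/IPv6 address pairs. If the collectors only need particular exporter ports, narrow the rule to those, for example `port_range => [<first exporter port>, <last exporter port>]` (placeholder values, the real ports are not visible here). `desc` is empty, so a short description of why UDP access is needed on a PKI root would help the next reviewer.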
{"resource": "Exec[Generate cert kafka refresh]", "parameters": "--- Exec[Generate cert kafka refresh].orig\n+++ Exec[Generate cert kafka refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/kafka.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka\n\n"}, {"resource": "File[/etc/cfssl/ssl/network_devices]", "parameters": "--- File[/etc/cfssl/ssl/network_devices].orig\n+++ File[/etc/cfssl/ssl/network_devices]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[Generate cert syslog]", "parameters": "--- Exec[Generate cert syslog].orig\n+++ Exec[Generate cert syslog]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/syslog.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/syslog/syslog.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/syslog/syslog-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/csr/kafka.csr]", "content": "--- /etc/cfssl/csr/kafka.csr.orig\n+++ /etc/cfssl/csr/kafka.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"kafka\",\n+  
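Review bot: `environment => ['GODEBUG=x509ignoreCN=0']` on `Exec[Generate cert kafka refresh]` is unexplained, and the same setting recurs on the other `Generate cert …` and `renew certificate - …` Execs in this report. It re-enabled Common Name hostname matching in Go 1.15 and 1.16 and was removed in Go 1.17, so on a current cfssl build it presumably has no effect. Either drop it or record the reason where the Exec is defined, e.g. `# x509ignoreCN=0: still required because <reason>` (placeholder).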
\"hosts\": [\n+    \"kafka\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/kafka.csr].orig\n+++ File[/etc/cfssl/csr/kafka.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "content": "--- /etc/nftables/sets/INTERNAL_ipv6.nft.orig\n+++ /etc/nftables/sets/INTERNAL_ipv6.nft\n@@ -1,15 +0,0 @@\n-# Autogenerated by puppet\n-set INTERNAL_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2620:0:860:100::/56,\n-             2620:0:861:100::/56,\n-             2620:0:863:100::/56,\n-             2a02:ec80:300:100::/56,\n-             2a02:ec80:600:100::/56,\n-             2a02:ec80:700:100::/56,\n-             2001:df2:e500:100::/56,\n-             2a02:ec80:ff00:100::/56\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/INTERNAL_ipv6.nft].orig\n+++ File[/etc/nftables/sets/INTERNAL_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 disk_space]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Exec[Generate cert mlserve_staging_front_proxy refresh]", "parameters": "--- Exec[Generate cert mlserve_staging_front_proxy refresh].orig\n+++ Exec[Generate cert mlserve_staging_front_proxy refresh]\n\n+    
subscribe   => File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/mlserve_staging_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy\n\n"}, {"resource": "File[/etc/cfssl/csr/zuul.csr]", "content": "--- /etc/cfssl/csr/zuul.csr.orig\n+++ /etc/cfssl/csr/zuul.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"zuul\",\n+  \"hosts\": [\n+    \"zuul\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/zuul.csr].orig\n+++ File[/etc/cfssl/csr/zuul.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets]", "parameters": "--- File[/etc/nftables/sets].orig\n+++ File[/etc/nftables/sets]\n\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "Concat_file[/etc/bacula/ssl/cert.pem]", "parameters": "--- Concat_file[/etc/bacula/ssl/cert.pem].orig\n+++ Concat_file[/etc/bacula/ssl/cert.pem]\n\n+    show_diff      => True\n+    backup         => puppet\n+    replace        => True\n+    format         => plain\n+    ensure_newline => False\n+    force          => False\n+    mode           => 0644\n+    tag            => _etc_bacula_ssl_cert.pem\n+    order          => alpha\n"}, {"resource": 
"File[/etc/nftables/sets/CACHES_ipv4.nft]", "content": "--- /etc/nftables/sets/CACHES_ipv4.nft.orig\n+++ /etc/nftables/sets/CACHES_ipv4.nft\n@@ -1,117 +0,0 @@\n-# Autogenerated by puppet\n-set CACHES_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.0.79,\n-             10.64.0.229,\n-             10.64.0.14,\n-             10.64.0.51,\n-             10.64.16.241,\n-             10.64.16.94,\n-             10.64.16.95,\n-             10.64.16.240,\n-             10.64.32.14,\n-             10.64.32.60,\n-             10.64.32.15,\n-             10.64.32.65,\n-             10.64.48.16,\n-             10.64.48.41,\n-             10.64.48.27,\n-             10.64.48.28,\n-             10.192.23.26,\n-             10.192.6.20,\n-             10.192.12.35,\n-             10.192.14.25,\n-             10.192.4.22,\n-             10.192.29.26,\n-             10.192.30.29,\n-             10.192.36.19,\n-             10.192.40.25,\n-             10.192.41.21,\n-             10.192.56.3,\n-             10.192.56.4,\n-             10.192.57.3,\n-             10.192.58.2,\n-             10.192.58.3,\n-             10.192.59.2,\n-             10.80.0.14,\n-             10.80.1.11,\n-             10.80.0.13,\n-             10.80.1.9,\n-             10.80.0.12,\n-             10.80.1.7,\n-             10.80.0.11,\n-             10.80.1.6,\n-             10.80.0.10,\n-             10.80.1.5,\n-             10.80.0.8,\n-             10.80.1.4,\n-             10.80.0.7,\n-             10.80.1.3,\n-             10.80.0.6,\n-             10.80.1.2,\n-             10.128.0.19,\n-             10.128.1.27,\n-             10.128.0.22,\n-             10.128.1.28,\n-             10.128.0.25,\n-             10.128.1.29,\n-             10.128.0.26,\n-             10.128.1.31,\n-             10.128.0.14,\n-             10.128.1.35,\n-             10.128.0.21,\n-             10.128.1.36,\n-             10.128.0.24,\n-             10.128.1.10,\n-             10.128.0.37,\n-             
10.128.1.12,\n-             10.132.0.17,\n-             10.132.0.18,\n-             10.132.0.19,\n-             10.132.0.24,\n-             10.132.0.29,\n-             10.132.0.30,\n-             10.132.0.34,\n-             10.132.0.35,\n-             10.132.0.36,\n-             10.132.0.37,\n-             10.132.0.38,\n-             10.132.0.25,\n-             10.132.0.26,\n-             10.132.0.27,\n-             10.132.0.28,\n-             10.132.0.16,\n-             10.136.0.6,\n-             10.136.1.6,\n-             10.136.0.7,\n-             10.136.1.7,\n-             10.136.0.8,\n-             10.136.1.8,\n-             10.136.0.9,\n-             10.136.1.9,\n-             10.136.0.10,\n-             10.136.1.10,\n-             10.136.0.11,\n-             10.136.1.11,\n-             10.136.0.12,\n-             10.136.1.12,\n-             10.136.0.13,\n-             10.136.1.13,\n-             10.140.0.3,\n-             10.140.1.4,\n-             10.140.0.4,\n-             10.140.1.5,\n-             10.140.0.5,\n-             10.140.1.6,\n-             10.140.0.6,\n-             10.140.1.7,\n-             10.140.0.7,\n-             10.140.1.8,\n-             10.140.0.8,\n-             10.140.1.9,\n-             10.140.0.9,\n-             10.140.1.10,\n-             10.140.0.10,\n-             10.140.1.11\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CACHES_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CACHES_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]", "content": "--- /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf.orig\n+++ /etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf\n@@ -0,0 +1 @@\n+{\"driver\":\"mysql\",\"data_source\":\"pki:changeme@tcp(m1-master.eqiad.wmnet:3306)/pki?parseTime=true&tls=skip-verify\"}", "parameters": "--- 
File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf].orig\n+++ File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]\n\n+    show_diff => False\n+    require   => ['Package[golang-cfssl]']\n+    mode      => 0440\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/cfssl/csr/cassandra.csr]", "content": "--- /etc/cfssl/csr/cassandra.csr.orig\n+++ /etc/cfssl/csr/cassandra.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"cassandra\",\n+  \"hosts\": [\n+    \"cassandra\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/cassandra.csr].orig\n+++ File[/etc/cfssl/csr/cassandra.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => purged\n+    ensure => installed\n"}, {"resource": "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft\n@@ -1,38 +0,0 @@\n-# Autogenerated by puppet\n-set ANALYTICS_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 10.64.137.0/24,\n-             10.64.138.0/24,\n-             10.64.139.0/24,\n-             10.64.140.0/24,\n-             10.64.142.0/24,\n-             10.64.143.0/24,\n-             10.64.144.0/24,\n-             10.64.145.0/24,\n-             10.64.153.0/24,\n-             10.64.155.0/24,\n-             10.64.157.0/24,\n-             10.64.159.0/24,\n-             10.64.161.0/24,\n-             10.64.163.0/24,\n-             10.64.165.0/24,\n-             10.64.167.0/24,\n-             
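Review bot: The `data_source` written to `/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf` ends in `tls=skip-verify`, so the root CA signer's connection to `m1-master.eqiad.wmnet:3306` is encrypted but the server certificate is never validated. That leaves the `pki` database credentials and the certificate records dependent on the network path being trustworthy. Prefer `tls=true`, or a registered TLS config that names the internal CA bundle, so that chain and hostname are checked. The password renders as `changeme`, presumably a compile-time stand-in; confirm the production value comes from the private data source. Although the resource sets `show_diff => False`, the file body still appears in this report's `content` field, so the report needs the same handling as the file whenever real secrets are compiled in.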
10.64.170.0/24,\n-             10.64.172.0/24,\n-             10.64.174.0/24,\n-             10.64.176.0/24,\n-             10.64.178.0/24,\n-             10.64.180.0/24,\n-             10.64.182.0/24,\n-             10.64.184.0/24,\n-             10.64.186.0/24,\n-             10.64.188.0/24,\n-             10.64.190.0/24,\n-             10.64.21.0/24,\n-             10.64.36.0/24,\n-             10.64.5.0/24,\n-             10.64.53.0/24\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::infrastructure_foundations_nftables:\n+role::pki::root:\n - Infrastructure Foundations"}, {"resource": "Nftables::Set[CUMIN_MASTERS]", "parameters": "--- Nftables::Set[CUMIN_MASTERS].orig\n+++ Nftables::Set[CUMIN_MASTERS]\n\n-    ensure => present\n-    hosts  => ['10.64.16.154', '2620:0:861:102:10:64:16:154', '10.192.32.49', '2620:0:860:103:10:192:32:49']\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026].orig\n+++ File[/etc/cfssl/ssl/discovery2026]\n\n+    recurse => True\n+    mode    => 0740\n+    group   => root\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[Generate cert cloud_wmnet_ca]", "parameters": "--- Exec[Generate cert cloud_wmnet_ca].orig\n+++ Exec[Generate cert cloud_wmnet_ca]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem 
-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve/mlserve.csr]", "parameters": "--- File[/etc/cfssl/ssl/mlserve/mlserve.csr].orig\n+++ File[/etc/cfssl/ssl/mlserve/mlserve.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_ferm_active]", "content": "--- /etc/sudoers.d/nrpe-check_ferm_active.orig\n+++ /etc/sudoers.d/nrpe-check_ferm_active\n@@ -0,0 +1,3 @@\n+# This file is managed by Puppet!\n+\n+nagios ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm", "parameters": "--- File[/etc/sudoers.d/nrpe-check_ferm_active].orig\n+++ File[/etc/sudoers.d/nrpe-check_ferm_active]\n\n+    require      => Package[nagios-nrpe-server]\n+    mode         => 0440\n+    group        => root\n+    validate_cmd => /usr/sbin/visudo -cqf %\n+    ensure       => present\n+    owner        => root\n"}, {"resource": "Ferm::Service[ssh_from_bastion]", "parameters": "--- Ferm::Service[ssh_from_bastion].orig\n+++ Ferm::Service[ssh_from_bastion]\n\n+    desc                => \n+    prio                => 10\n+    proto               => tcp\n+    srange              => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n+ 
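Review bot: The new `/etc/sudoers.d/nrpe-check_ferm_active` entry lets `nagios` run `/usr/local/lib/nagios/plugins/check_ferm` as root without a password, and nothing in this section shows how that script is owned, so the grant is only as tight as the script's file permissions. Confirm the plugin's File resource is `owner => root`, `group => root` with no group or other write bit, and that the directories above it are root-owned as well. The rule also accepts arbitrary arguments; if the check takes none, `nagios ALL = (root) NOPASSWD: /usr/local/lib/nagios/plugins/check_ferm ""` pins it to an empty argument list. The `validate_cmd => /usr/sbin/visudo -cqf %` guard is worth keeping.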
   unrestricted_access => False\n+    notrack             => False\n+    ensure              => present\n+    port                => 22\n"}, {"resource": "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]", "parameters": "--- File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem].orig\n+++ File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "content": "--- /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft.orig\n+++ /etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft\n@@ -1,15 +0,0 @@\n-# Autogenerated by puppet\n-set KAFKA_BROKERS_LOGGING_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.16.205,\n-             10.64.133.11,\n-             10.64.183.12,\n-             10.64.131.13,\n-             10.64.135.13,\n-             10.192.23.29,\n-             10.192.11.28,\n-             10.192.26.22,\n-             10.192.11.27,\n-             10.192.39.25\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft].orig\n+++ File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "Exec[Generate cert dse_front_proxy]", "parameters": "--- Exec[Generate cert dse_front_proxy].orig\n+++ Exec[Generate cert dse_front_proxy]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    
command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse_front_proxy.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "content": "--- /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr.orig\n+++ /etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"Wikimedia_Internal_Root_CA_ocsp_signing_cert\",\n+  \"hosts\": [\n+    \"Wikimedia_Internal_Root_CA_ocsp_signing_cert\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr].orig\n+++ File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[KAFKA_BROKERS_LOGGING]", "parameters": "--- Nftables::Set[KAFKA_BROKERS_LOGGING].orig\n+++ Nftables::Set[KAFKA_BROKERS_LOGGING]\n\n-    ensure => present\n-    hosts  => ['10.64.16.205', '2620:0:861:102:10:64:16:205', '10.64.133.11', '2620:0:861:10c:10:64:133:11', '10.64.183.12', '2620:0:861:13d:10:64:183:12', '10.64.131.13', 
'2620:0:861:10a:10:64:131:13', '10.64.135.13', '2620:0:861:10e:10:64:135:13', '10.192.23.29', '2620:0:860:113:10:192:23:29', '10.192.11.28', '2620:0:860:10c:10:192:11:28', '10.192.26.22', '2620:0:860:105:10:192:26:22', '10.192.11.27', '2620:0:860:10c:10:192:11:27', '10.192.39.25', '2620:0:860:11e:10:192:39:25']\n"}, {"resource": "File[/etc/cfssl/ssl/kafka/kafka.pem]", "parameters": "--- File[/etc/cfssl/ssl/kafka/kafka.pem].orig\n+++ File[/etc/cfssl/ssl/kafka/kafka.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/postrouting]", "parameters": "--- File[/etc/nftables/postrouting].orig\n+++ File[/etc/nftables/postrouting]\n\n-    recurse => True\n-    group   => root\n-    ensure  => directory\n-    owner   => root\n-    purge   => True\n"}, {"resource": "Exec[Generate cert cloud_wmnet_ca refresh]", "parameters": "--- Exec[Generate cert cloud_wmnet_ca refresh].orig\n+++ Exec[Generate cert cloud_wmnet_ca refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/cloud_wmnet_ca.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/cloud_wmnet_ca.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca\n\n"}, {"resource": "Systemd::Service[prometheus-node-textfile-check-nft]", "parameters": "--- Systemd::Service[prometheus-node-textfile-check-nft].orig\n+++ Systemd::Service[prometheus-node-textfile-check-nft]\n\n-    override                 => False\n-    require                  => Systemd::Unit[prometheus-node-textfile-check-nft.service]\n-    unit_type                => timer\n-    restart                  => False\n-   
 service_params           => {}\n-    migration_task           => T407130\n-    monitoring_enabled       => False\n-    monitoring_contact_group => admins\n-    ensure                   => present\n-    monitoring_critical      => False\n"}, {"resource": "File[/etc/rsyslog.d/40-ulogd.conf]", "content": "--- /etc/rsyslog.d/40-ulogd.conf.orig\n+++ /etc/rsyslog.d/40-ulogd.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"ulogd\" then {\n+    action(\n+        type=\"omfile\" file=\"/var/log/ulogd/syslog.log\"\n+        fileOwner=\"root\" fileGroup=\"root\"\n+        fileCreateMode=\"0600\"\n+    )\n+    & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-ulogd.conf].orig\n+++ File[/etc/rsyslog.d/40-ulogd.conf]\n\n+    notify => Service[rsyslog]\n+    mode   => 0444\n+    group  => root\n+    ensure => present\n+    owner  => root\n"}, {"resource": "Concat_fragment[/etc/bacula_puppet_ca_chain]", "parameters": "--- Concat_fragment[/etc/bacula_puppet_ca_chain].orig\n+++ Concat_fragment[/etc/bacula_puppet_ca_chain]\n\n+    tag    => _etc_bacula_ssl_cert.pem\n+    source => /var/lib/puppet/ssl/certs/ca.pem\n+    order  => 02\n+    target => /etc/bacula/ssl/cert.pem\n"}, {"resource": "Systemd::Service[nrpe2nodexp-ferm_active]", "parameters": "--- Systemd::Service[nrpe2nodexp-ferm_active].orig\n+++ Systemd::Service[nrpe2nodexp-ferm_active]\n\n+    override                 => False\n+    require                  => Systemd::Unit[nrpe2nodexp-ferm_active.service]\n+    unit_type                => timer\n+    restart                  => False\n+    service_params           => {}\n+    migration_task           => T407130\n+    monitoring_enabled       => False\n+    monitoring_contact_group => admins\n+    ensure                   => present\n+    monitoring_critical      => False\n"}, {"resource": "Exec[renew certificate - kafka]", "parameters": "--- Exec[renew certificate - 
kafka].orig\n+++ Exec[renew certificate - kafka]\n\n+    require     => Exec[Generate cert kafka]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/kafka/kafka.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/kafka/kafka\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/kafka/kafka.pem -checkend 952200\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Package[bacula-common]", "parameters": "--- Package[bacula-common].orig\n+++ Package[bacula-common]\n\n+    ensure   => installed\n+    provider => apt\n"}, {"resource": "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem].orig\n+++ File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/cassandra.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]\n\n+    ensure      => present\n+    common_name => cassandra\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "parameters": "--- 
Nftables::Set[STAGING_KUBEPODS_NETWORKS].orig\n+++ Nftables::Set[STAGING_KUBEPODS_NETWORKS]\n\n-    ensure => present\n-    hosts  => ['10.64.64.0/21', '2620:0:861:babe::/64', '10.192.64.0/21', '2620:0:860:babe::/64']\n"}, {"resource": "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem].orig\n+++ File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]\n\n+    show_diff => False\n+    mode      => 0440\n+    backup    => False\n+    group     => root\n+    ensure    => file\n+    owner     => root\n"}, {"resource": "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "content": "--- /etc/nftables/sets/LINK_LOCAL_ipv6.nft.orig\n+++ /etc/nftables/sets/LINK_LOCAL_ipv6.nft\n@@ -1,8 +0,0 @@\n-# Autogenerated by puppet\n-set LINK_LOCAL_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { fe80::/10\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Class[Firewall]", "parameters": "--- Class[Firewall].orig\n+++ Class[Firewall]\n\n@@\n-    provider => nftables\n+    provider => ferm\n"}, {"resource": "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "content": "--- /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft.orig\n+++ /etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft\n@@ -1,13 +0,0 @@\n-# Autogenerated by puppet\n-set SANDBOX_NETWORKS_ipv6 {\n-    type ipv6_addr\n-    flags interval\n-    auto-merge\n-    elements = { 2001:df2:e500:202::/64,\n-             2620:0:860:201::/64,\n-             2620:0:861:202::/64,\n-             2620:0:863:201::/64,\n-             2a02:ec80:300:202::/64,\n-             2a02:ec80:700:201::/64\n-    }\n-}", 
"parameters": "--- File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "parameters": "--- Concat::Fragment[/etc/bacula_puppet_agent_cert].orig\n+++ Concat::Fragment[/etc/bacula_puppet_agent_cert]\n\n+    target => /etc/bacula/ssl/cert.pem\n+    order  => 01\n+    source => /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem\n"}, {"resource": "File[/etc/cfssl/ssl/syslog/syslog.pem]", "parameters": "--- File[/etc/cfssl/ssl/syslog/syslog.pem].orig\n+++ File[/etc/cfssl/ssl/syslog/syslog.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[renew certificate - wikikube_staging]", "parameters": "--- Exec[renew certificate - wikikube_staging].orig\n+++ Exec[renew certificate - wikikube_staging]\n\n+    require     => Exec[Generate cert wikikube_staging]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem -checkend 952200\n"}, {"resource": "Exec[Generate cert network_devices]", "parameters": "--- Exec[Generate cert network_devices].orig\n+++ Exec[Generate cert network_devices]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    
command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/network_devices.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/network_devices/network_devices\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/network_devices/network_devices.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/network_devices/network_devices-key.pem 2>&1)\"\n\n"}, {"resource": "Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "parameters": "--- Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert].orig\n+++ Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => Wikimedia_Internal_Root_CA_ocsp_signing_cert\n+    owner           => root\n+    profile         => ocsp\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]", "parameters": "--- File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr].orig\n+++ 
File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Nftables::Set[LINK_LOCAL]", "parameters": "--- Nftables::Set[LINK_LOCAL].orig\n+++ Nftables::Set[LINK_LOCAL]\n\n-    ensure => present\n-    hosts  => ['169.254.0.0/16', 'fe80::/10']\n"}, {"resource": "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]", "parameters": "--- File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem].orig\n+++ File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "content": "--- /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft.orig\n+++ /etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set DEPLOYMENT_HOSTS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.16.93,\n-             10.192.32.7\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Exec[renew certificate - syslog]", "parameters": "--- Exec[renew certificate - syslog].orig\n+++ Exec[renew certificate - syslog]\n\n+    require     => Exec[Generate cert syslog]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/syslog/syslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/syslog/syslog\n\n+    unless      => /usr/bin/openssl x509 -in 
/etc/cfssl/ssl/syslog/syslog.pem -checkend 952200\n"}, {"resource": "Exec[Generate cert discovery2026]", "parameters": "--- Exec[Generate cert discovery2026].orig\n+++ Exec[Generate cert discovery2026]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/discovery2026.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/discovery2026/discovery2026\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/discovery2026/discovery2026.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/discovery2026/discovery2026-key.pem 2>&1)\"\n\n"}, {"resource": "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "content": "--- /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft.orig\n+++ /etc/nftables/sets/CUMIN_MASTERS_ipv4.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set CUMIN_MASTERS_ipv4 {\n-    type ipv4_addr\n-    elements = { 10.64.16.154,\n-             10.192.32.49\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/cfssl/csr/mlserve_front_proxy.csr]", "content": "--- /etc/cfssl/csr/mlserve_front_proxy.csr.orig\n+++ /etc/cfssl/csr/mlserve_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"mlserve_front_proxy\",\n+  \"hosts\": [\n+    \"mlserve_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": 
\"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/mlserve_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/mlserve_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "parameters": "--- File[/etc/cfssl/ssl/discovery2026/discovery2026.pem].orig\n+++ File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/cfssl/csr/wikikube_front_proxy.csr]", "content": "--- /etc/cfssl/csr/wikikube_front_proxy.csr.orig\n+++ /etc/cfssl/csr/wikikube_front_proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"wikikube_front_proxy\",\n+  \"hosts\": [\n+    \"wikikube_front_proxy\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/wikikube_front_proxy.csr].orig\n+++ File[/etc/cfssl/csr/wikikube_front_proxy.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "content": "--- /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft.orig\n+++ /etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set CLOUD_PRIVATE_NETWORKS_ipv4 {\n-    type ipv4_addr\n-    flags interval\n-    auto-merge\n-    elements = { 172.20.1.0/24,\n-             172.20.2.0/24,\n-             172.20.3.0/24,\n-             172.20.4.0/24,\n-             172.20.5.0/24\n-    }\n-}", "parameters": "--- 
File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft].orig\n+++ File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "Nftables::Service[ssh-from-bastion]", "parameters": "--- Nftables::Service[ssh-from-bastion].orig\n+++ Nftables::Service[ssh-from-bastion]\n\n-    desc                => \n-    prio                => 10\n-    proto               => tcp\n-    unrestricted_access => False\n-    notrack             => False\n-    ensure              => present\n-    port                => 22\n-    src_ips             => ['103.102.166.103', '185.15.58.6', '185.15.59.99', '195.200.68.99', '198.35.26.104', '2001:df2:e500:3:103:102:166:103', '208.80.153.110', '208.80.154.7', '2620:0:860:4:208:80:153:110', '2620:0:861:1:208:80:154:7', '2620:0:863:3:198:35:26:104', '2a02:ec80:300:3:185:15:59:99', '2a02:ec80:600:1:185:15:58:6', '2a02:ec80:700:3:195:200:68:99']\n"}, {"resource": "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "parameters": "--- Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet].orig\n+++ Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]\n\n+    desc                => \n+    prio                => 10\n+    proto               => tcp\n+    srange              => ['backup1014.eqiad.wmnet']\n+    unrestricted_access => False\n+    notrack             => False\n+    ensure              => present\n+    port                => 9102\n"}, {"resource": "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "content": "--- /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp.orig\n+++ /etc/ferm/conf.d/10_full_monitoring_metrics_access_udp\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(udp, 1:65535, (10.64.0.82 10.64.16.62 10.64.32.85 10.64.48.171 208.80.153.42 208.80.154.78 2620:0:860:2:208:80:153:42 2620:0:861:101:10:64:0:82 2620:0:861:102:10:64:16:62 2620:0:861:103:10:64:32:85 2620:0:861:107:10:64:48:171 2620:0:861:3:208:80:154:78));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp].orig\n+++ File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]\n\n+    require => File[/etc/ferm/conf.d]\n+    notify  => Service[ferm]\n+    mode    => 0400\n+    group   => root\n+    ensure  => present\n+    tag     => ferm\n+    owner   => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/wikikube.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]\n\n+    ensure      => present\n+    common_name => wikikube\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]\n\n+    ensure      => present\n+    common_name => mlserve_staging_front_proxy\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "Puppet::Expose_agent_certs[/etc/bacula]", "parameters": "--- Puppet::Expose_agent_certs[/etc/bacula].orig\n+++ Puppet::Expose_agent_certs[/etc/bacula]\n\n+    provide_private => True\n+    require         => Package[bacula-fd]\n+    notify          => Service[bacula-fd]\n+    
provide_p12     => False\n+    user            => bacula\n+    ssldir          => /var/lib/puppet/ssl\n+    provide_keypair => True\n+    group           => bacula\n+    ensure          => present\n+    provide_pem     => True\n"}, {"resource": "Exec[Generate cert dse refresh]", "parameters": "--- Exec[Generate cert dse refresh].orig\n+++ Exec[Generate cert dse refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/dse.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/dse.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse/dse\n\n"}, {"resource": "Exec[renew certificate - cassandra]", "parameters": "--- Exec[renew certificate - cassandra].orig\n+++ Exec[renew certificate - cassandra]\n\n+    require     => Exec[Generate cert cassandra]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl sign -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/ssl/cassandra/cassandra.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/cassandra/cassandra\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cfssl/ssl/cassandra/cassandra.pem -checkend 952200\n"}, {"resource": "Exec[create-/etc/bacula-keypair]", "parameters": "--- Exec[create-/etc/bacula-keypair].orig\n+++ Exec[create-/etc/bacula-keypair]\n\n+    creates => /etc/bacula/ssl/server-keypair.pem\n+    before  => File[/etc/bacula/ssl/server-keypair.pem]\n+    command => /bin/cat                          
/var/lib/puppet/ssl/private_keys/pki-root1002.eqiad.wmnet.pem                          /var/lib/puppet/ssl/certs/pki-root1002.eqiad.wmnet.pem                         > /etc/bacula/ssl/server-keypair.pem\n+    require => File[/etc/bacula/ssl]\n"}, {"resource": "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/BASTION_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/BASTION_HOSTS_ipv6.nft\n@@ -1,12 +0,0 @@\n-# Autogenerated by puppet\n-set BASTION_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:1:208:80:154:7,\n-             2a02:ec80:300:3:185:15:59:99,\n-             2620:0:860:4:208:80:153:110,\n-             2620:0:863:3:198:35:26:104,\n-             2001:df2:e500:3:103:102:166:103,\n-             2a02:ec80:600:1:185:15:58:6,\n-             2a02:ec80:700:3:195:200:68:99\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "content": "--- /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft.orig\n+++ /etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft\n@@ -1,7 +0,0 @@\n-# Autogenerated by puppet\n-set LABSTORE_HOSTS_ipv6 {\n-    type ipv6_addr\n-    elements = { 2620:0:861:2:208:80:154:142,\n-             2620:0:861:3:208:80:154:71\n-    }\n-}", "parameters": "--- File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft].orig\n+++ File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]\n\n-    notify => ['Service[nftables]']\n-    mode   => 0444\n-    group  => root\n-    ensure => present\n-    tag    => nft\n-    owner  => root\n"}, {"resource": "File[/etc/ferm/functions.conf]", "parameters": "--- File[/etc/ferm/functions.conf].orig\n+++ File[/etc/ferm/functions.conf]\n\n+    require => Package[ferm]\n+    notify  => Service[ferm]\n+    mode    => 
0400\n+    group   => root\n+    ensure  => file\n+    owner   => root\n+    source  => puppet:///modules/ferm/functions.conf\n"}, {"resource": "Ferm::Filter_log[filter-bootp]", "parameters": "--- Ferm::Filter_log[filter-bootp].orig\n+++ Ferm::Filter_log[filter-bootp]\n\n+    dport  => 68\n+    daddr  => 255.255.255.255\n+    ensure => present\n+    sport  => 67\n+    proto  => udp\n"}, {"resource": "Systemd::Unmask[nftables.service]", "parameters": "--- Systemd::Unmask[nftables.service].orig\n+++ Systemd::Unmask[nftables.service]\n\n-    refreshonly => False\n-    unit        => nftables.service\n"}, {"resource": "Cfssl::Cert[wikikube_staging_front_proxy]", "parameters": "--- Cfssl::Cert[wikikube_staging_front_proxy].orig\n+++ Cfssl::Cert[wikikube_staging_front_proxy]\n\n+    notify_services => []\n+    key             => {'algo': 'ecdsa', 'size': 521}\n+    signer_config   => {'config_dir': '/etc/cfssl/signers/Wikimedia_Internal_Root_CA'}\n+    common_name     => wikikube_staging_front_proxy\n+    owner           => root\n+    profile         => intermediate\n+    mode            => 0740\n+    ensure          => present\n+    names           => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    provide_chain   => False\n+    require         => Cfssl::Signer[Wikimedia_Internal_Root_CA]\n+    before_services => []\n+    group           => root\n+    renew_seconds   => 952200\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    auto_renew      => True\n+    hosts           => []\n"}, {"resource": "File[/etc/nftables.conf]", "parameters": "--- File[/etc/nftables.conf].orig\n+++ File[/etc/nftables.conf]\n\n-    ensure => absent\n-    owner  => root\n-    group  => root\n"}, {"resource": "Rsyslog::Conf[ulogd]", "parameters": "--- Rsyslog::Conf[ulogd].orig\n+++ Rsyslog::Conf[ulogd]\n\n+    ensure   => present\n+    priority => 40\n+    mode     => 
0444\n+    require  => File[/var/log/ulogd]\n"}, {"resource": "File[/etc/cfssl/ssl/aux/aux.pem]", "parameters": "--- File[/etc/cfssl/ssl/aux/aux.pem].orig\n+++ File[/etc/cfssl/ssl/aux/aux.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Service[prometheus-node-textfile-check-nft.timer]", "parameters": "--- Service[prometheus-node-textfile-check-nft.timer].orig\n+++ Service[prometheus-node-textfile-check-nft.timer]\n\n-    ensure   => running\n-    provider => systemd\n-    enable   => True\n"}, {"resource": "File[/etc/bacula/ssl/server-keypair.pem]", "parameters": "--- File[/etc/bacula/ssl/server-keypair.pem].orig\n+++ File[/etc/bacula/ssl/server-keypair.pem]\n\n+    ensure => present\n+    mode   => 0400\n+    owner  => bacula\n+    group  => bacula\n"}, {"resource": "File[/etc/cfssl/ssl/aux/aux.csr]", "parameters": "--- File[/etc/cfssl/ssl/aux/aux.csr].orig\n+++ File[/etc/cfssl/ssl/aux/aux.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]\n\n-    refreshonly => True\n-    before      => ['Service[prometheus-node-textfile-check-nft.timer]']\n-    command     => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[Generate cert puppet refresh]", "parameters": "--- Exec[Generate cert puppet refresh].orig\n+++ Exec[Generate cert puppet refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/puppet.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem 
-ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/puppet.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/puppet/puppet\n\n"}, {"resource": "Motd::Message[pki::root]", "parameters": "--- Motd::Message[pki::root].orig\n+++ Motd::Message[pki::root]\n\n+    ensure   => present\n+    message  => pki-root1002 is a PKI RootCA (pki::root)\n+    priority => 5\n"}, {"resource": "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "parameters": "--- Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)].orig\n+++ Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]\n\n+    refreshonly => True\n+    before      => ['Service[ferm]']\n+    command     => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_ferm]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_ferm].orig\n+++ File[/usr/local/lib/nagios/plugins/check_ferm]\n\n+    require => File[/usr/local/lib/nagios/plugins/]\n+    mode    => 0555\n+    group   => root\n+    ensure  => file\n+    tag     => nrpe::plugin\n+    owner   => root\n+    source  => puppet:///modules/base/firewall/check_ferm\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka.csr]\n\n+    ensure      => present\n+    common_name => kafka\n+    names       => [{'organisation': 'Wikimedia Foundation, Inc', 'organisational_unit': 'SRE Foundations', 'locality': 'San Francisco', 'state': 'California', 'country': 'US'}]\n+    key         => {'algo': 'ecdsa', 'size': 521}\n+    hosts       => []\n"}, {"resource": "File[/etc/cfssl/csr/mlserve_staging.csr]", "content": "--- /etc/cfssl/csr/mlserve_staging.csr.orig\n+++ 
/etc/cfssl/csr/mlserve_staging.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"mlserve_staging\",\n+  \"hosts\": [\n+    \"mlserve_staging\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 521\n+  },\n+  \"names\": [\n+    {\n+      \"C\": \"US\",\n+      \"L\": \"San Francisco\",\n+      \"O\": \"Wikimedia Foundation, Inc\",\n+      \"OU\": \"SRE Foundations\",\n+      \"S\": \"California\"\n+    }\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/mlserve_staging.csr].orig\n+++ File[/etc/cfssl/csr/mlserve_staging.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert wikikube_staging]", "parameters": "--- Exec[Generate cert wikikube_staging].orig\n+++ Exec[Generate cert wikikube_staging]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    command     => /usr/bin/cfssl gencert -ca=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca.pem -ca-key=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca/ca-key.pem -config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf -db-config=/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf  -profile intermediate /etc/cfssl/csr/wikikube_staging.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/wikikube_staging/wikikube_staging\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem 2>&1)\"\n\n"}], "perc_changed": "37.90%"}, "core": {"total": 2929, "only_in_self": ["Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", 
"Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", "File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", 
"File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", 
"File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", "Node[__node_regexp__pki-root1002.eqiad.]", "Package[nftables]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]"], "only_in_other": ["Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", 
"Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]", "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[Generate cert aux refresh]", "Exec[Generate cert aux]", "Exec[Generate cert aux_front_proxy refresh]", "Exec[Generate cert aux_front_proxy]", "Exec[Generate cert cassandra refresh]", "Exec[Generate cert cassandra]", "Exec[Generate cert cloud_wmnet_ca refresh]", "Exec[Generate cert cloud_wmnet_ca]", "Exec[Generate cert debmonitor refresh]", "Exec[Generate cert debmonitor]", "Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[Generate cert dse refresh]", "Exec[Generate cert dse]", "Exec[Generate cert dse_front_proxy refresh]", "Exec[Generate cert dse_front_proxy]", "Exec[Generate cert etcd refresh]", "Exec[Generate cert etcd]", "Exec[Generate cert kafka refresh]", "Exec[Generate cert kafka]", "Exec[Generate cert mlserve refresh]", "Exec[Generate cert mlserve]", "Exec[Generate cert mlserve_front_proxy refresh]", "Exec[Generate cert mlserve_front_proxy]", "Exec[Generate cert mlserve_staging refresh]", "Exec[Generate cert mlserve_staging]", "Exec[Generate cert mlserve_staging_front_proxy refresh]", "Exec[Generate cert mlserve_staging_front_proxy]", "Exec[Generate cert network_devices refresh]", "Exec[Generate cert network_devices]", "Exec[Generate cert puppet refresh]", "Exec[Generate cert puppet]", "Exec[Generate cert puppet_rsa refresh]", "Exec[Generate cert puppet_rsa]", "Exec[Generate cert syslog refresh]", "Exec[Generate cert syslog]", "Exec[Generate cert wikikube refresh]", "Exec[Generate cert wikikube]", "Exec[Generate cert wikikube_front_proxy refresh]", "Exec[Generate cert wikikube_front_proxy]", "Exec[Generate cert wikikube_staging refresh]", "Exec[Generate cert wikikube_staging]", "Exec[Generate cert wikikube_staging_front_proxy refresh]", "Exec[Generate cert wikikube_staging_front_proxy]", 
"Exec[Generate cert zuul refresh]", "Exec[Generate cert zuul]", "Exec[apt_package_from_component_bacula-trixie]", "Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[create-/etc/bacula-keypair]", "Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[renew certificate - aux]", "Exec[renew certificate - aux_front_proxy]", "Exec[renew certificate - cassandra]", "Exec[renew certificate - cloud_wmnet_ca]", "Exec[renew certificate - debmonitor]", "Exec[renew certificate - discovery2026]", "Exec[renew certificate - dse]", "Exec[renew certificate - dse_front_proxy]", "Exec[renew certificate - etcd]", "Exec[renew certificate - kafka]", "Exec[renew certificate - mlserve]", "Exec[renew certificate - mlserve_front_proxy]", "Exec[renew certificate - mlserve_staging]", "Exec[renew certificate - mlserve_staging_front_proxy]", "Exec[renew certificate - network_devices]", "Exec[renew certificate - puppet]", "Exec[renew certificate - puppet_rsa]", "Exec[renew certificate - syslog]", "Exec[renew certificate - wikikube]", "Exec[renew certificate - wikikube_front_proxy]", "Exec[renew certificate - wikikube_staging]", "Exec[renew certificate - wikikube_staging_front_proxy]", "Exec[renew certificate - zuul]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]", "File[/etc/bacula/bacula-fd.conf]", 
"File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/csr/aux.csr]", "File[/etc/cfssl/csr/aux_front_proxy.csr]", "File[/etc/cfssl/csr/cassandra.csr]", "File[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "File[/etc/cfssl/csr/debmonitor.csr]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/csr/dse.csr]", "File[/etc/cfssl/csr/dse_front_proxy.csr]", "File[/etc/cfssl/csr/etcd.csr]", "File[/etc/cfssl/csr/kafka.csr]", "File[/etc/cfssl/csr/mlserve.csr]", "File[/etc/cfssl/csr/mlserve_front_proxy.csr]", "File[/etc/cfssl/csr/mlserve_staging.csr]", "File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/csr/network_devices.csr]", "File[/etc/cfssl/csr/puppet.csr]", "File[/etc/cfssl/csr/puppet_rsa.csr]", "File[/etc/cfssl/csr/syslog.csr]", "File[/etc/cfssl/csr/wikikube.csr]", "File[/etc/cfssl/csr/wikikube_front_proxy.csr]", "File[/etc/cfssl/csr/wikikube_staging.csr]", "File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/csr/zuul.csr]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "File[/etc/cfssl/ssl/aux/aux-key.pem]", "File[/etc/cfssl/ssl/aux/aux.csr]", "File[/etc/cfssl/ssl/aux/aux.pem]", 
"File[/etc/cfssl/ssl/aux]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]", "File[/etc/cfssl/ssl/aux_front_proxy]", "File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]", "File[/etc/cfssl/ssl/cassandra/cassandra.csr]", "File[/etc/cfssl/ssl/cassandra/cassandra.pem]", "File[/etc/cfssl/ssl/cassandra]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca]", "File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]", "File[/etc/cfssl/ssl/debmonitor]", "File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]", "File[/etc/cfssl/ssl/dse/dse-key.pem]", "File[/etc/cfssl/ssl/dse/dse.csr]", "File[/etc/cfssl/ssl/dse/dse.pem]", "File[/etc/cfssl/ssl/dse]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]", "File[/etc/cfssl/ssl/dse_front_proxy]", "File[/etc/cfssl/ssl/etcd/etcd-key.pem]", "File[/etc/cfssl/ssl/etcd/etcd.csr]", "File[/etc/cfssl/ssl/etcd/etcd.pem]", "File[/etc/cfssl/ssl/etcd]", "File[/etc/cfssl/ssl/kafka/kafka-key.pem]", "File[/etc/cfssl/ssl/kafka/kafka.csr]", "File[/etc/cfssl/ssl/kafka/kafka.pem]", "File[/etc/cfssl/ssl/kafka]", "File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]", "File[/etc/cfssl/ssl/mlserve/mlserve.csr]", "File[/etc/cfssl/ssl/mlserve/mlserve.pem]", "File[/etc/cfssl/ssl/mlserve]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]", 
"File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_front_proxy]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]", "File[/etc/cfssl/ssl/mlserve_staging]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy]", "File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]", "File[/etc/cfssl/ssl/network_devices/network_devices.csr]", "File[/etc/cfssl/ssl/network_devices/network_devices.pem]", "File[/etc/cfssl/ssl/network_devices]", "File[/etc/cfssl/ssl/puppet/puppet-key.pem]", "File[/etc/cfssl/ssl/puppet/puppet.csr]", "File[/etc/cfssl/ssl/puppet/puppet.pem]", "File[/etc/cfssl/ssl/puppet]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]", "File[/etc/cfssl/ssl/puppet_rsa]", "File[/etc/cfssl/ssl/syslog/syslog-key.pem]", "File[/etc/cfssl/ssl/syslog/syslog.csr]", "File[/etc/cfssl/ssl/syslog/syslog.pem]", "File[/etc/cfssl/ssl/syslog]", "File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]", "File[/etc/cfssl/ssl/wikikube/wikikube.csr]", "File[/etc/cfssl/ssl/wikikube/wikikube.pem]", "File[/etc/cfssl/ssl/wikikube]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]", 
"File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]", "File[/etc/cfssl/ssl/wikikube_staging]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy]", "File[/etc/cfssl/ssl/zuul/zuul-key.pem]", "File[/etc/cfssl/ssl/zuul/zuul.csr]", "File[/etc/cfssl/ssl/zuul/zuul.pem]", "File[/etc/cfssl/ssl/zuul]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--root]", "File[/etc/update-motd.d/06-backups-pki-root-cfssl]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", 
"File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_ulogd2]", "Node[__node_regexp__pki-root10012.eqiad.]", "Package[bacula-common]", "Package[bacula-fd]", "Package[ulogd2]", "Service[bacula-fd]", "Service[ferm]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_ulogd2.timer]"], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": "--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => absent\n+    ensure => installed\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => absent\n+    ensure => directory\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- 
File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => purged\n+    ensure => installed\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::infrastructure_foundations_nftables:\n+role::pki::root:\n - Infrastructure Foundations"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"pki::root\",cluster=\"pki\"} 1.0"}], "perc_changed": "13.01%"}, "main": {"total": 2929, "only_in_self": ["Class[Nftables]", "Class[Profile::Firewall::Nftables_base_sets]", "Class[Role::Insetup::Infrastructure_foundations_nftables]", "Exec[systemd daemon-reload for nftables.service (nftables)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.service (prometheus-node-textfile-check-nft.service)]", "Exec[systemd daemon-reload for prometheus-node-textfile-check-nft.timer (prometheus-node-textfile-check-nft.timer)]", "Exec[unmask_nftables.service]", "File[/etc/logrotate.d/prometheus-node-textfile-check-nft]", "File[/etc/nftables.conf]", "File[/etc/nftables/100_base_puppet.nft]", "File[/etc/nftables/]", "File[/etc/nftables/forward]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "File[/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft]", "File[/etc/nftables/input/10_ssh-from-bastion.nft]", "File[/etc/nftables/input/10_ssh-from-cumin-masters.nft]", 
"File[/etc/nftables/input]", "File[/etc/nftables/main.nft]", "File[/etc/nftables/notrack]", "File[/etc/nftables/output]", "File[/etc/nftables/postrouting]", "File[/etc/nftables/prerouting]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/ANALYTICS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/AUX_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/BASTION_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/CACHES_ipv4.nft]", "File[/etc/nftables/sets/CACHES_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_PUBLIC_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/CLOUD_PRIVATE_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv4.nft]", "File[/etc/nftables/sets/CUMIN_MASTERS_ipv6.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DEPLOYMENT_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DOMAIN_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/DRUID_PUBLIC_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/DSE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/FRACK_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/INSTALL_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/INTERNAL_ipv4.nft]", "File[/etc/nftables/sets/INTERNAL_ipv6.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/KAFKAMON_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv4.nft]", 
"File[/etc/nftables/sets/KAFKA_BROKERS_JUMBO_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_LOGGING_ipv6.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/KAFKA_BROKERS_MAIN_ipv6.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/LABSTORE_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/LABS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv4.nft]", "File[/etc/nftables/sets/LINK_LOCAL_ipv6.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv4.nft]", "File[/etc/nftables/sets/LOAD_BALANCER_HEALTH_CHECKS_ipv6.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MGMT_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSERVE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MLSTAGE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/MW_APPSERVER_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv4.nft]", "File[/etc/nftables/sets/MYSQL_ROOT_CLIENTS_ipv6.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv4.nft]", "File[/etc/nftables/sets/NETWORK_INFRA_ipv6.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/PRODUCTION_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/PROMETHEUS_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/SANDBOX_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/STAGING_KUBEPODS_NETWORKS_ipv6.nft]", 
"File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv4.nft]", "File[/etc/nftables/sets/WIKIKUBE_KUBEPODS_NETWORKS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_FLINK_HOSTS_ipv6.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv4.nft]", "File[/etc/nftables/sets/ZOOKEEPER_HOSTS_MAIN_ipv6.nft]", "File[/etc/nftables/sets]", "File[/etc/rsyslog.d/40-prometheus-node-textfile-check-nft.conf]", "File[/etc/systemd/system/nftables.service.d/puppet-override.conf]", "File[/etc/systemd/system/nftables.service.d]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-nftables]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.service]", "File[/lib/systemd/system/prometheus-node-textfile-check-nft.timer]", "File[/usr/local/bin/check-nft]", "File[/var/log/prometheus-node-textfile-check-nft]", "Logrotate::Conf[prometheus-node-textfile-check-nft]", "Motd::Message[insetup::infrastructure_foundations_nftables]", "Motd::Script[insetup::infrastructure_foundations_nftables]", "Nftables::File[base]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]", "Nftables::Set[ANALYTICS_NETWORKS]", "Nftables::Set[AUX_KUBEPODS_NETWORKS]", "Nftables::Set[BASTION_HOSTS]", "Nftables::Set[CACHES]", "Nftables::Set[CLOUD_NETWORKS]", "Nftables::Set[CLOUD_NETWORKS_PUBLIC]", "Nftables::Set[CLOUD_PRIVATE_NETWORKS]", "Nftables::Set[CUMIN_MASTERS]", "Nftables::Set[DEPLOYMENT_HOSTS]", "Nftables::Set[DOMAIN_NETWORKS]", "Nftables::Set[DRUID_PUBLIC_HOSTS]", "Nftables::Set[DSE_KUBEPODS_NETWORKS]", "Nftables::Set[FRACK_NETWORKS]", "Nftables::Set[INSTALL_HOSTS]", "Nftables::Set[INTERNAL]", "Nftables::Set[KAFKAMON_HOSTS]", "Nftables::Set[KAFKA_BROKERS_JUMBO]", "Nftables::Set[KAFKA_BROKERS_LOGGING]", "Nftables::Set[KAFKA_BROKERS_MAIN]", "Nftables::Set[LABSTORE_HOSTS]", 
"Nftables::Set[LABS_NETWORKS]", "Nftables::Set[LINK_LOCAL]", "Nftables::Set[LOAD_BALANCER_HEALTH_CHECKS]", "Nftables::Set[MGMT_NETWORKS]", "Nftables::Set[MLSERVE_KUBEPODS_NETWORKS]", "Nftables::Set[MLSTAGE_KUBEPODS_NETWORKS]", "Nftables::Set[MONITORING_HOSTS]", "Nftables::Set[MW_APPSERVER_NETWORKS]", "Nftables::Set[MYSQL_ROOT_CLIENTS]", "Nftables::Set[NETWORK_INFRA]", "Nftables::Set[PRODUCTION_NETWORKS]", "Nftables::Set[PROMETHEUS_HOSTS]", "Nftables::Set[SANDBOX_NETWORKS]", "Nftables::Set[STAGING_KUBEPODS_NETWORKS]", "Nftables::Set[WIKIKUBE_KUBEPODS_NETWORKS]", "Nftables::Set[ZOOKEEPER_FLINK_HOSTS]", "Nftables::Set[ZOOKEEPER_HOSTS_MAIN]", "Node[__node_regexp__pki-root1002.eqiad.]", "Package[nftables]", "Prometheus::Node_textfile[check-nft]", "Rsyslog::Conf[prometheus-node-textfile-check-nft]", "Service[nftables]", "Service[prometheus-node-textfile-check-nft.timer]", "Systemd::Service[nftables]", "Systemd::Service[prometheus-node-textfile-check-nft]", "Systemd::Syslog[prometheus-node-textfile-check-nft]", "Systemd::Timer::Job[prometheus-node-textfile-check-nft]", "Systemd::Timer[prometheus-node-textfile-check-nft]", "Systemd::Unit[nftables]", "Systemd::Unit[prometheus-node-textfile-check-nft.service]", "Systemd::Unit[prometheus-node-textfile-check-nft.timer]", "Systemd::Unmask[nftables.service]"], "only_in_other": ["Alternatives::Select[ip6tables]", "Alternatives::Select[iptables]", "Apt::Package_from_component[bacula-trixie]", "Apt::Repository[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Backup::Set[pki-root-cfssl]", "Bacula::Client::Job[pki-root-cfssl-Monthly-1st-Wed-productionEqiad]", "Cfssl::Cert[Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Cfssl::Cert[aux]", "Cfssl::Cert[aux_front_proxy]", "Cfssl::Cert[cassandra]", "Cfssl::Cert[cloud_wmnet_ca]", "Cfssl::Cert[debmonitor]", "Cfssl::Cert[discovery2026]", "Cfssl::Cert[dse]", "Cfssl::Cert[dse_front_proxy]", "Cfssl::Cert[etcd]", "Cfssl::Cert[kafka]", "Cfssl::Cert[mlserve]", 
"Cfssl::Cert[mlserve_front_proxy]", "Cfssl::Cert[mlserve_staging]", "Cfssl::Cert[mlserve_staging_front_proxy]", "Cfssl::Cert[network_devices]", "Cfssl::Cert[puppet]", "Cfssl::Cert[puppet_rsa]", "Cfssl::Cert[syslog]", "Cfssl::Cert[wikikube]", "Cfssl::Cert[wikikube_front_proxy]", "Cfssl::Cert[wikikube_staging]", "Cfssl::Cert[wikikube_staging_front_proxy]", "Cfssl::Cert[zuul]", "Cfssl::Config[Wikimedia_Internal_Root_CA]", "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "Cfssl::Csr[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "Cfssl::Csr[/etc/cfssl/csr/aux.csr]", "Cfssl::Csr[/etc/cfssl/csr/aux_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/cassandra.csr]", "Cfssl::Csr[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "Cfssl::Csr[/etc/cfssl/csr/debmonitor.csr]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/etcd.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging.csr]", "Cfssl::Csr[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/network_devices.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet.csr]", "Cfssl::Csr[/etc/cfssl/csr/puppet_rsa.csr]", "Cfssl::Csr[/etc/cfssl/csr/syslog.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging.csr]", "Cfssl::Csr[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/zuul.csr]", "Cfssl::Db[Wikimedia_Internal_Root_CA]", "Cfssl::Signer[Wikimedia_Internal_Root_CA]", "Class[Bacula::Client]", "Class[Profile::Backup::Host]", "Class[Profile::Firewall::Log::Ferm]", "Class[Profile::Pki::Root_ca]", "Class[Role::Pki::Root]", "Class[Ulogd]", "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "Concat::Fragment[/etc/bacula_puppet_ca_chain]", 
"Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "Concat::Fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Concat[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.sources]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia-header]", "Concat_fragment[component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert refresh]", "Exec[Generate cert Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[Generate cert aux refresh]", "Exec[Generate cert aux]", "Exec[Generate cert aux_front_proxy refresh]", "Exec[Generate cert aux_front_proxy]", "Exec[Generate cert cassandra refresh]", "Exec[Generate cert cassandra]", "Exec[Generate cert cloud_wmnet_ca refresh]", "Exec[Generate cert cloud_wmnet_ca]", "Exec[Generate cert debmonitor refresh]", "Exec[Generate cert debmonitor]", "Exec[Generate cert discovery2026 refresh]", "Exec[Generate cert discovery2026]", "Exec[Generate cert dse refresh]", "Exec[Generate cert dse]", "Exec[Generate cert dse_front_proxy refresh]", "Exec[Generate cert dse_front_proxy]", "Exec[Generate cert etcd refresh]", "Exec[Generate cert etcd]", "Exec[Generate cert kafka refresh]", "Exec[Generate cert kafka]", "Exec[Generate cert mlserve refresh]", "Exec[Generate cert mlserve]", "Exec[Generate cert mlserve_front_proxy refresh]", "Exec[Generate cert mlserve_front_proxy]", "Exec[Generate cert mlserve_staging refresh]", "Exec[Generate cert mlserve_staging]", "Exec[Generate cert mlserve_staging_front_proxy refresh]", "Exec[Generate cert mlserve_staging_front_proxy]", 
"Exec[Generate cert network_devices refresh]", "Exec[Generate cert network_devices]", "Exec[Generate cert puppet refresh]", "Exec[Generate cert puppet]", "Exec[Generate cert puppet_rsa refresh]", "Exec[Generate cert puppet_rsa]", "Exec[Generate cert syslog refresh]", "Exec[Generate cert syslog]", "Exec[Generate cert wikikube refresh]", "Exec[Generate cert wikikube]", "Exec[Generate cert wikikube_front_proxy refresh]", "Exec[Generate cert wikikube_front_proxy]", "Exec[Generate cert wikikube_staging refresh]", "Exec[Generate cert wikikube_staging]", "Exec[Generate cert wikikube_staging_front_proxy refresh]", "Exec[Generate cert wikikube_staging_front_proxy]", "Exec[Generate cert zuul refresh]", "Exec[Generate cert zuul]", "Exec[apt_package_from_component_bacula-trixie]", "Exec[apt_repository_component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia]", "Exec[create-/etc/bacula-keypair]", "Exec[renew certificate - Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "Exec[renew certificate - aux]", "Exec[renew certificate - aux_front_proxy]", "Exec[renew certificate - cassandra]", "Exec[renew certificate - cloud_wmnet_ca]", "Exec[renew certificate - debmonitor]", "Exec[renew certificate - discovery2026]", "Exec[renew certificate - dse]", "Exec[renew certificate - dse_front_proxy]", "Exec[renew certificate - etcd]", "Exec[renew certificate - kafka]", "Exec[renew certificate - mlserve]", "Exec[renew certificate - mlserve_front_proxy]", "Exec[renew certificate - mlserve_staging]", "Exec[renew certificate - mlserve_staging_front_proxy]", "Exec[renew certificate - network_devices]", "Exec[renew certificate - puppet]", "Exec[renew certificate - puppet_rsa]", "Exec[renew certificate - syslog]", "Exec[renew certificate - wikikube]", "Exec[renew certificate - wikikube_front_proxy]", "Exec[renew certificate - wikikube_staging]", "Exec[renew certificate - wikikube_staging_front_proxy]", "Exec[renew certificate - zuul]", "Exec[systemd daemon-reload for ferm.service 
(ferm-ferm-service-status-restart)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.service (nrpe2nodexp-ferm_active.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-ferm_active.timer (nrpe2nodexp-ferm_active.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.service (wmf_auto_restart_ulogd2.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_ulogd2.timer (wmf_auto_restart_ulogd2.timer)]", "Exec[update_alternative_ip6tables]", "Exec[update_alternative_iptables]", "Ferm::Conf[defs]", "Ferm::Conf[main]", "Ferm::Filter_log[filter-bootp]", "Ferm::Rule[drop-blocked-nets]", "Ferm::Rule[dscp-default]", "Ferm::Rule[filter_log_filter-bootp]", "Ferm::Rule[log-everything]", "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]", "File[/etc/apt/sources.list.d/component-bacula9-apt.wikimedia.org-wikimedia-trixie-wikimedia.list]", "File[/etc/bacula/bacula-fd.conf]", "File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA.csr]", "File[/etc/cfssl/csr/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/csr/aux.csr]", "File[/etc/cfssl/csr/aux_front_proxy.csr]", "File[/etc/cfssl/csr/cassandra.csr]", "File[/etc/cfssl/csr/cloud_wmnet_ca.csr]", "File[/etc/cfssl/csr/debmonitor.csr]", "File[/etc/cfssl/csr/discovery2026.csr]", "File[/etc/cfssl/csr/dse.csr]", "File[/etc/cfssl/csr/dse_front_proxy.csr]", "File[/etc/cfssl/csr/etcd.csr]", "File[/etc/cfssl/csr/kafka.csr]", "File[/etc/cfssl/csr/mlserve.csr]", "File[/etc/cfssl/csr/mlserve_front_proxy.csr]", "File[/etc/cfssl/csr/mlserve_staging.csr]", "File[/etc/cfssl/csr/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/csr/network_devices.csr]", 
"File[/etc/cfssl/csr/puppet.csr]", "File[/etc/cfssl/csr/puppet_rsa.csr]", "File[/etc/cfssl/csr/syslog.csr]", "File[/etc/cfssl/csr/wikikube.csr]", "File[/etc/cfssl/csr/wikikube_front_proxy.csr]", "File[/etc/cfssl/csr/wikikube_staging.csr]", "File[/etc/cfssl/csr/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/csr/zuul.csr]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/ca]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/cfssl.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA/db.conf]", "File[/etc/cfssl/signers/Wikimedia_Internal_Root_CA]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert-key.pem]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.csr]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert/Wikimedia_Internal_Root_CA_ocsp_signing_cert.pem]", "File[/etc/cfssl/ssl/Wikimedia_Internal_Root_CA_ocsp_signing_cert]", "File[/etc/cfssl/ssl/aux/aux-key.pem]", "File[/etc/cfssl/ssl/aux/aux.csr]", "File[/etc/cfssl/ssl/aux/aux.pem]", "File[/etc/cfssl/ssl/aux]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy-key.pem]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.csr]", "File[/etc/cfssl/ssl/aux_front_proxy/aux_front_proxy.pem]", "File[/etc/cfssl/ssl/aux_front_proxy]", "File[/etc/cfssl/ssl/cassandra/cassandra-key.pem]", "File[/etc/cfssl/ssl/cassandra/cassandra.csr]", "File[/etc/cfssl/ssl/cassandra/cassandra.pem]", "File[/etc/cfssl/ssl/cassandra]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca-key.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.csr]", "File[/etc/cfssl/ssl/cloud_wmnet_ca/cloud_wmnet_ca.pem]", "File[/etc/cfssl/ssl/cloud_wmnet_ca]", "File[/etc/cfssl/ssl/debmonitor/debmonitor-key.pem]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.csr]", "File[/etc/cfssl/ssl/debmonitor/debmonitor.pem]", "File[/etc/cfssl/ssl/debmonitor]", 
"File[/etc/cfssl/ssl/discovery2026/discovery2026-key.pem]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.csr]", "File[/etc/cfssl/ssl/discovery2026/discovery2026.pem]", "File[/etc/cfssl/ssl/discovery2026]", "File[/etc/cfssl/ssl/dse/dse-key.pem]", "File[/etc/cfssl/ssl/dse/dse.csr]", "File[/etc/cfssl/ssl/dse/dse.pem]", "File[/etc/cfssl/ssl/dse]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy-key.pem]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.csr]", "File[/etc/cfssl/ssl/dse_front_proxy/dse_front_proxy.pem]", "File[/etc/cfssl/ssl/dse_front_proxy]", "File[/etc/cfssl/ssl/etcd/etcd-key.pem]", "File[/etc/cfssl/ssl/etcd/etcd.csr]", "File[/etc/cfssl/ssl/etcd/etcd.pem]", "File[/etc/cfssl/ssl/etcd]", "File[/etc/cfssl/ssl/kafka/kafka-key.pem]", "File[/etc/cfssl/ssl/kafka/kafka.csr]", "File[/etc/cfssl/ssl/kafka/kafka.pem]", "File[/etc/cfssl/ssl/kafka]", "File[/etc/cfssl/ssl/mlserve/mlserve-key.pem]", "File[/etc/cfssl/ssl/mlserve/mlserve.csr]", "File[/etc/cfssl/ssl/mlserve/mlserve.pem]", "File[/etc/cfssl/ssl/mlserve]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy-key.pem]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_front_proxy/mlserve_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_front_proxy]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.csr]", "File[/etc/cfssl/ssl/mlserve_staging/mlserve_staging.pem]", "File[/etc/cfssl/ssl/mlserve_staging]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy/mlserve_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/mlserve_staging_front_proxy]", "File[/etc/cfssl/ssl/network_devices/network_devices-key.pem]", "File[/etc/cfssl/ssl/network_devices/network_devices.csr]", 
"File[/etc/cfssl/ssl/network_devices/network_devices.pem]", "File[/etc/cfssl/ssl/network_devices]", "File[/etc/cfssl/ssl/puppet/puppet-key.pem]", "File[/etc/cfssl/ssl/puppet/puppet.csr]", "File[/etc/cfssl/ssl/puppet/puppet.pem]", "File[/etc/cfssl/ssl/puppet]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa-key.pem]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.csr]", "File[/etc/cfssl/ssl/puppet_rsa/puppet_rsa.pem]", "File[/etc/cfssl/ssl/puppet_rsa]", "File[/etc/cfssl/ssl/syslog/syslog-key.pem]", "File[/etc/cfssl/ssl/syslog/syslog.csr]", "File[/etc/cfssl/ssl/syslog/syslog.pem]", "File[/etc/cfssl/ssl/syslog]", "File[/etc/cfssl/ssl/wikikube/wikikube-key.pem]", "File[/etc/cfssl/ssl/wikikube/wikikube.csr]", "File[/etc/cfssl/ssl/wikikube/wikikube.pem]", "File[/etc/cfssl/ssl/wikikube]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_front_proxy/wikikube_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_front_proxy]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging-key.pem]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.csr]", "File[/etc/cfssl/ssl/wikikube_staging/wikikube_staging.pem]", "File[/etc/cfssl/ssl/wikikube_staging]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy-key.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.csr]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy/wikikube_staging_front_proxy.pem]", "File[/etc/cfssl/ssl/wikikube_staging_front_proxy]", "File[/etc/cfssl/ssl/zuul/zuul-key.pem]", "File[/etc/cfssl/ssl/zuul/zuul.csr]", "File[/etc/cfssl/ssl/zuul/zuul.pem]", "File[/etc/cfssl/ssl/zuul]", "File[/etc/default/ferm]", "File[/etc/ferm/conf.d/00_defs]", "File[/etc/ferm/conf.d/01_drop-blocked-nets]", "File[/etc/ferm/conf.d/02_main]", "File[/etc/ferm/conf.d/10_bacula_file_daemon_backup1014_eqiad_wmnet]", 
"File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_tcp]", "File[/etc/ferm/conf.d/10_full_monitoring_metrics_access_udp]", "File[/etc/ferm/conf.d/10_ssh_from_bastion]", "File[/etc/ferm/conf.d/10_ssh_from_cumin_masters]", "File[/etc/ferm/conf.d/98_filter_log_filter-bootp]", "File[/etc/ferm/conf.d/98_log-everything]", "File[/etc/ferm/conf.d/99_dscp-default]", "File[/etc/ferm/conf.d]", "File[/etc/ferm/ferm.conf]", "File[/etc/ferm/functions.conf]", "File[/etc/logrotate.d/ulogd]", "File[/etc/logrotate.d/wmf_auto_restart_ulogd2]", "File[/etc/nagios/nrpe.d/check_ferm_active.cfg]", "File[/etc/rsyslog.d/25-nrpe2nodexp-ferm-active.conf]", "File[/etc/rsyslog.d/40-ulogd.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-ulogd2.conf]", "File[/etc/sudoers.d/nrpe-check_ferm_active]", "File[/etc/systemd/system/ferm.service.d/ferm-service-status-restart.conf]", "File[/etc/systemd/system/ferm.service.d]", "File[/etc/ulogd.conf]", "File[/etc/update-motd.d/05-pki--root]", "File[/etc/update-motd.d/06-backups-pki-root-cfssl]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.service]", "File[/lib/systemd/system/nrpe2nodexp-ferm_active.timer]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.service]", "File[/lib/systemd/system/wmf_auto_restart_ulogd2.timer]", "File[/usr/local/lib/nagios/plugins/check_ferm]", "File[/var/log/ulogd]", "File[/var/log/wmf_auto_restart_ulogd2]", "File_line[auto_restart_file_presence_ulogd2]", "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Logrotate::Conf[ulogd]", "Logrotate::Conf[wmf_auto_restart_ulogd2]", "Monitoring::Exported_nagios_service[pki-root1002 ferm_active]", "Monitoring::Service[ferm_active]", "Motd::Message[pki::root]", "Motd::Script[backups-pki-root-cfssl]", "Motd::Script[pki::root]", "Node[__node_regexp__pki-root10012.eqiad.]", "Nrpe::Check[check_ferm_active]", "Nrpe::Monitor_service[ferm_active]", "Nrpe::Plugin[check_ferm]", "Package[bacula-common]", "Package[bacula-fd]", "Package[ulogd2]", 
"Profile::Auto_restarts::Service[ulogd2]", "Prometheus::Alert::Rule[check_ferm_active_bba0a2572329bb500b832470e08b381c]", "Puppet::Expose_agent_certs[/etc/bacula]", "Rsyslog::Conf[nrpe2nodexp-ferm_active]", "Rsyslog::Conf[ulogd]", "Rsyslog::Conf[wmf_auto_restart_ulogd2]", "Service[bacula-fd]", "Service[ferm]", "Service[nrpe2nodexp-ferm_active.timer]", "Service[ulogd2]", "Service[wmf_auto_restart_ulogd2.timer]", "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "Sudo::User[nrpe-check_ferm_active]", "Systemd::Override[ferm-service-status-restart]", "Systemd::Service[nrpe2nodexp-ferm_active]", "Systemd::Service[wmf_auto_restart_ulogd2]", "Systemd::Syslog[ulogd]", "Systemd::Syslog[wmf_auto_restart_ulogd2]", "Systemd::Timer::Job[nrpe2nodexp-ferm_active]", "Systemd::Timer::Job[wmf_auto_restart_ulogd2]", "Systemd::Timer[nrpe2nodexp-ferm_active]", "Systemd::Timer[wmf_auto_restart_ulogd2]", "Systemd::Unit[ferm-ferm-service-status-restart]", "Systemd::Unit[nrpe2nodexp-ferm_active.service]", "Systemd::Unit[nrpe2nodexp-ferm_active.timer]", "Systemd::Unit[wmf_auto_restart_ulogd2.service]", "Systemd::Unit[wmf_auto_restart_ulogd2.timer]"], "resource_diffs": [{"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => pki_eqiad\n@@\n-    cluster               => insetup\n+    cluster               => pki\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]", "parameters": 
"--- File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl].orig\n+++ File[/etc/confd/templates/_etc_ferm_conf.d_00_defs_requestctl.tmpl]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => insetup\n+    cluster => pki\n"}, {"resource": "Package[iptables]", "parameters": "--- Package[iptables].orig\n+++ Package[iptables]\n\n@@\n-    ensure => absent\n+    ensure => installed\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 raid_md].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 raid_md]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "File[/usr/local/sbin/ferm-status]", "parameters": "--- File[/usr/local/sbin/ferm-status].orig\n+++ File[/usr/local/sbin/ferm-status]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]", "parameters": "--- File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml].orig\n+++ File[/etc/confd/conf.d/_etc_ferm_conf.d_00_defs_requestctl.toml]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 ssh].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 ssh]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Class[Ferm]", 
"parameters": "--- Class[Ferm].orig\n+++ Class[Ferm]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "File[/etc/ferm]", "parameters": "--- File[/etc/ferm].orig\n+++ File[/etc/ferm]\n\n@@\n-    ensure => absent\n+    ensure => directory\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 
'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 
'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 
'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => Host being setup by Infrastructure Foundations SREs with ntables\n+    role_description => PKI RootCA\n"}, {"resource": "File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Confd::File[/etc/ferm/conf.d/00_defs_requestctl]", "parameters": "--- Confd::File[/etc/ferm/conf.d/00_defs_requestctl].orig\n+++ Confd::File[/etc/ferm/conf.d/00_defs_requestctl]\n\n@@\n-    ensure => absent\n+    ensure => present\n"}, {"resource": "Monitoring::Exported_nagios_host[pki-root1002]", "parameters": "--- Monitoring::Exported_nagios_host[pki-root1002].orig\n+++ Monitoring::Exported_nagios_host[pki-root1002]\n\n@@\n-    hostgroups            => insetup_eqiad,asw2-b-eqiad\n+    hostgroups            => pki_eqiad,asw2-b-eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Class[Profile::Firewall]", "parameters": "--- Class[Profile::Firewall].orig\n+++ Class[Profile::Firewall]\n\n@@\n-    provider => nftables\n+    provider => ferm\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => 
pki_eqiad\n@@\n-    cluster               => insetup\n+    cluster               => pki\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "File[/etc/modules-load.d/conntrack.conf]", "parameters": "--- File[/etc/modules-load.d/conntrack.conf].orig\n+++ File[/etc/modules-load.d/conntrack.conf]\n\n@@\n-    ensure => absent\n+    ensure => file\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[pki-root1002 disk_space].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 disk_space]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Package[ferm]", "parameters": "--- Package[ferm].orig\n+++ Package[ferm]\n\n@@\n-    ensure => purged\n+    ensure => installed\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::infrastructure_foundations_nftables:\n+role::pki::root:\n - Infrastructure Foundations"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_nftables\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"infrastructure-foundations\",role=\"pki::root\",cluster=\"pki\"} 1.0"}, {"resource": "Class[Firewall]", "parameters": "--- Class[Firewall].orig\n+++ Class[Firewall]\n\n@@\n-    provider => nftables\n+    provider => ferm\n"}, {"resource": "Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]", "parameters": "--- 
Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid].orig\n+++ Monitoring::Exported_nagios_service[pki-root1002 raid_broadcom_raid]\n\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => pki_eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 
'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 
'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 
'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[bacula-fd]', 'Package[bacula-common]']\n"}], "perc_changed": "19.53%"}}}