{"host": "cp3080.esams.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3961, "only_in_self": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -190,10 +190,6 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n-    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n-    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n-    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    use_cidergrinder => True\n+    use_cidergrinder => False\n"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -23,8 +23,6 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}, {"resource": "File[/usr/share/CIDERGRINDER]", "parameters": "--- File[/usr/share/CIDERGRINDER].orig\n+++ File[/usr/share/CIDERGRINDER]\n\n-    ensure  => directory\n-    recurse => True\n-    owner   => root\n-    group   => root\n-    notify  => Service[haproxy]\n-    source  => puppet:///volatile/CIDERGRINDER\n-    before  => Service[haproxy]\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "content": "--- /etc/haproxy/lua/cidergrinder_mmdb.lua.orig\n+++ /etc/haproxy/lua/cidergrinder_mmdb.lua\n@@ -1,51 +0,0 @@\n--- MMDB file lookup action for HAProxy\n--- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER\n--- SPDX-License-Identifier: GPL-3.0-or-later\n--- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation\n-\n-local maxminddb = require(\"maxminddb\")\n-\n-local args = table.pack(...)\n-\n-local cider_mmdb = nil\n-\n--- lua-load-per-thread mmdb_action.lua /path/to/file.mmdb\n-core.register_init(function()\n-    if #args < 1 then\n-        core.Alert(\"MMDB file name not provided\")\n-        return\n-    end\n-\n-    local fname = args[1]\n-    local err\n-    -- TODO: this seems to throw an error from the C library instead of returning nil + error string.\n-    --       we should pcall instead?\n-    cider_mmdb, err = maxminddb.open(fname)\n-    if not cider_mmdb then\n-        core.Alert(\"Failed to load MMDB file: \" .. tostring(err))\n-        return\n-    end\n-\n-    core.Info(\"Successfully loaded MMDB file: \" .. fname)\n-end)\n-\n--- http-request lua.cidergrinder_mmdb_lookup\n--- Sets the variable \"sess.cidergrinder_mmdb_result\" to the value of the\n--- \"proxy\" field in the MMDB record for the client IP, if it exists.\n--- Otherwise leaves it unset.\n-core.register_action(\"cidergrinder_mmdb_lookup\", { \"http-req\", \"tcp-req\" }, function(txn)\n-    if not cider_mmdb then\n-        return\n-    end\n-\n-    local ip = txn.f:src()\n-    local ok, result, status = pcall(cider_mmdb.lookup, cider_mmdb, ip)\n-    if not ok then\n-        return\n-    end\n-\n-    local ok, result = pcall(cider_mmdb.get, result, \"proxy\")\n-    if ok and result then\n-        txn:set_var(\"sess.cidergrinder_mmdb_result\", result)\n-    end\n-end)", "parameters": "--- File[/etc/haproxy/lua/cidergrinder_mmdb.lua].orig\n+++ File[/etc/haproxy/lua/cidergrinder_mmdb.lua]\n\n-    ensure  => file\n-    owner   => haproxy\n-    mode    => 0644\n-    require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-maxminddb]']\n-    notify  => Service[haproxy]\n-    group   => haproxy\n-    before  => Service[haproxy]\n"}, {"resource": "Package[lua5.4-ciderbloom]", "parameters": "--- Package[lua5.4-ciderbloom].orig\n+++ Package[lua5.4-ciderbloom]\n\n-    ensure   => installed\n-    provider => apt\n"}, {"resource": "File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "content": "--- /etc/haproxy/lua/cidergrinder_bloom.lua.orig\n+++ /etc/haproxy/lua/cidergrinder_bloom.lua\n@@ -1,123 +0,0 @@\n--- Bloom filter lookup action for HAProxy\n--- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER\n--- SPDX-License-Identifier: GPL-3.0-or-later\n--- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation\n-\n-local Bloom = require(\"bloom\")  -- our C library\n-\n--- Global bloom filter instance\n-local bloom_filter = nil\n-local expected_payload_hash = nil\n-\n-local args = table.pack(...)\n-\n-core.register_init(function()\n-    if #args < 1 then\n-        core.Alert(\"Bloom filter file name not provided\")\n-        return\n-    end\n-\n-    local fname = args[1]\n-    local file = io.open(fname, \"rb\")  -- file io allowed in init context\n-    if not file then\n-        core.Alert(\"Failed to open bloom filter file: \" .. fname)\n-        return\n-    end\n-\n-    -- Parse the headers, make note of the checksum\n-    -- Example file contents:\n-    -- PUT /spur.bloom CIDERBLOOM/0.1\\r\\n\n-    -- Bits: 1234567\\r\\n\n-    -- Hashes: 13\\r\\n\n-    -- Payload-Xxhash3: abcdef1234567890\\r\\n\n-    -- Other-user-defined-metadata: value\\r\\n\n-    -- \\r\\n[binary data begins]\n-\n-    -- check the header line, should contain \"CIDERBLOOM/0.1\"\n-    local header = file:read(\"*l\")\n-    if not header or not header:match(\"CIDERBLOOM/0%.1\") then\n-        core.Alert(\"Invalid bloom filter file header: \" .. tostring(header))\n-        file:close()\n-        return\n-    end\n-\n-    local hdrs = {}\n-    -- parse key: value lines until we hit an empty line\n-    -- (keys will never contain whitespace or colons)\n-    while true do\n-        local line = file:read(\"*l\")\n-        if not line or line == \"\" or line == \"\\r\" then\n-            break\n-        end\n-        local key, value = line:match(\"^(.-):%s*(.-)%s*$\")\n-        if key and value then\n-            key = key:lower()\n-            hdrs[key] = value\n-        end\n-    end\n-\n-    if not hdrs[\"bits\"] or not hdrs[\"hashes\"] then\n-        core.Alert(\"Unable to load Bloom filter -- missing required metadata\")\n-        file:close()\n-        return\n-    end\n-\n-    if hdrs[\"payload-xxhash3\"] then\n-        local hash = tonumber(hdrs[\"payload-xxhash3\"], 16)\n-        expected_payload_hash = hash\n-    end\n-\n--- TODO: we could take an expected granularity as an arg from the config file and\n---       crosscheck that against the x-granularity header.\n-\n-    local bits = tonumber(hdrs[\"bits\"])\n-    local hashes = tonumber(hdrs[\"hashes\"])\n-    if not bits or not hashes then\n-        core.Alert(\"Invalid bloom filter header values\")\n-        file:close()\n-        return\n-    end\n-\n-    core.Debug(\"File payload offset: \" .. file:seek(\"cur\", 0))\n-\n-    local ok, bf_or_err = pcall(Bloom.open, file, bits, hashes)\n-    -- Safe to close the file on error or success; mmap() has our back.\n-    file:close()\n-    if not ok then\n-        core.Alert(\"Failed to initialize bloom filter from file: \" .. fname .. \" (\" .. tostring(bf_or_err) .. \")\")\n-        bloom_filter = nil\n-        return\n-    end\n-    bloom_filter = bf_or_err\n-\n-    if expected_payload_hash then\n-        local hash = bloom_filter:checksum()\n-        if hash ~= expected_payload_hash then\n-            core.Alert(string.format(\"Unloading the Bloom filter! checksum mismatch: expected %016x, got %016x\", expected_payload_hash, hash))\n-            bloom_filter = nil\n-        else\n-            core.Debug(string.format(\"Bloom filter checksum matches expected value: %016x\", hash))\n-        end\n-    else\n-        core.Warning(\"Bloom filter metadata lacks payload-xxhash3; skipping integrity check\")\n-    end\n-\n-    core.Info(string.format(\"Bloom filter %s loaded OK! parameters: bits=%d, hashes=%d\", fname, bits, hashes))\n-end)\n-\n--- `http-request lua.bloom_lookup`\n--- expects var(sess.prehashed) to be set to a hash value to check against the bloom filter\n--- sets var(sess.bloom_result) to true or false based on the lookup\n-core.register_action(\"bloom_lookup\", { \"http-req\", \"tcp-req\" }, function(txn)\n-    if not bloom_filter then\n-        return\n-    end\n-\n-    local h = txn:get_var(\"sess.prehashed\")\n-    if h then\n-        local r = bloom_filter:contains_hashval(h)\n-        txn:set_var(\"sess.bloom_result\", r)\n-    end\n-end)\n-\n-core.Info(\"Bloom filter action registered\")", "parameters": "--- File[/etc/haproxy/lua/cidergrinder_bloom.lua].orig\n+++ File[/etc/haproxy/lua/cidergrinder_bloom.lua]\n\n-    ensure  => file\n-    owner   => haproxy\n-    mode    => 0644\n-    require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-ciderbloom]']\n-    notify  => Service[haproxy]\n-    group   => haproxy\n-    before  => Service[haproxy]\n"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}], "perc_changed": "0.40%"}, "core": {"total": 3961, "only_in_self": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -190,10 +190,6 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n-    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n-    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n-    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -23,8 +23,6 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}], "perc_changed": "0.15%"}, "main": {"total": 3961, "only_in_self": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -190,10 +190,6 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n-    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n-    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n-    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}, {"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    use_cidergrinder => True\n+    use_cidergrinder => False\n"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -23,8 +23,6 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n-    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}], "perc_changed": "0.30%"}}}