{"host": "gitlab1004.wikimedia.org", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3412, "only_in_self": [], "only_in_other": ["Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "Class[Envoyproxy]", "Class[Profile::Envoy]", "Class[Profile::Tcp_fast_open]", "Class[Profile::Tlsproxy::Envoy]", "Class[Sslcert::Ca_deselect_dstx3]", "Envoyproxy::Cluster[cluster_local_port_443]", "Envoyproxy::Conf[cluster_local_port_443]", "Envoyproxy::Conf[tls_terminator_8443]", "Envoyproxy::Listener[tls_terminator_8443]", "Envoyproxy::Tls_terminator[8443]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[verify-envoy-config]", "File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/logrotate.d/envoy]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/envoy]", "File_line[deselect_dst_root_ca_x3]", "Firewall::Service[envoy_tls_termination_src_sets]", "Logrotate::Conf[envoy]", "Nftables::Service[envoy_tls_termination_src_sets]", "Package[envoyproxy]", "Rsyslog::Conf[envoy]", "Service[envoyproxy.service]", "Sysctl::Conffile[TCP Fast Open]", "Sysctl::Parameters[TCP Fast Open]", "Systemd::Service[envoyproxy.service]", "Systemd::Syslog[envoy]", "Systemd::Unit[envoyproxy.service]"], "resource_diffs": [{"resource": "Envoyproxy::Conf[tls_terminator_8443]", "parameters": "--- Envoyproxy::Conf[tls_terminator_8443].orig\n+++ Envoyproxy::Conf[tls_terminator_8443]\n\n+    priority  => 0\n+    conf_type => listener\n"}, {"resource": "File[/etc/envoy/envoy.yaml]", "parameters": "--- File[/etc/envoy/envoy.yaml].orig\n+++ File[/etc/envoy/envoy.yaml]\n\n+    group  => root\n+    ensure => present\n+    mode   => 0644\n+    owner  => root\n"}, {"resource": "File[/etc/envoy/ssl]", "parameters": "--- File[/etc/envoy/ssl].orig\n+++ File[/etc/envoy/ssl]\n\n+    mode    => 0740\n+    recurse => True\n+    group   => envoy\n+    ensure  => directory\n+    owner   => envoy\n"}, {"resource": "Firewall::Service[envoy_tls_termination_src_sets]", "parameters": "--- Firewall::Service[envoy_tls_termination_src_sets].orig\n+++ Firewall::Service[envoy_tls_termination_src_sets]\n\n+    notrack             => True\n+    desc                => \n+    port                => 8443\n+    ensure              => present\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    src_sets            => ['CACHES', 'BASTION_HOSTS']\n"}, {"resource": "File[/var/log/envoy]", "parameters": "--- File[/var/log/envoy].orig\n+++ File[/var/log/envoy]\n\n+    mode   => 0755\n+    backup => False\n+    force  => True\n+    owner  => envoy\n+    group  => envoy\n+    ensure => directory\n"}, {"resource": "File[/etc/envoy]", "parameters": "--- File[/etc/envoy].orig\n+++ File[/etc/envoy]\n\n+    group  => root\n+    ensure => directory\n+    mode   => 0755\n+    owner  => root\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]\n\n+    require => Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]\n+    group   => envoy\n+    ensure  => file\n+    owner   => envoy\n"}, {"resource": "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]", "parameters": "--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh].orig\n+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server\n\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    subscribe   => File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]\n"}, {"resource": "Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "parameters": "--- Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem].orig\n+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]\n\n+    require   => Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]\n+    command   => /bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem > /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem | sha512sum)\"\n\n+    subscribe => ['Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]', 'File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]']\n"}, {"resource": "File[/etc/envoy/admin-config.yaml]", "content": "--- /etc/envoy/admin-config.yaml.orig\n+++ /etc/envoy/admin-config.yaml\n@@ -0,0 +1,10 @@\n+---\n+access_log:\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog\n+    path: \"/var/log/envoy/admin-access.log\"\n+address:\n+  socket_address:\n+    address: 0.0.0.0\n+    port_value: 9631\n+ignore_global_conn_limit: true", "parameters": "--- File[/etc/envoy/admin-config.yaml].orig\n+++ File[/etc/envoy/admin-config.yaml]\n\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Exec[verify-envoy-config]\n"}, {"resource": "Sysctl::Parameters[TCP Fast Open]", "parameters": "--- Sysctl::Parameters[TCP Fast Open].orig\n+++ Sysctl::Parameters[TCP Fast Open]\n\n+    priority           => 70\n+    no_priority_prefix => False\n+    ensure             => present\n+    values             => {'net.ipv4.tcp_fastopen': 3}\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n"}, {"resource": "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "parameters": "--- Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)].orig\n+++ Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]\n\n+    command     => /bin/systemctl daemon-reload\n+    refreshonly => True\n+    before      => ['Service[envoyproxy.service]']\n"}, {"resource": "File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]", "content": "--- /etc/envoy/clusters.d/00-cluster_local_port_443.yaml.orig\n+++ /etc/envoy/clusters.d/00-cluster_local_port_443.yaml\n@@ -0,0 +1,28 @@\n+name: local_port_443\n+connect_timeout: 1.0s\n+typed_extension_protocol_options:\n+  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:\n+    \"@type\": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\n+    common_http_protocol_options:\n+      idle_timeout: 100.0s\n+      max_requests_per_connection: 1\n+    use_downstream_protocol_config: {}\n+type: strict_dns\n+lb_policy: round_robin\n+load_assignment:\n+  cluster_name: local_port_443\n+  endpoints:\n+  - lb_endpoints:\n+    - endpoint:\n+        address:\n+          socket_address:\n+            address: gitlab1004.wikimedia.org\n+            port_value: 443\n+transport_socket:\n+  name: envoy.transport_sockets.tls\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\n+    common_tls_context:\n+      validation_context:\n+        trusted_ca:\n+          filename: /etc/ssl/certs/ca-certificates.crt", "parameters": "--- File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml].orig\n+++ File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]\n\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Exec[verify-envoy-config]\n"}, {"resource": "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "content": "--- /etc/systemd/system/envoyproxy.service.d/puppet-override.conf.orig\n+++ /etc/systemd/system/envoyproxy.service.d/puppet-override.conf\n@@ -0,0 +1,26 @@\n+[Service]\n+# TODO: support hot restarts, see for instance https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter\n+# Ensure envoy can handle enough file descriptors\n+LimitNOFILE=65536\n+# Allow envoy to bind on a privileged port\n+AmbientCapabilities=CAP_NET_BIND_SERVICE\n+\n+ExecStart=\n+# We use the hot-restarter script to start envoy. Please note that \"restart\"\n+# in systemd terms is stop + start, so it will not hot-restart envoy.\n+# We will have to use \"reload\" to obtain the desired result -\n+# and have puppet run 'systemctl reload envoyproxy.service' instead.\n+Environment=\"ENVOY_CONFIG=/etc/envoy/envoy.yaml\"\n+Environment=\"SERVICE_ZONE=eqiad\"\n+Environment=\"SERVICE_CLUSTER=misc\"\n+Environment=\"SERVICE_NODE=gitlab1004.wikimedia.org\"\n+ExecStart=/usr/local/sbin/envoyproxy-hot-restarter /usr/local/sbin/envoyproxy-start \n+ExecReload=\n+ExecReload=/bin/kill -s HUP $MAINPID\n+\n+# Security settings\n+ProtectKernelModules=yes\n+ProtectKernelTunables=yes\n+PrivateTmp=yes\n+ProtectSystem=strict\n+ReadWritePaths=/var/log/envoy/", "parameters": "--- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf].orig\n+++ File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]\n\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]\n"}, {"resource": "File[/usr/local/sbin/envoyproxy-hot-restarter]", "parameters": "--- File[/usr/local/sbin/envoyproxy-hot-restarter].orig\n+++ File[/usr/local/sbin/envoyproxy-hot-restarter]\n\n+    source => puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n"}, {"resource": "Service[envoyproxy.service]", "parameters": "--- Service[envoyproxy.service].orig\n+++ Service[envoyproxy.service]\n\n+    ensure  => running\n+    restart => /bin/systemctl reload envoyproxy.service\n+    enable  => True\n"}, {"resource": "Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]", "parameters": "--- Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server].orig\n+++ Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]\n\n+    notify_services => []\n+    ensure          => present\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    mode            => 0740\n+    names           => []\n+    before          => Exec[verify-envoy-config]\n+    require         => Package[envoyproxy]\n+    renew_seconds   => 952200\n+    owner           => envoy\n+    outdir          => /etc/envoy/ssl\n+    auto_renew      => True\n+    profile         => server\n+    common_name     => gitlab.wikimedia.org\n+    provide_chain   => True\n+    label           => discovery2026\n+    hosts           => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    before_services => []\n+    group           => envoy\n+    notify          => Service[envoyproxy.service]\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]\n\n+    source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem\n+    mode   => 0440\n+    owner  => envoy\n+    group  => envoy\n+    ensure => file\n"}, {"resource": "File[/etc/envoy/runtime.yaml]", "content": "--- /etc/envoy/runtime.yaml.orig\n+++ /etc/envoy/runtime.yaml\n@@ -0,0 +1 @@\n+--- {}", "parameters": "--- File[/etc/envoy/runtime.yaml].orig\n+++ File[/etc/envoy/runtime.yaml]\n\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => absent\n+    notify => Exec[verify-envoy-config]\n"}, {"resource": "File[/etc/systemd/system/envoyproxy.service.d]", "parameters": "--- File[/etc/systemd/system/envoyproxy.service.d].orig\n+++ File[/etc/systemd/system/envoyproxy.service.d]\n\n+    group  => root\n+    ensure => directory\n+    mode   => 0555\n+    owner  => root\n"}, {"resource": "Rsyslog::Conf[envoy]", "parameters": "--- Rsyslog::Conf[envoy].orig\n+++ Rsyslog::Conf[envoy]\n\n+    priority => 40\n+    mode     => 0444\n+    ensure   => present\n+    require  => File[/var/log/envoy]\n"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_8443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_8443.yaml\n@@ -0,0 +1,57 @@\n+address:\n+    socket_address:\n+        port_value: 8443\n+        address: 0.0.0.0\n+per_connection_buffer_limit_bytes: 268435456\n+listener_filters:\n+- name: \"envoy.filters.listener.tls_inspector\"\n+  typed_config:\n+    \"@type\": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector\n+tcp_fast_open_queue_length: 150\n+filter_chains:\n+# Non-SNI support\n+- transport_socket:\n+    name: envoy.transport_sockets.tls\n+    typed_config:\n+      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext\n+      common_tls_context:\n+        tls_certificates:\n+        - certificate_chain: { filename: \"/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem\" }\n+          private_key: { filename: \"/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem\" }\n+  filters:\n+  - name: envoy.http_connection_manager\n+    typed_config:\n+      \"@type\": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\n+      stat_prefix: ingress_http\n+      common_http_protocol_options:\n+        idle_timeout: 125.0s\n+      stream_idle_timeout: 1800.0s\n+      route_config:\n+        virtual_hosts:\n+        - name: non_sni_port_443\n+          domains: [\"*\"]\n+          routes:\n+          - match: { prefix: \"/\" }\n+            route:\n+              cluster: local_port_443\n+              timeout: 0.0s\n+              idle_timeout: 900.0s\n+              retry_policy:\n+                num_retries: 1\n+                retry_on: \"5xx\"\n+      http_filters:\n+      - name: envoy.filters.http.router\n+        typed_config:\n+          \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\n+      http_protocol_options:\n+        accept_http_10: true\n+      server_header_transformation: APPEND_IF_ABSENT\n+      internal_address_config:\n+        unix_sockets: true\n+        cidr_ranges:\n+        - address_prefix: 10.0.0.0\n+          prefix_len: 8\n+        - address_prefix: 127.0.0.1\n+          prefix_len: 32\n+        - address_prefix: ::1\n+          prefix_len: 128", "parameters": "--- File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml].orig\n+++ File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]\n\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Exec[verify-envoy-config]\n"}, {"resource": "Envoyproxy::Tls_terminator[8443]", "parameters": "--- Envoyproxy::Tls_terminator[8443].orig\n+++ Envoyproxy::Tls_terminator[8443]\n\n+    global_key_path           => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem\n+    request_headers_to_add    => {}\n+    global_cert_path          => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem\n+    downstream_idle_timeout   => 125.0\n+    response_headers_to_add   => {}\n+    websockets                => False\n+    upstreams                 => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 443, 'upstream_addr': 'gitlab1004.wikimedia.org', 'upstream_tls': True}]\n+    upstream_idle_timeout     => 900.0\n+    connect_timeout           => 1.0\n+    header_key_format         => none\n+    retry_policy              => {'num_retries': 1, 'retry_on': '5xx'}\n+    use_remote_address        => False\n+    has_error_page            => False\n+    listen_ipv6               => False\n+    local_otel_reporting_pct  => 0.0\n+    rate_limit_enabled        => False\n+    max_requests_per_conn     => 1\n+    fast_open_queue           => 150\n+    connection_buffer_limit   => 268435456\n+    stream_idle_timeout       => 1800.0\n+    upstream_response_timeout => 0.0\n+    access_log                => False\n+    idle_timeout              => 100.0\n"}, {"resource": "File[/etc/envoy/stats-config.yaml]", "parameters": "--- File[/etc/envoy/stats-config.yaml].orig\n+++ File[/etc/envoy/stats-config.yaml]\n\n+    source => puppet:///modules/envoyproxy/stats-config.yaml\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Exec[verify-envoy-config]\n"}, {"resource": "Nftables::Service[envoy_tls_termination_src_sets]", "parameters": "--- Nftables::Service[envoy_tls_termination_src_sets].orig\n+++ Nftables::Service[envoy_tls_termination_src_sets]\n\n+    notrack             => True\n+    desc                => \n+    port                => 8443\n+    ensure              => present\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    src_sets            => ['CACHES', 'BASTION_HOSTS']\n"}, {"resource": "Sysctl::Conffile[TCP Fast Open]", "parameters": "--- Sysctl::Conffile[TCP Fast Open].orig\n+++ Sysctl::Conffile[TCP Fast Open]\n\n+    priority           => 70\n+    no_priority_prefix => False\n+    ensure             => present\n"}, {"resource": "Class[Envoyproxy]", "parameters": "--- Class[Envoyproxy].orig\n+++ Class[Envoyproxy]\n\n+    admin_port      => 9631\n+    pkg_name        => envoyproxy\n+    service_cluster => misc\n+    runtime         => {}\n+    ensure          => present\n+    use_override    => True\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]\n\n+    names       => []\n+    hosts       => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']\n+    common_name => gitlab.wikimedia.org\n+    ensure      => present\n+    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr].orig\n+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]\n\n+    group  => envoy\n+    ensure => file\n+    mode   => 0440\n+    owner  => envoy\n"}, {"resource": "Class[Profile::Envoy]", "parameters": "--- Class[Profile::Envoy].orig\n+++ Class[Profile::Envoy]\n\n+    require => ['Class[Profile::Tcp_fast_open]']\n+    runtime => {}\n+    ensure  => present\n+    cluster => misc\n"}, {"resource": "File[/usr/local/sbin/build-envoy-config]", "parameters": "--- File[/usr/local/sbin/build-envoy-config].orig\n+++ File[/usr/local/sbin/build-envoy-config]\n\n+    source => puppet:///modules/envoyproxy/build_envoy_config.py\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n"}, {"resource": "Systemd::Syslog[envoy]", "parameters": "--- Systemd::Syslog[envoy].orig\n+++ Systemd::Syslog[envoy]\n\n+    force_stop             => True\n+    log_filename           => syslog.log\n+    ensure                 => present\n+    base_dir               => /var/log\n+    readable_by            => group\n+    require                => Package[envoyproxy]\n+    owner                  => envoy\n+    group                  => envoy\n+    programname_comparison => startswith\n"}, {"resource": "File[/etc/envoy/clusters.d]", "parameters": "--- File[/etc/envoy/clusters.d].orig\n+++ File[/etc/envoy/clusters.d]\n\n+    mode    => 0755\n+    recurse => True\n+    group   => root\n+    ensure  => directory\n+    purge   => True\n+    owner   => root\n"}, {"resource": "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]", "parameters": "--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server].orig\n+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem 2>&1)\"\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]\n"}, {"resource": "Envoyproxy::Listener[tls_terminator_8443]", "parameters": "--- Envoyproxy::Listener[tls_terminator_8443].orig\n+++ Envoyproxy::Listener[tls_terminator_8443]\n\n+    priority => 0\n"}, {"resource": "File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "content": "--- /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr.orig\n+++ /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr\n@@ -0,0 +1,19 @@\n+{\n+  \"CN\": \"gitlab.wikimedia.org\",\n+  \"hosts\": [\n+    \"gitlab.wikimedia.org\",\n+    \"gitlab-replica-a.wikimedia.org\",\n+    \"gitlab-replica-b.wikimedia.org\",\n+    \"gitlab.discovery.wmnet\",\n+    \"gitlab-replica-a.discovery.wmnet\",\n+    \"gitlab-replica-b.discovery.wmnet\",\n+    \"gitlab1004.wikimedia.org\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig\n+++ File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]\n\n+    group  => root\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n"}, {"resource": "Envoyproxy::Cluster[cluster_local_port_443]", "parameters": "--- Envoyproxy::Cluster[cluster_local_port_443].orig\n+++ Envoyproxy::Cluster[cluster_local_port_443]\n\n+    priority => 0\n"}, {"resource": "File_line[deselect_dst_root_ca_x3]", "parameters": "--- File_line[deselect_dst_root_ca_x3].orig\n+++ File_line[deselect_dst_root_ca_x3]\n\n+    line               => !mozilla/DST_Root_CA_X3.crt\n+    append_on_no_match => False\n+    require            => Package[ca-certificates]\n+    match              => ^!?mozilla/DST_Root_CA_X3\\.crt$\n+    path               => /etc/ca-certificates.conf\n+    notify             => Exec[update-ca-certificates]\n"}, {"resource": "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "content": "--- /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft.orig\n+++ /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft\n@@ -0,0 +1,6 @@\n+# Managed by puppet\n+# \n+ip saddr @BASTION_HOSTS_ipv4 tcp dport { 8443 } notrack\n+ip saddr @CACHES_ipv4 tcp dport { 8443 } notrack\n+ip6 saddr @BASTION_HOSTS_ipv6 tcp dport { 8443 } notrack\n+ip6 saddr @CACHES_ipv6 tcp dport { 8443 } notrack", "parameters": "--- File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft].orig\n+++ File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]\n\n+    mode    => 0444\n+    require => ['Nftables::Set[CACHES]', 'Nftables::Set[BASTION_HOSTS]']\n+    tag     => nft\n+    group   => root\n+    ensure  => present\n+    notify  => ['Service[nftables]']\n+    owner   => root\n"}, {"resource": "Envoyproxy::Conf[cluster_local_port_443]", "parameters": "--- Envoyproxy::Conf[cluster_local_port_443].orig\n+++ Envoyproxy::Conf[cluster_local_port_443]\n\n+    priority  => 0\n+    conf_type => cluster\n"}, {"resource": "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "content": "--- /etc/nftables/input/10_envoy_tls_termination_src_sets.nft.orig\n+++ /etc/nftables/input/10_envoy_tls_termination_src_sets.nft\n@@ -0,0 +1,6 @@\n+# Managed by puppet\n+# \n+ip saddr @BASTION_HOSTS_ipv4 tcp dport { 8443 } accept\n+ip saddr @CACHES_ipv4 tcp dport { 8443 } accept\n+ip6 saddr @BASTION_HOSTS_ipv6 tcp dport { 8443 } accept\n+ip6 saddr @CACHES_ipv6 tcp dport { 8443 } accept", "parameters": "--- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft].orig\n+++ File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]\n\n+    mode    => 0444\n+    require => ['Nftables::Set[CACHES]', 'Nftables::Set[BASTION_HOSTS]']\n+    tag     => nft\n+    group   => root\n+    ensure  => present\n+    notify  => ['Service[nftables]']\n+    owner   => root\n"}, {"resource": "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "content": "--- /etc/sysctl.d/70-TCP-Fast-Open.conf.orig\n+++ /etc/sysctl.d/70-TCP-Fast-Open.conf\n@@ -0,0 +1,2 @@\n+# sysctl parameters managed by Puppet.\n+net.ipv4.tcp_fastopen = 3", "parameters": "--- File[/etc/sysctl.d/70-TCP-Fast-Open.conf].orig\n+++ File[/etc/sysctl.d/70-TCP-Fast-Open.conf]\n\n+    group  => root\n+    ensure => present\n+    notify => Exec[update_sysctl]\n+    owner  => root\n"}, {"resource": "Exec[verify-envoy-config]", "parameters": "--- Exec[verify-envoy-config].orig\n+++ Exec[verify-envoy-config]\n\n+    command     => /usr/local/sbin/build-envoy-config -c '/etc/envoy'\n+    user        => root\n+    require     => Package[envoyproxy]\n+    refreshonly => True\n+    notify      => Systemd::Service[envoyproxy.service]\n"}, {"resource": "File[/etc/envoy/listeners.d]", "parameters": "--- File[/etc/envoy/listeners.d].orig\n+++ File[/etc/envoy/listeners.d]\n\n+    mode    => 0755\n+    recurse => True\n+    group   => root\n+    ensure  => directory\n+    purge   => True\n+    owner   => root\n"}, {"resource": "Package[envoyproxy]", "parameters": "--- Package[envoyproxy].orig\n+++ Package[envoyproxy]\n\n+    ensure   => present\n+    provider => apt\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n"}, {"resource": "File[/usr/local/sbin/envoyproxy-start]", "parameters": "--- File[/usr/local/sbin/envoyproxy-start].orig\n+++ File[/usr/local/sbin/envoyproxy-start]\n\n+    source => puppet:///modules/envoyproxy/hot_restarter/start-envoy.sh\n+    mode   => 0555\n+    owner  => root\n+    group  => root\n+    ensure => present\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n+    error_page                => False\n+    retries                   => True\n+    request_headers_to_add    => {}\n+    tls_port                  => 8443\n+    upstream_tls              => True\n+    downstream_idle_timeout   => 125.0\n+    firewall_global           => False\n+    websockets                => False\n+    ssl_provider              => cfssl\n+    services                  => [{'server_names': ['*'], 'port': 443}]\n+    upstream_idle_timeout     => 900.0\n+    require                   => ['Class[Profile::Envoy]']\n+    cfssl_label               => discovery2026\n+    header_key_format         => none\n+    use_remote_address        => False\n+    max_requests              => 1\n+    global_cert_name          => gitlab.wikimedia.org\n+    listen_ipv6               => False\n+    local_otel_reporting_pct  => 0.0\n+    rate_limit_enabled        => False\n+    fast_open_queue           => 150\n+    firewall_src_sets         => ['CACHES', 'BASTION_HOSTS']\n+    access_log                => False\n+    cfssl_options             => {'hosts': ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']}\n+    connection_buffer_limit   => 268435456\n+    stream_idle_timeout       => 1800.0\n+    upstream_response_timeout => 0.0\n+    sni_support               => no\n+    upstream_addr             => gitlab1004.wikimedia.org\n+    idle_timeout              => 100.0\n"}, {"resource": "Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]", "parameters": "--- Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server].orig\n+++ Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]\n\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server\n\n+    unless      => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem -checkend 952200\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]\n\n+    group  => envoy\n+    ensure => file\n+    mode   => 0440\n+    owner  => envoy\n"}, {"resource": "Systemd::Service[envoyproxy.service]", "parameters": "--- Systemd::Service[envoyproxy.service].orig\n+++ Systemd::Service[envoyproxy.service]\n\n+    service_params           => {'restart': '/bin/systemctl reload envoyproxy.service'}\n+    restart                  => False\n+    migration_task           => T407130\n+    override                 => True\n+    ensure                   => present\n+    monitoring_critical      => False\n+    monitoring_contact_group => admins\n+    monitoring_enabled       => False\n+    unit_type                => service\n"}, {"resource": "Systemd::Unit[envoyproxy.service]", "parameters": "--- Systemd::Unit[envoyproxy.service].orig\n+++ Systemd::Unit[envoyproxy.service]\n\n+    require           => ['Class[Systemd]']\n+    override_filename => puppet-override.conf\n+    restart           => False\n+    unit              => envoyproxy.service\n+    override          => True\n+    ensure            => present\n"}, {"resource": "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change].orig\n+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]\n+    refreshonly => True\n+    subscribe   => File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]\n"}, {"resource": "File[/etc/rsyslog.d/40-envoy.conf]", "content": "--- /etc/rsyslog.d/40-envoy.conf.orig\n+++ /etc/rsyslog.d/40-envoy.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"envoy\" then {\n+    action(\n+        type=\"omfile\" file=\"/var/log/envoy/syslog.log\"\n+        fileOwner=\"envoy\" fileGroup=\"envoy\"\n+        fileCreateMode=\"0640\"\n+    )\n+    & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-envoy.conf].orig\n+++ File[/etc/rsyslog.d/40-envoy.conf]\n\n+    mode   => 0444\n+    owner  => root\n+    group  => root\n+    ensure => present\n+    notify => Service[rsyslog]\n"}, {"resource": "Logrotate::Conf[envoy]", "parameters": "--- Logrotate::Conf[envoy].orig\n+++ Logrotate::Conf[envoy]\n\n+    ensure => present\n"}, {"resource": "File[/etc/logrotate.d/envoy]", "content": "--- /etc/logrotate.d/envoy.orig\n+++ /etc/logrotate.d/envoy\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for envoy\n+\n+/var/log/envoy/*.log {\n+    daily\n+    copytruncate\n+    missingok\n+    compress\n+    delaycompress\n+    notifempty\n+    rotate 15\n+    size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/envoy].orig\n+++ File[/etc/logrotate.d/envoy]\n\n+    group  => root\n+    ensure => present\n+    mode   => 0444\n+    owner  => root\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]\n\n+    mode      => 0440\n+    backup    => False\n+    show_diff => False\n+    group     => envoy\n+    ensure    => file\n+    owner     => envoy\n"}], "perc_changed": "3.40%"}, "core": {"total": 3412, "only_in_self": [], "only_in_other": ["Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[verify-envoy-config]", "File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/logrotate.d/envoy]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/envoy]", "File_line[deselect_dst_root_ca_x3]", "Package[envoyproxy]", "Service[envoyproxy.service]"], "resource_diffs": [], "perc_changed": "1.08%"}, "main": {"total": 3412, "only_in_self": [], "only_in_other": ["Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "Class[Envoyproxy]", "Class[Profile::Envoy]", "Class[Profile::Tcp_fast_open]", "Class[Profile::Tlsproxy::Envoy]", "Class[Sslcert::Ca_deselect_dstx3]", "Envoyproxy::Cluster[cluster_local_port_443]", "Envoyproxy::Conf[cluster_local_port_443]", "Envoyproxy::Conf[tls_terminator_8443]", "Envoyproxy::Listener[tls_terminator_8443]", "Envoyproxy::Tls_terminator[8443]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]", "Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[verify-envoy-config]", "File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]", "File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/logrotate.d/envoy]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/envoy]", "File_line[deselect_dst_root_ca_x3]", "Firewall::Service[envoy_tls_termination_src_sets]", "Logrotate::Conf[envoy]", "Nftables::Service[envoy_tls_termination_src_sets]", "Package[envoyproxy]", "Rsyslog::Conf[envoy]", "Service[envoyproxy.service]", "Sysctl::Conffile[TCP Fast Open]", "Sysctl::Parameters[TCP Fast Open]", "Systemd::Service[envoyproxy.service]", "Systemd::Syslog[envoy]", "Systemd::Unit[envoyproxy.service]"], "resource_diffs": [{"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']\n"}], "perc_changed": "1.76%"}}}