{"host": "phab2003.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3250, "only_in_self": ["Class[Passwords::Mysql::Phorge_testdb]", "Class[Profile::Phabricator::Migration]", "Class[Role::Phabricator::Migration]", "File[/etc/update-motd.d/05-phabricator--migration]", "File[/var/lib/scap/scap/bin]", "File[/var/lib/scap/scap]", "Motd::Message[phabricator::migration]", "Motd::Script[phabricator::migration]"], "only_in_other": ["Admin::Group[phabricator-admin]", "Admin::Group[phabricator-bulk-manager]", "Admin::Groupmembers[phabricator-admin]", "Admin::Groupmembers[phabricator-bulk-manager]", "Admin::Hashgroup[phabricator-admin]", "Admin::Hashgroup[phabricator-bulk-manager]", "Admin::Hashuser[gjg]", "Admin::Hashuser[mbinder]", "Admin::Hashuser[urbanecm]", "Admin::User[gjg]", "Admin::User[mbinder]", "Admin::User[urbanecm]", "Backup::Set[home]", "Backup::Set[srv-repos]", "Bacula::Client::Job[home-Monthly-1st-Wed-productionEqiad]", "Bacula::Client::Job[srv-repos-Monthly-1st-Wed-productionEqiad]", "Cfssl::Cert[discovery2026__phabricator_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "Class[Bacula::Client]", "Class[Envoyproxy]", "Class[Exim4]", "Class[Git::Globalconfig]", "Class[Passwords::Mysql::Phabricator]", "Class[Phabricator::Aphlict]", "Class[Phabricator::Config]", "Class[Phabricator::Mailrelay]", "Class[Phabricator::Phd]", "Class[Phabricator::Tools]", "Class[Phabricator::Vcs]", "Class[Phabricator]", "Class[Profile::Backup::Host]", "Class[Profile::Envoy]", "Class[Profile::Phabricator::Datasync]", "Class[Profile::Phabricator::Logmail]", "Class[Profile::Phabricator::Main]", "Class[Profile::Phabricator::Monitoring]", "Class[Profile::Phabricator::Performance]", "Class[Profile::Prometheus::Apache_exporter]", "Class[Profile::Tcp_fast_open]", "Class[Profile::Tlsproxy::Envoy]", "Class[Role::Phabricator]", "Class[Rsync::Server]", "Class[Sslcert::Ca_deselect_dstx3]", "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "Concat::Fragment[/etc/bacula_puppet_ca_chain]", "Concat::Fragment[/etc/rsyncd.conf-header]", "Concat::Fragment[/etc/rsyncd.conf-srv-dumps]", "Concat[/etc/bacula/ssl/cert.pem]", "Concat[/etc/rsyncd.conf]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/rsyncd.conf]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[/etc/rsyncd.conf-header]", "Concat_fragment[/etc/rsyncd.conf-srv-dumps]", "Envoyproxy::Cluster[cluster_local_port_80]", "Envoyproxy::Conf[cluster_local_port_80]", "Envoyproxy::Conf[tls_terminator_443]", "Envoyproxy::Listener[tls_terminator_443]", "Envoyproxy::Tls_terminator[443]", "Exec[/srv/phab/libext/ava/src_static_dir_exists]", "Exec[/srv/phab/libext/misc_static_dir_exists]", "Exec[/srv/phab/libext/translations/src_static_dir_exists]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]", "Exec[apt_update_php]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "Exec[create-/etc/bacula-keypair]", "Exec[mask_phd.service]", "Exec[mkdir /var/spool/exim4/scan]", "Exec[phab-git-safedir]", "Exec[phabricator-admin_ensure_members]", "Exec[phabricator-bulk-manager_ensure_members]", "Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]", "Exec[systemd daemon-reload for aphlict.service (aphlict)]", "Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]", "Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]", "Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]", "Exec[systemd daemon-reload for phd.service (phd)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]", "Exec[update-gitconfig]", "Exec[update-safedir-gitconfig]", "Exec[update-sysusers-vcs]", "Exec[verify-envoy-config]", "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "Ferm::Service[envoy_tls_termination_src_sets]", "Ferm::Service[phabmain_http]", "Ferm::Service[phabmain_smtp]", "Ferm::Service[rsyncd_access_srv_dumps]", "Ferm::Service[ssh_cluster]", "File[/etc/apache2/sites-available/50-phabricator.conf]", "File[/etc/apache2/sites-enabled/50-phabricator.conf]", "File[/etc/bacula/bacula-fd.conf]", "File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/default/exim4]", "File[/etc/default/prometheus-apache-exporter]", "File[/etc/default/rsync]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/exim4/aliases]", "File[/etc/exim4/dkim]", "File[/etc/exim4/exim4.conf]", "File[/etc/exim4/system_filter]", "File[/etc/exim4/update-exim4.conf.conf]", "File[/etc/gitconfig.d/00-header.gitconfig]", "File[/etc/gitconfig.d/10-setup_proxy.gitconfig]", "File[/etc/gitconfig.d]", "File[/etc/logrotate.d/aphlict]", "File[/etc/logrotate.d/backup-home-dirs]", "File[/etc/logrotate.d/envoy]", "File[/etc/logrotate.d/exim4-paniclog]", "File[/etc/logrotate.d/phabricator_clean_tmp_files]", "File[/etc/logrotate.d/phabricator_stats_job_community_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_project_changes]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls]", "File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats]", "File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics]", "File[/etc/logrotate.d/phabricator_task_dump]", "File[/etc/logrotate.d/phd]", "File[/etc/logrotate.d/rsync-phabricator-home-dirs]", "File[/etc/logrotate.d/rsync-phabricator-repos]", "File[/etc/logrotate.d/wmf_auto_restart_aphlict]", "File[/etc/logrotate.d/wmf_auto_restart_envoyproxy]", "File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter]", "File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/input/10_phabmain-smtp.nft]", "File[/etc/nftables/input/10_phabmain_http.nft]", "File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft]", "File[/etc/nftables/input/10_ssh_cluster.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/phab_community_metrics.conf]", "File[/etc/phab_epipe.conf]", "File[/etc/phab_project_changes.conf]", "File[/etc/phab_quarterly_metrics.conf]", "File[/etc/phab_quarterly_wmf_qls.conf]", "File[/etc/phab_tech_news_weekly_stats.conf]", "File[/etc/phab_yearly_metrics.conf]", "File[/etc/phabricator/config.yaml]", "File[/etc/phabricator]", "File[/etc/phabtools.conf]", "File[/etc/rsync.d]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-access.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-error.conf]", "File[/etc/rsyslog.d/40-backup-home-dirs.conf]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-task-dump.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf]", "File[/etc/ssh/userkeys/gjg]", "File[/etc/ssh/userkeys/mbinder]", "File[/etc/ssh/userkeys/urbanecm]", "File[/etc/sudoers.d/phabricator-admin]", "File[/etc/sudoers.d/phabricator-bulk-manager]", "File[/etc/sudoers.d/vcs]", "File[/etc/sudoers.d/www-data]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/sysctl.d/70-phabricator-network-tuning.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/etc/sysusers.d/vcs.conf]", "File[/etc/update-motd.d/05-phabricator]", "File[/etc/update-motd.d/06-backups-home]", "File[/etc/update-motd.d/06-backups-srv-repos]", "File[/home/aklapper/.my.cnf]", "File[/home/gjg/.my.cnf]", "File[/home/gjg]", "File[/home/mbinder]", "File[/home/urbanecm/.my.cnf]", "File[/home/urbanecm]", "File[/lib/systemd/system/aphlict.service]", "File[/lib/systemd/system/backup-home-dirs.service]", "File[/lib/systemd/system/backup-home-dirs.timer]", "File[/lib/systemd/system/phabricator_clean_tmp_files.service]", "File[/lib/systemd/system/phabricator_clean_tmp_files.timer]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.service]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer]", "File[/lib/systemd/system/phabricator_task_dump.service]", "File[/lib/systemd/system/phabricator_task_dump.timer]", "File[/lib/systemd/system/phd.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.timer]", "File[/lib/systemd/system/rsync-phabricator-repos.service]", "File[/lib/systemd/system/rsync-phabricator-repos.timer]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.service]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.timer]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer]", "File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC]", "File[/srv/dumps]", "File[/srv/homes]", "File[/srv/phab/aphlict/config.json]", "File[/srv/phab/phabricator//support/aphlict/server/node_modules]", "File[/srv/phab/phabricator/scripts/]", "File[/srv/phab/phabricator/scripts/daemon/]", "File[/srv/phab/phabricator/scripts/mail/]", "File[/srv/phab/phabricator/scripts/repository/]", "File[/srv/phab/phabricator/scripts/ssh/]", "File[/srv/phab/tools/public_task_dump.py]", "File[/srv/repos]", "File[/usr/libexec/phabricator-ssh-hook.sh]", "File[/usr/libexec]", "File[/usr/local/bin/arc]", "File[/usr/local/bin/backup-home-dirs]", "File[/usr/local/bin/chk_phuser]", "File[/usr/local/bin/community_metrics.sh]", "File[/usr/local/bin/git-http-backend]", "File[/usr/local/bin/phab_epipe.py]", "File[/usr/local/bin/phab_git_safedir.sh]", "File[/usr/local/bin/project_changes.sh]", "File[/usr/local/bin/quarterly_metrics.sh]", "File[/usr/local/bin/quarterly_wmf_qls.sh]", "File[/usr/local/bin/tech_news_weekly_stats.sh]", "File[/usr/local/bin/yearly_metrics.sh]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/aphlict/]", "File[/var/log/backup-home-dirs]", "File[/var/log/envoy]", "File[/var/log/phabricator_clean_tmp_files]", "File[/var/log/phabricator_stats_job_community_metrics]", "File[/var/log/phabricator_stats_job_project_changes]", "File[/var/log/phabricator_stats_job_quarterly_metrics]", "File[/var/log/phabricator_stats_job_quarterly_wmf_qls]", "File[/var/log/phabricator_stats_job_tech_news_weekly_stats]", "File[/var/log/phabricator_stats_job_yearly_metrics]", "File[/var/log/phabricator_task_dump]", "File[/var/log/phd/ssh.log]", "File[/var/log/phd]", "File[/var/log/rsync-phabricator-home-dirs]", "File[/var/log/rsync-phabricator-repos]", "File[/var/log/wmf_auto_restart_aphlict]", "File[/var/log/wmf_auto_restart_envoyproxy]", "File[/var/log/wmf_auto_restart_prometheus-apache-exporter]", "File[/var/run/aphlict/]", "File[/var/spool/exim4/db]", "File[/var/spool/exim4/scan]", "File[/var/spool/exim4]", "File_line[auto_restart_file_presence_aphlict]", "File_line[auto_restart_file_presence_envoyproxy]", "File_line[auto_restart_file_presence_prometheus-apache-exporter]", "File_line[deselect_dst_root_ca_x3]", "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Firewall::Service[envoy_tls_termination_src_sets]", "Firewall::Service[phabmain-smtp]", "Firewall::Service[phabmain_http]", "Firewall::Service[rsyncd_access_srv-dumps]", "Firewall::Service[ssh_cluster]", "Git::Systemconfig[setup proxy]", "Group[aphlict]", "Group[phabricator-admin]", "Group[phabricator-bulk-manager]", "Group[vcs]", "Httpd::Conf[phabricator]", "Httpd::Site[phabricator]", "Logrotate::Conf[aphlict]", "Logrotate::Conf[backup-home-dirs]", "Logrotate::Conf[envoy]", "Logrotate::Conf[exim4-paniclog]", "Logrotate::Conf[phabricator_clean_tmp_files]", "Logrotate::Conf[phabricator_stats_job_community_metrics]", "Logrotate::Conf[phabricator_stats_job_project_changes]", "Logrotate::Conf[phabricator_stats_job_quarterly_metrics]", "Logrotate::Conf[phabricator_stats_job_quarterly_wmf_qls]", "Logrotate::Conf[phabricator_stats_job_tech_news_weekly_stats]", "Logrotate::Conf[phabricator_stats_job_yearly_metrics]", "Logrotate::Conf[phabricator_task_dump]", "Logrotate::Conf[phd]", "Logrotate::Conf[rsync-phabricator-home-dirs]", "Logrotate::Conf[rsync-phabricator-repos]", "Logrotate::Conf[wmf_auto_restart_aphlict]", "Logrotate::Conf[wmf_auto_restart_envoyproxy]", "Logrotate::Conf[wmf_auto_restart_prometheus-apache-exporter]", "Mailalias[root]", "Motd::Message[phabricator]", "Motd::Script[backups-home]", "Motd::Script[backups-srv-repos]", "Motd::Script[phabricator]", "Mount[/var/spool/exim4/db]", "Mount[/var/spool/exim4/scan]", "Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Nftables::Service[envoy_tls_termination_src_sets]", "Nftables::Service[phabmain-smtp]", "Nftables::Service[phabmain_http]", "Nftables::Service[rsyncd_access_srv-dumps]", "Nftables::Service[ssh_cluster]", "Package[apachetop]", "Package[bacula-fd]", "Package[envoyproxy]", "Package[exim4-config]", "Package[exim4-daemon-heavy]", "Package[mariadb-client]", "Package[nodejs]", "Package[prometheus-apache-exporter]", "Package[python3-mysqldb]", "Package[python3-phabricator]", "Package[python3-pygments]", "Package[python3-pymysql]", "Package[s-nail]", "Package[subversion]", "Phabricator::Libext[/srv/phab/libext/ava/src]", "Phabricator::Libext[/srv/phab/libext/misc]", "Phabricator::Libext[/srv/phab/libext/translations/src]", "Phabricator::Logmail[community_metrics]", "Phabricator::Logmail[project_changes]", "Phabricator::Logmail[quarterly_metrics]", "Phabricator::Logmail[quarterly_wmf_qls]", "Phabricator::Logmail[tech_news_weekly_stats]", "Phabricator::Logmail[yearly_metrics]", "Profile::Auto_restarts::Service[aphlict]", "Profile::Auto_restarts::Service[envoyproxy]", "Profile::Auto_restarts::Service[prometheus-apache-exporter]", "Prometheus::Apache_exporter[default]", "Prometheus::Blackbox::Check::Tcp[phabricator-smtp]", "Puppet::Expose_agent_certs[/etc/bacula]", "Rsync::Quickdatacopy[phabricator-home-dirs]", "Rsync::Quickdatacopy[phabricator-repos]", "Rsync::Server::Module[srv-dumps]", "Rsyslog::Conf[backup-home-dirs]", "Rsyslog::Conf[envoy]", "Rsyslog::Conf[imfile]", "Rsyslog::Conf[input-file-apache2-access]", "Rsyslog::Conf[input-file-apache2-error]", "Rsyslog::Conf[phabricator_clean_tmp_files]", "Rsyslog::Conf[phabricator_stats_job_community_metrics]", "Rsyslog::Conf[phabricator_stats_job_project_changes]", "Rsyslog::Conf[phabricator_stats_job_quarterly_metrics]", "Rsyslog::Conf[phabricator_stats_job_quarterly_wmf_qls]", "Rsyslog::Conf[phabricator_stats_job_tech_news_weekly_stats]", "Rsyslog::Conf[phabricator_stats_job_yearly_metrics]", "Rsyslog::Conf[phabricator_task_dump]", "Rsyslog::Conf[rsync-phabricator-home-dirs]", "Rsyslog::Conf[rsync-phabricator-repos]", "Rsyslog::Conf[wmf_auto_restart_aphlict]", "Rsyslog::Conf[wmf_auto_restart_envoyproxy]", "Rsyslog::Conf[wmf_auto_restart_prometheus-apache-exporter]", "Rsyslog::Input::File[apache2-access]", "Rsyslog::Input::File[apache2-error]", "Service[aphlict]", "Service[backup-home-dirs.timer]", "Service[bacula-fd]", "Service[envoyproxy.service]", "Service[exim4]", "Service[phabricator_clean_tmp_files.timer]", "Service[phabricator_stats_job_community_metrics.timer]", "Service[phabricator_stats_job_project_changes.timer]", "Service[phabricator_stats_job_quarterly_metrics.timer]", "Service[phabricator_stats_job_quarterly_wmf_qls.timer]", "Service[phabricator_stats_job_tech_news_weekly_stats.timer]", "Service[phabricator_stats_job_yearly_metrics.timer]", "Service[phabricator_task_dump.timer]", "Service[phd]", "Service[prometheus-apache-exporter]", "Service[rsync-phabricator-home-dirs.timer]", "Service[rsync-phabricator-repos.timer]", "Service[rsync]", "Service[wmf_auto_restart_aphlict.timer]", "Service[wmf_auto_restart_envoyproxy.timer]", "Service[wmf_auto_restart_prometheus-apache-exporter.timer]", "Ssh::Userkey[gjg]", "Ssh::Userkey[mbinder]", "Ssh::Userkey[urbanecm]", "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "Sudo::Group[phabricator-admin]", "Sudo::Group[phabricator-bulk-manager]", "Sudo::User[vcs]", "Sudo::User[www-data]", "Sysctl::Conffile[TCP Fast Open]", "Sysctl::Conffile[phabricator network tuning]", "Sysctl::Parameters[TCP Fast Open]", "Sysctl::Parameters[phabricator network tuning]", "Systemd::Mask[phd.service]", "Systemd::Service[aphlict]", "Systemd::Service[backup-home-dirs]", "Systemd::Service[envoyproxy.service]", "Systemd::Service[phabricator_clean_tmp_files]", "Systemd::Service[phabricator_stats_job_community_metrics]", "Systemd::Service[phabricator_stats_job_project_changes]", "Systemd::Service[phabricator_stats_job_quarterly_metrics]", "Systemd::Service[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Service[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Service[phabricator_stats_job_yearly_metrics]", "Systemd::Service[phabricator_task_dump]", "Systemd::Service[phd]", "Systemd::Service[rsync-phabricator-home-dirs]", "Systemd::Service[rsync-phabricator-repos]", "Systemd::Service[wmf_auto_restart_aphlict]", "Systemd::Service[wmf_auto_restart_envoyproxy]", "Systemd::Service[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Syslog[backup-home-dirs]", "Systemd::Syslog[envoy]", "Systemd::Syslog[phabricator_clean_tmp_files]", "Systemd::Syslog[phabricator_stats_job_community_metrics]", "Systemd::Syslog[phabricator_stats_job_project_changes]", "Systemd::Syslog[phabricator_stats_job_quarterly_metrics]", "Systemd::Syslog[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Syslog[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Syslog[phabricator_stats_job_yearly_metrics]", "Systemd::Syslog[phabricator_task_dump]", "Systemd::Syslog[rsync-phabricator-home-dirs]", "Systemd::Syslog[rsync-phabricator-repos]", "Systemd::Syslog[wmf_auto_restart_aphlict]", "Systemd::Syslog[wmf_auto_restart_envoyproxy]", "Systemd::Syslog[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Sysuser[vcs]", "Systemd::Timer::Job[backup-home-dirs]", "Systemd::Timer::Job[phabricator_clean_tmp_files]", "Systemd::Timer::Job[phabricator_stats_job_community_metrics]", "Systemd::Timer::Job[phabricator_stats_job_project_changes]", "Systemd::Timer::Job[phabricator_stats_job_quarterly_metrics]", "Systemd::Timer::Job[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Timer::Job[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Timer::Job[phabricator_stats_job_yearly_metrics]", "Systemd::Timer::Job[phabricator_task_dump]", "Systemd::Timer::Job[rsync-phabricator-home-dirs]", "Systemd::Timer::Job[rsync-phabricator-repos]", "Systemd::Timer::Job[wmf_auto_restart_aphlict]", "Systemd::Timer::Job[wmf_auto_restart_envoyproxy]", "Systemd::Timer::Job[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Timer[backup-home-dirs]", "Systemd::Timer[phabricator_clean_tmp_files]", "Systemd::Timer[phabricator_stats_job_community_metrics]", "Systemd::Timer[phabricator_stats_job_project_changes]", "Systemd::Timer[phabricator_stats_job_quarterly_metrics]", "Systemd::Timer[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Timer[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Timer[phabricator_stats_job_yearly_metrics]", "Systemd::Timer[phabricator_task_dump]", "Systemd::Timer[rsync-phabricator-home-dirs]", "Systemd::Timer[rsync-phabricator-repos]", "Systemd::Timer[wmf_auto_restart_aphlict]", "Systemd::Timer[wmf_auto_restart_envoyproxy]", "Systemd::Timer[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Unit[aphlict]", "Systemd::Unit[backup-home-dirs.service]", "Systemd::Unit[backup-home-dirs.timer]", "Systemd::Unit[envoyproxy.service]", "Systemd::Unit[phabricator_clean_tmp_files.service]", "Systemd::Unit[phabricator_clean_tmp_files.timer]", "Systemd::Unit[phabricator_stats_job_community_metrics.service]", "Systemd::Unit[phabricator_stats_job_community_metrics.timer]", "Systemd::Unit[phabricator_stats_job_project_changes.service]", "Systemd::Unit[phabricator_stats_job_project_changes.timer]", "Systemd::Unit[phabricator_stats_job_quarterly_metrics.service]", "Systemd::Unit[phabricator_stats_job_quarterly_metrics.timer]", "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service]", "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.timer]", "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service]", "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.timer]", "Systemd::Unit[phabricator_stats_job_yearly_metrics.service]", "Systemd::Unit[phabricator_stats_job_yearly_metrics.timer]", "Systemd::Unit[phabricator_task_dump.service]", "Systemd::Unit[phabricator_task_dump.timer]", "Systemd::Unit[phd]", "Systemd::Unit[rsync-phabricator-home-dirs.service]", "Systemd::Unit[rsync-phabricator-home-dirs.timer]", "Systemd::Unit[rsync-phabricator-repos.service]", "Systemd::Unit[rsync-phabricator-repos.timer]", "Systemd::Unit[wmf_auto_restart_aphlict.service]", "Systemd::Unit[wmf_auto_restart_aphlict.timer]", "Systemd::Unit[wmf_auto_restart_envoyproxy.service]", "Systemd::Unit[wmf_auto_restart_envoyproxy.timer]", "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service]", "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.timer]", "User[aphlict]", "User[gjg]", "User[mbinder]", "User[urbanecm]", "User[vcs]"], "resource_diffs": [{"resource": "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "parameters": "--- Concat::Fragment[/etc/bacula_puppet_agent_cert].orig\n+++ Concat::Fragment[/etc/bacula_puppet_agent_cert]\n\n+ source => /var/lib/puppet/ssl/certs/phab2003.codfw.wmnet.pem\n+ target => /etc/bacula/ssl/cert.pem\n+ order => 01\n"}, {"resource": "Firewall::Service[ssh_cluster]", "parameters": "--- Firewall::Service[ssh_cluster].orig\n+++ Firewall::Service[ssh_cluster]\n\n+ ensure => present\n+ port => 22\n+ proto => tcp\n+ prio => 10\n+ srange => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "File[/etc/logrotate.d/phabricator_clean_tmp_files]", "content": "--- /etc/logrotate.d/phabricator_clean_tmp_files.orig\n+++ /etc/logrotate.d/phabricator_clean_tmp_files\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_clean_tmp_files\n+\n+/var/log/phabricator_clean_tmp_files/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_clean_tmp_files].orig\n+++ File[/etc/logrotate.d/phabricator_clean_tmp_files]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Syslog[phabricator_clean_tmp_files]", "parameters": "--- Systemd::Syslog[phabricator_clean_tmp_files].orig\n+++ Systemd::Syslog[phabricator_clean_tmp_files]\n\n+ readable_by => all\n+ ensure => present\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Admin::Groupmembers[phabricator-bulk-manager]", "parameters": "--- Admin::Groupmembers[phabricator-bulk-manager].orig\n+++ Admin::Groupmembers[phabricator-bulk-manager]\n\n+ before => Exec[enforce-users-groups-cleanup]\n+ default_member => root\n"}, {"resource": "Systemd::Unit[rsync-phabricator-repos.service]", "parameters": "--- Systemd::Unit[rsync-phabricator-repos.service].orig\n+++ Systemd::Unit[rsync-phabricator-repos.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => rsync-phabricator-repos.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]", "parameters": "--- Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)].orig\n+++ Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_prometheus-apache-exporter]\n\n+ monitoring_contact_groups => admins\n+ ensure => present\n+ private_tmp => False\n+ description => Auto restart job: prometheus-apache-exporter\n+ command => /usr/local/sbin/wmf-auto-restart -s prometheus-apache-exporter\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 13:4:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ require => File[/usr/local/sbin/wmf-auto-restart]\n+ logfile_basedir => /var/log\n"}, {"resource": "Exec[phabricator-bulk-manager_ensure_members]", "parameters": "--- Exec[phabricator-bulk-manager_ensure_members].orig\n+++ Exec[phabricator-bulk-manager_ensure_members]\n\n+ logoutput => True\n+ command => /usr/bin/gpasswd phabricator-bulk-manager -M mbinder\n+ path => /usr/bin:/bin\n+ require => ['User[mbinder]']\n+ unless => getent group phabricator-bulk-manager | xargs test -z || getent group phabricator-bulk-manager | cut -d ':' -f 4 | grep -E ^mbinder$\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]\n\n+ before => ['Service[wmf_auto_restart_prometheus-apache-exporter.timer]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/libexec/phabricator-ssh-hook.sh]", "content": "--- /usr/libexec/phabricator-ssh-hook.sh.orig\n+++ /usr/libexec/phabricator-ssh-hook.sh\n@@ -0,0 +1,12 @@\n+#!/bin/sh\n+\n+# This is the name users should connect with\n+VCSUSER=vcs\n+ROOT=\"/srv/phab/phabricator\"\n+\n+if [ \"$1\" != \"$VCSUSER\" ];\n+then\n+ exit 1\n+fi\n+\n+exec \"$ROOT/bin/ssh-auth\" $@", "parameters": "--- File[/usr/libexec/phabricator-ssh-hook.sh].orig\n+++ File[/usr/libexec/phabricator-ssh-hook.sh]\n\n+ mode => 0755\n+ require => File[/usr/libexec]\n+ owner => root\n+ group => root\n"}, {"resource": "Concat[/etc/bacula/ssl/cert.pem]", "parameters": "--- Concat[/etc/bacula/ssl/cert.pem].orig\n+++ Concat[/etc/bacula/ssl/cert.pem]\n\n+ warn => False\n+ ensure => present\n+ show_diff => True\n+ replace => True\n+ ensure_newline => False\n+ force => False\n+ format => plain\n+ mode => 0644\n+ path => /etc/bacula/ssl/cert.pem\n+ order => alpha\n+ backup => puppet\n"}, {"resource": "File[/lib/systemd/system/rsync-phabricator-home-dirs.timer]", "content": "--- /lib/systemd/system/rsync-phabricator-home-dirs.timer.orig\n+++ /lib/systemd/system/rsync-phabricator-home-dirs.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of rsync-phabricator-home-dirs.service\n+\n+[Timer]\n+Unit=rsync-phabricator-home-dirs.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* *:00/10:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/rsync-phabricator-home-dirs.timer].orig\n+++ File[/lib/systemd/system/rsync-phabricator-home-dirs.timer]\n\n+ notify => Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Rsyslog::Conf[phabricator_stats_job_quarterly_wmf_qls]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_quarterly_wmf_qls]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_yearly_metrics\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_yearly_metrics/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-dumps]", "parameters": "--- Nftables::Service[rsyncd_access_srv-dumps].orig\n+++ Nftables::Service[rsyncd_access_srv-dumps]\n\n+ ensure => present\n+ port => [873, 1873]\n+ proto => tcp\n+ prio => 10\n+ notrack => False\n+ src_ips => ['10.192.27.6', '10.64.16.101', '208.80.154.142', '208.80.154.71', '2620:0:860:114:10:192:27:6', '2620:0:861:102:10:64:16:101', '2620:0:861:2:208:80:154:142', '2620:0:861:3:208:80:154:71']\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "File[/usr/local/bin/quarterly_wmf_qls.sh]", "content": "--- /usr/local/bin/quarterly_wmf_qls.sh.orig\n+++ /usr/local/bin/quarterly_wmf_qls.sh\n@@ -0,0 +1,162 @@\n+#!/bin/bash\n+# Quarterly statistics of Phabricator for internal WMF QLS\n+# per T362804 - aklapper 20240425\n+# SPDX-License-Identifier: Apache-2.0\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/files/quarterly_wmf_qls.sh\n+source /etc/phab_quarterly_wmf_qls.conf\n+\n+lastquarterint=$(expr $(expr $(date -d '-1 month' +%m) - 1) / 3 + 1)\n+\n+if (( $lastquarterint % 4 == 1 ))\n+then lastquarterintfy=3\n+elif (( $lastquarterint % 4 == 2 ))\n+then lastquarterintfy=4\n+elif (( $lastquarterint % 4 == 3 ))\n+then lastquarterintfy=1\n+elif (( $lastquarterint % 4 == 0 ))\n+then lastquarterintfy=2\n+fi\n+\n+lastquarterstr=$(date +\"Q$lastquarterint/%Y (Q$lastquarterintfy in FY)\")\n+\n+#echo \"result_tasks\"\n+result_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -t -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT DISTINCT t.phid AS phid, autr.userName AS author, t.status AS status, ownr.userName AS owner, FROM_UNIXTIME(t.closedEpoch, '%Y-%m-%d') AS closedDate, clsr.userName AS closer, t.priority AS priority, t.subtype AS subtype, CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS url, t.title AS taskTitle, FROM_UNIXTIME(t.dateCreated, '%Y-%m-%d') AS createdDate, ROUND((t.closedEpoch - t.dateCreated) / 86400) AS daysBetween\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_user.user autr ON autr.phid = t.authorPHID\n+ INNER JOIN phabricator_user.user ownr ON ownr.phid = t.ownerPHID\n+ INNER JOIN phabricator_user.user clsr ON clsr.phid = t.closerPHID\n+ WHERE t.status = \"resolved\"\n+ AND FROM_UNIXTIME(t.closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m')\n+ AND autr.phid NOT IN\n+ (SELECT ua.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_externalaccount ua\n+ ON ua.userPHID = u.phid\n+ WHERE ua.accountType = \"mediawiki\"\n+ AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF')\n+ OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ AND autr.phid NOT IN\n+ (SELECT ue.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_email ue\n+ ON ue.userPHID = u.phid\n+ WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com'))\n+ AND (ownr.phid IN\n+ (SELECT ua.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_externalaccount ua ON ua.userPHID = u.phid WHERE ua.accountType = \"mediawiki\" AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF') OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ OR ownr.phid IN\n+ (SELECT ue.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_email ue ON ue.userPHID = u.phid WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com')));\n+END\n+)\n+\n+#echo \"result_projects\"\n+result_projects=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -t -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT t.id AS taskId, t.phid AS phid, p.name AS projectTag\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_maniphest.edge e ON t.phid = e.src\n+ INNER JOIN phabricator_project.project p ON e.dst = p.phid\n+ WHERE e.type = 41\n+ AND t.phid IN\n+ (SELECT DISTINCT t.phid\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_user.user autr ON autr.phid = t.authorPHID\n+ INNER JOIN phabricator_user.user ownr ON ownr.phid = t.ownerPHID\n+ WHERE t.status = \"resolved\"\n+ AND FROM_UNIXTIME(t.closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m')\n+ AND autr.phid NOT IN\n+ (SELECT ua.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_externalaccount ua\n+ ON ua.userPHID = u.phid\n+ WHERE ua.accountType = \"mediawiki\"\n+ AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF')\n+ OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ AND autr.phid NOT IN\n+ (SELECT ue.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_email ue\n+ ON ue.userPHID = u.phid\n+ WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com'))\n+ AND (ownr.phid IN\n+ (SELECT ua.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_externalaccount ua ON ua.userPHID = u.phid WHERE ua.accountType = \"mediawiki\" AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF') OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ OR ownr.phid IN\n+ (SELECT ue.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_email ue ON ue.userPHID = u.phid WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com')))) \n+ ORDER BY t.id;\n+END\n+)\n+\n+#echo \"result_subscribers\"\n+result_subscribers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -t -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT t.id AS taskId, t.phid AS phid, u.userName AS subscriber\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_maniphest.edge e ON t.phid = e.src\n+ INNER JOIN phabricator_user.user u ON e.dst = u.phid\n+ WHERE e.type = 21 \n+ AND t.phid IN\n+ (SELECT DISTINCT t.phid\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_user.user autr ON autr.phid = t.authorPHID\n+ INNER JOIN phabricator_user.user ownr ON ownr.phid = t.ownerPHID\n+ WHERE t.status = \"resolved\"\n+ AND FROM_UNIXTIME(t.closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m')\n+ AND autr.phid NOT IN\n+ (SELECT ua.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_externalaccount ua\n+ ON ua.userPHID = u.phid\n+ WHERE ua.accountType = \"mediawiki\"\n+ AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF')\n+ OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ AND autr.phid NOT IN\n+ (SELECT ue.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_email ue\n+ ON ue.userPHID = u.phid\n+ WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com'))\n+ AND (ownr.phid IN\n+ (SELECT ua.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_externalaccount ua ON ua.userPHID = u.phid WHERE ua.accountType = \"mediawiki\" AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF') OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ OR ownr.phid IN\n+ (SELECT ue.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_email ue ON ue.userPHID = u.phid WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com')))) \n+ AND u.isDisabled != 1 \n+ ORDER BY t.id;\n+END\n+)\n+\n+# the actual email\n+cat < 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Phabricator::Logmail[yearly_metrics]", "parameters": "--- Phabricator::Logmail[yearly_metrics].orig\n+++ Phabricator::Logmail[yearly_metrics]\n\n+ ensure => absent\n+ rcpt_address => ['aklapper@wikimedia.org', 'releng@lists.wikimedia.org']\n+ monthday => 1\n+ month => 1\n+ mysql_slave => m3-slave.codfw.wmnet\n+ mysql_slave_port => 3323\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_maniphest\n+ require => Package[phabricator/deployment]\n+ hour => 0\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of wmf_auto_restart_prometheus-apache-exporter.service\n+\n+[Timer]\n+Unit=wmf_auto_restart_prometheus-apache-exporter.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 13:4:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Admin::Groupmembers[phabricator-admin]", "parameters": "--- Admin::Groupmembers[phabricator-admin].orig\n+++ Admin::Groupmembers[phabricator-admin]\n\n+ before => Exec[enforce-users-groups-cleanup]\n+ default_member => root\n"}, {"resource": "File[/etc/sudoers.d/phabricator-admin]", "content": "--- /etc/sudoers.d/phabricator-admin.orig\n+++ /etc/sudoers.d/phabricator-admin\n@@ -0,0 +1,11 @@\n+# This file is managed by Puppet!\n+\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/cache purge --caches user\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/herald\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/remove\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/repository\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/phd\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/policy\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/worker\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *\n+%phabricator-admin ALL = NOPASSWD: /srv/phab/phabricator/bin/auth strip --all-types --user *", "parameters": "--- File[/etc/sudoers.d/phabricator-admin].orig\n+++ File[/etc/sudoers.d/phabricator-admin]\n\n+ mode => 0440\n+ owner => root\n+ ensure => present\n+ validate_cmd => /usr/sbin/visudo -cqf %\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_envoyproxy]", "content": "--- /etc/logrotate.d/wmf_auto_restart_envoyproxy.orig\n+++ /etc/logrotate.d/wmf_auto_restart_envoyproxy\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for wmf_auto_restart_envoyproxy\n+\n+/var/log/wmf_auto_restart_envoyproxy/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_envoyproxy].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_envoyproxy]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/sudoers.d/vcs]", "content": "--- /etc/sudoers.d/vcs.orig\n+++ /etc/sudoers.d/vcs\n@@ -0,0 +1,3 @@\n+# This file is managed by Puppet!\n+\n+vcs ALL=(phd) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/svnserve", "parameters": "--- File[/etc/sudoers.d/vcs].orig\n+++ File[/etc/sudoers.d/vcs]\n\n+ mode => 0440\n+ owner => root\n+ ensure => present\n+ validate_cmd => /usr/sbin/visudo -cqf %\n+ group => root\n"}, {"resource": "Envoyproxy::Conf[cluster_local_port_80]", "parameters": "--- Envoyproxy::Conf[cluster_local_port_80].orig\n+++ Envoyproxy::Conf[cluster_local_port_80]\n\n+ priority => 0\n+ conf_type => cluster\n"}, {"resource": "Group[aphlict]", "parameters": "--- Group[aphlict].orig\n+++ Group[aphlict]\n\n+ system => True\n+ ensure => present\n"}, {"resource": "Motd::Script[phabricator]", "parameters": "--- Motd::Script[phabricator].orig\n+++ Motd::Script[phabricator]\n\n+ priority => 5\n+ ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Concat_file[/etc/rsyncd.conf]", "parameters": "--- Concat_file[/etc/rsyncd.conf].orig\n+++ Concat_file[/etc/rsyncd.conf]\n\n+ show_diff => True\n+ replace => True\n+ ensure_newline => False\n+ force => False\n+ format => plain\n+ mode => 0444\n+ tag => _etc_rsyncd.conf\n+ owner => root\n+ order => alpha\n+ backup => puppet\n+ group => root\n"}, {"resource": "Systemd::Syslog[rsync-phabricator-home-dirs]", "parameters": "--- Systemd::Syslog[rsync-phabricator-home-dirs].orig\n+++ Systemd::Syslog[rsync-phabricator-home-dirs]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "File[/usr/libexec]", "parameters": "--- File[/usr/libexec].orig\n+++ File[/usr/libexec]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_quarterly_metrics.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_quarterly_metrics.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - quarterly_metrics\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/quarterly_metrics.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Systemd::Service[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Systemd::Service[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Systemd::Service[wmf_auto_restart_prometheus-apache-exporter]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => present\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Package[exim4-daemon-heavy]", "parameters": "--- Package[exim4-daemon-heavy].orig\n+++ Package[exim4-daemon-heavy]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "File[/var/log/phd/ssh.log]", "parameters": "--- File[/var/log/phd/ssh.log].orig\n+++ File[/var/log/phd/ssh.log]\n\n+ mode => 0640\n+ owner => vcs\n+ ensure => present\n+ require => File[/var/log/phd]\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/rsync-phabricator-home-dirs]", "content": "--- /etc/logrotate.d/rsync-phabricator-home-dirs.orig\n+++ /etc/logrotate.d/rsync-phabricator-home-dirs\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for rsync-phabricator-home-dirs\n+\n+/var/log/rsync-phabricator-home-dirs/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/rsync-phabricator-home-dirs].orig\n+++ File[/etc/logrotate.d/rsync-phabricator-home-dirs]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/usr/local/bin/yearly_metrics.sh]", "content": "--- /usr/local/bin/yearly_metrics.sh.orig\n+++ /usr/local/bin/yearly_metrics.sh\n@@ -0,0 +1,130 @@\n+#!/bin/bash\n+# Basic yearly statistics of Phabricator used for\n+# early January email to wikitech-l mailing list\n+# per T337388 - aklapper 20230523\n+# SPDX-License-Identifier: Apache-2.0\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/files/yearly_metrics.sh\n+\n+source /etc/phab_yearly_metrics.conf\n+\n+#echo \"result_tasks_created\"\n+result_tasks_created=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(dateCreated) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m');\n+END\n+)\n+\n+#echo \"result_tasks_closed\"\n+result_tasks_closed=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(closedEpoch) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m');\n+END\n+)\n+\n+#echo \"result_active_users\"\n+result_active_users=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(DISTINCT (authorPHID)) FROM phabricator_maniphest.maniphest_transaction WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m');\n+END\n+)\n+\n+#echo \"result_tasks_authors\"\n+result_tasks_authors=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(DISTINCT (authorPHID)) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m');\n+END\n+)\n+\n+#echo \"result_tasks_closers\"\n+result_tasks_closers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(DISTINCT (closerPHID)) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m');\n+END\n+)\n+\n+#echo \"result_tasks_authors_top20\"\n+result_tasks_authors_top20=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT usr.username AS user, COUNT(usr.username) AS created\n+ FROM phabricator_user.user usr JOIN phabricator_maniphest.maniphest_task tsk\n+ WHERE tsk.authorPHID = usr.phid\n+ AND FROM_UNIXTIME(tsk.closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m')\n+ GROUP BY usr.username ORDER BY created DESC LIMIT 20;\n+END\n+)\n+\n+#echo \"result_tasks_closers_top20\"\n+result_tasks_closers_top20=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT usr.username AS user, COUNT(usr.username) AS closed\n+ FROM phabricator_user.user usr JOIN phabricator_maniphest.maniphest_task tsk \n+ WHERE tsk.closerPHID = usr.phid\n+ AND FROM_UNIXTIME(tsk.closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 12 MONTH,'%Y%m')\n+ GROUP BY usr.username ORDER BY closed DESC LIMIT 20;\n+END\n+)\n+\n+taskscreated=$(echo $result_tasks_created | sed 's/[^0-9]*//g')\n+tasksclosed=$(echo $result_tasks_closed | sed 's/[^0-9]*//g')\n+activeusers=$(echo $result_active_users | sed 's/[^0-9]*//g')\n+tasksauthors=$(echo $result_tasks_authors | cut -d \" \" -f3)\n+tasksclosers=$(echo $result_tasks_closers | cut -d \" \" -f3)\n+\n+year=$(date --date='1 year ago' +%Y)\n+\n+# the actual email\n+cat < 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_project_changes]", "content": "--- /etc/logrotate.d/phabricator_stats_job_project_changes.orig\n+++ /etc/logrotate.d/phabricator_stats_job_project_changes\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_project_changes\n+\n+/var/log/phabricator_stats_job_project_changes/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_project_changes].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_project_changes]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Logrotate::Conf[wmf_auto_restart_prometheus-apache-exporter]\n\n+ ensure => present\n"}, {"resource": "Logrotate::Conf[phabricator_clean_tmp_files]", "parameters": "--- Logrotate::Conf[phabricator_clean_tmp_files].orig\n+++ Logrotate::Conf[phabricator_clean_tmp_files]\n\n+ ensure => present\n"}, {"resource": "File[/etc/gitconfig.d/00-header.gitconfig]", "content": "--- /etc/gitconfig.d/00-header.gitconfig.orig\n+++ /etc/gitconfig.d/00-header.gitconfig\n@@ -0,0 +1,2 @@\n+# vim: set ts=4 sw=4 et:\n+# This file is managed by Puppet", "parameters": "--- File[/etc/gitconfig.d/00-header.gitconfig].orig\n+++ File[/etc/gitconfig.d/00-header.gitconfig]\n\n+ notify => Exec[update-gitconfig]\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats]", "content": "--- /etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats.orig\n+++ /etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_tech_news_weekly_stats\n+\n+/var/log/phabricator_stats_job_tech_news_weekly_stats/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Firewall::Service[rsyncd_access_srv-dumps]", "parameters": "--- Firewall::Service[rsyncd_access_srv-dumps].orig\n+++ Firewall::Service[rsyncd_access_srv-dumps]\n\n+ ensure => present\n+ port => [873, 1873]\n+ proto => tcp\n+ prio => 10\n+ srange => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet', 'clouddumps1001.wikimedia.org', 'clouddumps1002.wikimedia.org']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "File[/usr/local/bin/chk_phuser]", "parameters": "--- File[/usr/local/bin/chk_phuser].orig\n+++ File[/usr/local/bin/chk_phuser]\n\n+ mode => 0550\n+ source => puppet:///modules/phabricator/chk_phuser.sh\n+ owner => root\n+ group => root\n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_quarterly_metrics].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_quarterly_metrics]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - quarterly_metrics\n+ command => /usr/local/bin/quarterly_metrics.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-01,04,07,10-1 0:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Phabricator::Logmail[tech_news_weekly_stats]", "parameters": "--- Phabricator::Logmail[tech_news_weekly_stats].orig\n+++ Phabricator::Logmail[tech_news_weekly_stats]\n\n+ ensure => absent\n+ weekday => Thursday\n+ rcpt_address => ['nwilson@wikimedia.org', 'jjonsson@wikimedia.org', 'bevellin@wikimedia.org', 'uzoma@wikimedia.org', 'stei@wikimedia.org']\n+ mysql_slave_port => 3323\n+ mysql_slave => m3-slave.codfw.wmnet\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_maniphest\n+ require => Package[phabricator/deployment]\n+ hour => 12\n"}, {"resource": "Class[Admin]", "parameters": "--- Class[Admin].orig\n+++ Class[Admin]\n\n@@\n- groups => ['phabricator-roots']\n+ groups => ['phabricator-admin', 'phabricator-roots', 'phabricator-bulk-manager']\n"}, {"resource": "Firewall::Service[phabmain-smtp]", "parameters": "--- Firewall::Service[phabmain-smtp].orig\n+++ Firewall::Service[phabmain-smtp]\n\n+ ensure => absent\n+ port => 25\n+ proto => tcp\n+ prio => 10\n+ srange => ['mx-in1001.wikimedia.org', 'mx-in2001.wikimedia.org']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Timer[phabricator_clean_tmp_files]", "parameters": "--- Systemd::Timer[phabricator_clean_tmp_files].orig\n+++ Systemd::Timer[phabricator_clean_tmp_files]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* 07:00:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => present\n+ unit_name => phabricator_clean_tmp_files.service\n+ splay => 0\n"}, {"resource": "Systemd::Unit[phabricator_task_dump.timer]", "parameters": "--- Systemd::Unit[phabricator_task_dump.timer].orig\n+++ Systemd::Unit[phabricator_task_dump.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_task_dump.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Sysuser[vcs]", "parameters": "--- Systemd::Sysuser[vcs].orig\n+++ Systemd::Sysuser[vcs]\n\n+ id => 497:497\n+ ensure => present\n+ shell => /bin/sh\n+ username => vcs\n+ usertype => user\n+ description => Phabricator vcs user\n+ home_dir => /var/lib/vcs\n+ allow_login => True\n+ additional_groups => ['vcs', 'phd']\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_project_changes\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_project_changes/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "content": "--- /etc/nftables/input/10_envoy_tls_termination_src_sets.nft.orig\n+++ /etc/nftables/input/10_envoy_tls_termination_src_sets.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr @CACHES_ipv4 tcp dport { 443 } accept\n+ip6 saddr @CACHES_ipv6 tcp dport { 443 } accept", "parameters": "--- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft].orig\n+++ File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ require => ['Nftables::Set[CACHES]']\n+ group => root\n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_quarterly_metrics].orig\n+++ Systemd::Syslog[phabricator_stats_job_quarterly_metrics]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "File[/etc/logrotate.d/backup-home-dirs]", "content": "--- /etc/logrotate.d/backup-home-dirs.orig\n+++ /etc/logrotate.d/backup-home-dirs\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for backup-home-dirs\n+\n+/var/log/backup-home-dirs/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/backup-home-dirs].orig\n+++ File[/etc/logrotate.d/backup-home-dirs]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Sudo::User[www-data]", "parameters": "--- Sudo::User[www-data].orig\n+++ Sudo::User[www-data]\n\n+ privileges => ['ALL=(phd) SETENV: NOPASSWD: /usr/local/bin/git-http-backend, /usr/bin/git']\n+ require => ['File[/usr/local/bin/git-http-backend]', 'Class[Sudo]']\n+ user => www-data\n+ ensure => present\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem]\n\n+ mode => 0440\n+ owner => envoy\n+ ensure => file\n+ show_diff => False\n+ backup => False\n+ group => envoy\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_community_metrics\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_community_metrics/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/usr/local/bin/phab_epipe.py]", "parameters": "--- File[/usr/local/bin/phab_epipe.py].orig\n+++ File[/usr/local/bin/phab_epipe.py]\n\n+ mode => 0555\n+ source => puppet:///modules/phabricator/phab_epipe.py\n+ owner => mail\n+ ensure => file\n+ group => mail\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[/srv/phab/libext/translations/src_static_dir_exists]", "parameters": "--- Exec[/srv/phab/libext/translations/src_static_dir_exists].orig\n+++ Exec[/srv/phab/libext/translations/src_static_dir_exists]\n\n+ creates => /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/translations/src\n+ require => File[/srv/phab]\n+ command => /bin/ln -s /srv/phab/libext//srv/phab/libext/translations/src/rsrc/webroot-static /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/translations/src\n+ onlyif => /usr/bin/test -e /srv/phab/libext//srv/phab/libext/translations/src/rsrc/webroot-static\n"}, {"resource": "Nftables::Service[envoy_tls_termination_src_sets]", "parameters": "--- Nftables::Service[envoy_tls_termination_src_sets].orig\n+++ Nftables::Service[envoy_tls_termination_src_sets]\n\n+ ensure => present\n+ port => 443\n+ proto => tcp\n+ src_sets => ['CACHES']\n+ prio => 10\n+ notrack => True\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Sudo::Group[phabricator-bulk-manager]", "parameters": "--- Sudo::Group[phabricator-bulk-manager].orig\n+++ Sudo::Group[phabricator-bulk-manager]\n\n+ privileges => ['ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *']\n+ require => ['Class[Sudo]']\n+ group => phabricator-bulk-manager\n+ ensure => present\n"}, {"resource": "Rsyslog::Conf[input-file-apache2-error]", "parameters": "--- Rsyslog::Conf[input-file-apache2-error].orig\n+++ Rsyslog::Conf[input-file-apache2-error]\n\n+ mode => 0444\n+ require => Rsyslog::Conf[imfile]\n+ priority => 10\n+ ensure => present\n"}, {"resource": "File[/etc/sudoers.d/www-data]", "content": "--- /etc/sudoers.d/www-data.orig\n+++ /etc/sudoers.d/www-data\n@@ -0,0 +1,3 @@\n+# This file is managed by Puppet!\n+\n+www-data ALL=(phd) SETENV: NOPASSWD: /usr/local/bin/git-http-backend, /usr/bin/git", "parameters": "--- File[/etc/sudoers.d/www-data].orig\n+++ File[/etc/sudoers.d/www-data]\n\n+ mode => 0440\n+ owner => root\n+ ensure => present\n+ validate_cmd => /usr/sbin/visudo -cqf %\n+ group => root\n"}, {"resource": "Package[s-nail]", "parameters": "--- Package[s-nail].orig\n+++ Package[s-nail]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::phabricator::migration:\n+role::phabricator:\n - Collaboration Services"}, {"resource": "Service[phabricator_stats_job_yearly_metrics.timer]", "parameters": "--- Service[phabricator_stats_job_yearly_metrics.timer].orig\n+++ Service[phabricator_stats_job_yearly_metrics.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/etc/exim4/exim4.conf]", "content": "--- /etc/exim4/exim4.conf.orig\n+++ /etc/exim4/exim4.conf\n@@ -0,0 +1,197 @@\n+# This file is managed by puppet\n+\n+##########\n+# Macros #\n+##########\n+\n+CONFDIR=/etc/exim4\n+\n+###############################\n+# Main configuration settings #\n+###############################\n+\n+domainlist system_domains = @\n+domainlist local_domains = +system_domains : +phab_domains\n+\n+# Standard lists\n+domainlist phab_domains = phabricator.wikimedia.org\n+\n+hostlist wikimedia_nets = <; 208.80.152.0/22 ; 2620:0:860::/46 ; 198.35.26.0/23 ; 185.71.138.0/24 ; 2001:67c:930::/48 ; 2a02:ec80::/32 ; 2001:df2:e500::/48 ; 103.102.166.0/24 ; 185.15.58.0/24 ; 185.15.59.0/24 ; 195.200.68.0/24 ; 10.0.0.0/8 ; 127.0.0.0/8 ; ::1/128\n+hostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ;\n+\n+# Administration\n+log_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\n+message_logs = false\n+\n+# Policy control\n+acl_smtp_connect = acl_check_connect\n+acl_smtp_rcpt = acl_check_rcpt\n+acl_smtp_data = acl_check_data\n+\n+# Allow Phab, RT, OTRS to use any sender address\n+untrusted_set_sender = *\n+local_from_check = false\n+\n+system_filter = CONFDIR/system_filter\n+\n+# Resource control\n+check_spool_space = 50M\n+smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets\n+smtp_accept_queue_per_connection = 500\n+\n+deliver_queue_load_max = 800.0\n+queue_only_load = 100.0\n+remote_max_parallel = 500\n+\n+smtp_connect_backlog = 128\n+smtp_receive_timeout = 1m\n+smtp_accept_max = 4000\n+smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}\n+smtp_accept_reserve = 100\n+\n+# Lookups\n+host_lookup = *\n+rfc1413_hosts =\n+\n+# Other\n+never_users = root : daemon : bin\n+ignore_bounce_errors_after = 0h\n+\n+add_environment = <; PATH=/bin:/usr/bin\n+keep_environment =\n+\n+###############################\n+# Access Control Lists (ACLs) #\n+###############################\n+\n+begin acl\n+\n+acl_check_rcpt:\n+\n+\t# Accept if the source is local SMTP (a pipe)\n+\taccept hosts = :\n+\n+\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n+\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n+\n+\t# Accept relaying from networks we control. Note: no address verification\n+\t# is done at this point, which is good for mail submission, but may render\n+\t# recipient callout verification by affected hosts useless.\n+\taccept domains = ! +local_domains\n+\t\thosts = +relay_from_hosts\n+\t\tcontrol = submission/sender_retain\n+\n+\t# Require recipient domain to be local, or a domain we relay for\n+\trequire message = Relay not permitted\n+\t\tdomains = +local_domains : +relay_domains\n+\n+\t# Accept mail for postmaster without further policy checking,\n+\t# for compliance with the RFCs\n+\taccept local_parts = postmaster : abuse\n+\n+\t# Verify the recipient address for local domains, or require the\n+\t# recipient domain to exist for remote domains\n+\trequire verify = recipient\n+\n+\taccept\n+\n+acl_check_connect:\n+\t# We only accept mail from our own mail relays\n+\trequire message = This server does not accept external mail\n+\t\thosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets\n+\n+\taccept\n+\n+acl_check_data:\n+\taccept\n+\n+###########\n+# Routers #\n+###########\n+\n+begin routers\n+\n+# Use the system aliasfile /etc/aliases for system domains\n+system_aliases:\n+\tdriver = redirect\n+\tdomains = +system_domains\n+\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n+\tpipe_transport = address_pipe\n+\tallow_fail\n+\tallow_defer\n+\tforbid_file\n+\n+# Mail destined for Phabricator\n+\n+eat:\n+\tdriver = redirect\n+\tdomains = +phab_domains\n+\tlocal_parts = no-reply\n+\tdata = :blackhole:\n+\n+phabricator_bound:\n+\tdriver = redirect\n+\tdomains = +phab_domains\n+\tredirect_router = phab\n+\tdata = general$local_part_suffix@$domain\n+\tno_verify\n+\n+phab:\n+\tdriver = accept\n+\tdomains = +phab_domains\n+\ttransport = phab_pipe\n+\n+# Send all mail not destined for the local machine via a set of\n+# mail relays (\"smart hosts\")\n+smart_route:\n+\tdriver = manualroute\n+\ttransport = remote_smtp\n+\t# Local mail is undeliverable and remote mail is forwarded\n+\troute_list = !+local_domains mx-out1001.wikimedia.org:mx-out2001.wikimedia.org\n+\n+##############\n+# Transports #\n+##############\n+\n+begin transports\n+\n+# Generic remote SMTP transport\n+\n+remote_smtp:\n+\tdriver = smtp\n+\thosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0\n+\n+# Generic pipe local delivery transport (for use by alias/forward files)\n+\n+address_pipe:\n+\tdriver = pipe\n+\treturn_output\n+\n+# phabricator transport\n+phab_pipe:\n+\tdriver = pipe\n+\tbatch_max = 5\n+\tcommand = /usr/local/bin/phab_epipe.py\n+\tenvironment = $address_data\n+\tuser = mail\n+\tgroup = mail\n+\treturn_fail_output\n+\n+###############\n+# Retry rules #\n+###############\n+\n+begin retry\n+\n+*\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n+\n+#################\n+# Rewrite rules #\n+#################\n+\n+begin rewrite\n+\n+# T118176 - rewrite 'to/envelope-to' for mail to maint-announce\n+# this can be used to make phabricator accept maint-announce mails but needs\n+# to stay disabled until a phab application is setup to handle it\n+# maint-announce@wikimedia.org\tmaint-announce@phabricator.wikimedia.org\ttT", "parameters": "--- File[/etc/exim4/exim4.conf].orig\n+++ File[/etc/exim4/exim4.conf]\n\n+ notify => Service[exim4]\n+ mode => 0440\n+ owner => root\n+ ensure => present\n+ require => Package[exim4-config]\n+ group => Debian-exim\n"}, {"resource": "File[/home/mbinder]", "parameters": "--- File[/home/mbinder].orig\n+++ File[/home/mbinder]\n\n+ mode => 0644\n+ source => puppet:///modules/admin/home/skel\n+ recurse => remote\n+ owner => mbinder\n+ ensure => directory\n+ force => True\n+ group => 500\n"}, {"resource": "File[/etc/envoy/clusters.d]", "parameters": "--- File[/etc/envoy/clusters.d].orig\n+++ File[/etc/envoy/clusters.d]\n\n+ mode => 0755\n+ recurse => True\n+ owner => root\n+ ensure => directory\n+ purge => True\n+ group => root\n"}, {"resource": "Sudo::User[vcs]", "parameters": "--- Sudo::User[vcs].orig\n+++ Sudo::User[vcs]\n\n+ privileges => ['ALL=(phd) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/svnserve']\n+ require => ['User[vcs]', 'Class[Sudo]']\n+ user => vcs\n+ ensure => present\n"}, {"resource": "File[/var/log/phabricator_clean_tmp_files]", "parameters": "--- File[/var/log/phabricator_clean_tmp_files].orig\n+++ File[/var/log/phabricator_clean_tmp_files]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]", "parameters": "--- Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)].orig\n+++ Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Package[nodejs]", "parameters": "--- Package[nodejs].orig\n+++ Package[nodejs]\n\n+ before => ['File[/srv/phab/aphlict/config.json]']\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "Ferm::Service[phabmain_smtp]", "parameters": "--- Ferm::Service[phabmain_smtp].orig\n+++ Ferm::Service[phabmain_smtp]\n\n+ ensure => absent\n+ port => 25\n+ proto => tcp\n+ prio => 10\n+ srange => ['mx-in1001.wikimedia.org', 'mx-in2001.wikimedia.org']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Rsyslog::Input::File[apache2-error]", "parameters": "--- Rsyslog::Input::File[apache2-error].orig\n+++ Rsyslog::Input::File[apache2-error]\n\n+ ensure => present\n+ syslog_tag_prefix => input-file\n+ addmetadata => off\n+ addceetag => off\n+ reopen_on_truncate => on\n+ path => /var/log/apache2/*error*.log\n+ syslog_tag => apache2-error\n+ priority => 10\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Systemd::Timer[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Systemd::Timer[phabricator_stats_job_quarterly_wmf_qls]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-01,04,07,10-1 0:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_quarterly_wmf_qls.service\n+ splay => 0\n"}, {"resource": "File[/etc/phabtools.conf]", "content": "--- /etc/phabtools.conf.orig\n+++ /etc/phabtools.conf\n@@ -0,0 +1,63 @@\n+[general]\n+dbhost = m3-slave.codfw.wmnet\n+dbport = 3323\n+dbslave = m3-slave.codfw.wmnet\n+slaveport = 3323\n+file_upload_timeout = 360\n+\n+[phmanifest]\n+user = manifest_user\n+passwd = manifest_pass\n+\n+[phuser]\n+user = app_user\n+passwd = app_pass\n+\n+[fabmigrate]\n+db = fab_migration\n+user = fabmigrate\n+passwd = ''\n+multi = 10\n+limit = 30\n+\n+[phab]\n+host = https://phabricator.wikimedia.org/api/\n+certificate = phabtools_cert\n+username = phabtools_user\n+\n+[oldfab]\n+cert = asdf\n+host = ''\n+user = ''\n+\n+[bz]\n+url = https://bugzilla.wikimedia.org/xmlrpc.cgi\n+Bugzilla_login =\n+Bugzilla_password =\n+\n+[bzmigrate]\n+db = bugzilla_migration\n+user = bz_user\n+passwd = bz_pass\n+fetch_multi = 50\n+create_multi = 13\n+update_limit = 400\n+update_multi = 1\n+populate_multi = 1\n+security = true\n+update_lookback = 86500\n+\n+[rtmigrate]\n+db = rt_migration\n+user = rt_user\n+passwd = rt_pass\n+fetch_multi = 30\n+create_multi = 10\n+update_limit = 400\n+update_multi = 10\n+update_lookback = 86500\n+\n+[rt]\n+url = https://rt.wikimedia.org/REST/1.0/\n+login =\n+passwd =", "parameters": "--- File[/etc/phabtools.conf].orig\n+++ File[/etc/phabtools.conf]\n\n+ mode => 0660\n+ require => Package[phabricator/deployment]\n+ owner => root\n+ group => root\n"}, {"resource": "Admin::Group[phabricator-admin]", "parameters": "--- Admin::Group[phabricator-admin].orig\n+++ Admin::Group[phabricator-admin]\n\n+ privileges => ['ALL = NOPASSWD: /srv/phab/phabricator/bin/cache purge --caches user', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/herald', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/remove', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/repository', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/phd', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/policy', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/worker', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/auth strip --all-types --user *']\n+ ensure => present\n+ gid => 746\n"}, {"resource": "File[/var/log/phabricator_stats_job_project_changes]", "parameters": "--- File[/var/log/phabricator_stats_job_project_changes].orig\n+++ File[/var/log/phabricator_stats_job_project_changes]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Concat::Fragment[/etc/bacula_puppet_ca_chain]", "parameters": "--- Concat::Fragment[/etc/bacula_puppet_ca_chain].orig\n+++ Concat::Fragment[/etc/bacula_puppet_ca_chain]\n\n+ source => /var/lib/puppet/ssl/certs/ca.pem\n+ target => /etc/bacula/ssl/cert.pem\n+ order => 02\n"}, {"resource": "User[gjg]", "parameters": "--- User[gjg].orig\n+++ User[gjg]\n\n+ comment => Greg Grossmeier\n+ managehome => False\n+ ensure => present\n+ shell => /bin/bash\n+ groups => []\n+ allowdupe => False\n+ gid => 500\n+ home => /home/gjg\n+ uid => 2890\n"}, {"resource": "File[/usr/local/bin/quarterly_metrics.sh]", "content": "--- /usr/local/bin/quarterly_metrics.sh.orig\n+++ /usr/local/bin/quarterly_metrics.sh\n@@ -0,0 +1,106 @@\n+#!/bin/bash\n+# Basic quarterly statistics of Phabricator used for\n+# https://www.mediawiki.org/wiki/Technical_Community_Newsletter\n+# per T337387 - aklapper 20230523\n+# SPDX-License-Identifier: Apache-2.0\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/files/quarterly_metrics.sh\n+\n+source /etc/phab_quarterly_metrics.conf\n+\n+#echo \"result_tasks_created\"\n+result_tasks_created=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(dateCreated) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_tasks_closed\"\n+result_tasks_closed=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(closedEpoch) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_task_authors\"\n+result_tasks_authors=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(DISTINCT (authorPHID)) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_tasks_closers\"\n+result_tasks_closers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+\n+SELECT COUNT(DISTINCT (closerPHID)) FROM phabricator_maniphest.maniphest_task WHERE\n+ FROM_UNIXTIME(closedEpoch,'%Y%m')>=DATE_FORMAT(NOW() - INTERVAL 3 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+taskscreated=$(echo $result_tasks_created | sed 's/[^0-9]*//g')\n+tasksclosed=$(echo $result_tasks_closed | sed 's/[^0-9]*//g')\n+tasksauthors=$(echo $result_tasks_authors | sed 's/[^0-9]*//g')\n+tasksclosers=$(echo $result_tasks_closers | sed 's/[^0-9]*//g')\n+\n+month=\"$(date -d '-1 month' +%m)\"\n+if [[ $month == 12 ]]; then\n+ year=\"$(date --date='-1 year' +'%Y')\"\n+else\n+ year=\"$(date +'%Y')\"\n+fi\n+lastquarter=$(date +\"Q$(expr $(expr $month - 1) / 3 + 1)/$year\")\n+\n+# the actual email\n+cat < 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Bacula::Client::Job[srv-repos-Monthly-1st-Wed-productionEqiad]", "parameters": "--- Bacula::Client::Job[srv-repos-Monthly-1st-Wed-productionEqiad].orig\n+++ Bacula::Client::Job[srv-repos-Monthly-1st-Wed-productionEqiad]\n\n+ require => Class[Bacula::Client]\n+ jobdefaults => Monthly-1st-Wed-productionEqiad\n+ fileset => srv-repos\n"}, {"resource": "File[/var/log/phabricator_task_dump]", "parameters": "--- File[/var/log/phabricator_task_dump].orig\n+++ File[/var/log/phabricator_task_dump]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_aphlict.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_aphlict.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_aphlict.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Auto restart job: aphlict\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/wmf-auto-restart -s aphlict", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_aphlict.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_aphlict.service]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n- role_description => Temp role to allow migrating Phabricator data to a new server\n+ role_description => Phabricator (main) server\n"}, {"resource": "Service[phabricator_clean_tmp_files.timer]", "parameters": "--- Service[phabricator_clean_tmp_files.timer].orig\n+++ Service[phabricator_clean_tmp_files.timer]\n\n+ provider => systemd\n+ enable => True\n+ ensure => running\n"}, {"resource": "File[/srv/phab]", "parameters": "--- File[/srv/phab].orig\n+++ File[/srv/phab]\n\n+ require => Package[phabricator/deployment]\n"}, {"resource": "File[/lib/systemd/system/phabricator_clean_tmp_files.service]", "content": "--- /lib/systemd/system/phabricator_clean_tmp_files.service.orig\n+++ /lib/systemd/system/phabricator_clean_tmp_files.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator cleanup temp files\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/bin/find /tmp -ignore_readdir_race -user www-data -mtime +14 -delete", "parameters": "--- File[/lib/systemd/system/phabricator_clean_tmp_files.service].orig\n+++ File[/lib/systemd/system/phabricator_clean_tmp_files.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/var/lib/scap/scap/bin]", "parameters": "--- File[/var/lib/scap/scap/bin].orig\n+++ File[/var/lib/scap/scap/bin]\n\n- require => Class[Scap::User]\n- owner => scap\n- ensure => directory\n- group => root\n"}, {"resource": "Systemd::Service[phabricator_stats_job_project_changes]", "parameters": "--- Systemd::Service[phabricator_stats_job_project_changes].orig\n+++ Systemd::Service[phabricator_stats_job_project_changes]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_project_changes.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/usr/local/bin/arc]", "parameters": "--- File[/usr/local/bin/arc].orig\n+++ File[/usr/local/bin/arc]\n\n+ mode => 0755\n+ owner => root\n+ ensure => link\n+ target => /srv/phab/arcanist/bin/arc\n+ require => ['Package[phabricator/deployment]']\n+ group => root\n"}, {"resource": "File[/var/log/phd]", "parameters": "--- File[/var/log/phd].orig\n+++ File[/var/log/phd]\n\n+ owner => phd\n+ ensure => directory\n+ group => phd\n"}, {"resource": "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "parameters": "--- Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet].orig\n+++ Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]\n\n+ ensure => present\n+ port => 9102\n+ proto => tcp\n+ prio => 10\n+ srange => ['backup1014.eqiad.wmnet']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_project_changes]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_project_changes].orig\n+++ Systemd::Syslog[phabricator_stats_job_project_changes]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "User[vcs]", "parameters": "--- User[vcs].orig\n+++ User[vcs]\n\n+ ensure => present\n+ shell => /bin/sh\n+ groups => ['vcs', 'phd']\n+ password => *\n+ gid => 497\n+ home => /var/lib/vcs\n+ uid => 497\n+ system => True\n"}, {"resource": "Package[python3-phabricator]", "parameters": "--- Package[python3-phabricator].orig\n+++ Package[python3-phabricator]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "File[/srv/repos]", "parameters": "--- File[/srv/repos].orig\n+++ File[/srv/repos]\n\n+ mode => 0755\n+ owner => phd\n+ ensure => directory\n+ group => www-data\n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_quarterly_wmf_qls]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - quarterly_wmf_qls\n+ command => /usr/local/bin/quarterly_wmf_qls.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-01,04,07,10-1 0:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Concat::Fragment[/etc/rsyncd.conf-srv-dumps]", "parameters": "--- Concat::Fragment[/etc/rsyncd.conf-srv-dumps].orig\n+++ Concat::Fragment[/etc/rsyncd.conf-srv-dumps]\n\n+ order => 10\n+ target => /etc/rsyncd.conf\n"}, {"resource": "File[/etc/logrotate.d/phabricator_task_dump]", "content": "--- /etc/logrotate.d/phabricator_task_dump.orig\n+++ /etc/logrotate.d/phabricator_task_dump\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_task_dump\n+\n+/var/log/phabricator_task_dump/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_task_dump].orig\n+++ File[/etc/logrotate.d/phabricator_task_dump]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/var/log/wmf_auto_restart_envoyproxy]", "parameters": "--- File[/var/log/wmf_auto_restart_envoyproxy].orig\n+++ File[/var/log/wmf_auto_restart_envoyproxy]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Class[Phabricator::Aphlict]", "parameters": "--- Class[Phabricator::Aphlict].orig\n+++ Class[Phabricator::Aphlict]\n\n+ admin_port => 22281\n+ user => aphlict\n+ ensure => absent\n+ client_listen => 0.0.0.0\n+ client_port => 22280\n+ basedir => /srv/phab\n+ require => Class[Phabricator]\n+ enable_ssl => False\n+ group => aphlict\n+ admin_listen => 127.0.0.1\n"}, {"resource": "File[/lib/systemd/system/phabricator_task_dump.timer]", "content": "--- /lib/systemd/system/phabricator_task_dump.timer.orig\n+++ /lib/systemd/system/phabricator_task_dump.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_task_dump.service\n+\n+[Timer]\n+Unit=phabricator_task_dump.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Monday *-*-* 02:00:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_task_dump.timer].orig\n+++ File[/lib/systemd/system/phabricator_task_dump.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Service[prometheus-apache-exporter]", "parameters": "--- Service[prometheus-apache-exporter].orig\n+++ Service[prometheus-apache-exporter]\n\n+ require => Package[prometheus-apache-exporter]\n+ ensure => running\n"}, {"resource": "Phabricator::Libext[/srv/phab/libext/translations/src]", "parameters": "--- Phabricator::Libext[/srv/phab/libext/translations/src].orig\n+++ Phabricator::Libext[/srv/phab/libext/translations/src]\n\n+ require => ['Package[phabricator/deployment]']\n+ libname => /srv/phab/libext/translations/src\n+ rootdir => /srv/phab\n"}, {"resource": "Motd::Message[phabricator::migration]", "parameters": "--- Motd::Message[phabricator::migration].orig\n+++ Motd::Message[phabricator::migration]\n\n- priority => 5\n- ensure => present\n- message => phab2003 is a Temp role to allow migrating Phabricator data to a new server (phabricator::migration)\n"}, {"resource": "File_line[deselect_dst_root_ca_x3]", "parameters": "--- File_line[deselect_dst_root_ca_x3].orig\n+++ File_line[deselect_dst_root_ca_x3]\n\n+ notify => Exec[update-ca-certificates]\n+ match => ^!?mozilla/DST_Root_CA_X3\\.crt$\n+ path => /etc/ca-certificates.conf\n+ append_on_no_match => False\n+ require => Package[ca-certificates]\n+ line => !mozilla/DST_Root_CA_X3.crt\n"}, {"resource": "Sysctl::Parameters[TCP Fast Open]", "parameters": "--- Sysctl::Parameters[TCP Fast Open].orig\n+++ Sysctl::Parameters[TCP Fast Open]\n\n+ values => {'net.ipv4.tcp_fastopen': 3}\n+ priority => 70\n+ no_priority_prefix => False\n+ ensure => present\n"}, {"resource": "File_line[auto_restart_file_presence_envoyproxy]", "parameters": "--- File_line[auto_restart_file_presence_envoyproxy].orig\n+++ File_line[auto_restart_file_presence_envoyproxy]\n\n+ require => File[/etc/debdeploy-client/autorestarts.conf]\n+ line => envoyproxy\n+ ensure => absent\n+ path => /etc/debdeploy-client/autorestarts.conf\n"}, {"resource": "Sysctl::Conffile[phabricator network tuning]", "parameters": "--- Sysctl::Conffile[phabricator network tuning].orig\n+++ Sysctl::Conffile[phabricator network tuning]\n\n+ priority => 70\n+ no_priority_prefix => False\n+ ensure => present\n"}, {"resource": "Exec[verify-envoy-config]", "parameters": "--- Exec[verify-envoy-config].orig\n+++ Exec[verify-envoy-config]\n\n+ notify => Systemd::Service[envoyproxy.service]\n+ refreshonly => True\n+ command => /usr/local/sbin/build-envoy-config -c '/etc/envoy'\n+ user => root\n+ require => Package[envoyproxy]\n"}, {"resource": "Rsyslog::Input::File[apache2-access]", "parameters": "--- Rsyslog::Input::File[apache2-access].orig\n+++ Rsyslog::Input::File[apache2-access]\n\n+ ensure => present\n+ syslog_tag_prefix => input-file\n+ addmetadata => off\n+ addceetag => off\n+ reopen_on_truncate => on\n+ path => /var/log/apache2/*access*.log\n+ syslog_tag => apache2-access\n+ priority => 10\n"}, {"resource": "Group[vcs]", "parameters": "--- Group[vcs].orig\n+++ Group[vcs]\n\n+ ensure => present\n+ system => True\n+ gid => 497\n"}, {"resource": "Service[aphlict]", "parameters": "--- Service[aphlict].orig\n+++ Service[aphlict]\n\n+ hasrestart => False\n+ before => ['Exec[systemd daemon-reload for aphlict.service (aphlict)]']\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Systemd::Service[phd]", "parameters": "--- Systemd::Service[phd].orig\n+++ Systemd::Service[phd]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => present\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => service\n+ service_params => {'ensure': 'stopped', 'enable': False, 'hasrestart': True}\n+ require => Class[Phabricator::Phd]\n+ monitoring_contact_group => admins\n"}, {"resource": "Class[Phabricator::Mailrelay]", "parameters": "--- Class[Phabricator::Mailrelay].orig\n+++ Class[Phabricator::Mailrelay]\n\n+ default => {'maint': False}\n+ phab_bot => {'root_dir': '/srv/phab/phabricator/'}\n+ direct_comments_allowed => {}\n+ address_routing => {}\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_project_changes.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_project_changes.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_project_changes.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_project_changes.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/srv/phab/aphlict/config.json]", "content": "--- /srv/phab/aphlict/config.json.orig\n+++ /srv/phab/aphlict/config.json\n@@ -0,0 +1,21 @@\n+{\n+ \"servers\": [\n+ {\n+ \"type\": \"client\",\n+ \"port\": 22280,\n+ \"listen\": \"0.0.0.0\"\n+\n+ },\n+ {\n+ \"type\": \"admin\",\n+ \"port\": 22281,\n+ \"listen\": \"127.0.0.1\"\n+ }\n+ ],\n+ \"logs\": [\n+ {\n+ \"path\": \"/var/log/aphlict/aphlict.log\"\n+ }\n+ ],\n+ \"pidfile\": \"/var/run/aphlict/aphlict.pid\"\n+}", "parameters": "--- File[/srv/phab/aphlict/config.json].orig\n+++ File[/srv/phab/aphlict/config.json]\n\n+ notify => ['Service[aphlict]']\n+ mode => 0644\n+ owner => aphlict\n+ ensure => absent\n+ group => aphlict\n"}, {"resource": "File[/var/log/phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- File[/var/log/phabricator_stats_job_tech_news_weekly_stats].orig\n+++ File[/var/log/phabricator_stats_job_tech_news_weekly_stats]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Mailalias[root]", "parameters": "--- Mailalias[root].orig\n+++ Mailalias[root]\n\n+ recipient => root@wikimedia.org\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service].orig\n+++ Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_quarterly_wmf_qls.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Service[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Systemd::Service[phabricator_stats_job_quarterly_metrics].orig\n+++ Systemd::Service[phabricator_stats_job_quarterly_metrics]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_quarterly_metrics.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/usr/local/bin/phab_git_safedir.sh]", "parameters": "--- File[/usr/local/bin/phab_git_safedir.sh].orig\n+++ File[/usr/local/bin/phab_git_safedir.sh]\n\n+ mode => 0550\n+ source => puppet:///modules/phabricator/phab_git_safedir.sh\n+ owner => root\n+ group => root\n"}, {"resource": "File[/etc/gitconfig.d]", "parameters": "--- File[/etc/gitconfig.d].orig\n+++ File[/etc/gitconfig.d]\n\n+ mode => 0555\n+ recurse => True\n+ owner => root\n+ ensure => directory\n+ purge => True\n+ group => root\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Systemd::Timer[phabricator_stats_job_quarterly_metrics].orig\n+++ Systemd::Timer[phabricator_stats_job_quarterly_metrics]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-01,04,07,10-1 0:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_quarterly_metrics.service\n+ splay => 0\n"}, {"resource": "Admin::Hashuser[urbanecm]", "parameters": "--- Admin::Hashuser[urbanecm].orig\n+++ Admin::Hashuser[urbanecm]\n\n+ ensure_ssh_key => True\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_envoyproxy]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_envoyproxy].orig\n+++ Logrotate::Conf[wmf_auto_restart_envoyproxy]\n\n+ ensure => absent\n"}, {"resource": "Class[Profile::Phabricator::Logmail]", "parameters": "--- Class[Profile::Phabricator::Logmail].orig\n+++ Class[Profile::Phabricator::Logmail]\n\n+ deploy_target => phabricator/deployment\n+ mysql_slave_port => 3323\n+ mysql_slave => m3-slave.codfw.wmnet\n+ logmail => False\n+ sndr_address => aklapper@wikimedia.org\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/rsync-phabricator-repos.service]", "content": "--- /lib/systemd/system/rsync-phabricator-repos.service.orig\n+++ /lib/systemd/system/rsync-phabricator-repos.service\n@@ -0,0 +1,9 @@\n+[Unit]\n+Description=Transfer data periodically between hosts\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/sync-phabricator-repos\n+SuccessExitStatus=24", "parameters": "--- File[/lib/systemd/system/rsync-phabricator-repos.service].orig\n+++ File[/lib/systemd/system/rsync-phabricator-repos.service]\n\n+ notify => Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_yearly_metrics]", "parameters": "--- Systemd::Timer[phabricator_stats_job_yearly_metrics].orig\n+++ Systemd::Timer[phabricator_stats_job_yearly_metrics]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-1-1 0:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_yearly_metrics.service\n+ splay => 0\n"}, {"resource": "File[/home/urbanecm/.my.cnf]", "content": "--- /home/urbanecm/.my.cnf.orig\n+++ /home/urbanecm/.my.cnf\n@@ -0,0 +1,6 @@\n+[client]\n+user=metrics_user\n+password=metrics_pass\n+database=phabricator_maniphest\n+host=m3-slave.codfw.wmnet\n+port=3323", "parameters": "--- File[/home/urbanecm/.my.cnf].orig\n+++ File[/home/urbanecm/.my.cnf]\n\n+ mode => 0440\n+ owner => urbanecm\n+ group => root\n"}, {"resource": "File[/etc/update-motd.d/06-backups-srv-repos]", "content": "--- /etc/update-motd.d/06-backups-srv-repos.orig\n+++ /etc/update-motd.d/06-backups-srv-repos\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+echo \"Backed up on this host: srv-repos\"", "parameters": "--- File[/etc/update-motd.d/06-backups-srv-repos].orig\n+++ File[/etc/update-motd.d/06-backups-srv-repos]\n\n+ mode => 0555\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Service[rsync-phabricator-home-dirs]", "parameters": "--- Systemd::Service[rsync-phabricator-home-dirs].orig\n+++ Systemd::Service[rsync-phabricator-home-dirs]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[rsync-phabricator-home-dirs.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]", "parameters": "--- Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)].orig\n+++ Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/home/aklapper/.my.cnf]", "content": "--- /home/aklapper/.my.cnf.orig\n+++ /home/aklapper/.my.cnf\n@@ -0,0 +1,6 @@\n+[client]\n+user=metrics_user\n+password=metrics_pass\n+database=phabricator_maniphest\n+host=m3-slave.codfw.wmnet\n+port=3323", "parameters": "--- File[/home/aklapper/.my.cnf].orig\n+++ File[/home/aklapper/.my.cnf]\n\n+ mode => 0440\n+ owner => aklapper\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[apache2]', 'Package[links]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[phabricator/deployment]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[python3-pygments]', 'Package[python3-phabricator]', 'Package[apachetop]', 'Package[subversion]', 'Package[s-nail]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[nodejs]', 'Package[python3-mysqldb]', 'Package[python3-pymysql]', 'Package[exim4-config]', 'Package[exim4-daemon-heavy]', 'Package[apache2]', 'Package[links]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[python3-venv]', 'Package[phabricator/deployment]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]', 'Package[mariadb-client]', 'Package[prometheus-apache-exporter]']\n"}, {"resource": "File[/var/lib/scap/scap]", "parameters": "--- File[/var/lib/scap/scap].orig\n+++ File[/var/lib/scap/scap]\n\n- require => Class[Scap::User]\n- owner => scap\n- ensure => directory\n- group => root\n"}, {"resource": "Class[Profile::Resolving]", "parameters": "--- Class[Profile::Resolving].orig\n+++ Class[Profile::Resolving]\n\n@@\n- domain_search => ['codfw.wmnet']\n+ domain_search => ['eqiad.wmnet', 'codfw.wmnet']\n"}, {"resource": "Logrotate::Conf[aphlict]", "parameters": "--- Logrotate::Conf[aphlict].orig\n+++ Logrotate::Conf[aphlict]\n\n+ source => puppet:///modules/phabricator/logrotate_aphlict\n+ ensure => absent\n+ require => File[/var/log/aphlict/]\n"}, {"resource": "File[/etc/update-motd.d/06-backups-home]", "content": "--- /etc/update-motd.d/06-backups-home.orig\n+++ /etc/update-motd.d/06-backups-home\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+echo \"Backed up on this host: home\"", "parameters": "--- File[/etc/update-motd.d/06-backups-home].orig\n+++ File[/etc/update-motd.d/06-backups-home]\n\n+ mode => 0555\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Logrotate::Conf[rsync-phabricator-repos]", "parameters": "--- Logrotate::Conf[rsync-phabricator-repos].orig\n+++ Logrotate::Conf[rsync-phabricator-repos]\n\n+ ensure => absent\n"}, {"resource": "Systemd::Unit[rsync-phabricator-repos.timer]", "parameters": "--- Systemd::Unit[rsync-phabricator-repos.timer].orig\n+++ Systemd::Unit[rsync-phabricator-repos.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => rsync-phabricator-repos.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Systemd::Timer[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Systemd::Timer[phabricator_stats_job_tech_news_weekly_stats]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Thursday *-*-* 12:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_tech_news_weekly_stats.service\n+ splay => 0\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_community_metrics]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_community_metrics].orig\n+++ Logrotate::Conf[phabricator_stats_job_community_metrics]\n\n+ ensure => absent\n"}, {"resource": "Exec[update-sysusers-vcs]", "parameters": "--- Exec[update-sysusers-vcs].orig\n+++ Exec[update-sysusers-vcs]\n\n+ command => /bin/systemd-sysusers /etc/sysusers.d/vcs.conf\n+ user => root\n+ path => /usr/bin:/usr/sbin:/bin\n+ onlyif => test -n \"$(systemd-sysusers --dry-run /etc/sysusers.d/vcs.conf 2>&1)\"\n+ provider => shell\n"}, {"resource": "Httpd::Conf[phabricator]", "parameters": "--- Httpd::Conf[phabricator].orig\n+++ Httpd::Conf[phabricator]\n\n+ priority => 50\n+ conf_type => sites\n+ ensure => present\n"}, {"resource": "File[/srv/homes]", "parameters": "--- File[/srv/homes].orig\n+++ File[/srv/homes]\n\n+ owner => root\n+ ensure => directory\n+ group => root\n"}, {"resource": "Class[Exim4]", "parameters": "--- Class[Exim4].orig\n+++ Class[Exim4]\n\n+ config_dir => /etc/exim4\n+ queuerunner => combined\n+ variant => heavy\n+ config => # This file is managed by puppet\n\n##########\n# Macros #\n##########\n\nCONFDIR=/etc/exim4\n\n###############################\n# Main configuration settings #\n###############################\n\ndomainlist system_domains = @\ndomainlist local_domains = +system_domains : +phab_domains\n\n# Standard lists\ndomainlist phab_domains = phabricator.wikimedia.org\n\nhostlist wikimedia_nets = <; 208.80.152.0/22 ; 2620:0:860::/46 ; 198.35.26.0/23 ; 185.71.138.0/24 ; 2001:67c:930::/48 ; 2a02:ec80::/32 ; 2001:df2:e500::/48 ; 103.102.166.0/24 ; 185.15.58.0/24 ; 185.15.59.0/24 ; 195.200.68.0/24 ; 10.0.0.0/8 ; 127.0.0.0/8 ; ::1/128\nhostlist relay_from_hosts = <; @[] ; 127.0.0.1 ; ::1 ;\n\n# Administration\nlog_selector = +address_rewrite +all_parents +delivery_size +deliver_time +incoming_interface +incoming_port +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn\nmessage_logs = false\n\n# Policy control\nacl_smtp_connect = acl_check_connect\nacl_smtp_rcpt = acl_check_rcpt\nacl_smtp_data = acl_check_data\n\n# Allow Phab, RT, OTRS to use any sender address\nuntrusted_set_sender = *\nlocal_from_check = false\n\nsystem_filter = CONFDIR/system_filter\n\n# Resource control\ncheck_spool_space = 50M\nsmtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets\nsmtp_accept_queue_per_connection = 500\n\ndeliver_queue_load_max = 800.0\nqueue_only_load = 100.0\nremote_max_parallel = 500\n\nsmtp_connect_backlog = 128\nsmtp_receive_timeout = 1m\nsmtp_accept_max = 4000\nsmtp_accept_max_per_host = ${if match_ip{$sender_host_address}{+wikimedia_nets}{50}{5}}\nsmtp_accept_reserve = 100\n\n# Lookups\nhost_lookup = *\nrfc1413_hosts =\n\n# Other\nnever_users = root : daemon : bin\nignore_bounce_errors_after = 0h\n\nadd_environment = <; PATH=/bin:/usr/bin\nkeep_environment =\n\n###############################\n# Access Control Lists (ACLs) #\n###############################\n\nbegin acl\n\nacl_check_rcpt:\n\n\t# Accept if the source is local SMTP (a pipe)\n\taccept hosts = :\n\n\t# Deny if the local part contains @, %, /, | or !, or starts with a dot\n\tdeny local_parts = ^.*[@%!/|] : ^\\\\.\n\n\t# Accept relaying from networks we control. Note: no address verification\n\t# is done at this point, which is good for mail submission, but may render\n\t# recipient callout verification by affected hosts useless.\n\taccept domains = ! +local_domains\n\t\thosts = +relay_from_hosts\n\t\tcontrol = submission/sender_retain\n\n\t# Require recipient domain to be local, or a domain we relay for\n\trequire message = Relay not permitted\n\t\tdomains = +local_domains : +relay_domains\n\n\t# Accept mail for postmaster without further policy checking,\n\t# for compliance with the RFCs\n\taccept local_parts = postmaster : abuse\n\n\t# Verify the recipient address for local domains, or require the\n\t# recipient domain to exist for remote domains\n\trequire verify = recipient\n\n\taccept\n\nacl_check_connect:\n\t# We only accept mail from our own mail relays\n\trequire message = This server does not accept external mail\n\t\thosts = <; 127.0.0.0/8 ; ::1 ; +wikimedia_nets\n\n\taccept\n\nacl_check_data:\n\taccept\n\n###########\n# Routers #\n###########\n\nbegin routers\n\n# Use the system aliasfile /etc/aliases for system domains\nsystem_aliases:\n\tdriver = redirect\n\tdomains = +system_domains\n\tdata = ${lookup{$local_part}lsearch{/etc/aliases}}\n\tpipe_transport = address_pipe\n\tallow_fail\n\tallow_defer\n\tforbid_file\n\n# Mail destined for Phabricator\n\neat:\n\tdriver = redirect\n\tdomains = +phab_domains\n\tlocal_parts = no-reply\n\tdata = :blackhole:\n\nphabricator_bound:\n\tdriver = redirect\n\tdomains = +phab_domains\n\tredirect_router = phab\n\tdata = general$local_part_suffix@$domain\n\tno_verify\n\nphab:\n\tdriver = accept\n\tdomains = +phab_domains\n\ttransport = phab_pipe\n\n# Send all mail not destined for the local machine via a set of\n# mail relays (\"smart hosts\")\nsmart_route:\n\tdriver = manualroute\n\ttransport = remote_smtp\n\t# Local mail is undeliverable and remote mail is forwarded\n\troute_list = !+local_domains mx-out1001.wikimedia.org:mx-out2001.wikimedia.org\n\n##############\n# Transports #\n##############\n\nbegin transports\n\n# Generic remote SMTP transport\n\nremote_smtp:\n\tdriver = smtp\n\thosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0\n\n# Generic pipe local delivery transport (for use by alias/forward files)\n\naddress_pipe:\n\tdriver = pipe\n\treturn_output\n\n# phabricator transport\nphab_pipe:\n\tdriver = pipe\n\tbatch_max = 5\n\tcommand = /usr/local/bin/phab_epipe.py\n\tenvironment = $address_data\n\tuser = mail\n\tgroup = mail\n\treturn_fail_output\n\n###############\n# Retry rules #\n###############\n\nbegin retry\n\n*\t*\tF,2h,15m; G,16h,1h,1.5; F,4d,6h\n\n#################\n# Rewrite rules #\n#################\n\nbegin rewrite\n\n# T118176 - rewrite 'to/envelope-to' for mail to maint-announce\n# this can be used to make phabricator accept maint-announce mails but needs\n# to stay disabled until a phab application is setup to handle it\n# maint-announce@wikimedia.org\tmaint-announce@phabricator.wikimedia.org\ttT\n\n+ filter => # Exim filter\n\nif first_delivery then\n\tif $acl_m0 is not \"trusted relay\" then\n\t\t# Remove any SpamAssassin headers and add local ones\n\t\theaders remove X-Spam-Score:X-Spam-Report:X-Spam-Checker-Version:X-Spam-Status:X-Spam-Level:X-Spam-Flag\n\tendif\n\tif $acl_m0 is not \"\" and $acl_m0 is not \"trusted relay\" then\n\t\theaders add \"X-Spam-Score: $acl_m0\"\n\t\theaders add \"X-Spam-Report: $acl_m1\"\n\tendif\nendif\n\n# reject these excessive bounces temporarily\nif $header_from: matches \"MAILER-DAEMON@fickja.de\" and $header_to: matches \"abuse@wikipedia.org\" then\n\tfail text \"Message rejected due to excessive volume. If you believe this is an error please contact postmaster@wikimedia.org\"\nendif\nif $header_from: matches \"keineantwortadresse@web.de\" and $header_to: matches \"abuse@wikipedia.org\" then\n\tfail text \"Message rejected due to excessive volume. If you believe this is an error please contact postmaster@wikimedia.org\"\nendif\n# quietly drop this spam T298038\nif $header_from: matches @unn-212-102-49-71\\\\.cdn77\\\\.com and $header_to: matches abuse@wikimediafoundation\\\\.org then\n\tseen finish\nendif\n\n"}, {"resource": "File[/etc/gitconfig.d/10-setup_proxy.gitconfig]", "content": "--- /etc/gitconfig.d/10-setup_proxy.gitconfig.orig\n+++ /etc/gitconfig.d/10-setup_proxy.gitconfig\n@@ -0,0 +1,11 @@\n+# git::systemconfig for 'setup proxy'\n+[http \"https://gerrit.googlesource.com\"]\n+proxy = http://url-downloader.codfw.wikimedia.org:8080\n+[http \"https://gerrit.wikimedia.org\"]\n+proxy = \n+[http \"https://github.com\"]\n+proxy = http://url-downloader.codfw.wikimedia.org:8080\n+[http \"https://gitlab.com\"]\n+proxy = http://url-downloader.codfw.wikimedia.org:8080\n+[http \"https://phabricator.wikimedia.org\"]\n+proxy = ", "parameters": "--- File[/etc/gitconfig.d/10-setup_proxy.gitconfig].orig\n+++ File[/etc/gitconfig.d/10-setup_proxy.gitconfig]\n\n+ notify => Exec[update-gitconfig]\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ group => root\n"}, {"resource": "Service[phabricator_stats_job_project_changes.timer]", "parameters": "--- Service[phabricator_stats_job_project_changes.timer].orig\n+++ Service[phabricator_stats_job_project_changes.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft]", "content": "--- /etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft.orig\n+++ /etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 10.64.183.10 } tcp dport { 9102 } accept\n+ip6 saddr { 2620:0:861:13d:10:64:183:10 } tcp dport { 9102 } accept", "parameters": "--- File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft].orig\n+++ File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Unit[backup-home-dirs.service]", "parameters": "--- Systemd::Unit[backup-home-dirs.service].orig\n+++ Systemd::Unit[backup-home-dirs.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => backup-home-dirs.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh]", "parameters": "--- Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh].orig\n+++ Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ refreshonly => True\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server\n\n+ subscribe => File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]\n"}, {"resource": "Service[phabricator_stats_job_quarterly_metrics.timer]", "parameters": "--- Service[phabricator_stats_job_quarterly_metrics.timer].orig\n+++ Service[phabricator_stats_job_quarterly_metrics.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/etc/default/prometheus-apache-exporter]", "content": "--- /etc/default/prometheus-apache-exporter.orig\n+++ /etc/default/prometheus-apache-exporter\n@@ -0,0 +1 @@\n+ARGS=\"--scrape_uri http://127.0.0.1/server-status/?auto\"", "parameters": "--- File[/etc/default/prometheus-apache-exporter].orig\n+++ File[/etc/default/prometheus-apache-exporter]\n\n+ notify => Service[prometheus-apache-exporter]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/envoy]", "content": "--- /etc/logrotate.d/envoy.orig\n+++ /etc/logrotate.d/envoy\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for envoy\n+\n+/var/log/envoy/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/envoy].orig\n+++ File[/etc/logrotate.d/envoy]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_project_changes]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_project_changes].orig\n+++ Logrotate::Conf[phabricator_stats_job_project_changes]\n\n+ ensure => absent\n"}, {"resource": "Ferm::Service[envoy_tls_termination_src_sets]", "parameters": "--- Ferm::Service[envoy_tls_termination_src_sets].orig\n+++ Ferm::Service[envoy_tls_termination_src_sets]\n\n+ ensure => present\n+ port => 443\n+ proto => tcp\n+ src_sets => ['CACHES']\n+ prio => 10\n+ notrack => True\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "File[/usr/local/sbin/envoyproxy-hot-restarter]", "parameters": "--- File[/usr/local/sbin/envoyproxy-hot-restarter].orig\n+++ File[/usr/local/sbin/envoyproxy-hot-restarter]\n\n+ mode => 0555\n+ source => puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/exim4-paniclog]", "parameters": "--- File[/etc/logrotate.d/exim4-paniclog].orig\n+++ File[/etc/logrotate.d/exim4-paniclog]\n\n+ mode => 0444\n+ source => puppet:///modules/exim4/logrotate/exim4-paniclog\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/php/8.2/mods-available/apcu.ini]", "content": "--- /etc/php/8.2/mods-available/apcu.ini.orig\n+++ /etc/php/8.2/mods-available/apcu.ini\n@@ -2,5 +2,6 @@\n ;\n ; configuration for the apcu PHP extension\n ; priority=20\n+apc.shm_size = 4096M\n extension = apcu.so\n "}, {"resource": "Sysctl::Conffile[TCP Fast Open]", "parameters": "--- Sysctl::Conffile[TCP Fast Open].orig\n+++ Sysctl::Conffile[TCP Fast Open]\n\n+ priority => 70\n+ no_priority_prefix => False\n+ ensure => present\n"}, {"resource": "Service[wmf_auto_restart_prometheus-apache-exporter.timer]", "parameters": "--- Service[wmf_auto_restart_prometheus-apache-exporter.timer].orig\n+++ Service[wmf_auto_restart_prometheus-apache-exporter.timer]\n\n+ provider => systemd\n+ enable => True\n+ ensure => running\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics]", "content": "--- /etc/logrotate.d/phabricator_stats_job_yearly_metrics.orig\n+++ /etc/logrotate.d/phabricator_stats_job_yearly_metrics\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_yearly_metrics\n+\n+/var/log/phabricator_stats_job_yearly_metrics/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Phabricator::Logmail[project_changes]", "parameters": "--- Phabricator::Logmail[project_changes].orig\n+++ Phabricator::Logmail[project_changes]\n\n+ ensure => absent\n+ weekday => Monday\n+ rcpt_address => ['phabricator-reports@lists.wikimedia.org']\n+ mysql_slave_port => 3323\n+ mysql_slave => m3-slave.codfw.wmnet\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_project\n+ require => Package[phabricator/deployment]\n+ hour => 0\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter]", "content": "--- /etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter.orig\n+++ /etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for wmf_auto_restart_prometheus-apache-exporter\n+\n+/var/log/wmf_auto_restart_prometheus-apache-exporter/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_aphlict.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_aphlict.service].orig\n+++ Systemd::Unit[wmf_auto_restart_aphlict.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => wmf_auto_restart_aphlict.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_quarterly_wmf_qls\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_quarterly_wmf_qls/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC]", "parameters": "--- File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC].orig\n+++ File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Motd::Message[phabricator]", "parameters": "--- Motd::Message[phabricator].orig\n+++ Motd::Message[phabricator]\n\n+ priority => 5\n+ ensure => present\n+ message => phab2003 is a Phabricator (main) server (phabricator)\n"}, {"resource": "Sudo::Group[phabricator-admin]", "parameters": "--- Sudo::Group[phabricator-admin].orig\n+++ Sudo::Group[phabricator-admin]\n\n+ privileges => ['ALL = NOPASSWD: /srv/phab/phabricator/bin/cache purge --caches user', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/herald', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/remove', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/repository', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/phd', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/policy', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/worker', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *', 'ALL = NOPASSWD: /srv/phab/phabricator/bin/auth strip --all-types --user *']\n+ require => ['Class[Sudo]']\n+ group => phabricator-admin\n+ ensure => present\n"}, {"resource": "Service[rsync-phabricator-home-dirs.timer]", "parameters": "--- Service[rsync-phabricator-home-dirs.timer].orig\n+++ Service[rsync-phabricator-home-dirs.timer]\n\n+ before => ['Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Logrotate::Conf[envoy]", "parameters": "--- Logrotate::Conf[envoy].orig\n+++ Logrotate::Conf[envoy]\n\n+ ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/exim4/system_filter]", "content": "--- /etc/exim4/system_filter.orig\n+++ /etc/exim4/system_filter\n@@ -0,0 +1,24 @@\n+# Exim filter\n+\n+if first_delivery then\n+\tif $acl_m0 is not \"trusted relay\" then\n+\t\t# Remove any SpamAssassin headers and add local ones\n+\t\theaders remove X-Spam-Score:X-Spam-Report:X-Spam-Checker-Version:X-Spam-Status:X-Spam-Level:X-Spam-Flag\n+\tendif\n+\tif $acl_m0 is not \"\" and $acl_m0 is not \"trusted relay\" then\n+\t\theaders add \"X-Spam-Score: $acl_m0\"\n+\t\theaders add \"X-Spam-Report: $acl_m1\"\n+\tendif\n+endif\n+\n+# reject these excessive bounces temporarily\n+if $header_from: matches \"MAILER-DAEMON@fickja.de\" and $header_to: matches \"abuse@wikipedia.org\" then\n+\tfail text \"Message rejected due to excessive volume. If you believe this is an error please contact postmaster@wikimedia.org\"\n+endif\n+if $header_from: matches \"keineantwortadresse@web.de\" and $header_to: matches \"abuse@wikipedia.org\" then\n+\tfail text \"Message rejected due to excessive volume. If you believe this is an error please contact postmaster@wikimedia.org\"\n+endif\n+# quietly drop this spam T298038\n+if $header_from: matches @unn-212-102-49-71\\\\.cdn77\\\\.com and $header_to: matches abuse@wikimediafoundation\\\\.org then\n+\tseen finish\n+endif", "parameters": "--- File[/etc/exim4/system_filter].orig\n+++ File[/etc/exim4/system_filter]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ require => Package[exim4-config]\n+ group => Debian-exim\n"}, {"resource": "File[/var/log/wmf_auto_restart_aphlict]", "parameters": "--- File[/var/log/wmf_auto_restart_aphlict].orig\n+++ File[/var/log/wmf_auto_restart_aphlict]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Service[bacula-fd]", "parameters": "--- Service[bacula-fd].orig\n+++ Service[bacula-fd]\n\n+ require => Package[bacula-fd]\n+ ensure => running\n"}, {"resource": "Service[rsync]", "parameters": "--- Service[rsync].orig\n+++ Service[rsync]\n\n+ subscribe => ['Concat[/etc/rsyncd.conf]', 'File[/etc/default/rsync]']\n+ require => Package[rsync]\n+ enable => True\n+ ensure => running\n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_community_metrics]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_community_metrics].orig\n+++ Rsyslog::Conf[phabricator_stats_job_community_metrics]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_community_metrics]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_community_metrics]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_community_metrics].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_community_metrics]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - community_metrics\n+ command => /usr/local/bin/community_metrics.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-1 0:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Ssh::Userkey[urbanecm]", "parameters": "--- Ssh::Userkey[urbanecm].orig\n+++ Ssh::Userkey[urbanecm]\n\n+ user => urbanecm\n+ ensure => present\n"}, {"resource": "Motd::Script[phabricator::migration]", "parameters": "--- Motd::Script[phabricator::migration].orig\n+++ Motd::Script[phabricator::migration]\n\n- priority => 5\n- ensure => present\n"}, {"resource": "File[/lib/systemd/system/rsync-phabricator-home-dirs.service]", "content": "--- /lib/systemd/system/rsync-phabricator-home-dirs.service.orig\n+++ /lib/systemd/system/rsync-phabricator-home-dirs.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Transfer data periodically between hosts\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/sync-phabricator-home-dirs", "parameters": "--- File[/lib/systemd/system/rsync-phabricator-home-dirs.service].orig\n+++ File[/lib/systemd/system/rsync-phabricator-home-dirs.service]\n\n+ notify => Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Exec[create-/etc/bacula-keypair]", "parameters": "--- Exec[create-/etc/bacula-keypair].orig\n+++ Exec[create-/etc/bacula-keypair]\n\n+ before => File[/etc/bacula/ssl/server-keypair.pem]\n+ require => File[/etc/bacula/ssl]\n+ command => /bin/cat /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem /var/lib/puppet/ssl/certs/phab2003.codfw.wmnet.pem > /etc/bacula/ssl/server-keypair.pem\n+ creates => /etc/bacula/ssl/server-keypair.pem\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"collaboration-services\",role=\"phabricator::migration\",cluster=\"misc\"} 1.0\n+role_owner{team=\"collaboration-services\",role=\"phabricator\",cluster=\"misc\"} 1.0"}, {"resource": "Package[python3-mysqldb]", "parameters": "--- Package[python3-mysqldb].orig\n+++ Package[python3-mysqldb]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "Systemd::Mask[phd.service]", "parameters": "--- Systemd::Mask[phd.service].orig\n+++ Systemd::Mask[phd.service]\n\n+ unit => phd.service\n"}, {"resource": "Phabricator::Libext[/srv/phab/libext/ava/src]", "parameters": "--- Phabricator::Libext[/srv/phab/libext/ava/src].orig\n+++ Phabricator::Libext[/srv/phab/libext/ava/src]\n\n+ require => ['Package[phabricator/deployment]']\n+ libname => /srv/phab/libext/ava/src\n+ rootdir => /srv/phab\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"wmf_auto_restart_aphlict\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/wmf_auto_restart_aphlict/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Class[Profile::Phabricator::Monitoring]", "parameters": "--- Class[Profile::Phabricator::Monitoring].orig\n+++ Class[Profile::Phabricator::Monitoring]\n\n+ active_server => phab1004.eqiad.wmnet\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[apt_update_php]", "parameters": "--- Exec[apt_update_php].orig\n+++ Exec[apt_update_php]\n\n+ refreshonly => True\n+ logoutput => True\n+ command => /usr/bin/apt-get update\n"}, {"resource": "Systemd::Unit[phabricator_clean_tmp_files.timer]", "parameters": "--- Systemd::Unit[phabricator_clean_tmp_files.timer].orig\n+++ Systemd::Unit[phabricator_clean_tmp_files.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => present\n+ unit => phabricator_clean_tmp_files.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Group[phabricator-bulk-manager]", "parameters": "--- Group[phabricator-bulk-manager].orig\n+++ Group[phabricator-bulk-manager]\n\n+ ensure => present\n+ allowdupe => False\n+ gid => 819\n"}, {"resource": "Class[Bacula::Client]", "parameters": "--- Class[Bacula::Client].orig\n+++ Class[Bacula::Client]\n\n+ client_version => 9\n+ director => backup1014.eqiad.wmnet\n+ directorpassword => ZmIW52TA72psk8uust0B6ujGHYzzJbW6\n+ fdport => 9102\n+ job_retention => 90 days\n+ file_retention => 90 days\n+ catalog => production\n"}, {"resource": "File[/etc/apache2/sites-available/50-phabricator.conf]", "content": "--- /etc/apache2/sites-available/50-phabricator.conf.orig\n+++ /etc/apache2/sites-available/50-phabricator.conf\n@@ -0,0 +1,84 @@\n+# Apache configuration for Phabricator (https://phabricator.wikimedia.org)\n+\n+# This file is managed by Puppet.\n+\n+\n+ ServerName phabricator.wikimedia.org\n+ ServerAlias phab.wmfusercontent.org\n+ ServerAlias bugzilla.wikimedia.org\n+ ServerAlias bugs.wikimedia.org\n+\n+ DocumentRoot /srv/phab/phabricator/webroot\n+\n+ SetEnv PHABRICATOR_ENV www\n+\n+ \n+ RemoteIPHeader X-Client-IP\n+ RemoteIPInternalProxy 10.192.27.12 127.0.0.1 2620:0:860:114:10:192:27:12 :1 fe80::425b:7fff:fef3:a3c4\n+ \n+ \n+ RewriteEngine on\n+\n+ # Allow longer URLs for phatality / form prefill\n+ LimitRequestLine 16384\n+\n+ # Read robots.txt from disk for the alternative domain\n+ RewriteCond \"%{HTTP_HOST}\" \"phab\\.wmfusercontent\\.org\"\n+ RewriteRule ^/robots.txt$ /srv/phab/robots.txt [L]\n+\n+ # Read robots.txt from disk for the alternative domain\n+ RewriteCond \"%{HTTP_HOST}\" \"bugzilla\\.wikimedia\\.org\"\n+ RewriteRule ^/robots.txt$ /srv/phab/robots.txt [L]\n+\n+ # Read robots.txt from disk for the alternative domain\n+ RewriteCond \"%{HTTP_HOST}\" \"bugs\\.wikimedia\\.org\"\n+ RewriteRule ^/robots.txt$ /srv/phab/robots.txt [L]\n+\n+\n+\n+ \n+ Require all granted\n+ \n+\n+\n+ \n+ Options Indexes FollowSymLinks MultiViews\n+ Require all granted\n+ \n+\n+ # needed to allow http basic auth (using https auth)\n+ SetEnvIf Authorization \"(.*)\" HTTP_AUTHORIZATION=$1\n+\n+ # php-fpm\n+ \n+ SetHandler \"proxy:unix:/run/php/fpm-www.sock|fcgi://localhost/\"\n+ \n+\n+ LogLevel warn\n+ ErrorLog /var/log/apache2/phabricator_error.log\n+ CustomLog /var/log/apache2/phabricator_access.log cee_ecs_accesslog_170\n+ ServerSignature Off\n+\n+\n+ RewriteCond %{HTTP:X-Forwarded-Proto} !https\n+ RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n+\n+ # Redirect server alias home to the main server name\n+ RewriteCond \"%{HTTP_HOST}\" \"phab\\.wmfusercontent\\.org\"\n+ RewriteRule ^/$ \"https://phabricator.wikimedia.org\" [R,L]\n+ # Redirect server alias home to the main server name\n+ RewriteCond \"%{HTTP_HOST}\" \"bugzilla\\.wikimedia\\.org\"\n+ RewriteRule ^/$ \"https://phabricator.wikimedia.org\" [R,L]\n+ # Redirect server alias home to the main server name\n+ RewriteCond \"%{HTTP_HOST}\" \"bugs\\.wikimedia\\.org\"\n+ RewriteRule ^/$ \"https://phabricator.wikimedia.org\" [R,L]\n+\n+\n+\n+ RewriteRule ^/rsrc/(.*) - [L,QSA]\n+ RewriteRule ^/favicon.ico - [L,QSA]\n+ RewriteRule ^/project/sprint/board/(.*) /project/board/$1 [L,QSA,R=301]\n+ RewriteRule ^/maniphest/task/create/? /maniphest/task/edit/form/1/ [L,QSA,NE,R=301]\n+ RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA,UnsafeAllow3F]\n+\n+", "parameters": "--- File[/etc/apache2/sites-available/50-phabricator.conf].orig\n+++ File[/etc/apache2/sites-available/50-phabricator.conf]\n\n+ notify => Service[apache2]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_tech_news_weekly_stats\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_tech_news_weekly_stats/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/envoy/listeners.d]", "parameters": "--- File[/etc/envoy/listeners.d].orig\n+++ File[/etc/envoy/listeners.d]\n\n+ mode => 0755\n+ recurse => True\n+ owner => root\n+ ensure => directory\n+ purge => True\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/aphlict.service]", "content": "--- /lib/systemd/system/aphlict.service.orig\n+++ /lib/systemd/system/aphlict.service\n@@ -0,0 +1,19 @@\n+[Unit]\n+Description=Aphlict - Phabricator notification service\n+After=network.target auditd.service\n+\n+[Service]\n+Type=forking\n+User=aphlict\n+Group=aphlict\n+PIDFile=/var/run/aphlict/aphlict.pid\n+Environment=\"PHABRICATOR_ENV=aphlict\"\n+ExecStartPre=-/bin/mkdir -p /var/run/aphlict/\n+ExecStartPre=/bin/chown -R aphlict:aphlict /var/run/aphlict/\n+ExecStart=/srv/phab/phabricator/bin/aphlict start --config /srv/phab/aphlict/config.json\n+ExecStop=/srv/phab/phabricator/bin/aphlict stop --config /srv/phab/aphlict/config.json\n+Restart=on-failure\n+\n+[Install]\n+WantedBy=multi-user.target\n+Alias=aphlict.service", "parameters": "--- File[/lib/systemd/system/aphlict.service].orig\n+++ File[/lib/systemd/system/aphlict.service]\n\n+ notify => Exec[systemd daemon-reload for aphlict.service (aphlict)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Service[wmf_auto_restart_envoyproxy.timer]", "parameters": "--- Service[wmf_auto_restart_envoyproxy.timer].orig\n+++ Service[wmf_auto_restart_envoyproxy.timer]\n\n+ before => ['Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/lib/systemd/system/phabricator_clean_tmp_files.timer]", "content": "--- /lib/systemd/system/phabricator_clean_tmp_files.timer.orig\n+++ /lib/systemd/system/phabricator_clean_tmp_files.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_clean_tmp_files.service\n+\n+[Timer]\n+Unit=phabricator_clean_tmp_files.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* 07:00:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_clean_tmp_files.timer].orig\n+++ File[/lib/systemd/system/phabricator_clean_tmp_files.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/envoy/ssl]", "parameters": "--- File[/etc/envoy/ssl].orig\n+++ File[/etc/envoy/ssl]\n\n+ mode => 0740\n+ recurse => True\n+ owner => envoy\n+ ensure => directory\n+ group => envoy\n"}, {"resource": "File[/etc/rsyslog.d/00-imfile.conf]", "content": "--- /etc/rsyslog.d/00-imfile.conf.orig\n+++ /etc/rsyslog.d/00-imfile.conf\n@@ -0,0 +1 @@\n+module(load=\"imfile\")", "parameters": "--- File[/etc/rsyslog.d/00-imfile.conf].orig\n+++ File[/etc/rsyslog.d/00-imfile.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-task-dump.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-task-dump.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-task-dump.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_task_dump\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_task_dump/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-task-dump.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-task-dump.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Ferm::Service[rsyncd_access_srv_dumps]", "parameters": "--- Ferm::Service[rsyncd_access_srv_dumps].orig\n+++ Ferm::Service[rsyncd_access_srv_dumps]\n\n+ ensure => present\n+ port => [873, 1873]\n+ proto => tcp\n+ prio => 10\n+ srange => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet', 'clouddumps1001.wikimedia.org', 'clouddumps1002.wikimedia.org']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Exec[/srv/phab/libext/misc_static_dir_exists]", "parameters": "--- Exec[/srv/phab/libext/misc_static_dir_exists].orig\n+++ Exec[/srv/phab/libext/misc_static_dir_exists]\n\n+ creates => /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/misc\n+ require => File[/srv/phab]\n+ command => /bin/ln -s /srv/phab/libext//srv/phab/libext/misc/rsrc/webroot-static /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/misc\n+ onlyif => /usr/bin/test -e /srv/phab/libext//srv/phab/libext/misc/rsrc/webroot-static\n"}, {"resource": "Concat_fragment[/etc/rsyncd.conf-srv-dumps]", "content": "--- /etc/rsyncd.conf-srv-dumps.orig\n+++ /etc/rsyncd.conf-srv-dumps\n@@ -0,0 +1,20 @@\n+# This file is being maintained by Puppet.\n+# DO NOT EDIT\n+\n+[ srv-dumps ]\n+path = /srv/dumps\n+read only = yes\n+write only = no\n+list = yes\n+uid = 0\n+gid = 0\n+use chroot = yes\n+\n+\n+max connections = 0\n+\n+\n+\n+\n+hosts allow = phab1004.eqiad.wmnet phab2002.codfw.wmnet clouddumps1001.wikimedia.org clouddumps1002.wikimedia.org localhost\n+", "parameters": "--- Concat_fragment[/etc/rsyncd.conf-srv-dumps].orig\n+++ Concat_fragment[/etc/rsyncd.conf-srv-dumps]\n\n+ order => 10\n+ tag => _etc_rsyncd.conf\n+ target => /etc/rsyncd.conf\n"}, {"resource": "Systemd::Service[phabricator_stats_job_community_metrics]", "parameters": "--- Systemd::Service[phabricator_stats_job_community_metrics].orig\n+++ Systemd::Service[phabricator_stats_job_community_metrics]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_community_metrics.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_tech_news_weekly_stats.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_community_metrics]", "content": "--- /etc/logrotate.d/phabricator_stats_job_community_metrics.orig\n+++ /etc/logrotate.d/phabricator_stats_job_community_metrics\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_community_metrics\n+\n+/var/log/phabricator_stats_job_community_metrics/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_community_metrics].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_community_metrics]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/var/log/rsync-phabricator-repos]", "parameters": "--- File[/var/log/rsync-phabricator-repos].orig\n+++ File[/var/log/rsync-phabricator-repos]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_envoyproxy.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_envoyproxy.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Auto restart job: envoyproxy\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/wmf-auto-restart -s envoyproxy", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/phabricator]", "parameters": "--- File[/etc/phabricator].orig\n+++ File[/etc/phabricator]\n\n+ mode => 0750\n+ owner => root\n+ ensure => directory\n+ group => phab-deploy\n"}, {"resource": "File[/srv/phab/phabricator//support/aphlict/server/node_modules]", "parameters": "--- File[/srv/phab/phabricator//support/aphlict/server/node_modules].orig\n+++ File[/srv/phab/phabricator//support/aphlict/server/node_modules]\n\n+ notify => ['Service[aphlict]']\n+ owner => root\n+ ensure => link\n+ target => /srv/phab/aphlict/node_modules\n+ group => root\n"}, {"resource": "Logrotate::Conf[phabricator_task_dump]", "parameters": "--- Logrotate::Conf[phabricator_task_dump].orig\n+++ Logrotate::Conf[phabricator_task_dump]\n\n+ ensure => absent\n"}, {"resource": "File[/etc/sudoers.d/phabricator-bulk-manager]", "content": "--- /etc/sudoers.d/phabricator-bulk-manager.orig\n+++ /etc/sudoers.d/phabricator-bulk-manager\n@@ -0,0 +1,3 @@\n+# This file is managed by Puppet!\n+\n+%phabricator-bulk-manager ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *", "parameters": "--- File[/etc/sudoers.d/phabricator-bulk-manager].orig\n+++ File[/etc/sudoers.d/phabricator-bulk-manager]\n\n+ mode => 0440\n+ owner => root\n+ ensure => present\n+ validate_cmd => /usr/sbin/visudo -cqf %\n+ group => root\n"}, {"resource": "File[/etc/exim4/aliases]", "parameters": "--- File[/etc/exim4/aliases].orig\n+++ File[/etc/exim4/aliases]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ require => Package[exim4-config]\n+ group => Debian-exim\n"}, {"resource": "Systemd::Service[phabricator_stats_job_yearly_metrics]", "parameters": "--- Systemd::Service[phabricator_stats_job_yearly_metrics].orig\n+++ Systemd::Service[phabricator_stats_job_yearly_metrics]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_yearly_metrics.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Systemd::Timer[backup-home-dirs]", "parameters": "--- Systemd::Timer[backup-home-dirs].orig\n+++ Systemd::Timer[backup-home-dirs]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* 0:10:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => backup-home-dirs.service\n+ splay => 0\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n+ error_page => False\n+ services => [{'server_names': ['*'], 'port': 80}]\n+ sni_support => no\n+ header_key_format => none\n+ firewall_global => False\n+ request_headers_to_add => {}\n+ global_cert_name => phabricator.discovery.wmnet\n+ upstream_addr => phab2003.codfw.wmnet\n+ upstream_tls => False\n+ tls_port => 443\n+ use_remote_address => False\n+ websockets => True\n+ ssl_provider => cfssl\n+ firewall_src_sets => ['CACHES']\n+ listen_ipv6 => True\n+ upstream_response_timeout => 65.0\n+ fast_open_queue => 150\n+ cfssl_label => discovery2026\n+ retries => True\n+ rate_limit_enabled => False\n+ local_otel_reporting_pct => 0.0\n+ require => ['Class[Profile::Envoy]']\n+ cfssl_options => {'hosts': ['phabricator.wikimedia.org', 'phab.wmfusercontent.org', 'bugs.wikimedia.org', 'bugzilla.wikimedia.org']}\n+ access_log => False\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_aphlict.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_aphlict.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_aphlict.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => wmf_auto_restart_aphlict.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[input-file-apache2-access]", "parameters": "--- Rsyslog::Conf[input-file-apache2-access].orig\n+++ Rsyslog::Conf[input-file-apache2-access]\n\n+ mode => 0444\n+ require => Rsyslog::Conf[imfile]\n+ priority => 10\n+ ensure => present\n"}, {"resource": "Package[python3-pygments]", "parameters": "--- Package[python3-pygments].orig\n+++ Package[python3-pygments]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "Profile::Auto_restarts::Service[envoyproxy]", "parameters": "--- Profile::Auto_restarts::Service[envoyproxy].orig\n+++ Profile::Auto_restarts::Service[envoyproxy]\n\n+ ensure => absent\n"}, {"resource": "Rsyslog::Conf[imfile]", "parameters": "--- Rsyslog::Conf[imfile].orig\n+++ Rsyslog::Conf[imfile]\n\n+ mode => 0444\n+ priority => 0\n+ ensure => present\n"}, {"resource": "Sysctl::Parameters[phabricator network tuning]", "parameters": "--- Sysctl::Parameters[phabricator network tuning].orig\n+++ Sysctl::Parameters[phabricator network tuning]\n\n+ values => {'net.ipv4.ip_local_port_range': [4001, 65534], 'net.ipv4.tcp_tw_reuse': 1}\n+ priority => 70\n+ no_priority_prefix => False\n+ ensure => present\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Logrotate::Conf[phabricator_stats_job_quarterly_wmf_qls]\n\n+ ensure => absent\n"}, {"resource": "Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "parameters": "--- Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem].orig\n+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]\n\n+ require => Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]\n+ unless => /usr/bin/test \"$(/bin/cat /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem | sha512sum)\"\n\n+ command => /bin/cat /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem > /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem\n+ subscribe => ['Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]', 'File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]']\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_envoyproxy.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_envoyproxy.service].orig\n+++ Systemd::Unit[wmf_auto_restart_envoyproxy.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => wmf_auto_restart_envoyproxy.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Unit[aphlict]", "parameters": "--- Systemd::Unit[aphlict].orig\n+++ Systemd::Unit[aphlict]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => aphlict\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -0,0 +1,55 @@\n+address:\n+ socket_address:\n+ port_value: 443\n+ address: '::'\n+ ipv4_compat: true\n+listener_filters:\n+- name: \"envoy.filters.listener.tls_inspector\"\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector\n+tcp_fast_open_queue_length: 150\n+filter_chains:\n+# Non-SNI support\n+- transport_socket:\n+ name: envoy.transport_sockets.tls\n+ typed_config:\n+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext\n+ common_tls_context:\n+ tls_certificates:\n+ - certificate_chain: { filename: \"/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem\" }\n+ private_key: { filename: \"/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem\" }\n+ filters:\n+ - name: envoy.http_connection_manager\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\n+ upgrade_configs:\n+ - upgrade_type: \"websocket\"\n+ stat_prefix: ingress_http\n+ route_config:\n+ virtual_hosts:\n+ - name: non_sni_port_80\n+ domains: [\"*\"]\n+ routes:\n+ - match: { prefix: \"/\" }\n+ route:\n+ cluster: local_port_80\n+ timeout: 65.0s\n+ retry_policy:\n+ num_retries: 1\n+ retry_on: \"5xx\"\n+ http_filters:\n+ - name: envoy.filters.http.router\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\n+ http_protocol_options:\n+ accept_http_10: true\n+ server_header_transformation: APPEND_IF_ABSENT\n+ internal_address_config:\n+ unix_sockets: true\n+ cidr_ranges:\n+ - address_prefix: 10.0.0.0\n+ prefix_len: 8\n+ - address_prefix: 127.0.0.1\n+ prefix_len: 32\n+ - address_prefix: ::1\n+ prefix_len: 128", "parameters": "--- File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml].orig\n+++ File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]\n\n+ notify => Exec[verify-envoy-config]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_quarterly_metrics].orig\n+++ Logrotate::Conf[phabricator_stats_job_quarterly_metrics]\n\n+ ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-clean-tmp-files.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-clean-tmp-files.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_clean_tmp_files\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_clean_tmp_files/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/var/log/wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- File[/var/log/wmf_auto_restart_prometheus-apache-exporter].orig\n+++ File[/var/log/wmf_auto_restart_prometheus-apache-exporter]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_envoyproxy.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_envoyproxy.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of wmf_auto_restart_envoyproxy.service\n+\n+[Timer]\n+Unit=wmf_auto_restart_envoyproxy.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 19:9:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_aphlict.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_aphlict.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_aphlict.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of wmf_auto_restart_aphlict.service\n+\n+[Timer]\n+Unit=wmf_auto_restart_aphlict.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 11:39:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_aphlict.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_aphlict.timer]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Systemd::Service[backup-home-dirs]", "parameters": "--- Systemd::Service[backup-home-dirs].orig\n+++ Systemd::Service[backup-home-dirs]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[backup-home-dirs.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_aphlict]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_aphlict].orig\n+++ Systemd::Syslog[wmf_auto_restart_aphlict]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "File[/etc/systemd/system/envoyproxy.service.d]", "parameters": "--- File[/etc/systemd/system/envoyproxy.service.d].orig\n+++ File[/etc/systemd/system/envoyproxy.service.d]\n\n+ mode => 0555\n+ owner => root\n+ ensure => directory\n+ group => root\n"}, {"resource": "Systemd::Syslog[backup-home-dirs]", "parameters": "--- Systemd::Syslog[backup-home-dirs].orig\n+++ Systemd::Syslog[backup-home-dirs]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Systemd::Syslog[phabricator_task_dump]", "parameters": "--- Systemd::Syslog[phabricator_task_dump].orig\n+++ Systemd::Syslog[phabricator_task_dump]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "File_line[auto_restart_file_presence_prometheus-apache-exporter]", "parameters": "--- File_line[auto_restart_file_presence_prometheus-apache-exporter].orig\n+++ File_line[auto_restart_file_presence_prometheus-apache-exporter]\n\n+ require => File[/etc/debdeploy-client/autorestarts.conf]\n+ line => prometheus-apache-exporter\n+ ensure => present\n+ path => /etc/debdeploy-client/autorestarts.conf\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_community_metrics.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_community_metrics.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_community_metrics.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_community_metrics.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]\n\n+ mode => 0440\n+ source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem\n+ owner => envoy\n+ ensure => file\n+ group => envoy\n"}, {"resource": "File[/etc/exim4/update-exim4.conf.conf]", "content": "--- /etc/exim4/update-exim4.conf.conf.orig\n+++ /etc/exim4/update-exim4.conf.conf\n@@ -0,0 +1 @@\n+dc_eximconfig_configtype=none", "parameters": "--- File[/etc/exim4/update-exim4.conf.conf].orig\n+++ File[/etc/exim4/update-exim4.conf.conf]\n\n+ mode => 0444\n+ require => Package[exim4-config]\n+ owner => root\n+ group => root\n"}, {"resource": "Rsyslog::Conf[phabricator_clean_tmp_files]", "parameters": "--- Rsyslog::Conf[phabricator_clean_tmp_files].orig\n+++ Rsyslog::Conf[phabricator_clean_tmp_files]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_clean_tmp_files]\n+ priority => 40\n+ ensure => present\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_aphlict]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_aphlict].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_aphlict]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => Auto restart job: aphlict\n+ command => /usr/local/sbin/wmf-auto-restart -s aphlict\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 11:39:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ require => File[/usr/local/sbin/wmf-auto-restart]\n+ logfile_basedir => /var/log\n"}, {"resource": "File[/etc/bacula/bacula-fd.conf]", "content": "--- /etc/bacula/bacula-fd.conf.orig\n+++ /etc/bacula/bacula-fd.conf\n@@ -0,0 +1,47 @@\n+# This file has been autogenerated by puppet. Don't edit by hand\n+\n+# The directors allowed to connect to us\n+Director {\n+ Name = \"backup1014.eqiad.wmnet\"\n+ Password = \"ZmIW52TA72psk8uust0B6ujGHYzzJbW6\"\n+ # Have the Control channel encrypted\n+ TLS Enable = yes\n+ TLS Require = yes\n+ TLS CA Certificate File = \"/etc/ssl/certs/wmf-ca-certificates.crt\"\n+ TLS Verify Peer = yes\n+ TLS Certificate = \"/etc/bacula/ssl/cert.pem\"\n+ TLS Key = \"/etc/bacula/ssl/server.key\"\n+}\n+\n+#\n+# \"Global\" File daemon configuration specifications\n+#\n+FileDaemon {\n+ Name = \"phab2003.codfw.wmnet-fd\"\n+ FDport = 9102\n+ WorkingDirectory = /var/lib/bacula\n+ Pid Directory = /var/run/bacula\n+ Maximum Concurrent Jobs = 1\n+ Plugin Directory = \"/usr/lib/bacula\"\n+ # Have all data stored encrypted\n+ PKI Encryption = Yes\n+ PKI Signatures = Yes\n+ PKI Keypair = \"/etc/bacula/ssl/server-keypair.pem\"\n+ PKI Master Key = \"/var/lib/puppet/ssl/certs/ca.pem\"\n+ # Do enable Data channel encryption.\n+ TLS Enable = yes\n+ TLS Require = yes\n+ TLS Certificate = \"/etc/bacula/ssl/cert.pem\"\n+ TLS Key = \"/etc/bacula/ssl/server.key\"\n+ TLS CA Certificate File = \"/etc/ssl/certs/wmf-ca-certificates.crt\"\n+ # Heartbeat inverval = 0 # in secs\n+ # FDAddresses = # For director connections\n+ # FDSourceAddress = # For connecting to SD\n+ # Maximum Bandwidth Per Job =\n+}\n+\n+# Send all messages except skipped files back to Director\n+Messages {\n+ Name = Standard\n+ director = \"backup1014.eqiad.wmnet\" = all, !skipped, !restored\n+}", "parameters": "--- File[/etc/bacula/bacula-fd.conf].orig\n+++ File[/etc/bacula/bacula-fd.conf]\n\n+ notify => Service[bacula-fd]\n+ mode => 0400\n+ owner => root\n+ ensure => present\n+ require => ['Package[bacula-fd]']\n+ group => root\n"}, {"resource": "File[/etc/phab_project_changes.conf]", "content": "--- /etc/phab_project_changes.conf.orig\n+++ /etc/phab_project_changes.conf\n@@ -0,0 +1,8 @@\n+declare rcpt_address='phabricator-reports@lists.wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_project'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_project_changes.conf].orig\n+++ File[/etc/phab_project_changes.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Phabricator::Logmail[quarterly_metrics]", "parameters": "--- Phabricator::Logmail[quarterly_metrics].orig\n+++ Phabricator::Logmail[quarterly_metrics]\n\n+ ensure => absent\n+ rcpt_address => ['lgoto@wikimedia.org', 'aklapper@wikimedia.org']\n+ monthday => 1\n+ month => 01,04,07,10\n+ mysql_slave => m3-slave.codfw.wmnet\n+ mysql_slave_port => 3323\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_maniphest\n+ require => Package[phabricator/deployment]\n+ hour => 0\n"}, {"resource": "File[/usr/local/sbin/envoyproxy-start]", "parameters": "--- File[/usr/local/sbin/envoyproxy-start].orig\n+++ File[/usr/local/sbin/envoyproxy-start]\n\n+ mode => 0555\n+ source => puppet:///modules/envoyproxy/hot_restarter/start-envoy.sh\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Systemd::Syslog[phabricator_stats_job_tech_news_weekly_stats]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]\n\n+ before => ['Service[phabricator_clean_tmp_files.timer]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/srv/phab/phabricator/scripts/ssh/]", "parameters": "--- File[/srv/phab/phabricator/scripts/ssh/].orig\n+++ File[/srv/phab/phabricator/scripts/ssh/]\n\n+ recurse => True\n+ owner => vcs\n+ path => /srv/phab/phabricator/scripts/ssh\n+ group => root\n"}, {"resource": "Systemd::Unit[backup-home-dirs.timer]", "parameters": "--- Systemd::Unit[backup-home-dirs.timer].orig\n+++ Systemd::Unit[backup-home-dirs.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => backup-home-dirs.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Timer::Job[rsync-phabricator-home-dirs]", "parameters": "--- Systemd::Timer::Job[rsync-phabricator-home-dirs].orig\n+++ Systemd::Timer::Job[rsync-phabricator-home-dirs]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => Transfer data periodically between hosts\n+ command => /usr/local/sbin/sync-phabricator-home-dirs\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change].orig\n+++ Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ refreshonly => True\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server\n\n+ require => Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]\n+ subscribe => File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]\n"}, {"resource": "Class[Rsync::Server]", "parameters": "--- Class[Rsync::Server].orig\n+++ Class[Rsync::Server]\n\n+ rsyncd_conf => {}\n+ ensure_service => running\n+ address => 0.0.0.0\n+ rsync_opts => []\n+ timeout => 300\n+ use_chroot => yes\n"}, {"resource": "File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf]", "content": "--- /etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf.orig\n+++ /etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"rsync-phabricator-home-dirs\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/rsync-phabricator-home-dirs/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf].orig\n+++ File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]", "parameters": "--- Envoyproxy::Conf[tls_terminator_443].orig\n+++ Envoyproxy::Conf[tls_terminator_443]\n\n+ priority => 0\n+ conf_type => listener\n"}, {"resource": "Package[envoyproxy]", "parameters": "--- Package[envoyproxy].orig\n+++ Package[envoyproxy]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "File[/etc/bacula/ssl/server-keypair.pem]", "parameters": "--- File[/etc/bacula/ssl/server-keypair.pem].orig\n+++ File[/etc/bacula/ssl/server-keypair.pem]\n\n+ mode => 0400\n+ owner => bacula\n+ ensure => present\n+ group => bacula\n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_yearly_metrics]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_yearly_metrics].orig\n+++ Rsyslog::Conf[phabricator_stats_job_yearly_metrics]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_yearly_metrics]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Class[Phabricator::Tools]", "parameters": "--- Class[Phabricator::Tools].orig\n+++ Class[Phabricator::Tools]\n\n+ gerritbot_token => gerritbot_token\n+ phabtools_cert => phabtools_cert\n+ dbslave_port => 3323\n+ phabtools_user => phabtools_user\n+ directory => /srv/phab/tools\n+ app_user => app_user\n+ dbmaster_port => 3323\n+ manifest_user => manifest_user\n+ dbmaster_host => m3-slave.codfw.wmnet\n+ bz_pass => bz_pass\n+ dbslave_host => m3-slave.codfw.wmnet\n+ manifest_pass => manifest_pass\n+ app_pass => app_pass\n+ rt_user => rt_user\n+ deploy_target => phabricator/deployment\n+ dump => False\n+ rt_pass => rt_pass\n+ bz_user => bz_user\n+ require => Package[phabricator/deployment]\n"}, {"resource": "Admin::Hashuser[gjg]", "parameters": "--- Admin::Hashuser[gjg].orig\n+++ Admin::Hashuser[gjg]\n\n+ ensure_ssh_key => True\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[apache2]', 'Package[links]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[python3-pygments]', 'Package[python3-phabricator]', 'Package[apachetop]', 'Package[subversion]', 'Package[s-nail]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[nodejs]', 'Package[python3-mysqldb]', 'Package[python3-pymysql]', 'Package[exim4-config]', 'Package[exim4-daemon-heavy]', 'Package[apache2]', 'Package[links]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[python3-venv]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]', 'Package[mariadb-client]', 'Package[prometheus-apache-exporter]']\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_envoyproxy.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_envoyproxy.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_envoyproxy.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => wmf_auto_restart_envoyproxy.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/sysusers.d/vcs.conf]", "content": "--- /etc/sysusers.d/vcs.conf.orig\n+++ /etc/sysusers.d/vcs.conf\n@@ -0,0 +1 @@\n+u\tvcs\t497:497\t\"Phabricator vcs user\"\t/var/lib/vcs\t/bin/sh", "parameters": "--- File[/etc/sysusers.d/vcs.conf].orig\n+++ File[/etc/sysusers.d/vcs.conf]\n\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ require => File[/etc/sysusers.d]\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf]", "content": "--- /etc/rsyslog.d/40-rsync-phabricator-repos.conf.orig\n+++ /etc/rsyslog.d/40-rsync-phabricator-repos.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"rsync-phabricator-repos\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/rsync-phabricator-repos/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf].orig\n+++ File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_yearly_metrics]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_yearly_metrics].orig\n+++ Logrotate::Conf[phabricator_stats_job_yearly_metrics]\n\n+ ensure => absent\n"}, {"resource": "Phabricator::Libext[/srv/phab/libext/misc]", "parameters": "--- Phabricator::Libext[/srv/phab/libext/misc].orig\n+++ Phabricator::Libext[/srv/phab/libext/misc]\n\n+ require => ['Package[phabricator/deployment]']\n+ libname => /srv/phab/libext/misc\n+ rootdir => /srv/phab\n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_project_changes]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_project_changes].orig\n+++ Rsyslog::Conf[phabricator_stats_job_project_changes]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_project_changes]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "File[/var/log/rsync-phabricator-home-dirs]", "parameters": "--- File[/var/log/rsync-phabricator-home-dirs].orig\n+++ File[/var/log/rsync-phabricator-home-dirs]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Ferm::Service[ssh_cluster]", "parameters": "--- Ferm::Service[ssh_cluster].orig\n+++ Ferm::Service[ssh_cluster]\n\n+ ensure => present\n+ port => 22\n+ proto => tcp\n+ prio => 10\n+ srange => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Timer[phabricator_task_dump]", "parameters": "--- Systemd::Timer[phabricator_task_dump].orig\n+++ Systemd::Timer[phabricator_task_dump]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Monday *-*-* 02:00:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_task_dump.service\n+ splay => 0\n"}, {"resource": "File[/etc/apache2/sites-enabled/50-phabricator.conf]", "parameters": "--- File[/etc/apache2/sites-enabled/50-phabricator.conf].orig\n+++ File[/etc/apache2/sites-enabled/50-phabricator.conf]\n\n+ notify => Service[apache2]\n+ owner => root\n+ ensure => link\n+ target => /etc/apache2/sites-available/50-phabricator.conf\n+ group => root\n"}, {"resource": "Group[phabricator-admin]", "parameters": "--- Group[phabricator-admin].orig\n+++ Group[phabricator-admin]\n\n+ ensure => present\n+ allowdupe => False\n+ gid => 746\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]\n\n+ names => []\n+ hosts => ['phabricator.wikimedia.org', 'phab.wmfusercontent.org', 'bugs.wikimedia.org', 'bugzilla.wikimedia.org']\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ ensure => present\n+ common_name => phabricator.discovery.wmnet\n"}, {"resource": "File[/var/log/phabricator_stats_job_yearly_metrics]", "parameters": "--- File[/var/log/phabricator_stats_job_yearly_metrics].orig\n+++ File[/var/log/phabricator_stats_job_yearly_metrics]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_project_changes.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_project_changes.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_project_changes.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_project_changes.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_project_changes.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Monday *-*-* 0:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_project_changes.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_project_changes.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Class[Resolvconf]", "parameters": "--- Class[Resolvconf].orig\n+++ Class[Resolvconf]\n\n@@\n- domain_search => ['codfw.wmnet']\n+ domain_search => ['eqiad.wmnet', 'codfw.wmnet']\n"}, {"resource": "Php::Extension[apcu]", "parameters": "--- Php::Extension[apcu].orig\n+++ Php::Extension[apcu]\n\n+ config => {'extension': 'apcu.so', 'apc.shm_size': '4096M'}\n"}, {"resource": "File[/srv/phab/phabricator/scripts/daemon/]", "parameters": "--- File[/srv/phab/phabricator/scripts/daemon/].orig\n+++ File[/srv/phab/phabricator/scripts/daemon/]\n\n+ recurse => True\n+ owner => phd\n+ path => /srv/phab/phabricator/scripts/daemon\n+ group => root\n"}, {"resource": "File[/etc/ssh/userkeys/mbinder]", "content": "--- /etc/ssh/userkeys/mbinder.orig\n+++ /etc/ssh/userkeys/mbinder\n@@ -0,0 +1 @@\n+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLrpbK99cmNng3y8t1qYOvTKksI4TZKtQSTsF9RZ1pC maxbinder@Maxs-MacBook-Air.local", "parameters": "--- File[/etc/ssh/userkeys/mbinder].orig\n+++ File[/etc/ssh/userkeys/mbinder]\n\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ show_diff => False\n+ force => True\n+ group => root\n"}, {"resource": "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "content": "--- /etc/sysctl.d/70-TCP-Fast-Open.conf.orig\n+++ /etc/sysctl.d/70-TCP-Fast-Open.conf\n@@ -0,0 +1,2 @@\n+# sysctl parameters managed by Puppet.\n+net.ipv4.tcp_fastopen = 3", "parameters": "--- File[/etc/sysctl.d/70-TCP-Fast-Open.conf].orig\n+++ File[/etc/sysctl.d/70-TCP-Fast-Open.conf]\n\n+ notify => Exec[update_sysctl]\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Class[Profile::Phabricator::Migration]", "parameters": "--- Class[Profile::Phabricator::Migration].orig\n+++ Class[Profile::Phabricator::Migration]\n\n- dst_hosts => ['phab2002.codfw.wmnet']\n- storage_user => phadmin\n- deploy_user => phab-deploy\n- phabdir => /srv/phab\n- src_host => phab1004.eqiad.wmnet\n"}, {"resource": "File[/etc/rsync.d]", "parameters": "--- File[/etc/rsync.d].orig\n+++ File[/etc/rsync.d]\n\n+ recurse => True\n+ owner => root\n+ ensure => absent\n+ force => True\n+ purge => True\n+ group => root\n"}, {"resource": "File[/etc/update-motd.d/05-phabricator--migration]", "content": "--- /etc/update-motd.d/05-phabricator--migration.orig\n+++ /etc/update-motd.d/05-phabricator--migration\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"phab2003 is a Temp role to allow migrating Phabricator data to a new server (phabricator::migration)\"", "parameters": "--- File[/etc/update-motd.d/05-phabricator--migration].orig\n+++ File[/etc/update-motd.d/05-phabricator--migration]\n\n- mode => 0555\n- owner => root\n- ensure => present\n- group => root\n"}, {"resource": "Class[Phabricator]", "parameters": "--- Class[Phabricator].orig\n+++ Class[Phabricator]\n\n+ settings => {'darkconsole.enabled': False, 'differential.allow-self-accept': True, 'phabricator.base-uri': 'https://phabricator.wikimedia.org', 'security.alternate-file-domain': 'https://phab.wmfusercontent.org', 'mysql.host': 'm3-slave.codfw.wmnet', 'mysql.port': '3323', 'cluster.mailers': [{'key': 'wikimedia-smtp', 'type': 'smtp', 'options': {'host': 'localhost', 'port': 25}}], 'metamta.default-address': 'no-reply@phabricator.wikimedia.org', 'metamta.reply-handler-domain': 'phabricator.wikimedia.org', 'repository.default-local-path': '/srv/repos', 'phd.taskmasters': 4, 'events.listeners': [], 'diffusion.allow-http-auth': True, 'diffusion.ssh-host': 'git-ssh.wikimedia.org'}\n+ phabdir => /srv/phab\n+ timezone => UTC\n+ serveraliases => ['phab.wmfusercontent.org', 'bugzilla.wikimedia.org', 'bugs.wikimedia.org']\n+ phd_service_enable => False\n+ libraries => ['/srv/phab/libext/misc', '/srv/phab/libext/ava/src', '/srv/phab/libext/translations/src']\n+ config_deploy_vars => {'phabricator': {'www': {'database_username': 'app_user', 'database_password': 'app_pass'}, 'mail': {'database_username': 'app_user', 'database_password': 'app_pass'}, 'phd': {'database_username': 'phd_user', 'database_password': 'phd_pass'}, 'vcs': {'database_username': 'phd_user', 'database_password': 'phd_pass'}, 'redirects': {'database_username': 'phd_user', 'database_password': 'phd_pass', 'database_host': 'm3-slave.codfw.wmnet', 'field_index': '4rRUkCdImLQU'}, 'local': {'base_uri': 'https://phabricator.wikimedia.org', 'alternate_file_domain': 'https://phab.wmfusercontent.org', 'mail_default_address': 'no-reply@phabricator.wikimedia.org', 'mail_reply_handler_domain': 'phabricator.wikimedia.org', 'phd_taskmasters': 4, 'ssh_host': 'git-ssh.wikimedia.org', 'notification_servers': [{'type': 'client', 'host': 'phabricator.wikimedia.org', 'port': 443, 'protocol': 'https'}, {'type': 'admin', 'host': 'aphlict.discovery.wmnet', 'port': 22281, 'protocol': 'http'}], 'cluster_mailers': [{'key': 'wikimedia-smtp', 'type': 'smtp', 'options': {'host': 'localhost', 'port': 25}}], 'database_host': 'm3-slave.codfw.wmnet', 'database_port': '3323', 'gitlab_api_key': ''}}}\n+ confdir => /srv/phab/phabricator/conf\n+ enable_vcs => True\n+ mysql_admin_pass => admin_pass\n+ deploy_target => phabricator/deployment\n+ deploy_user => phab-deploy\n+ trusted_proxies => ['10.192.27.12', '127.0.0.1', '2620:0:860:114:10:192:27:12', ':1', 'fe80::425b:7fff:fef3:a3c4']\n+ serveradmin => \n+ manage_scap_user => True\n+ opcache_validate => 0\n+ mysql_admin_user => admin_user\n+ phd_service_ensure => stopped\n"}, {"resource": "Systemd::Unit[phabricator_task_dump.service]", "parameters": "--- Systemd::Unit[phabricator_task_dump.service].orig\n+++ Systemd::Unit[phabricator_task_dump.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_task_dump.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "parameters": "--- Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet].orig\n+++ Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]\n\n+ ensure => present\n+ port => 9102\n+ proto => tcp\n+ prio => 10\n+ srange => ['backup1014.eqiad.wmnet']\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Rsyslog::Conf[phabricator_stats_job_tech_news_weekly_stats]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_tech_news_weekly_stats]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "File[/etc/logrotate.d/phd]", "parameters": "--- File[/etc/logrotate.d/phd].orig\n+++ File[/etc/logrotate.d/phd]\n\n+ mode => 0444\n+ source => puppet:///modules/phabricator/logrotate_phd\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf]", "content": "--- /etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf.orig\n+++ /etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"phabricator_stats_job_quarterly_metrics\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/phabricator_stats_job_quarterly_metrics/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf].orig\n+++ File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Package[bacula-fd]", "parameters": "--- Package[bacula-fd].orig\n+++ Package[bacula-fd]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "File[/etc/nftables/input/10_phabmain-smtp.nft]", "content": "--- /etc/nftables/input/10_phabmain-smtp.nft.orig\n+++ /etc/nftables/input/10_phabmain-smtp.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 208.80.153.75, 208.80.155.102 } tcp dport { 25 } accept\n+ip6 saddr { 2620:0:860:3:208:80:153:75, 2620:0:861:4:208:80:155:102 } tcp dport { 25 } accept", "parameters": "--- File[/etc/nftables/input/10_phabmain-smtp.nft].orig\n+++ File[/etc/nftables/input/10_phabmain-smtp.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Ssh::Userkey[gjg]", "parameters": "--- Ssh::Userkey[gjg].orig\n+++ Ssh::Userkey[gjg]\n\n+ user => gjg\n+ ensure => present\n"}, {"resource": "File[/var/log/phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- File[/var/log/phabricator_stats_job_quarterly_wmf_qls].orig\n+++ File[/var/log/phabricator_stats_job_quarterly_wmf_qls]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Exec[phab-git-safedir]", "parameters": "--- Exec[phab-git-safedir].orig\n+++ Exec[phab-git-safedir]\n\n+ notify => Exec[update-safedir-gitconfig]\n+ unless => /usr/bin/grep -q deployment-cache /etc/gitconfig\n+ command => /usr/local/bin/phab_git_safedir.sh\n"}, {"resource": "Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]", "parameters": "--- Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)].orig\n+++ Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/phabricator/config.yaml]", "content": "--- /etc/phabricator/config.yaml.orig\n+++ /etc/phabricator/config.yaml\n@@ -0,0 +1,44 @@\n+---\n+phabricator:\n+ www:\n+ database_username: app_user\n+ database_password: app_pass\n+ mail:\n+ database_username: app_user\n+ database_password: app_pass\n+ phd:\n+ database_username: phd_user\n+ database_password: phd_pass\n+ vcs:\n+ database_username: phd_user\n+ database_password: phd_pass\n+ redirects:\n+ database_username: phd_user\n+ database_password: phd_pass\n+ database_host: m3-slave.codfw.wmnet\n+ field_index: 4rRUkCdImLQU\n+ local:\n+ base_uri: https://phabricator.wikimedia.org\n+ alternate_file_domain: https://phab.wmfusercontent.org\n+ mail_default_address: no-reply@phabricator.wikimedia.org\n+ mail_reply_handler_domain: phabricator.wikimedia.org\n+ phd_taskmasters: 4\n+ ssh_host: git-ssh.wikimedia.org\n+ notification_servers:\n+ - type: client\n+ host: phabricator.wikimedia.org\n+ port: 443\n+ protocol: https\n+ - type: admin\n+ host: aphlict.discovery.wmnet\n+ port: 22281\n+ protocol: http\n+ cluster_mailers:\n+ - key: wikimedia-smtp\n+ type: smtp\n+ options:\n+ host: localhost\n+ port: 25\n+ database_host: m3-slave.codfw.wmnet\n+ database_port: '3323'\n+ gitlab_api_key: ''", "parameters": "--- File[/etc/phabricator/config.yaml].orig\n+++ File[/etc/phabricator/config.yaml]\n\n+ mode => 0640\n+ owner => root\n+ ensure => present\n+ group => phab-deploy\n"}, {"resource": "Systemd::Timer::Job[phabricator_task_dump]", "parameters": "--- Systemd::Timer::Job[phabricator_task_dump].orig\n+++ Systemd::Timer::Job[phabricator_task_dump]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator public task dump\n+ command => /usr/bin/python3 /srv/phab/tools/public_task_dump.py\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Monday *-*-* 02:00:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ require => Package[phabricator/deployment]\n+ logfile_basedir => /var/log\n"}, {"resource": "Service[phabricator_task_dump.timer]", "parameters": "--- Service[phabricator_task_dump.timer].orig\n+++ Service[phabricator_task_dump.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_yearly_metrics.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_yearly_metrics.service].orig\n+++ Systemd::Unit[phabricator_stats_job_yearly_metrics.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_yearly_metrics.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/default/exim4]", "content": "--- /etc/default/exim4.orig\n+++ /etc/default/exim4\n@@ -0,0 +1,24 @@\n+# /etc/default/exim4\n+# THIS FILE IS MANAGED BY PUPPET\n+\n+EX4DEF_VERSION=''\n+\n+# 'combined' -\t one daemon running queue and listening on SMTP port\n+# 'no' -\t no daemon running the queue\n+# 'separate' -\t two separate daemons\n+# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.\n+# 'nodaemon' - no daemon is started at all.\n+# 'queueonly' - only a queue running daemon is started, no SMTP listener.\n+# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4\n+QUEUERUNNER='combined'\n+# how often should we run the queue\n+QUEUEINTERVAL='1m'\n+# options common to quez-runner and listening daemon\n+COMMONOPTIONS=''\n+# more options for the daemon/process running the queue (applies to the one\n+# started in /etc/ppp/ip-up.d/exim4, too.\n+QUEUERUNNEROPTIONS=''\n+# special flags given to exim directly after the -q. See exim(8)\n+QFLAGS=''\n+# options for daemon listening on port 25\n+SMTPLISTENEROPTIONS=''", "parameters": "--- File[/etc/default/exim4].orig\n+++ File[/etc/default/exim4]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ require => Package[exim4-config]\n+ group => root\n"}, {"resource": "File[/etc/bacula/ssl/server.key]", "parameters": "--- File[/etc/bacula/ssl/server.key].orig\n+++ File[/etc/bacula/ssl/server.key]\n\n+ mode => 0400\n+ source => /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem\n+ owner => bacula\n+ ensure => present\n+ show_diff => False\n+ group => bacula\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_community_metrics]", "parameters": "--- Systemd::Timer[phabricator_stats_job_community_metrics].orig\n+++ Systemd::Timer[phabricator_stats_job_community_metrics]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-1 0:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_community_metrics.service\n+ splay => 0\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service].orig\n+++ Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => present\n+ unit => wmf_auto_restart_prometheus-apache-exporter.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_envoyproxy]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_envoyproxy].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_envoyproxy]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => Auto restart job: envoyproxy\n+ command => /usr/local/sbin/wmf-auto-restart -s envoyproxy\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 19:9:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ require => File[/usr/local/sbin/wmf-auto-restart]\n+ logfile_basedir => /var/log\n"}, {"resource": "Puppet::Expose_agent_certs[/etc/bacula]", "parameters": "--- Puppet::Expose_agent_certs[/etc/bacula].orig\n+++ Puppet::Expose_agent_certs[/etc/bacula]\n\n+ notify => Service[bacula-fd]\n+ provide_keypair => True\n+ user => bacula\n+ ensure => present\n+ provide_private => True\n+ provide_pem => True\n+ provide_p12 => False\n+ ssldir => /var/lib/puppet/ssl\n+ require => Package[bacula-fd]\n+ group => bacula\n"}, {"resource": "Bacula::Client::Job[home-Monthly-1st-Wed-productionEqiad]", "parameters": "--- Bacula::Client::Job[home-Monthly-1st-Wed-productionEqiad].orig\n+++ Bacula::Client::Job[home-Monthly-1st-Wed-productionEqiad]\n\n+ require => Class[Bacula::Client]\n+ jobdefaults => Monthly-1st-Wed-productionEqiad\n+ fileset => home\n"}, {"resource": "Systemd::Syslog[envoy]", "parameters": "--- Systemd::Syslog[envoy].orig\n+++ Systemd::Syslog[envoy]\n\n+ readable_by => group\n+ ensure => present\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => envoy\n+ require => Package[envoyproxy]\n+ group => envoy\n+ base_dir => /var/log\n"}, {"resource": "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "content": "--- /etc/systemd/system/envoyproxy.service.d/puppet-override.conf.orig\n+++ /etc/systemd/system/envoyproxy.service.d/puppet-override.conf\n@@ -0,0 +1,26 @@\n+[Service]\n+# TODO: support hot restarts, see for instance https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter\n+# Ensure envoy can handle enough file descriptors\n+LimitNOFILE=65536\n+# Allow envoy to bind on a privileged port\n+AmbientCapabilities=CAP_NET_BIND_SERVICE\n+\n+ExecStart=\n+# We use the hot-restarter script to start envoy. Please note that \"restart\"\n+# in systemd terms is stop + start, so it will not hot-restart envoy.\n+# We will have to use \"reload\" to obtain the desired result -\n+# and have puppet run 'systemctl reload envoyproxy.service' instead.\n+Environment=\"ENVOY_CONFIG=/etc/envoy/envoy.yaml\"\n+Environment=\"SERVICE_ZONE=codfw\"\n+Environment=\"SERVICE_CLUSTER=misc\"\n+Environment=\"SERVICE_NODE=phab2003.codfw.wmnet\"\n+ExecStart=/usr/local/sbin/envoyproxy-hot-restarter /usr/local/sbin/envoyproxy-start \n+ExecReload=\n+ExecReload=/bin/kill -s HUP $MAINPID\n+\n+# Security settings\n+ProtectKernelModules=yes\n+ProtectKernelTunables=yes\n+PrivateTmp=yes\n+ProtectSystem=strict\n+ReadWritePaths=/var/log/envoy/", "parameters": "--- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf].orig\n+++ File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]\n\n+ notify => Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Rsyslog::Conf[rsync-phabricator-repos]", "parameters": "--- Rsyslog::Conf[rsync-phabricator-repos].orig\n+++ Rsyslog::Conf[rsync-phabricator-repos]\n\n+ mode => 0444\n+ require => File[/var/log/rsync-phabricator-repos]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]", "parameters": "--- Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)].orig\n+++ Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/srv/phab/tools/public_task_dump.py]", "parameters": "--- File[/srv/phab/tools/public_task_dump.py].orig\n+++ File[/srv/phab/tools/public_task_dump.py]\n\n+ mode => 0555\n+ require => Package[phabricator/deployment]\n+ owner => root\n+ group => root\n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_project_changes]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_project_changes].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_project_changes]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - project_changes\n+ command => /usr/local/bin/project_changes.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Monday *-*-* 0:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_community_metrics.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_community_metrics.service].orig\n+++ Systemd::Unit[phabricator_stats_job_community_metrics.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_community_metrics.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - quarterly_wmf_qls\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/quarterly_wmf_qls.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Rsyslog::Conf[phabricator_stats_job_quarterly_metrics]", "parameters": "--- Rsyslog::Conf[phabricator_stats_job_quarterly_metrics].orig\n+++ Rsyslog::Conf[phabricator_stats_job_quarterly_metrics]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_stats_job_quarterly_metrics]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Systemd::Service[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Systemd::Service[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Systemd::Service[phabricator_stats_job_quarterly_wmf_qls]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics]", "content": "--- /etc/logrotate.d/phabricator_stats_job_quarterly_metrics.orig\n+++ /etc/logrotate.d/phabricator_stats_job_quarterly_metrics\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_quarterly_metrics\n+\n+/var/log/phabricator_stats_job_quarterly_metrics/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/srv/phab/phabricator/scripts/]", "parameters": "--- File[/srv/phab/phabricator/scripts/].orig\n+++ File[/srv/phab/phabricator/scripts/]\n\n+ mode => 0754\n+ recurse => True\n+ owner => phab-deploy\n+ path => /srv/phab/phabricator/scripts\n+ require => ['Package[phabricator/deployment]']\n+ group => phab-deploy\n"}, {"resource": "Exec[mask_phd.service]", "parameters": "--- Exec[mask_phd.service].orig\n+++ Exec[mask_phd.service]\n\n+ creates => /etc/systemd/system/phd.service\n+ command => /bin/systemctl mask phd.service\n"}, {"resource": "Systemd::Timer[phabricator_stats_job_project_changes]", "parameters": "--- Systemd::Timer[phabricator_stats_job_project_changes].orig\n+++ Systemd::Timer[phabricator_stats_job_project_changes]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Monday *-*-* 0:0:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => phabricator_stats_job_project_changes.service\n+ splay => 0\n"}, {"resource": "Concat::Fragment[/etc/rsyncd.conf-header]", "parameters": "--- Concat::Fragment[/etc/rsyncd.conf-header].orig\n+++ Concat::Fragment[/etc/rsyncd.conf-header]\n\n+ order => 01\n+ target => /etc/rsyncd.conf\n"}, {"resource": "Service[wmf_auto_restart_aphlict.timer]", "parameters": "--- Service[wmf_auto_restart_aphlict.timer].orig\n+++ Service[wmf_auto_restart_aphlict.timer]\n\n+ before => ['Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]", "parameters": "--- Envoyproxy::Listener[tls_terminator_443].orig\n+++ Envoyproxy::Listener[tls_terminator_443]\n\n+ priority => 0\n"}, {"resource": "Phabricator::Logmail[quarterly_wmf_qls]", "parameters": "--- Phabricator::Logmail[quarterly_wmf_qls].orig\n+++ Phabricator::Logmail[quarterly_wmf_qls]\n\n+ ensure => absent\n+ rcpt_address => ['aramirez@wikimedia.org', 'cbogen@wikimedia.org', 'mcollins@wikimedia.org', 'aklapper@wikimedia.org']\n+ monthday => 1\n+ month => 01,04,07,10\n+ mysql_slave => m3-slave.codfw.wmnet\n+ mysql_slave_port => 3323\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_maniphest\n+ require => Package[phabricator/deployment]\n+ hour => 0\n"}, {"resource": "Profile::Auto_restarts::Service[prometheus-apache-exporter]", "parameters": "--- Profile::Auto_restarts::Service[prometheus-apache-exporter].orig\n+++ Profile::Auto_restarts::Service[prometheus-apache-exporter]\n\n+ ensure => present\n"}, {"resource": "Service[phd]", "parameters": "--- Service[phd].orig\n+++ Service[phd]\n\n+ hasrestart => True\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/home/gjg/.my.cnf]", "content": "--- /home/gjg/.my.cnf.orig\n+++ /home/gjg/.my.cnf\n@@ -0,0 +1,6 @@\n+[client]\n+user=metrics_user\n+password=metrics_pass\n+database=phabricator_maniphest\n+host=m3-slave.codfw.wmnet\n+port=3323", "parameters": "--- File[/home/gjg/.my.cnf].orig\n+++ File[/home/gjg/.my.cnf]\n\n+ mode => 0440\n+ owner => gjg\n+ group => root\n"}, {"resource": "File[/var/spool/exim4/scan]", "parameters": "--- File[/var/spool/exim4/scan].orig\n+++ File[/var/spool/exim4/scan]\n\n+ mode => 1777\n+ owner => Debian-exim\n+ ensure => directory\n+ before => Service[exim4]\n+ require => ['Mount[/var/spool/exim4/scan]', 'Mount[/var/spool/exim4/db]']\n+ group => Debian-exim\n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_yearly_metrics]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_yearly_metrics].orig\n+++ Systemd::Syslog[phabricator_stats_job_yearly_metrics]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Systemd::Timer::Job[backup-home-dirs]", "parameters": "--- Systemd::Timer::Job[backup-home-dirs].orig\n+++ Systemd::Timer::Job[backup-home-dirs]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => create tarballs from /home dirs into /srv/homes\n+ command => /usr/local/bin/backup-home-dirs\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* 0:10:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ require => File[/usr/local/bin/backup-home-dirs]\n+ logfile_basedir => /var/log\n"}, {"resource": "File[/var/log/envoy]", "parameters": "--- File[/var/log/envoy].orig\n+++ File[/var/log/envoy]\n\n+ mode => 0755\n+ owner => envoy\n+ ensure => directory\n+ force => True\n+ backup => False\n+ group => envoy\n"}, {"resource": "Ferm::Service[phabmain_http]", "parameters": "--- Ferm::Service[phabmain_http].orig\n+++ Ferm::Service[phabmain_http]\n\n+ ensure => present\n+ port => 80\n+ proto => tcp\n+ src_sets => ['DEPLOYMENT_HOSTS']\n+ prio => 10\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "User[aphlict]", "parameters": "--- User[aphlict].orig\n+++ User[aphlict]\n\n+ shell => /bin/false\n+ gid => aphlict\n+ system => True\n+ before => ['Service[aphlict]']\n+ require => Group[aphlict]\n+ home => /var/run/aphlict\n"}, {"resource": "Logrotate::Conf[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Logrotate::Conf[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Logrotate::Conf[phabricator_stats_job_tech_news_weekly_stats]\n\n+ ensure => absent\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"wmf_auto_restart_envoyproxy\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/wmf_auto_restart_envoyproxy/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Logrotate::Conf[rsync-phabricator-home-dirs]", "parameters": "--- Logrotate::Conf[rsync-phabricator-home-dirs].orig\n+++ Logrotate::Conf[rsync-phabricator-home-dirs]\n\n+ ensure => absent\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_yearly_metrics.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_yearly_metrics.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_yearly_metrics.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_yearly_metrics.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Admin::Group[phabricator-bulk-manager]", "parameters": "--- Admin::Group[phabricator-bulk-manager].orig\n+++ Admin::Group[phabricator-bulk-manager]\n\n+ privileges => ['ALL = NOPASSWD: /srv/phab/phabricator/bin/bulk make-silent --id *']\n+ ensure => present\n+ gid => 819\n"}, {"resource": "Class[Profile::Admin]", "parameters": "--- Class[Profile::Admin].orig\n+++ Class[Profile::Admin]\n\n@@\n- groups => ['phabricator-roots']\n+ groups => ['phabricator-admin', 'phabricator-roots', 'phabricator-bulk-manager']\n"}, {"resource": "Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]", "parameters": "--- Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server].orig\n+++ Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]\n+ unless => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem -checkend 952200\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server\n\n"}, {"resource": "Envoyproxy::Cluster[cluster_local_port_80]", "parameters": "--- Envoyproxy::Cluster[cluster_local_port_80].orig\n+++ Envoyproxy::Cluster[cluster_local_port_80]\n\n+ priority => 0\n"}, {"resource": "File[/var/log/aphlict/]", "parameters": "--- File[/var/log/aphlict/].orig\n+++ File[/var/log/aphlict/]\n\n+ owner => aphlict\n+ ensure => directory\n+ path => /var/log/aphlict\n+ before => ['Service[aphlict]']\n+ group => aphlict\n"}, {"resource": "Exec[/srv/phab/libext/ava/src_static_dir_exists]", "parameters": "--- Exec[/srv/phab/libext/ava/src_static_dir_exists].orig\n+++ Exec[/srv/phab/libext/ava/src_static_dir_exists]\n\n+ creates => /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/ava/src\n+ require => File[/srv/phab]\n+ command => /bin/ln -s /srv/phab/libext//srv/phab/libext/ava/src/rsrc/webroot-static /srv/phab/phabricator/webroot/rsrc//srv/phab/libext/ava/src\n+ onlyif => /usr/bin/test -e /srv/phab/libext//srv/phab/libext/ava/src/rsrc/webroot-static\n"}, {"resource": "File[/var/run/aphlict/]", "parameters": "--- File[/var/run/aphlict/].orig\n+++ File[/var/run/aphlict/]\n\n+ owner => aphlict\n+ ensure => directory\n+ path => /var/run/aphlict\n+ before => ['File[/var/log/aphlict/]']\n+ group => aphlict\n"}, {"resource": "Package[apachetop]", "parameters": "--- Package[apachetop].orig\n+++ Package[apachetop]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_yearly_metrics.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_yearly_metrics.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_yearly_metrics.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_yearly_metrics.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-1-1 0:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/nftables/input/10_phabmain_http.nft]", "content": "--- /etc/nftables/input/10_phabmain_http.nft.orig\n+++ /etc/nftables/input/10_phabmain_http.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr @DEPLOYMENT_HOSTS_ipv4 tcp dport { 80 } accept\n+ip6 saddr @DEPLOYMENT_HOSTS_ipv6 tcp dport { 80 } accept", "parameters": "--- File[/etc/nftables/input/10_phabmain_http.nft].orig\n+++ File[/etc/nftables/input/10_phabmain_http.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ require => ['Nftables::Set[DEPLOYMENT_HOSTS]']\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-backup-home-dirs.conf]", "content": "--- /etc/rsyslog.d/40-backup-home-dirs.conf.orig\n+++ /etc/rsyslog.d/40-backup-home-dirs.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"backup-home-dirs\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/backup-home-dirs/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-backup-home-dirs.conf].orig\n+++ File[/etc/rsyslog.d/40-backup-home-dirs.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/phab_epipe.conf]", "content": "--- /etc/phab_epipe.conf.orig\n+++ /etc/phab_epipe.conf\n@@ -0,0 +1,8 @@\n+# This file is managed by Puppet.\n+\n+[default]\n+\n+maint = false\n+\n+[phab_bot]\n+root_dir = /srv/phab/phabricator/", "parameters": "--- File[/etc/phab_epipe.conf].orig\n+++ File[/etc/phab_epipe.conf]\n\n+ owner => mail\n+ ensure => file\n+ group => root\n"}, {"resource": "File[/usr/local/bin/backup-home-dirs]", "content": "--- /usr/local/bin/backup-home-dirs.orig\n+++ /usr/local/bin/backup-home-dirs\n@@ -0,0 +1,3 @@\n+#!/bin/bash\n+for user in $(ls /home); do\n+tar czfv /srv/homes/${user}-$(hostname -s).tar.gz /home/${user}; done", "parameters": "--- File[/usr/local/bin/backup-home-dirs].orig\n+++ File[/usr/local/bin/backup-home-dirs]\n\n+ mode => 0555\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Rsyslog::Conf[rsync-phabricator-home-dirs]", "parameters": "--- Rsyslog::Conf[rsync-phabricator-home-dirs].orig\n+++ Rsyslog::Conf[rsync-phabricator-home-dirs]\n\n+ mode => 0444\n+ require => File[/var/log/rsync-phabricator-home-dirs]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_aphlict]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_aphlict].orig\n+++ Logrotate::Conf[wmf_auto_restart_aphlict]\n\n+ ensure => absent\n"}, {"resource": "Logrotate::Conf[exim4-paniclog]", "parameters": "--- Logrotate::Conf[exim4-paniclog].orig\n+++ Logrotate::Conf[exim4-paniclog]\n\n+ source => puppet:///modules/exim4/logrotate/exim4-paniclog\n+ ensure => present\n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_yearly_metrics]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_yearly_metrics].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_yearly_metrics]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - yearly_metrics\n+ command => /usr/local/bin/yearly_metrics.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-1-1 0:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "File[/etc/phab_community_metrics.conf]", "content": "--- /etc/phab_community_metrics.conf.orig\n+++ /etc/phab_community_metrics.conf\n@@ -0,0 +1,8 @@\n+declare rcpt_address='wikitech-l@lists.wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_maniphest'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_community_metrics.conf].orig\n+++ File[/etc/phab_community_metrics.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls]", "content": "--- /etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls.orig\n+++ /etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for phabricator_stats_job_quarterly_wmf_qls\n+\n+/var/log/phabricator_stats_job_quarterly_wmf_qls/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls].orig\n+++ File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Rsyslog::Conf[backup-home-dirs]", "parameters": "--- Rsyslog::Conf[backup-home-dirs].orig\n+++ Rsyslog::Conf[backup-home-dirs]\n\n+ mode => 0444\n+ require => File[/var/log/backup-home-dirs]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_project_changes.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_project_changes.service].orig\n+++ Systemd::Unit[phabricator_stats_job_project_changes.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_project_changes.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/phab_tech_news_weekly_stats.conf]", "content": "--- /etc/phab_tech_news_weekly_stats.conf.orig\n+++ /etc/phab_tech_news_weekly_stats.conf\n@@ -0,0 +1,7 @@\n+declare rcpt_address='nwilson@wikimedia.org,jjonsson@wikimedia.org,bevellin@wikimedia.org,uzoma@wikimedia.org,stei@wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_maniphest'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_tech_news_weekly_stats.conf].orig\n+++ File[/etc/phab_tech_news_weekly_stats.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/bacula/ssl]", "parameters": "--- File[/etc/bacula/ssl].orig\n+++ File[/etc/bacula/ssl]\n\n+ mode => 0555\n+ owner => bacula\n+ ensure => directory\n+ group => bacula\n"}, {"resource": "Systemd::Service[wmf_auto_restart_aphlict]", "parameters": "--- Systemd::Service[wmf_auto_restart_aphlict].orig\n+++ Systemd::Service[wmf_auto_restart_aphlict]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[wmf_auto_restart_aphlict.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Auto restart job: prometheus-apache-exporter\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/wmf-auto-restart -s prometheus-apache-exporter", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service]\n\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/phab_quarterly_metrics.conf]", "content": "--- /etc/phab_quarterly_metrics.conf.orig\n+++ /etc/phab_quarterly_metrics.conf\n@@ -0,0 +1,8 @@\n+declare rcpt_address='lgoto@wikimedia.org,aklapper@wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_maniphest'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_quarterly_metrics.conf].orig\n+++ File[/etc/phab_quarterly_metrics.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"wmf_auto_restart_prometheus-apache-exporter\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/wmf_auto_restart_prometheus-apache-exporter/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Admin::User[gjg]", "parameters": "--- Admin::User[gjg].orig\n+++ Admin::User[gjg]\n\n+ comment => Greg Grossmeier\n+ ensure => present\n+ shell => /bin/bash\n+ ssh_keys => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPul+urK7qgLY7UucRRj9SljZFB/DWpMKZ1KMragNGbc greg@carbon12']\n+ groups => []\n+ home_dir => /home/gjg\n+ gid => 500\n+ uid => 2890\n"}, {"resource": "Systemd::Service[aphlict]", "parameters": "--- Systemd::Service[aphlict].orig\n+++ Systemd::Service[aphlict]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => service\n+ service_params => {'hasrestart': False}\n+ require => User[aphlict]\n+ monitoring_contact_group => admins\n"}, {"resource": "Nftables::Service[ssh_cluster]", "parameters": "--- Nftables::Service[ssh_cluster].orig\n+++ Nftables::Service[ssh_cluster]\n\n+ ensure => present\n+ port => 22\n+ proto => tcp\n+ prio => 10\n+ notrack => False\n+ src_ips => ['10.192.27.6', '10.64.16.101', '2620:0:860:114:10:192:27:6', '2620:0:861:102:10:64:16:101']\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Exec[systemd daemon-reload for aphlict.service (aphlict)]", "parameters": "--- Exec[systemd daemon-reload for aphlict.service (aphlict)].orig\n+++ Exec[systemd daemon-reload for aphlict.service (aphlict)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Nftables::Service[phabmain_http]", "parameters": "--- Nftables::Service[phabmain_http].orig\n+++ Nftables::Service[phabmain_http]\n\n+ ensure => present\n+ port => 80\n+ proto => tcp\n+ src_sets => ['DEPLOYMENT_HOSTS']\n+ prio => 10\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Timer::Job[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Systemd::Timer::Job[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Systemd::Timer::Job[phabricator_stats_job_tech_news_weekly_stats]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => phabricator statistics mail - tech_news_weekly_stats\n+ command => /usr/local/bin/tech_news_weekly_stats.sh\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'Thursday *-*-* 12:0:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/default/rsync]", "content": "--- /etc/default/rsync.orig\n+++ /etc/default/rsync\n@@ -0,0 +1,46 @@\n+#####################################################################\n+### THIS FILE IS MANAGED BY PUPPET\n+### puppet:///rsync/rsync.default.erb\n+#####################################################################\n+\n+# defaults file for rsync daemon mode\n+\n+# start rsync in daemon mode from init.d script?\n+# only allowed values are \"true\", \"false\", and \"inetd\"\n+# Use \"inetd\" if you want to start the rsyncd from inetd,\n+# all this does is prevent the init.d script from printing a message\n+# about not starting rsyncd (you still need to modify inetd's config yourself).\n+RSYNC_ENABLE=true\n+\n+# which file should be used as the configuration file for rsync.\n+# This file is used instead of the default /etc/rsyncd.conf\n+# Warning: This option has no effect if the daemon is accessed\n+# using a remote shell. When using a different file for\n+# rsync you might want to symlink /etc/rsyncd.conf to\n+# that file.\n+RSYNC_CONFIG_FILE=/etc/rsyncd.conf\n+\n+# what extra options to give rsync --daemon?\n+# that excludes the --daemon; that's always done in the init.d script\n+# Possibilities are:\n+# --address=123.45.67.89\t\t(bind to a specific IP address)\n+# --port=8730\t\t\t\t(bind to specified port; default 873)\n+RSYNC_OPTS=''\n+\n+# run rsyncd at a nice level?\n+# the rsync daemon can impact performance due to much I/O and CPU usage,\n+# so you may want to run it at a nicer priority than the default priority.\n+# Allowed values are 0 - 19 inclusive; 10 is a reasonable value.\n+RSYNC_NICE=''\n+\n+# run rsyncd with ionice?\n+# \"ionice\" does for IO load what \"nice\" does for CPU load.\n+# As rsync is often used for backups which aren't all that time-critical,\n+# reducing the rsync IO priority will benefit the rest of the system.\n+# See the manpage for ionice for allowed options.\n+# -c3 is recommended, this will run rsync IO at \"idle\" priority. Uncomment\n+# the next line to activate this.\n+# RSYNC_IONICE='-c3'\n+\n+# Don't forget to create an appropriate config file,\n+# else the daemon will not start.", "parameters": "--- File[/etc/default/rsync].orig\n+++ File[/etc/default/rsync]\n\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Service[phabricator_stats_job_community_metrics.timer]", "parameters": "--- Service[phabricator_stats_job_community_metrics.timer].orig\n+++ Service[phabricator_stats_job_community_metrics.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr].orig\n+++ File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr]\n\n+ mode => 0440\n+ owner => envoy\n+ ensure => file\n+ group => envoy\n"}, {"resource": "Admin::Hashuser[mbinder]", "parameters": "--- Admin::Hashuser[mbinder].orig\n+++ Admin::Hashuser[mbinder]\n\n+ ensure_ssh_key => True\n"}, {"resource": "File[/var/spool/exim4/db]", "parameters": "--- File[/var/spool/exim4/db].orig\n+++ File[/var/spool/exim4/db]\n\n+ mode => 1777\n+ owner => Debian-exim\n+ ensure => directory\n+ before => Service[exim4]\n+ require => ['Mount[/var/spool/exim4/scan]', 'Mount[/var/spool/exim4/db]']\n+ group => Debian-exim\n"}, {"resource": "File[/etc/logrotate.d/rsync-phabricator-repos]", "content": "--- /etc/logrotate.d/rsync-phabricator-repos.orig\n+++ /etc/logrotate.d/rsync-phabricator-repos\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for rsync-phabricator-repos\n+\n+/var/log/rsync-phabricator-repos/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/rsync-phabricator-repos].orig\n+++ File[/etc/logrotate.d/rsync-phabricator-repos]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/resolv.conf]", "content": "--- /etc/resolv.conf.orig\n+++ /etc/resolv.conf\n@@ -2,6 +2,6 @@\n #### THIS FILE IS MANAGED BY PUPPET\n #### as template('resolvconf/resolv.conf.erb')\n #####################################################################\n-search codfw.wmnet \n+search codfw.wmnet eqiad.wmnet\n options timeout:1 attempts:3 ndots:1\n nameserver 10.3.0.1"}, {"resource": "File_line[auto_restart_file_presence_aphlict]", "parameters": "--- File_line[auto_restart_file_presence_aphlict].orig\n+++ File_line[auto_restart_file_presence_aphlict]\n\n+ require => File[/etc/debdeploy-client/autorestarts.conf]\n+ line => aphlict\n+ ensure => absent\n+ path => /etc/debdeploy-client/autorestarts.conf\n"}, {"resource": "File[/usr/local/bin/git-http-backend]", "parameters": "--- File[/usr/local/bin/git-http-backend].orig\n+++ File[/usr/local/bin/git-http-backend]\n\n+ owner => root\n+ ensure => link\n+ target => /usr/lib/git-core/git-http-backend\n+ require => Package[git]\n+ group => root\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_envoyproxy]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_envoyproxy].orig\n+++ Rsyslog::Conf[wmf_auto_restart_envoyproxy]\n\n+ mode => 0444\n+ require => File[/var/log/wmf_auto_restart_envoyproxy]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Service[phabricator_stats_job_quarterly_wmf_qls.timer]", "parameters": "--- Service[phabricator_stats_job_quarterly_wmf_qls.timer].orig\n+++ Service[phabricator_stats_job_quarterly_wmf_qls.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Motd::Script[backups-home]", "parameters": "--- Motd::Script[backups-home].orig\n+++ Motd::Script[backups-home]\n\n+ tag => backup-motd\n+ priority => 6\n+ ensure => present\n"}, {"resource": "File[/srv/phab/phabricator/scripts/repository/]", "parameters": "--- File[/srv/phab/phabricator/scripts/repository/].orig\n+++ File[/srv/phab/phabricator/scripts/repository/]\n\n+ recurse => True\n+ owner => phd\n+ path => /srv/phab/phabricator/scripts/repository\n+ group => root\n"}, {"resource": "Concat[/etc/rsyncd.conf]", "parameters": "--- Concat[/etc/rsyncd.conf].orig\n+++ Concat[/etc/rsyncd.conf]\n\n+ warn => False\n+ ensure => present\n+ show_diff => True\n+ replace => True\n+ ensure_newline => False\n+ force => False\n+ format => plain\n+ mode => 0444\n+ owner => root\n+ path => /etc/rsyncd.conf\n+ order => alpha\n+ backup => puppet\n+ group => root\n"}, {"resource": "Class[Envoyproxy]", "parameters": "--- Class[Envoyproxy].orig\n+++ Class[Envoyproxy]\n\n+ pkg_name => envoyproxy\n+ admin_port => 9631\n+ runtime => {}\n+ ensure => present\n+ use_override => True\n+ service_cluster => misc\n"}, {"resource": "File[/etc/envoy/envoy.yaml]", "parameters": "--- File[/etc/envoy/envoy.yaml].orig\n+++ File[/etc/envoy/envoy.yaml]\n\n+ mode => 0644\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Class[Phabricator::Vcs]", "parameters": "--- Class[Phabricator::Vcs].orig\n+++ Class[Phabricator::Vcs]\n\n+ ssh_phab_service_ensure => absent\n+ phd_user => phd\n+ proxy => http://url-downloader.codfw.wikimedia.org:8080\n+ phd_log_dir => /var/log/phd\n+ basedir => /srv/phab\n+ require => ['Package[phabricator/deployment]']\n+ listen_addresses => []\n+ vcs_user => vcs\n+ ssh_port => 22\n"}, {"resource": "File[/etc/nftables/input/10_ssh_cluster.nft]", "content": "--- /etc/nftables/input/10_ssh_cluster.nft.orig\n+++ /etc/nftables/input/10_ssh_cluster.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 10.192.27.6, 10.64.16.101 } tcp dport { 22 } accept\n+ip6 saddr { 2620:0:860:114:10:192:27:6, 2620:0:861:102:10:64:16:101 } tcp dport { 22 } accept", "parameters": "--- File[/etc/nftables/input/10_ssh_cluster.nft].orig\n+++ File[/etc/nftables/input/10_ssh_cluster.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem]\n\n+ require => Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]\n+ owner => envoy\n+ ensure => file\n+ group => envoy\n"}, {"resource": "Service[phabricator_stats_job_tech_news_weekly_stats.timer]", "parameters": "--- Service[phabricator_stats_job_tech_news_weekly_stats.timer].orig\n+++ Service[phabricator_stats_job_tech_news_weekly_stats.timer]\n\n+ before => ['Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Concat_fragment[/etc/rsyncd.conf-header]", "content": "--- /etc/rsyncd.conf-header.orig\n+++ /etc/rsyncd.conf-header\n@@ -0,0 +1,11 @@\n+# This file is being maintained by Puppet.\n+# DO NOT EDIT\n+\n+uid = nobody\n+gid = nogroup\n+use chroot = yes\n+\n+log format = %t %a %m %f %b\n+syslog facility = local3\n+timeout = 300\n+address = 0.0.0.0", "parameters": "--- Concat_fragment[/etc/rsyncd.conf-header].orig\n+++ Concat_fragment[/etc/rsyncd.conf-header]\n\n+ order => 01\n+ tag => _etc_rsyncd.conf\n+ target => /etc/rsyncd.conf\n"}, {"resource": "Cfssl::Cert[discovery2026__phabricator_discovery_wmnet_server]", "parameters": "--- Cfssl::Cert[discovery2026__phabricator_discovery_wmnet_server].orig\n+++ Cfssl::Cert[discovery2026__phabricator_discovery_wmnet_server]\n\n+ notify => Service[envoyproxy.service]\n+ ensure => present\n+ mode => 0740\n+ notify_services => []\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ hosts => ['phabricator.wikimedia.org', 'phab.wmfusercontent.org', 'bugs.wikimedia.org', 'bugzilla.wikimedia.org']\n+ owner => envoy\n+ before => Exec[verify-envoy-config]\n+ names => []\n+ provide_chain => True\n+ common_name => phabricator.discovery.wmnet\n+ renew_seconds => 952200\n+ before_services => []\n+ profile => server\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ outdir => /etc/envoy/ssl\n+ auto_renew => True\n+ require => Package[envoyproxy]\n+ group => envoy\n+ label => discovery2026\n"}, {"resource": "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "parameters": "--- Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula].orig\n+++ Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]\n\n+ private_key => /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem\n+ owner => bacula\n+ public_key => /var/lib/puppet/ssl/certs/phab2003.codfw.wmnet.pem\n+ ensure => absent\n+ certfile => /var/lib/puppet/ssl/certs/ca.pem\n+ group => bacula\n+ outfile => /etc/bacula/ssl/server.p12\n"}, {"resource": "File[/lib/systemd/system/phd.service]", "content": "--- /lib/systemd/system/phd.service.orig\n+++ /lib/systemd/system/phd.service\n@@ -0,0 +1,18 @@\n+[Unit]\n+Description=phabricator-phd\n+After=syslog.target network.target mysql.service\n+Before=apache2.service\n+\n+[Service]\n+Type=forking\n+User=phd\n+Group=phd\n+Environment=\"PHABRICATOR_ENV=phd\"\n+RuntimeDirectory=phd\n+ExecStart=/srv/phab/phabricator/bin/phd start\n+ExecStop=/srv/phab/phabricator/bin/phd stop --force\n+RestartSec=10\n+Restart=always\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phd.service].orig\n+++ File[/lib/systemd/system/phd.service]\n\n+ notify => Exec[systemd daemon-reload for phd.service (phd)]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/bacula/ssl/server.p12]", "parameters": "--- File[/etc/bacula/ssl/server.p12].orig\n+++ File[/etc/bacula/ssl/server.p12]\n\n+ mode => 0440\n+ owner => bacula\n+ ensure => absent\n+ group => bacula\n"}, {"resource": "Systemd::Service[wmf_auto_restart_envoyproxy]", "parameters": "--- Systemd::Service[wmf_auto_restart_envoyproxy].orig\n+++ Systemd::Service[wmf_auto_restart_envoyproxy]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[wmf_auto_restart_envoyproxy.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft]", "content": "--- /etc/nftables/input/10_rsyncd_access_srv-dumps.nft.orig\n+++ /etc/nftables/input/10_rsyncd_access_srv-dumps.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr { 10.192.27.6, 10.64.16.101, 208.80.154.142, 208.80.154.71 } tcp dport { 873, 1873 } accept\n+ip6 saddr { 2620:0:860:114:10:192:27:6, 2620:0:861:102:10:64:16:101, 2620:0:861:2:208:80:154:142, 2620:0:861:3:208:80:154:71 } tcp dport { 873, 1873 } accept", "parameters": "--- File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft].orig\n+++ File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Firewall::Service[envoy_tls_termination_src_sets]", "parameters": "--- Firewall::Service[envoy_tls_termination_src_sets].orig\n+++ Firewall::Service[envoy_tls_termination_src_sets]\n\n+ ensure => present\n+ port => 443\n+ proto => tcp\n+ src_sets => ['CACHES']\n+ prio => 10\n+ notrack => True\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Service[rsync-phabricator-repos]", "parameters": "--- Systemd::Service[rsync-phabricator-repos].orig\n+++ Systemd::Service[rsync-phabricator-repos]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[rsync-phabricator-repos.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/etc/sysctl.d/70-phabricator-network-tuning.conf]", "content": "--- /etc/sysctl.d/70-phabricator-network-tuning.conf.orig\n+++ /etc/sysctl.d/70-phabricator-network-tuning.conf\n@@ -0,0 +1,3 @@\n+# sysctl parameters managed by Puppet.\n+net.ipv4.ip_local_port_range = 4001 65534\n+net.ipv4.tcp_tw_reuse = 1", "parameters": "--- File[/etc/sysctl.d/70-phabricator-network-tuning.conf].orig\n+++ File[/etc/sysctl.d/70-phabricator-network-tuning.conf]\n\n+ notify => Exec[update_sysctl]\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Profile::Auto_restarts::Service[aphlict]", "parameters": "--- Profile::Auto_restarts::Service[aphlict].orig\n+++ Profile::Auto_restarts::Service[aphlict]\n\n+ ensure => absent\n"}, {"resource": "Rsync::Quickdatacopy[phabricator-home-dirs]", "parameters": "--- Rsync::Quickdatacopy[phabricator-home-dirs].orig\n+++ Rsync::Quickdatacopy[phabricator-home-dirs]\n\n+ dest_host => phab2002.codfw.wmnet\n+ module_path => /srv/homes\n+ ensure => present\n+ source_host => phab1004.eqiad.wmnet\n+ server_uses_stunnel => False\n+ progress => False\n+ auto_sync => True\n+ delete => True\n+ ignore_missing_file_errors => False\n+ auto_interval => {'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}\n"}, {"resource": "Logrotate::Conf[backup-home-dirs]", "parameters": "--- Logrotate::Conf[backup-home-dirs].orig\n+++ Logrotate::Conf[backup-home-dirs]\n\n+ ensure => absent\n"}, {"resource": "Exec[update-gitconfig]", "parameters": "--- Exec[update-gitconfig].orig\n+++ Exec[update-gitconfig]\n\n+ refreshonly => True\n+ command => /bin/cat /etc/gitconfig.d/*.gitconfig > /etc/gitconfig\n"}, {"resource": "Concat_fragment[/etc/bacula_puppet_ca_chain]", "parameters": "--- Concat_fragment[/etc/bacula_puppet_ca_chain].orig\n+++ Concat_fragment[/etc/bacula_puppet_ca_chain]\n\n+ order => 02\n+ tag => _etc_bacula_ssl_cert.pem\n+ source => /var/lib/puppet/ssl/certs/ca.pem\n+ target => /etc/bacula/ssl/cert.pem\n"}, {"resource": "File[/etc/update-motd.d/05-phabricator]", "content": "--- /etc/update-motd.d/05-phabricator.orig\n+++ /etc/update-motd.d/05-phabricator\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"phab2003 is a Phabricator (main) server (phabricator)\"", "parameters": "--- File[/etc/update-motd.d/05-phabricator].orig\n+++ File[/etc/update-motd.d/05-phabricator]\n\n+ mode => 0555\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Systemd::Timer[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Systemd::Timer[wmf_auto_restart_prometheus-apache-exporter]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 13:4:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => present\n+ unit_name => wmf_auto_restart_prometheus-apache-exporter.service\n+ splay => 0\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_envoyproxy]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_envoyproxy].orig\n+++ Systemd::Syslog[wmf_auto_restart_envoyproxy]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Systemd::Timer[rsync-phabricator-home-dirs]", "parameters": "--- Systemd::Timer[rsync-phabricator-home-dirs].orig\n+++ Systemd::Timer[rsync-phabricator-home-dirs]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => rsync-phabricator-home-dirs.service\n+ splay => 0\n"}, {"resource": "Package[prometheus-apache-exporter]", "parameters": "--- Package[prometheus-apache-exporter].orig\n+++ Package[prometheus-apache-exporter]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "Package[python3-pymysql]", "parameters": "--- Package[python3-pymysql].orig\n+++ Package[python3-pymysql]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]", "parameters": "--- Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)].orig\n+++ Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "content": "--- /etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr.orig\n+++ /etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr\n@@ -0,0 +1,17 @@\n+{\n+ \"CN\": \"phabricator.discovery.wmnet\",\n+ \"hosts\": [\n+ \"phabricator.wikimedia.org\",\n+ \"phab.wmfusercontent.org\",\n+ \"bugs.wikimedia.org\",\n+ \"bugzilla.wikimedia.org\",\n+ \"phabricator.discovery.wmnet\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr].orig\n+++ File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]\n\n+ mode => 0400\n+ owner => root\n+ ensure => file\n+ group => root\n"}, {"resource": "Service[rsync-phabricator-repos.timer]", "parameters": "--- Service[rsync-phabricator-repos.timer].orig\n+++ Service[rsync-phabricator-repos.timer]\n\n+ before => ['Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Exec[systemd daemon-reload for phd.service (phd)]", "parameters": "--- Exec[systemd daemon-reload for phd.service (phd)].orig\n+++ Exec[systemd daemon-reload for phd.service (phd)]\n\n+ before => ['Service[phd]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)].orig\n+++ Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_quarterly_metrics.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_quarterly_metrics.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_quarterly_metrics.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_quarterly_metrics.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_aphlict]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_aphlict].orig\n+++ Rsyslog::Conf[wmf_auto_restart_aphlict]\n\n+ mode => 0444\n+ require => File[/var/log/wmf_auto_restart_aphlict]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_envoyproxy]", "parameters": "--- Systemd::Timer[wmf_auto_restart_envoyproxy].orig\n+++ Systemd::Timer[wmf_auto_restart_envoyproxy]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 19:9:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => wmf_auto_restart_envoyproxy.service\n+ splay => 0\n"}, {"resource": "User[mbinder]", "parameters": "--- User[mbinder].orig\n+++ User[mbinder]\n\n+ comment => Max Binder\n+ managehome => False\n+ ensure => present\n+ shell => /bin/bash\n+ groups => []\n+ allowdupe => False\n+ gid => 500\n+ home => /home/mbinder\n+ uid => 14304\n"}, {"resource": "Motd::Script[backups-srv-repos]", "parameters": "--- Motd::Script[backups-srv-repos].orig\n+++ Motd::Script[backups-srv-repos]\n\n+ tag => backup-motd\n+ priority => 6\n+ ensure => present\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_community_metrics.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_community_metrics.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_community_metrics.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - community_metrics\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/community_metrics.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_community_metrics.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_community_metrics.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "parameters": "--- Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet].orig\n+++ Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]\n\n+ ensure => present\n+ port => 9102\n+ proto => tcp\n+ prio => 10\n+ notrack => False\n+ src_ips => ['10.64.183.10', '2620:0:861:13d:10:64:183:10']\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Systemd::Timer::Job[phabricator_clean_tmp_files]", "parameters": "--- Systemd::Timer::Job[phabricator_clean_tmp_files].orig\n+++ Systemd::Timer::Job[phabricator_clean_tmp_files]\n\n+ monitoring_contact_groups => admins\n+ ensure => present\n+ private_tmp => False\n+ description => phabricator cleanup temp files\n+ command => /usr/bin/find /tmp -ignore_readdir_race -user www-data -mtime +14 -delete\n+ success_exit_status => []\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* 07:00:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_community_metrics.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_community_metrics.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_community_metrics.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_community_metrics.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-1 0:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/home/urbanecm]", "parameters": "--- File[/home/urbanecm].orig\n+++ File[/home/urbanecm]\n\n+ mode => 0644\n+ source => puppet:///modules/admin/home/urbanecm\n+ recurse => remote\n+ owner => urbanecm\n+ ensure => directory\n+ force => True\n+ group => 500\n"}, {"resource": "File[/home/gjg]", "parameters": "--- File[/home/gjg].orig\n+++ File[/home/gjg]\n\n+ mode => 0644\n+ source => puppet:///modules/admin/home/skel\n+ recurse => remote\n+ owner => gjg\n+ ensure => directory\n+ force => True\n+ group => 500\n"}, {"resource": "Rsyslog::Conf[phabricator_task_dump]", "parameters": "--- Rsyslog::Conf[phabricator_task_dump].orig\n+++ Rsyslog::Conf[phabricator_task_dump]\n\n+ mode => 0444\n+ require => File[/var/log/phabricator_task_dump]\n+ priority => 40\n+ ensure => absent\n"}, {"resource": "Admin::User[mbinder]", "parameters": "--- Admin::User[mbinder].orig\n+++ Admin::User[mbinder]\n\n+ comment => Max Binder\n+ ensure => present\n+ shell => /bin/bash\n+ ssh_keys => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLrpbK99cmNng3y8t1qYOvTKksI4TZKtQSTsF9RZ1pC maxbinder@Maxs-MacBook-Air.local']\n+ groups => []\n+ home_dir => /home/mbinder\n+ gid => 500\n+ uid => 14304\n"}, {"resource": "Systemd::Timer[rsync-phabricator-repos]", "parameters": "--- Systemd::Timer[rsync-phabricator-repos].orig\n+++ Systemd::Timer[rsync-phabricator-repos]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => rsync-phabricator-repos.service\n+ splay => 0\n"}, {"resource": "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]", "parameters": "--- Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)].orig\n+++ Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/rsyslog.d/10-input-file-apache2-error.conf]", "content": "--- /etc/rsyslog.d/10-input-file-apache2-error.conf.orig\n+++ /etc/rsyslog.d/10-input-file-apache2-error.conf\n@@ -0,0 +1,8 @@\n+# This file managed by puppet rsyslog::input::file\n+\n+input(type=\"imfile\"\n+ File=\"/var/log/apache2/*error*.log\"\n+ reopenOnTruncate=\"on\"\n+ addMetadata=\"off\"\n+ addCeeTag=\"off\"\n+ Tag=\"input-file-apache2-error\")", "parameters": "--- File[/etc/rsyslog.d/10-input-file-apache2-error.conf].orig\n+++ File[/etc/rsyslog.d/10-input-file-apache2-error.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Exec[mkdir /var/spool/exim4/scan]", "parameters": "--- Exec[mkdir /var/spool/exim4/scan].orig\n+++ Exec[mkdir /var/spool/exim4/scan]\n\n+ creates => /var/spool/exim4/scan\n+ require => Package[exim4-daemon-heavy]\n+ path => /bin:/usr/bin\n"}, {"resource": "Rsyslog::Conf[envoy]", "parameters": "--- Rsyslog::Conf[envoy].orig\n+++ Rsyslog::Conf[envoy]\n\n+ mode => 0444\n+ require => File[/var/log/envoy]\n+ priority => 40\n+ ensure => present\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Systemd::Syslog[wmf_auto_restart_prometheus-apache-exporter]\n\n+ readable_by => all\n+ ensure => present\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Class[Profile::Phabricator::Datasync]", "parameters": "--- Class[Profile::Phabricator::Datasync].orig\n+++ Class[Profile::Phabricator::Datasync]\n\n+ dumps_rsync_clients => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet', 'clouddumps1001.wikimedia.org', 'clouddumps1002.wikimedia.org']\n+ active_server => phab1004.eqiad.wmnet\n+ home_sync_dir => /srv/homes\n+ passive_server => phab2002.codfw.wmnet\n"}, {"resource": "Rsync::Server::Module[srv-dumps]", "parameters": "--- Rsync::Server::Module[srv-dumps].orig\n+++ Rsync::Server::Module[srv-dumps]\n\n+ chroot => True\n+ ensure => present\n+ lock_file => /var/run/rsyncd.lock\n+ qos_low => False\n+ read_only => yes\n+ auto_firewall => True\n+ write_only => no\n+ max_connections => 0\n+ path => /srv/dumps\n+ list => yes\n+ gid => 0\n+ hosts_allow => ['phab1004.eqiad.wmnet', 'phab2002.codfw.wmnet', 'clouddumps1001.wikimedia.org', 'clouddumps1002.wikimedia.org']\n+ uid => 0\n"}, {"resource": "File[/etc/rsyslog.d/40-envoy.conf]", "content": "--- /etc/rsyslog.d/40-envoy.conf.orig\n+++ /etc/rsyslog.d/40-envoy.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"envoy\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/envoy/syslog.log\"\n+ fileOwner=\"envoy\" fileGroup=\"envoy\"\n+ fileCreateMode=\"0640\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-envoy.conf].orig\n+++ File[/etc/rsyslog.d/40-envoy.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Service[phabricator_task_dump]", "parameters": "--- Systemd::Service[phabricator_task_dump].orig\n+++ Systemd::Service[phabricator_task_dump]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_task_dump.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_tech_news_weekly_stats.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_tech_news_weekly_stats.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Thursday *-*-* 12:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/rsync-phabricator-repos.timer]", "content": "--- /lib/systemd/system/rsync-phabricator-repos.timer.orig\n+++ /lib/systemd/system/rsync-phabricator-repos.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of rsync-phabricator-repos.service\n+\n+[Timer]\n+Unit=rsync-phabricator-repos.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* *:00/10:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/rsync-phabricator-repos.timer].orig\n+++ File[/lib/systemd/system/rsync-phabricator-repos.timer]\n\n+ notify => Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Ssh::Userkey[mbinder]", "parameters": "--- Ssh::Userkey[mbinder].orig\n+++ Ssh::Userkey[mbinder]\n\n+ user => mbinder\n+ ensure => present\n"}, {"resource": "Exec[phabricator-admin_ensure_members]", "parameters": "--- Exec[phabricator-admin_ensure_members].orig\n+++ Exec[phabricator-admin_ensure_members]\n\n+ logoutput => True\n+ command => /usr/bin/gpasswd phabricator-admin -M aklapper,gjg,urbanecm\n+ path => /usr/bin:/bin\n+ require => ['User[aklapper]', 'User[gjg]', 'User[urbanecm]']\n+ unless => getent group phabricator-admin | xargs test -z || getent group phabricator-admin | cut -d ':' -f 4 | grep -E ^aklapper,gjg,urbanecm$\n"}, {"resource": "File[/srv/phab/phabricator/scripts/mail/]", "parameters": "--- File[/srv/phab/phabricator/scripts/mail/].orig\n+++ File[/srv/phab/phabricator/scripts/mail/]\n\n+ mode => 0755\n+ recurse => True\n+ owner => root\n+ path => /srv/phab/phabricator/scripts/mail\n+ require => ['Package[phabricator/deployment]']\n+ group => root\n"}, {"resource": "Class[Profile::Backup::Host]", "parameters": "--- Class[Profile::Backup::Host].orig\n+++ Class[Profile::Backup::Host]\n\n+ client_version => 9\n+ director => backup1014.eqiad.wmnet\n+ days => ['Sat', 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri']\n+ enable => True\n+ pool => productionEqiad\n+ director_seed => changeme\n"}, {"resource": "File[/usr/local/bin/project_changes.sh]", "content": "--- /usr/local/bin/project_changes.sh.orig\n+++ /usr/local/bin/project_changes.sh\n@@ -0,0 +1,771 @@\n+#!/bin/bash\n+# send project changes in Phabricator for the last week (T85183)\n+# to phabricator-reports@lists.wikimedia.org (T136660)\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/file/project_changes.sh\n+\n+source /etc/phab_project_changes.conf\n+\n+#echo \"result_creations_and_name_changes\"\n+result_creations_and_name_changes=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", p1.id) AS url, project_transaction1.oldValue, project_transaction1.newValue, parent.name AS parentProject, user.userName\n+ FROM project_transaction project_transaction1\n+ LEFT OUTER JOIN\n+ (SELECT project.name, project_transaction2.objectPHID, project_transaction2.transactionType\n+ FROM project_transaction AS project_transaction2\n+ JOIN project\n+ WHERE (project_transaction2.transactionType = \"project:parent\"\n+ OR project_transaction2.transactionType = \"project:milestone\")\n+ AND SUBSTRING(project_transaction2.newValue, 2,30) = project.phid\n+ AND project_transaction2.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK))) parent\n+ ON parent.objectPHID = project_transaction1.objectPHID\n+ JOIN phabricator_user.user\n+ JOIN project p1\n+ WHERE project_transaction1.transactionType = \"project:name\"\n+ AND p1.phid = project_transaction1.objectPHID\n+ AND project_transaction1.authorPHID = user.phid\n+ AND project_transaction1.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK));\n+\n+END\n+)\n+\n+#echo \"result_color_changes\"\n+result_color_changes=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", project.id) AS url, project_transaction.oldValue, project_transaction.newValue, project.name\n+ FROM project_transaction\n+ JOIN project\n+ WHERE project_transaction.transactionType = \"project:color\"\n+ AND project_transaction.objectPHID = project.phid\n+ AND project_transaction.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK));\n+\n+END\n+)\n+\n+#echo \"result_policy_locking_archiving_changes\"\n+result_policy_locking_archiving_changes=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", project.id) AS url, project_transaction.oldValue, project_transaction.newValue,\n+ project_transaction.transactionType, project.name\n+ FROM project_transaction\n+ JOIN project\n+ WHERE (project_transaction.transactionType = \"core:join-policy\"\n+ OR project_transaction.transactionType = \"core:edit-policy\"\n+ OR project_transaction.transactionType = \"core:view-policy\"\n+ OR project_transaction.transactionType = \"project:locked\"\n+ OR project_transaction.transactionType = \"project:status\")\n+ AND (project_transaction.oldValue != \"null\"\n+ OR project_transaction.newValue NOT IN (\"\\\"public\\\"\", \"\\\"users\\\"\"))\n+ AND project_transaction.objectPHID = project.phid\n+ AND project_transaction.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK));\n+\n+END\n+)\n+\n+#echo \"result_column_changes\"\n+result_column_changes=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/board/\", prj.id) AS url, usr.userName, prj.name AS projectName, cl.name AS columnName, cltr.oldValue, cltr.newValue\n+ FROM phabricator_project.project_columntransaction cltr\n+ JOIN phabricator_project.project prj\n+ JOIN phabricator_project.project_column pcl\n+ JOIN phabricator_user.user usr\n+ JOIN phabricator_project.project_column cl\n+ WHERE (cltr.transactionType = \"project:col:name\"\n+ OR cltr.transactionType = \"project:col:status\")\n+ AND cltr.objectPHID = pcl.phid\n+ AND pcl.projectPHID = prj.phid\n+ AND cltr.authorPHID = usr.phid\n+ AND cl.phid = cltr.objectPHID\n+ AND cltr.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK));\n+\n+END\n+)\n+\n+#echo \"result_editengine_changes\"\n+result_editengine_changes=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/view/\", seec.id) AS form, seect.transactionType, u.userName AS\n+user\n+ FROM phabricator_search.search_editengineconfigurationtransaction seect\n+ INNER JOIN phabricator_search.search_editengineconfiguration seec ON seec.phid = seect.objectPHID\n+ INNER JOIN phabricator_user.user u ON seect.authorPHID = u.phid\n+ WHERE seect.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK)) \n+ ORDER BY seec.id,seect.dateModified;\n+\n+END\n+)\n+\n+#echo \"result_archived_projects_open_tasks\"\n+# see https://phabricator.wikimedia.org/T133649\n+result_archived_projects_open_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", p.id) AS url, sub.parentProject AS parentProject, p.name AS projectName, count(p.name) AS n\n+ FROM phabricator_maniphest.edge edg\n+ JOIN phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_project.project p\n+ LEFT JOIN (SELECT p3.name AS parentProject, p3.phid FROM phabricator_project.project p3) sub\n+ ON sub.phid = p.parentProjectPHID\n+ WHERE edg.dst LIKE 'PHID-PROJ-%'\n+ AND edg.src LIKE 'PHID-TASK-%'\n+ AND p.phid = edg.dst\n+ AND p.status = 100\n+ AND t.phid = edg.src\n+ AND (t.status = \"open\" OR t.status = \"progress\" OR t.status = \"stalled\")\n+ AND edg.src NOT IN\n+ (SELECT edg2.src\n+ FROM phabricator_maniphest.edge edg2\n+ JOIN phabricator_maniphest.maniphest_task t2\n+ JOIN phabricator_project.project p2\n+ WHERE edg2.dst LIKE 'PHID-PROJ-%'\n+ AND edg2.src LIKE 'PHID-TASK-%'\n+ AND edg2.dst != \"PHID-PROJ-onnxucoedheq3jevknyr\"\n+ AND p2.phid = edg2.dst\n+ AND p2.status = 0\n+ AND t2.phid = edg2.src\n+ AND (t.status = \"open\" OR t.status = \"progress\" OR t.status = \"stalled\"))\n+ GROUP BY p.name\n+ ORDER BY n DESC;\n+\n+END\n+)\n+\n+# echo \"result_problematic_color_icon_combos\"\n+# see https://phabricator.wikimedia.org/T249806\n+result_problematic_color_icon_combos=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", id) AS url, name, color, icon\n+ FROM phabricator_project.project\n+ WHERE status != \"100\"\n+ AND ((color = \"violet\" AND icon != \"group\")\n+ OR (color = \"yellow\" AND icon != \"tag\")\n+ OR (color = \"orange\" AND (icon != \"goal\" AND icon != \"release\"\n+ AND name NOT LIKE \"Cloud-Services-Origin-%\"))\n+ OR (color = \"checkered\" AND icon != \"account\")\n+ OR (color = \"green\" AND icon != \"timeline\")\n+ OR color = \"indigo\"\n+ OR (color = \"pink\" AND id != 32 AND id != 1825)\n+ OR (color = \"red\" AND id != 6674 AND icon != \"policy\" AND icon != \"bugs\")\n+ OR (color = \"grey\" AND icon != \"meta\" AND name != \"Trash\"));\n+\n+END\n+)\n+\n+# echo \"result_inactive_users_assigned_tasks\"\n+# see https://phabricator.wikimedia.org/T157740\n+result_inactive_users_assigned_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/p/\", u.userName) AS userName, e.src AS taskPHID, e.dst AS \"projectPHID of task\" \n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u\n+ JOIN phabricator_maniphest.edge e\n+ WHERE u.isDisabled = 1\n+ AND t.ownerPHID = u.phid\n+ AND (t.status = \"open\" OR t.status = \"progress\" OR t.status = \"stalled\")\n+ AND e.src = t.phid\n+ AND e.dst LIKE \"PHID-PROJ-%\"\n+ ORDER BY u.userName, taskPHID;\n+\n+END\n+)\n+\n+# echo \"result_new_user_assignees\"\n+# see https://phabricator.wikimedia.org/T195780\n+# and https://phabricator.wikimedia.org/T227388\n+result_new_user_assignees=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+SELECT DISTINCT CONCAT(\"https://phabricator.wikimedia.org/p/\", u.userName) AS userName,\n+ CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS id,\n+ from_unixtime(t.dateModified) AS claimedOn\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u ON u.userName = t.ownerOrdering\n+ WHERE t.dateModified > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 6 WEEK))\n+ AND (t.status = \"open\" OR t.status = \"progress\" OR t.status = \"stalled\")\n+ AND u.dateCreated > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 8 WEEK))\n+ AND u.isDisabled = 0\n+ AND t.ownerOrdering IS NOT NULL\n+ AND t.closerPHID IS NULL\n+ AND t.phid NOT IN\n+ (SELECT e.src FROM phabricator_maniphest.edge e\n+ WHERE e.type = 41 AND e.dst = \"PHID-PROJ-onnxucoedheq3jevknyr\") \n+ AND t.ownerOrdering IN\n+ (SELECT t.ownerOrdering FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u\n+ WHERE u.userName = t.ownerOrdering\n+ AND u.dateCreated > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 8 WEEK))\n+ GROUP BY t.ownerOrdering HAVING COUNT(t.ownerOrdering) < 4)\n+ ORDER BY claimedOn, userName;\n+\n+END\n+)\n+\n+#echo \"result_user_profile_urls\"\n+# see https://phabricator.wikimedia.org/T250946\n+result_user_profile_urls=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/p/\", u.userName) AS userName\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_profile up\n+ WHERE up.userPHID = u.phid\n+ AND u.isDisabled = 0\n+ AND up.blurb LIKE \"%http%\"\n+ AND up.dateModified > (UNIX_TIMESTAMP() - 605300);\n+END\n+)\n+\n+#echo \"result_workboard_column_triggers\"\n+# see https://phabricator.wikimedia.org/T260427\n+result_workboard_column_triggers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/p/\", u.userName) AS author,\n+ CONCAT(\"https://phabricator.wikimedia.org/project/board/\", p.id) AS url,\n+ pc.name AS columnname\n+ FROM phabricator_project.project p\n+ INNER JOIN phabricator_project.project_column pc\n+ INNER JOIN phabricator_project.project_triggertransaction ptt\n+ INNER JOIN phabricator_user.user u\n+ WHERE pc.projectPHID = p.phid\n+ AND pc.triggerPHID = ptt.objectPHID\n+ AND ptt.transactionType = \"ruleset\"\n+ AND ptt.authorPHID = u.phid\n+ AND ptt.dateModified > (UNIX_TIMESTAMP() - 605300)\n+ ORDER BY ptt.dateModified;\n+END\n+)\n+\n+#echo \"result_dashboard_panels\"\n+# see https://phabricator.wikimedia.org/T260428\n+result_dashboard_panels=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/W\", dp.id) AS panel,\n+ u.userName AS author,\n+ u.isDisabled AS disabled,\n+ dp.name AS panelName,\n+ dp.viewPolicy AS viewPolicy\n+ FROM phabricator_dashboard.dashboard_panel dp\n+ INNER JOIN phabricator_user.user u\n+ WHERE dp.authorPHID = u.phid\n+ AND dp.dateModified > (UNIX_TIMESTAMP() - 605300)\n+ ORDER BY dp.dateModified;\n+END\n+)\n+\n+#echo \"result_dashboards\"\n+# see https://phabricator.wikimedia.org/T323471\n+result_dashboards=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/dashboard/view/\", d.id) AS dashboard,\n+ d.phid,\n+ u.userName AS author,\n+ u.isDisabled AS disabled,\n+ d.name AS dashboardName,\n+ d.viewPolicy AS viewPolicy\n+ FROM phabricator_dashboard.dashboard d\n+ INNER JOIN phabricator_user.user u\n+ WHERE d.authorPHID = u.phid\n+ AND d.dateModified > (UNIX_TIMESTAMP() - 605300)\n+ ORDER BY d.dateModified;\n+END\n+)\n+\n+#echo \"result_portals\"\n+# see https://phabricator.wikimedia.org/T323477\n+result_portals=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/portal/view/\", dpo.id) AS portal,\n+ dpo.phid,\n+ u.userName AS author,\n+ u.isDisabled AS userDisabled,\n+ dpo.name AS panelName,\n+ dpo.viewPolicy AS viewPolicy\n+ FROM phabricator_dashboard.dashboard_portal dpo\n+ INNER JOIN phabricator_dashboard.dashboard_portaltransaction dpot\n+ INNER JOIN phabricator_user.user u\n+ WHERE dpo.phid = dpot.objectPHID\n+ AND dpot.authorPHID = u.phid\n+ AND dpot.transactionType = \"core:create\"\n+ AND dpo.dateModified > (UNIX_TIMESTAMP() - 605300);\n+END\n+)\n+\n+# echo \"result_renamed_diffusion_striker_repos\"\n+# see https://phabricator.wikimedia.org/T197699\n+result_renamed_diffusion_striker_repos=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT rt.oldValue AS oldName, rt.newValue AS newName, u.userName AS user\n+ FROM phabricator_repository.repository_transaction rt\n+ INNER JOIN phabricator_user.user u ON rt.authorPHID = u.phid\n+ WHERE rt.transactionType = \"repo:name\"\n+ AND rt.dateCreated > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 1 WEEK))\n+ AND oldValue != \"null\"\n+ AND rt.objectPHID IN\n+ (SELECT objectPHID FROM phabricator_repository.repository_transaction sb\n+ WHERE sb.transactionType = \"core:create\"\n+ AND sb.authorPHID = \"PHID-USER-osw2bumzx5lwf3mf65t3\");\n+\n+END\n+)\n+\n+#echo \"result_past_due_dates\"\n+# see https://phabricator.wikimedia.org/T249807\n+result_past_due_dates=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS Task, FROM_UNIXTIME(cfs.fieldValue) AS DueDate\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_maniphest.maniphest_customfieldstorage cfs\n+ WHERE cfs.fieldIndex = \"GGorRQHBaRdo\"\n+ AND FROM_UNIXTIME(cfs.fieldValue) < (NOW() - INTERVAL 1 MONTH)\n+ AND t.phid = cfs.objectPHID\n+ AND (t.status = \"open\" OR t.status = \"progress\" OR t.status = \"stalled\")\n+ ORDER BY cfs.fieldValue;\n+END\n+)\n+\n+#echo \"result_deadline_tasks_without_due_dates\"\n+# see https://phabricator.wikimedia.org/T380915\n+result_deadline_tasks_without_due_dates=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS task\n+ FROM phabricator_maniphest.maniphest_task t\n+ WHERE t.subtype = \"deadline\"\n+ AND (t.status = \"open\" OR t.status = \"stalled\" OR t.status = \"progress\")\n+ AND t.phid NOT IN\n+ (SELECT cfs.objectPHID\n+ FROM phabricator_maniphest.maniphest_customfieldstorage cfs\n+ WHERE cfs.fieldIndex = \"GGorRQHBaRdo\");\n+END\n+)\n+\n+#echo \"result_parent_projects_without_desc\"\n+# see https://phabricator.wikimedia.org/T249805\n+result_parent_projects_without_desc=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/tag/\", p.primarySlug) AS parentproject\n+ FROM phabricator_project.project p\n+ WHERE p.parentProjectPHID IS NULL\n+ AND p.status != 100\n+ AND p.phid NOT IN\n+ (SELECT p.phid\n+ FROM phabricator_project.project p\n+ JOIN phabricator_project.project_customfieldstorage cfs\n+ WHERE cfs.objectPHID = p.phid\n+ AND fieldIndex = \"0.9QWd3nmyTs\")\n+ ORDER BY p.primarySlug;\n+END\n+)\n+\n+#echo \"result_sub_projects_without_desc\"\n+# see https://phabricator.wikimedia.org/T249805\n+result_sub_projects_without_desc=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/tag/\", pp.primarySlug) AS parentproject, p.name AS subproject\n+ FROM phabricator_project.project p\n+ JOIN phabricator_project.project pp\n+ WHERE pp.phid = p.parentProjectPHID\n+ AND pp.status != 100\n+ AND p.status != 100\n+ AND p.phid NOT IN\n+ (SELECT p.phid\n+ FROM phabricator_project.project p\n+ JOIN phabricator_project.project_customfieldstorage cfs\n+ WHERE p.status != 100\n+ AND cfs.objectPHID = p.phid\n+ AND fieldIndex = \"0.9QWd3nmyTs\")\n+ ORDER BY pp.primarySlug,p.name;\n+END\n+)\n+\n+#echo \"result_herald_rules_archived_projects\"\n+# see https://phabricator.wikimedia.org/T327508\n+result_herald_rules_archived_projects=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/H\",hr.id) AS heraldRule,\n+ CONCAT(\"https://phabricator.wikimedia.org/project/profile/\", p.id) AS archivedProject\n+ FROM phabricator_herald.herald_rule hr\n+ INNER JOIN phabricator_herald.edge e ON e.src = hr.phid\n+ INNER JOIN phabricator_project.project p ON e.dst = p.phid\n+ INNER JOIN phabricator_herald.herald_action ha ON ha.ruleID = hr.id\n+ WHERE hr.isDisabled = 0\n+ AND p.status = 100\n+ AND (ha.action = \"projects.add\" OR ha.action = \"projects.remove\")\n+ AND ha.target LIKE CONCAT('%', p.phid, '%');\n+END\n+)\n+\n+#echo \"result_herald_rules_inactive_authors\"\n+result_herald_rules_inactive_authors=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+ SELECT CONCAT(\"https://phabricator.wikimedia.org/H\", h.id) AS heraldRule,\n+ u.userName AS author\n+ FROM phabricator_herald.herald_rule h\n+ INNER JOIN phabricator_user.user u\n+ WHERE h.authorPHID = u.phid\n+ AND h.isDisabled = 0\n+ AND h.ruleType = \"personal\"\n+ AND h.authorPHID NOT IN\n+ (SELECT trs.authorPHID FROM phabricator_maniphest.maniphest_transaction trs\n+ INNER JOIN phabricator_user.user u\n+ WHERE FROM_UNIXTIME(trs.dateModified) >= (NOW() - INTERVAL 6 MONTH)\n+ AND trs.authorPHID = u.phid)\n+ ORDER BY heraldRule;\n+END\n+)\n+\n+# echo \"result_cookie_licked_stalled_tasks\"\n+# see https://phabricator.wikimedia.org/T228575\n+result_cookie_licked_stalled_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS taskID, u.userName, from_unixtime(ta.dateModified) AS assignedSince\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u\n+ JOIN phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified < (UNIX_TIMESTAMP() - 126144000))\n+ AND u.phid = SUBSTR(ta.newValue, INSTR(ta.newValue, 'PHID-USER-'), 30)\n+ AND ta.objectPHID = t.phid\n+ AND t.ownerPHID = u.phid\n+ AND t.status = \"stalled\"\n+ AND t.phid NOT IN\n+ (SELECT ta.objectPHID FROM phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified > (UNIX_TIMESTAMP() - 126144000)))\n+ ORDER BY ta.dateModified;\n+\n+END\n+)\n+\n+# echo \"result_cookie_licked_open_tasks_with_patch_for_review\"\n+# see https://phabricator.wikimedia.org/T228575\n+result_cookie_licked_open_tasks_with_patch_for_review=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS taskID, u.userName, from_unixtime(ta.dateModified) AS assignedSince\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u\n+ JOIN phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified < (UNIX_TIMESTAMP() - 126144000))\n+ AND u.phid = SUBSTR(ta.newValue, INSTR(ta.newValue, 'PHID-USER-'), 30)\n+ AND ta.objectPHID = t.phid\n+ AND t.ownerPHID = u.phid\n+ AND (t.status = \"open\" OR t.status = \"progress\")\n+ AND t.phid IN\n+ (SELECT e.src FROM phabricator_maniphest.edge e\n+ WHERE e.type = 41 AND e.dst = \"PHID-PROJ-onnxucoedheq3jevknyr\") \n+ AND t.phid NOT IN\n+ (SELECT ta.objectPHID FROM phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified > (UNIX_TIMESTAMP() - 126144000)))\n+ ORDER BY ta.dateModified;\n+\n+END\n+)\n+\n+# echo \"result_cookie_licked_open_tasks_without_patch_for_review\"\n+# see https://phabricator.wikimedia.org/T228575\n+result_cookie_licked_open_tasks_without_patch_for_review=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS taskID, u.userName, from_unixtime(ta.dateModified) AS assignedSince\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_user.user u\n+ JOIN phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified < (UNIX_TIMESTAMP() - 126144000))\n+ AND u.phid = SUBSTR(ta.newValue, INSTR(ta.newValue, 'PHID-USER-'), 30)\n+ AND ta.objectPHID = t.phid\n+ AND t.ownerPHID = u.phid\n+ AND (t.status = \"open\" OR t.status = \"progress\")\n+ AND t.phid NOT IN\n+ (SELECT e.src FROM phabricator_maniphest.edge e\n+ WHERE e.type = 41 AND e.dst = \"PHID-PROJ-onnxucoedheq3jevknyr\") \n+ AND t.phid NOT IN\n+ (SELECT ta.objectPHID FROM phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"reassign\"\n+ AND ta.dateModified > (UNIX_TIMESTAMP() - 126144000)))\n+ ORDER BY ta.dateModified;\n+\n+END\n+)\n+\n+# echo \"result_old_stalled_tasks\"\n+# see https://phabricator.wikimedia.org/T252522\n+result_old_stalled_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", mt.id) AS taskID,\n+IF (mt.viewPolicy = \"public\", mt.title, \"---restricted---\") as taskTitle,\n+FROM_UNIXTIME(mta1.dateCreated) AS stalled_date\n+ FROM phabricator_maniphest.maniphest_task mt\n+ JOIN phabricator_user.user u ON u.phid=mt.authorPHID\n+ INNER JOIN phabricator_maniphest.maniphest_transaction mta1\n+ WHERE mt.status = \"stalled\"\n+ AND mt.phid NOT IN\n+ (SELECT e.src FROM phabricator_maniphest.edge e\n+ WHERE e.type = 41\n+ AND e.dst=\"PHID-PROJ-bchzb6qpl3jhgs2oq6um\")\n+ AND mt.phid NOT IN\n+ (SELECT e.src FROM phabricator_maniphest.edge e\n+ WHERE e.type = 3)\n+ AND mt.phid = mta1.objectPHID\n+ AND mta1.transactionType = \"status\"\n+ AND mta1.newValue = \"\\\"stalled\\\"\"\n+ AND FROM_UNIXTIME(mta1.dateCreated) <= (NOW() - INTERVAL 36 MONTH)\n+ AND mt.phid NOT IN\n+ (SELECT mta2.objectPHID FROM phabricator_maniphest.maniphest_transaction mta2\n+ WHERE mta2.transactionType = \"status\"\n+ AND mta2.newValue = \"\\\"stalled\\\"\"\n+ AND FROM_UNIXTIME(mta2.dateCreated) >= (NOW() - INTERVAL 36 MONTH))\n+ ORDER BY mta1.dateCreated;\n+\n+END\n+)\n+\n+#echo \"result_old_inprogress_tasks\"\n+# see https://phabricator.wikimedia.org/T380300\n+result_old_inprogress_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/T\", t.id) AS taskID\n+ FROM phabricator_maniphest.maniphest_task t\n+ JOIN phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"status\"\n+ AND ta.newValue = \"\\\"progress\\\"\"\n+ AND ta.dateModified < (UNIX_TIMESTAMP() - 31536000))\n+ AND ta.objectPHID = t.phid\n+ AND t.status = \"progress\"\n+ AND t.phid NOT IN\n+ (SELECT ta.objectPHID\n+ FROM phabricator_maniphest.maniphest_transaction ta\n+ WHERE (ta.transactionType = \"status\"\n+ AND ta.dateModified > (UNIX_TIMESTAMP() - 31536000)))\n+ GROUP BY t.id\n+ ORDER BY ta.dateModified;\n+\n+END\n+)\n+\n+#echo \"result_editengine_forms_disabled_subscribers\"\n+# see https://phabricator.wikimedia.org/T403887\n+result_editengine_forms_disabled_subscribers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT u.userName AS disabledUser,\n+ CONCAT('https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/defaults/',seec.id) AS formId\n+ FROM phabricator_search.search_editengineconfiguration seec, JSON_TABLE(seec.properties, \"$.defaults.subscriberPHIDs[*]\" COLUMNS (subscriberPHID VARCHAR(30) PATH \"$\")) AS jt\n+ JOIN phabricator_user.user u ON jt.subscriberPHID = u.phid\n+ WHERE u.isDisabled = 1\n+ AND seec.isDisabled = 0;\n+\n+END\n+)\n+\n+#echo \"result_editengine_forms_disabled_assignees\"\n+# see https://phabricator.wikimedia.org/T403887\n+result_editengine_forms_disabled_assignees=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT u.userName AS disabledUser,\n+ CONCAT('https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/defaults/',seec.id) AS formId\n+ FROM phabricator_search.search_editengineconfiguration seec, JSON_TABLE(seec.properties, \"$.defaults.owner[*]\" COLUMNS (owner VARCHAR(30) PATH \"$\")) AS jt\n+ JOIN phabricator_user.user u ON jt.owner = u.phid\n+ WHERE u.isDisabled = 1\n+ AND seec.isDisabled = 0;\n+\n+END\n+)\n+\n+#echo \"result_editengine_forms_disabled_projects\"\n+# see https://phabricator.wikimedia.org/T403887\n+result_editengine_forms_disabled_projects=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT p.name AS disabledProject,\n+ CONCAT('https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/defaults/',seec.id) AS formId\n+ FROM phabricator_search.search_editengineconfiguration seec, JSON_TABLE(seec.properties, \"$.defaults.projectPHIDs[*]\" COLUMNS (projectPHID VARCHAR(30) PATH \"$\")) AS jt\n+ JOIN phabricator_project.project p ON jt.projectPHID = p.phid\n+ WHERE p.status = 100\n+ AND seec.isDisabled = 0;\n+\n+END\n+)\n+\n+\n+#echo \"result_userprojects_disabled_users\"\n+# see https://phabricator.wikimedia.org/T404411\n+result_userprojects_disabled_users=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/view/\",p.id,\"/\") AS projectURL,\n+ p.name AS project,\n+ u.userName AS user\n+ FROM phabricator_project.project p\n+ INNER JOIN phabricator_user.user u\n+ ON p.name LIKE CONCAT('User-', u.userName)\n+ WHERE u.isDisabled = 1\n+ AND p.status != 100;\n+\n+END\n+)\n+\n+\n+#echo \"result_userprojects_nonexisting_users\"\n+# see https://phabricator.wikimedia.org/T404411\n+result_userprojects_nonexisting_users=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+SELECT CONCAT(\"https://phabricator.wikimedia.org/project/view/\",p.id,\"/\") AS projectURL,\n+ p.name AS project\n+ FROM phabricator_project.project p\n+ WHERE p.name LIKE \"User-%\"\n+ AND p.name NOT LIKE \"User-notice%\"\n+ AND p.name != \"User-Testing\"\n+ AND p.status != 100\n+ AND NOT EXISTS\n+ (SELECT 1 FROM phabricator_user.user u\n+ WHERE p.name LIKE CONCAT('User-', u.userName));\n+\n+END\n+)\n+\n+# the actual email\n+cat < 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n+ connect_timeout => 1.0\n+ retry_policy => {'num_retries': 1, 'retry_on': '5xx'}\n+ request_headers_to_add => {}\n+ header_key_format => none\n+ global_key_path => /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem\n+ has_error_page => False\n+ use_remote_address => False\n+ upstreams => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 80, 'upstream_addr': 'phab2003.codfw.wmnet'}]\n+ global_cert_path => /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem\n+ websockets => True\n+ listen_ipv6 => True\n+ upstream_response_timeout => 65.0\n+ fast_open_queue => 150\n+ response_headers_to_add => {}\n+ rate_limit_enabled => False\n+ local_otel_reporting_pct => 0.0\n+ access_log => False\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_project_changes.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_project_changes.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_project_changes.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - project_changes\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/project_changes.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_project_changes.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_project_changes.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/rsyslog.d/10-input-file-apache2-access.conf]", "content": "--- /etc/rsyslog.d/10-input-file-apache2-access.conf.orig\n+++ /etc/rsyslog.d/10-input-file-apache2-access.conf\n@@ -0,0 +1,8 @@\n+# This file managed by puppet rsyslog::input::file\n+\n+input(type=\"imfile\"\n+ File=\"/var/log/apache2/*access*.log\"\n+ reopenOnTruncate=\"on\"\n+ addMetadata=\"off\"\n+ addCeeTag=\"off\"\n+ Tag=\"input-file-apache2-access\")", "parameters": "--- File[/etc/rsyslog.d/10-input-file-apache2-access.conf].orig\n+++ File[/etc/rsyslog.d/10-input-file-apache2-access.conf]\n\n+ notify => Service[rsyslog]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service].orig\n+++ Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_tech_news_weekly_stats.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/logrotate.d/aphlict]", "parameters": "--- File[/etc/logrotate.d/aphlict].orig\n+++ File[/etc/logrotate.d/aphlict]\n\n+ mode => 0444\n+ source => puppet:///modules/phabricator/logrotate_aphlict\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/phabricator/script-vars]", "content": "--- /etc/phabricator/script-vars.orig\n+++ /etc/phabricator/script-vars\n@@ -2,6 +2,6 @@\n # Sourced by /usr/local/sbin/phab_deploy_* scripts\n #\n PHAB_DIR='/srv/phab'\n-PHAB_STORAGE_USER='phadmin'\n-PHAB_STORAGE_PASS='fakefakefake'\n+PHAB_STORAGE_USER='admin_user'\n+PHAB_STORAGE_PASS='admin_pass'\n PHAB_DEPLOY_USER='phab-deploy'"}, {"resource": "Systemd::Unit[phd]", "parameters": "--- Systemd::Unit[phd].orig\n+++ Systemd::Unit[phd]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => present\n+ unit => phd\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/envoy]", "parameters": "--- File[/etc/envoy].orig\n+++ File[/etc/envoy]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ group => root\n"}, {"resource": "Systemd::Service[envoyproxy.service]", "parameters": "--- Systemd::Service[envoyproxy.service].orig\n+++ Systemd::Service[envoyproxy.service]\n\n+ override => True\n+ restart => False\n+ monitoring_critical => False\n+ ensure => present\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => service\n+ service_params => {'restart': '/bin/systemctl reload envoyproxy.service'}\n+ monitoring_contact_group => admins\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => present\n+ unit => wmf_auto_restart_prometheus-apache-exporter.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_yearly_metrics.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_yearly_metrics.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - yearly_metrics\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/yearly_metrics.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Nftables::Service[phabmain-smtp]", "parameters": "--- Nftables::Service[phabmain-smtp].orig\n+++ Nftables::Service[phabmain-smtp]\n\n+ ensure => absent\n+ port => 25\n+ proto => tcp\n+ prio => 10\n+ notrack => False\n+ src_ips => ['208.80.153.75', '208.80.155.102', '2620:0:860:3:208:80:153:75', '2620:0:861:4:208:80:155:102']\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_prometheus-apache-exporter]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_prometheus-apache-exporter].orig\n+++ Rsyslog::Conf[wmf_auto_restart_prometheus-apache-exporter]\n\n+ mode => 0444\n+ require => File[/var/log/wmf_auto_restart_prometheus-apache-exporter]\n+ priority => 40\n+ ensure => present\n"}, {"resource": "Systemd::Unit[phabricator_clean_tmp_files.service]", "parameters": "--- Systemd::Unit[phabricator_clean_tmp_files.service].orig\n+++ Systemd::Unit[phabricator_clean_tmp_files.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => present\n+ unit => phabricator_clean_tmp_files.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Package[mariadb-client]", "parameters": "--- Package[mariadb-client].orig\n+++ Package[mariadb-client]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "File[/lib/systemd/system/phabricator_task_dump.service]", "content": "--- /lib/systemd/system/phabricator_task_dump.service.orig\n+++ /lib/systemd/system/phabricator_task_dump.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator public task dump\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/bin/python3 /srv/phab/tools/public_task_dump.py", "parameters": "--- File[/lib/systemd/system/phabricator_task_dump.service].orig\n+++ File[/lib/systemd/system/phabricator_task_dump.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Phabricator::Logmail[community_metrics]", "parameters": "--- Phabricator::Logmail[community_metrics].orig\n+++ Phabricator::Logmail[community_metrics]\n\n+ ensure => absent\n+ rcpt_address => wikitech-l@lists.wikimedia.org\n+ monthday => 1\n+ mysql_slave_port => 3323\n+ mysql_slave => m3-slave.codfw.wmnet\n+ minute => 0\n+ basedir => /usr/local/bin\n+ sndr_address => aklapper@wikimedia.org\n+ mysql_db_name => phabricator_maniphest\n+ require => Package[phabricator/deployment]\n+ hour => 0\n"}, {"resource": "Systemd::Unit[rsync-phabricator-home-dirs.service]", "parameters": "--- Systemd::Unit[rsync-phabricator-home-dirs.service].orig\n+++ Systemd::Unit[rsync-phabricator-home-dirs.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => rsync-phabricator-home-dirs.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "Git::Systemconfig[setup proxy]", "parameters": "--- Git::Systemconfig[setup proxy].orig\n+++ Git::Systemconfig[setup proxy]\n\n+ priority => 10\n+ ensure => present\n+ settings => {'http \"https://gerrit.googlesource.com\"': {'proxy': 'http://url-downloader.codfw.wikimedia.org:8080'}, 'http \"https://github.com\"': {'proxy': 'http://url-downloader.codfw.wikimedia.org:8080'}, 'http \"https://gitlab.com\"': {'proxy': 'http://url-downloader.codfw.wikimedia.org:8080'}, 'http \"https://gerrit.wikimedia.org\"': {'proxy': ''}, 'http \"https://phabricator.wikimedia.org\"': {'proxy': ''}}\n"}, {"resource": "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "parameters": "--- Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)].orig\n+++ Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]\n\n+ before => ['Service[envoyproxy.service]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/usr/local/bin/community_metrics.sh]", "content": "--- /usr/local/bin/community_metrics.sh.orig\n+++ /usr/local/bin/community_metrics.sh\n@@ -0,0 +1,240 @@\n+#!/bin/bash\n+# send the number of active users on Bugzilla Phabricator\n+# in the last month to \"community metrics\" team\n+# per T81784 - dzahn 20121219\n+# per T1003 - dzahn,aklapper 20141205\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/files/community_metrics.sh\n+\n+source /etc/phab_community_metrics.conf\n+\n+#echo \"result_activemaniphestusers\"\n+result_activemaniphestusers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u $sql_user $sql_name << END\n+\n+SELECT COUNT(DISTINCT authorPHID) FROM maniphest_transaction WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_authors\"\n+result_authors=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(DISTINCT authorPHID) FROM maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_resolvers\"\n+result_resolvers=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(DISTINCT authorPHID) FROM maniphest_transaction WHERE (transactionType=\"mergedinto\" OR\n+ (transactionType=\"status\" AND (oldValue=\"\\\"open\\\"\" OR oldValue=\"\\\"stalled\\\"\") AND\n+ (newValue=\"\\\"resolved\\\"\" OR newValue=\"\\\"invalid\\\"\" OR newValue=\"\\\"declined\\\"\"))) AND\n+ FROM_UNIXTIME(dateCreated,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_projectsboardmove\"\n+result_projectsboardmove=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(DISTINCT (edge.dst)) FROM phabricator_maniphest.edge INNER JOIN phabricator_maniphest.maniphest_transaction WHERE FROM_UNIXTIME(maniphest_transaction.dateModified,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m') AND maniphest_transaction.transactionType = \"core:columns\" AND edge.type = 41 AND edge.src = maniphest_transaction.objectPHID AND edge.dst = SUBSTR(maniphest_transaction.newValue, INSTR(maniphest_transaction.newValue, 'PHID-PROJ-'), 30);\n+\n+END\n+)\n+\n+#echo \"result_taskscreated\"\n+result_taskscreated=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(*) AS '' FROM maniphest_task WHERE\n+ FROM_UNIXTIME(dateCreated,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_tasksclosed\"\n+result_tasksclosed=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(*) AS '' FROM maniphest_task WHERE\n+ FROM_UNIXTIME(closedEpoch,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+#echo \"result_tasksopen\"\n+result_tasksopen=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(*) AS '' FROM maniphest_task WHERE (status = \"open\" OR status = \"stalled\");\n+\n+END\n+)\n+\n+#echo \"result_tasksopen_open\"\n+result_tasksopen_open=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(*) AS '' FROM maniphest_task WHERE status = \"open\";\n+\n+END\n+)\n+\n+#echo \"result_tasksopen_stalled\"\n+result_tasksopen_stalled=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT COUNT(*) AS '' FROM maniphest_task WHERE status = \"stalled\";\n+\n+END\n+)\n+\n+#echo \"results_mediantasksopen_unbreaknow\"\n+result_mediantasksopen_unbreaknow=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"100\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"100\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"rm_needstriage\"\n+result_mediantasksopen_needstriage=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"90\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"90\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"rm_high\"\n+result_mediantasksopen_high=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"80\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"80\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"rm_normal\"\n+result_mediantasksopen_normal=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"50\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"50\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"rm_low\"\n+result_mediantasksopen_low=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"25\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"25\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"rm_lowest\"\n+result_mediantasksopen_lowest=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user $sql_name << END\n+\n+SELECT avg(t1.dateCreated) as '' FROM (SELECT @rownum:=@rownum+1 as row_nr, d.dateCreated FROM maniphest_task d, (SELECT @rownum:=0) r WHERE (d.priority = \"10\" AND d.status = \"open\") ORDER BY d.dateCreated) as t1, (SELECT COUNT(*) AS total_rows FROM maniphest_task d WHERE (d.priority = \"10\" AND d.status = \"open\")) as t2 WHERE 1 AND t1.row_nr IN ( floor((total_rows+1)/2), floor((total_rows+2)/2));\n+\n+END\n+)\n+\n+#echo \"number of accounts created\"\n+result_accounts_created=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -h $sql_host -P $sql_port -u$sql_user phabricator_user << END\n+\n+SELECT COUNT(id) as '' FROM user WHERE FROM_UNIXTIME(dateCreated,'%Y%m')=date_format(NOW() - INTERVAL 1 MONTH,'%Y%m');\n+\n+END\n+)\n+\n+accountscreated=$(echo $result_accounts_created | tr -d '\\n')\n+\n+activemaniphestusers=$(echo $result_activemaniphestusers | cut -d \" \" -f3)\n+authors=$(echo $result_authors | cut -d \" \" -f3)\n+resolvers=$(echo $result_resolvers | cut -d \" \" -f3)\n+\n+projectsboardmove=$(echo $result_projectsboardmove | cut -d \" \" -f3)\n+\n+taskscreated=$(echo $result_taskscreated | cut -d \" \" -f3)\n+tasksclosed=$(echo $result_tasksclosed | cut -d \" \" -f3)\n+\n+tasksopen=$(echo $result_tasksopen | cut -d \" \" -f3)\n+tasksopen_open=$(echo $result_tasksopen_open | cut -d \" \" -f3)\n+tasksopen_stalled=$(echo $result_tasksopen_stalled | cut -d \" \" -f3)\n+\n+epochnow=$(date +%s)\n+# regex if we have zero open tasks (can happen for unbreaknow; see T159314):\n+regex='^[0-9]+$'\n+\n+mediantasksopen_unbreaknow_epoch=$(echo $result_mediantasksopen_unbreaknow | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+if [[ $mediantasksopen_unbreaknow_epoch =~ $regex ]] ; then\n+ diff_unbreaknow=$((epochnow-mediantasksopen_unbreaknow_epoch))\n+ mediantasksopen_unbreaknow=$(echo $((diff_unbreaknow/86400)))\n+else\n+ mediantasksopen_unbreaknow=0\n+fi\n+\n+mediantasksopen_needstriage_epoch=$(echo $result_mediantasksopen_needstriage | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+diff_needstriage=$((epochnow-mediantasksopen_needstriage_epoch))\n+mediantasksopen_needstriage=$(echo $((diff_needstriage/86400)))\n+\n+mediantasksopen_high_epoch=$(echo $result_mediantasksopen_high | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+diff_high=$((epochnow-mediantasksopen_high_epoch))\n+mediantasksopen_high=$(echo $((diff_high/86400)))\n+\n+mediantasksopen_normal_epoch=$(echo $result_mediantasksopen_normal | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+diff_normal=$((epochnow-mediantasksopen_normal_epoch))\n+mediantasksopen_normal=$(echo $((diff_normal/86400)))\n+\n+mediantasksopen_low_epoch=$(echo $result_mediantasksopen_low | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+diff_low=$((epochnow-mediantasksopen_low_epoch))\n+mediantasksopen_low=$(echo $((diff_low/86400)))\n+\n+mediantasksopen_lowest_epoch=$(echo $result_mediantasksopen_lowest | cut -d \" \" -f3 | sed 's/\\.0000//' | sed 's/\\.5000//')\n+diff_lowest=$((epochnow-mediantasksopen_lowest_epoch))\n+mediantasksopen_lowest=$(echo $((diff_lowest/86400)))\n+\n+lastmonth=$(date --date=\"last month\" +%Y-%m)\n+\n+# the actual email\n+cat < Overview\" from the top bar\n+* Adjust the time frame in the upper right corner to your needs\n+* See the author names in the \"Submitters\" panel\n+\n+TODO: Numbers which refer to closed tasks might not be correct, as\n+described in https://phabricator.wikimedia.org/T1003 .\n+\n+Yours sincerely,\n+Fab Rick Aytor\n+\n+(via $(basename $0) on $(hostname) at $(date))\n+EOF", "parameters": "--- File[/usr/local/bin/community_metrics.sh].orig\n+++ File[/usr/local/bin/community_metrics.sh]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/phab_yearly_metrics.conf]", "content": "--- /etc/phab_yearly_metrics.conf.orig\n+++ /etc/phab_yearly_metrics.conf\n@@ -0,0 +1,7 @@\n+declare rcpt_address='aklapper@wikimedia.org,releng@lists.wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_maniphest'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_yearly_metrics.conf].orig\n+++ File[/etc/phab_yearly_metrics.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_quarterly_metrics.service]", "parameters": "--- Systemd::Unit[phabricator_stats_job_quarterly_metrics.service].orig\n+++ Systemd::Unit[phabricator_stats_job_quarterly_metrics.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_quarterly_metrics.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/etc/exim4/dkim]", "parameters": "--- File[/etc/exim4/dkim].orig\n+++ File[/etc/exim4/dkim]\n\n+ mode => 0750\n+ owner => root\n+ ensure => directory\n+ require => Package[exim4-config]\n+ purge => True\n+ group => Debian-exim\n"}, {"resource": "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]", "parameters": "--- Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server].orig\n+++ Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem 2>&1)\"\n\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/phab2003.codfw.wmnet.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server\n\n"}, {"resource": "Rsync::Quickdatacopy[phabricator-repos]", "parameters": "--- Rsync::Quickdatacopy[phabricator-repos].orig\n+++ Rsync::Quickdatacopy[phabricator-repos]\n\n+ dest_host => phab2002.codfw.wmnet\n+ module_path => /srv/repos\n+ ensure => present\n+ source_host => phab1004.eqiad.wmnet\n+ server_uses_stunnel => False\n+ progress => False\n+ auto_sync => True\n+ delete => True\n+ ignore_missing_file_errors => True\n+ auto_interval => {'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_quarterly_wmf_qls.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_quarterly_wmf_qls.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-01,04,07,10-1 0:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Mount[/var/spool/exim4/scan]", "parameters": "--- Mount[/var/spool/exim4/scan].orig\n+++ Mount[/var/spool/exim4/scan]\n\n+ atboot => True\n+ fstype => tmpfs\n+ ensure => mounted\n+ options => defaults\n+ before => Service[exim4]\n+ require => Exec[mkdir /var/spool/exim4/scan]\n+ device => none\n"}, {"resource": "Firewall::Service[phabmain_http]", "parameters": "--- Firewall::Service[phabmain_http].orig\n+++ Firewall::Service[phabmain_http]\n\n+ ensure => present\n+ port => 80\n+ proto => tcp\n+ src_sets => ['DEPLOYMENT_HOSTS']\n+ prio => 10\n+ notrack => False\n+ unrestricted_access => False\n+ desc => \n"}, {"resource": "Class[Phabricator::Config]", "parameters": "--- Class[Phabricator::Config].orig\n+++ Class[Phabricator::Config]\n\n+ deploy_target => phabricator/deployment\n+ storage_user => admin_user\n+ deploy_user => phab-deploy\n+ phabdir => /srv/phab\n+ storage_pass => admin_pass\n+ manage_scap_user => True\n+ deploy_root => /srv/deployment/phabricator/deployment\n+ config_deploy_vars => {'phabricator': {'www': {'database_username': 'app_user', 'database_password': 'app_pass'}, 'mail': {'database_username': 'app_user', 'database_password': 'app_pass'}, 'phd': {'database_username': 'phd_user', 'database_password': 'phd_pass'}, 'vcs': {'database_username': 'phd_user', 'database_password': 'phd_pass'}, 'redirects': {'database_username': 'phd_user', 'database_password': 'phd_pass', 'database_host': 'm3-slave.codfw.wmnet', 'field_index': '4rRUkCdImLQU'}, 'local': {'base_uri': 'https://phabricator.wikimedia.org', 'alternate_file_domain': 'https://phab.wmfusercontent.org', 'mail_default_address': 'no-reply@phabricator.wikimedia.org', 'mail_reply_handler_domain': 'phabricator.wikimedia.org', 'phd_taskmasters': 4, 'ssh_host': 'git-ssh.wikimedia.org', 'notification_servers': [{'type': 'client', 'host': 'phabricator.wikimedia.org', 'port': 443, 'protocol': 'https'}, {'type': 'admin', 'host': 'aphlict.discovery.wmnet', 'port': 22281, 'protocol': 'http'}], 'cluster_mailers': [{'key': 'wikimedia-smtp', 'type': 'smtp', 'options': {'host': 'localhost', 'port': 25}}], 'database_host': 'm3-slave.codfw.wmnet', 'database_port': '3323', 'gitlab_api_key': ''}}}\n"}, {"resource": "File[/srv/dumps]", "parameters": "--- File[/srv/dumps].orig\n+++ File[/srv/dumps]\n\n+ mode => 0755\n+ owner => root\n+ ensure => directory\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/backup-home-dirs.service]", "content": "--- /lib/systemd/system/backup-home-dirs.service.orig\n+++ /lib/systemd/system/backup-home-dirs.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=create tarballs from /home dirs into /srv/homes\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/backup-home-dirs", "parameters": "--- File[/lib/systemd/system/backup-home-dirs.service].orig\n+++ File[/lib/systemd/system/backup-home-dirs.service]\n\n+ notify => Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/lib/systemd/system/backup-home-dirs.timer]", "content": "--- /lib/systemd/system/backup-home-dirs.timer.orig\n+++ /lib/systemd/system/backup-home-dirs.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of backup-home-dirs.service\n+\n+[Timer]\n+Unit=backup-home-dirs.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* 0:10:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/backup-home-dirs.timer].orig\n+++ File[/lib/systemd/system/backup-home-dirs.timer]\n\n+ notify => Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Service[backup-home-dirs.timer]", "parameters": "--- Service[backup-home-dirs.timer].orig\n+++ Service[backup-home-dirs.timer]\n\n+ before => ['Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]']\n+ provider => systemd\n+ enable => False\n+ ensure => stopped\n"}, {"resource": "Systemd::Timer::Job[rsync-phabricator-repos]", "parameters": "--- Systemd::Timer::Job[rsync-phabricator-repos].orig\n+++ Systemd::Timer::Job[rsync-phabricator-repos]\n\n+ monitoring_contact_groups => admins\n+ ensure => absent\n+ private_tmp => False\n+ description => Transfer data periodically between hosts\n+ command => /usr/local/sbin/sync-phabricator-repos\n+ success_exit_status => [24]\n+ logfile_perms => all\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ syslog_force_stop => True\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* *:00/10:00'}\n+ user => root\n+ syslog_match_startswith => True\n+ send_mail_to => root@phab2003.codfw.wmnet\n+ monitoring_enabled => False\n+ fixed_random_delay => False\n+ logfile_name => syslog.log\n+ environment => {}\n+ send_mail => False\n+ ignore_errors => False\n+ send_mail_only_on_error => True\n+ logging_enabled => True\n+ logfile_basedir => /var/log\n"}, {"resource": "Systemd::Syslog[rsync-phabricator-repos]", "parameters": "--- Systemd::Syslog[rsync-phabricator-repos].orig\n+++ Systemd::Syslog[rsync-phabricator-repos]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Service[envoyproxy.service]", "parameters": "--- Service[envoyproxy.service].orig\n+++ Service[envoyproxy.service]\n\n+ restart => /bin/systemctl reload envoyproxy.service\n+ enable => True\n+ ensure => running\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer]", "content": "--- /lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer.orig\n+++ /lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of phabricator_stats_job_quarterly_metrics.service\n+\n+[Timer]\n+Unit=phabricator_stats_job_quarterly_metrics.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-01,04,07,10-1 0:0:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Logrotate::Conf[phd]", "parameters": "--- Logrotate::Conf[phd].orig\n+++ Logrotate::Conf[phd]\n\n+ source => puppet:///modules/phabricator/logrotate_phd\n+ ensure => present\n"}, {"resource": "File[/usr/local/bin/tech_news_weekly_stats.sh]", "content": "--- /usr/local/bin/tech_news_weekly_stats.sh.orig\n+++ /usr/local/bin/tech_news_weekly_stats.sh\n@@ -0,0 +1,78 @@\n+#!/bin/bash\n+# Weekly statistics of Phabricator for Tech News\n+# https://meta.wikimedia.org/wiki/Tech/News\n+# per T368460 - aklapper 20240626\n+# SPDX-License-Identifier: Apache-2.0\n+# ! this file is managed by puppet !\n+# ./modules/phabricator/files/tech_news_weekly_stats.sh\n+source /etc/phab_tech_news_weekly_stats.conf\n+timestamp=$(date)\n+#echo \"result_tasks\"\n+result_tasks=$(MYSQL_PWD=${sql_pass} /usr/bin/mysql -t --skip-column-names -h $sql_host -P $sql_port -u $sql_user phabricator_maniphest << END\n+SELECT DISTINCT CONCAT(\"[[phab:T\", t.id, \"]]\"), t.title, autr.userName, ownr.userName\n+ FROM phabricator_maniphest.maniphest_task t\n+ INNER JOIN phabricator_user.user autr ON autr.phid = t.authorPHID\n+ INNER JOIN phabricator_user.user ownr ON ownr.phid = t.ownerPHID\n+ WHERE t.status = \"resolved\"\n+ AND FROM_UNIXTIME(t.closedEpoch)>=(NOW() - INTERVAL 168 HOUR)\n+ AND t.viewPolicy = \"public\"\n+ AND autr.phid NOT IN\n+ (SELECT ua.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_externalaccount ua\n+ ON ua.userPHID = u.phid\n+ WHERE ua.accountType = \"mediawiki\"\n+ AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF')\n+ OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ AND autr.phid NOT IN\n+ (SELECT ue.userPHID\n+ FROM phabricator_user.user u\n+ INNER JOIN phabricator_user.user_email ue\n+ ON ue.userPHID = u.phid\n+ WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com' OR ue.address LIKE '%@thisdot.co'))\n+ AND (ownr.phid IN\n+ (SELECT ua.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_externalaccount ua ON ua.userPHID = u.phid WHERE ua.accountType = \"mediawiki\" AND ((ua.username LIKE '%(WMF)' OR ua.username LIKE '%-WMF') OR (ua.username LIKE '%(WMDE)' OR ua.username LIKE '%-WMDE')))\n+ OR ownr.phid IN\n+ (SELECT ue.userPHID FROM phabricator_user.user u INNER JOIN phabricator_user.user_email ue ON ue.userPHID = u.phid WHERE (ue.address LIKE '%@wikimedia.org' OR ue.address LIKE '%@wikimedia.de' OR ue.address LIKE '%@speedandfunction.com' OR ue.address LIKE '%@thisdot.co')));\n+END\n+)\n+\n+# Remove first and last line in mysql table output\n+result_tasks=$(echo \"$result_tasks\" | sed '1d;$d')\n+# replace all | (created by the mariadb -t table parameter) with ||\n+result_tasks=$(echo \"$result_tasks\" | sed 's/|/||/g')\n+# remove last three letters of every line to remove \" ||\"\n+result_tasks=$(echo \"$result_tasks\" | sed -r 's/.{3}$//')\n+# remove first letter | of every line\n+result_tasks=$(echo \"$result_tasks\" | sed -r 's/^.//')\n+# add |- in a new line between all lines\n+result_tasks=$(echo \"$result_tasks\" | sed ':a;N;$!ba;s/\\n/\\n|\\-\\n/g')\n+\n+# the actual email\n+cat < 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Systemd::Service[phabricator_stats_job_tech_news_weekly_stats]", "parameters": "--- Systemd::Service[phabricator_stats_job_tech_news_weekly_stats].orig\n+++ Systemd::Service[phabricator_stats_job_tech_news_weekly_stats]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => absent\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "content": "--- /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft.orig\n+++ /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft\n@@ -0,0 +1,4 @@\n+# Managed by puppet\n+# \n+ip saddr @CACHES_ipv4 tcp dport { 443 } notrack\n+ip6 saddr @CACHES_ipv6 tcp dport { 443 } notrack", "parameters": "--- File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft].orig\n+++ File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]\n\n+ notify => ['Service[nftables]']\n+ mode => 0444\n+ tag => nft\n+ owner => root\n+ ensure => present\n+ require => ['Nftables::Set[CACHES]']\n+ group => root\n"}, {"resource": "Admin::User[urbanecm]", "parameters": "--- Admin::User[urbanecm].orig\n+++ Admin::User[urbanecm]\n\n+ comment => Martin Urbanec\n+ ensure => present\n+ shell => /bin/bash\n+ ssh_keys => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKBGnnWotDTo/92I2MakxTAoBDYLbFA/+0uT2F5y4U5 urbanecm@LAPTOP-A3BHKQ07', 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFHTZ81VvnWUQtmYUfzIFUmtREeQoiC9hSAoI3fOrcK murbanec+prod@wmf']\n+ groups => []\n+ home_dir => /home/urbanecm\n+ gid => 500\n+ uid => 13367\n"}, {"resource": "Concat_fragment[/etc/bacula_puppet_agent_cert]", "parameters": "--- Concat_fragment[/etc/bacula_puppet_agent_cert].orig\n+++ Concat_fragment[/etc/bacula_puppet_agent_cert]\n\n+ order => 01\n+ tag => _etc_bacula_ssl_cert.pem\n+ source => /var/lib/puppet/ssl/certs/phab2003.codfw.wmnet.pem\n+ target => /etc/bacula/ssl/cert.pem\n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_community_metrics]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_community_metrics].orig\n+++ Systemd::Syslog[phabricator_stats_job_community_metrics]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Package[exim4-config]", "parameters": "--- Package[exim4-config].orig\n+++ Package[exim4-config]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "Concat_file[/etc/bacula/ssl/cert.pem]", "parameters": "--- Concat_file[/etc/bacula/ssl/cert.pem].orig\n+++ Concat_file[/etc/bacula/ssl/cert.pem]\n\n+ show_diff => True\n+ replace => True\n+ ensure_newline => False\n+ force => False\n+ format => plain\n+ mode => 0644\n+ tag => _etc_bacula_ssl_cert.pem\n+ order => alpha\n+ backup => puppet\n"}, {"resource": "File[/var/log/phabricator_stats_job_community_metrics]", "parameters": "--- File[/var/log/phabricator_stats_job_community_metrics].orig\n+++ File[/var/log/phabricator_stats_job_community_metrics]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Class[Profile::Phabricator::Main]", "parameters": "--- Class[Profile::Phabricator::Main].orig\n+++ Class[Profile::Phabricator::Main]\n\n+ altdom => phab.wmfusercontent.org\n+ mysql_master_port => 3306\n+ rate_limits => {'request': 0, 'connection': 0}\n+ gitlab_api_key => \n+ timezone => UTC\n+ remote_aphlict_domain => aphlict.discovery.wmnet\n+ mysql_slave_port => 3323\n+ passive_server => phab2002.codfw.wmnet\n+ apc_shm_size => 4096M\n+ phab_diffusion_ssh_host => git-ssh.wikimedia.org\n+ enable_vcs => True\n+ phd_taskmasters => 4\n+ domain => phabricator.wikimedia.org\n+ deploy_target => phabricator/deployment\n+ dump_enabled => False\n+ deploy_user => phab-deploy\n+ use_lvs => False\n+ database_datadir => /var/lib/mysql\n+ manage_scap_user => True\n+ aphlict_ssl => False\n+ local_aphlict_enabled => False\n+ http_srange => ['DEPLOYMENT_HOSTS']\n+ active_server => phab1004.eqiad.wmnet\n+ opcache_validate => 0\n+ mysql_slave => m3-slave.codfw.wmnet\n+ remote_aphlict_admin_port => 22281\n+ mysql_master => m3-master.codfw.wmnet\n+ phab_root_dir => /srv/phab\n+ default_mail_address => no-reply@phabricator.wikimedia.org\n"}, {"resource": "File[/etc/envoy/admin-config.yaml]", "content": "--- /etc/envoy/admin-config.yaml.orig\n+++ /etc/envoy/admin-config.yaml\n@@ -0,0 +1,10 @@\n+---\n+access_log:\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog\n+ path: \"/var/log/envoy/admin-access.log\"\n+address:\n+ socket_address:\n+ address: 0.0.0.0\n+ port_value: 9631\n+ignore_global_conn_limit: true", "parameters": "--- File[/etc/envoy/admin-config.yaml].orig\n+++ File[/etc/envoy/admin-config.yaml]\n\n+ notify => Exec[verify-envoy-config]\n+ mode => 0555\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/envoy/stats-config.yaml]", "parameters": "--- File[/etc/envoy/stats-config.yaml].orig\n+++ File[/etc/envoy/stats-config.yaml]\n\n+ notify => Exec[verify-envoy-config]\n+ mode => 0555\n+ source => puppet:///modules/envoyproxy/stats-config.yaml\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "Exec[update-safedir-gitconfig]", "parameters": "--- Exec[update-safedir-gitconfig].orig\n+++ Exec[update-safedir-gitconfig]\n\n+ refreshonly => True\n+ command => /bin/cat /etc/gitconfig.d/*.gitconfig > /etc/gitconfig\n"}, {"resource": "File[/var/spool/exim4]", "parameters": "--- File[/var/spool/exim4].orig\n+++ File[/var/spool/exim4]\n\n+ mode => 0751\n+ owner => Debian-exim\n+ ensure => directory\n+ require => Package[exim4-daemon-heavy]\n+ group => Debian-exim\n"}, {"resource": "Mount[/var/spool/exim4/db]", "parameters": "--- Mount[/var/spool/exim4/db].orig\n+++ Mount[/var/spool/exim4/db]\n\n+ atboot => True\n+ fstype => tmpfs\n+ ensure => mounted\n+ options => defaults\n+ before => Service[exim4]\n+ require => Exec[mkdir /var/spool/exim4/scan]\n+ device => none\n"}, {"resource": "File[/usr/local/sbin/build-envoy-config]", "parameters": "--- File[/usr/local/sbin/build-envoy-config].orig\n+++ File[/usr/local/sbin/build-envoy-config]\n\n+ mode => 0555\n+ source => puppet:///modules/envoyproxy/build_envoy_config.py\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "User[urbanecm]", "parameters": "--- User[urbanecm].orig\n+++ User[urbanecm]\n\n+ comment => Martin Urbanec\n+ managehome => False\n+ ensure => present\n+ shell => /bin/bash\n+ groups => []\n+ allowdupe => False\n+ gid => 500\n+ home => /home/urbanecm\n+ uid => 13367\n"}, {"resource": "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.timer]", "parameters": "--- Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.timer].orig\n+++ Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => phabricator_stats_job_quarterly_wmf_qls.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_aphlict]", "parameters": "--- Systemd::Timer[wmf_auto_restart_aphlict].orig\n+++ Systemd::Timer[wmf_auto_restart_aphlict]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 11:39:00'}]\n+ accuracy => 15sec\n+ fixed_random_delay => False\n+ ensure => absent\n+ unit_name => wmf_auto_restart_aphlict.service\n+ splay => 0\n"}, {"resource": "Systemd::Service[phabricator_clean_tmp_files]", "parameters": "--- Systemd::Service[phabricator_clean_tmp_files].orig\n+++ Systemd::Service[phabricator_clean_tmp_files]\n\n+ override => False\n+ restart => False\n+ monitoring_critical => False\n+ ensure => present\n+ monitoring_enabled => False\n+ migration_task => T407130\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[phabricator_clean_tmp_files.service]\n+ monitoring_contact_group => admins\n"}, {"resource": "File[/etc/phab_quarterly_wmf_qls.conf]", "content": "--- /etc/phab_quarterly_wmf_qls.conf.orig\n+++ /etc/phab_quarterly_wmf_qls.conf\n@@ -0,0 +1,7 @@\n+declare rcpt_address='aramirez@wikimedia.org,cbogen@wikimedia.org,mcollins@wikimedia.org,aklapper@wikimedia.org'\n+declare sndr_address='aklapper@wikimedia.org'\n+declare sql_host='m3-slave.codfw.wmnet'\n+declare sql_port='3323'\n+declare sql_user='metrics_user'\n+declare sql_name='phabricator_maniphest'\n+declare sql_pass='metrics_pass'", "parameters": "--- File[/etc/phab_quarterly_wmf_qls.conf].orig\n+++ File[/etc/phab_quarterly_wmf_qls.conf]\n\n+ mode => 0550\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]", "parameters": "--- File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem].orig\n+++ File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]\n\n+ mode => 0440\n+ owner => envoy\n+ ensure => file\n+ group => envoy\n"}, {"resource": "Class[Profile::Envoy]", "parameters": "--- Class[Profile::Envoy].orig\n+++ Class[Profile::Envoy]\n\n+ runtime => {}\n+ require => ['Class[Profile::Tcp_fast_open]']\n+ cluster => misc\n+ ensure => present\n"}, {"resource": "Systemd::Unit[rsync-phabricator-home-dirs.timer]", "parameters": "--- Systemd::Unit[rsync-phabricator-home-dirs.timer].orig\n+++ Systemd::Unit[rsync-phabricator-home-dirs.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ restart => False\n+ ensure => absent\n+ unit => rsync-phabricator-home-dirs.timer\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/var/log/backup-home-dirs]", "parameters": "--- File[/var/log/backup-home-dirs].orig\n+++ File[/var/log/backup-home-dirs]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "Systemd::Unit[envoyproxy.service]", "parameters": "--- Systemd::Unit[envoyproxy.service].orig\n+++ Systemd::Unit[envoyproxy.service]\n\n+ override_filename => puppet-override.conf\n+ override => True\n+ restart => False\n+ ensure => present\n+ unit => envoyproxy.service\n+ require => ['Class[Systemd]']\n"}, {"resource": "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service]", "content": "--- /lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service.orig\n+++ /lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=phabricator statistics mail - tech_news_weekly_stats\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/tech_news_weekly_stats.sh", "parameters": "--- File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service].orig\n+++ File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service]\n\n+ notify => Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/var/log/phabricator_stats_job_quarterly_metrics]", "parameters": "--- File[/var/log/phabricator_stats_job_quarterly_metrics].orig\n+++ File[/var/log/phabricator_stats_job_quarterly_metrics]\n\n+ mode => 0755\n+ owner => root\n+ ensure => absent\n+ force => True\n+ backup => False\n+ group => root\n"}, {"resource": "File[/etc/envoy/runtime.yaml]", "content": "--- /etc/envoy/runtime.yaml.orig\n+++ /etc/envoy/runtime.yaml\n@@ -0,0 +1 @@\n+--- {}", "parameters": "--- File[/etc/envoy/runtime.yaml].orig\n+++ File[/etc/envoy/runtime.yaml]\n\n+ notify => Exec[verify-envoy-config]\n+ mode => 0555\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "Httpd::Site[phabricator]", "parameters": "--- Httpd::Site[phabricator].orig\n+++ Httpd::Site[phabricator]\n\n+ require => ['Package[phabricator/deployment]']\n+ priority => 50\n+ ensure => present\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_aphlict]", "content": "--- /etc/logrotate.d/wmf_auto_restart_aphlict.orig\n+++ /etc/logrotate.d/wmf_auto_restart_aphlict\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for wmf_auto_restart_aphlict\n+\n+/var/log/wmf_auto_restart_aphlict/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_aphlict].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_aphlict]\n\n+ mode => 0444\n+ owner => root\n+ ensure => absent\n+ group => root\n"}, {"resource": "File[/etc/ssh/userkeys/urbanecm]", "content": "--- /etc/ssh/userkeys/urbanecm.orig\n+++ /etc/ssh/userkeys/urbanecm\n@@ -0,0 +1,2 @@\n+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKBGnnWotDTo/92I2MakxTAoBDYLbFA/+0uT2F5y4U5 urbanecm@LAPTOP-A3BHKQ07\n+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFHTZ81VvnWUQtmYUfzIFUmtREeQoiC9hSAoI3fOrcK murbanec+prod@wmf", "parameters": "--- File[/etc/ssh/userkeys/urbanecm].orig\n+++ File[/etc/ssh/userkeys/urbanecm]\n\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ show_diff => False\n+ force => True\n+ group => root\n"}, {"resource": "Prometheus::Blackbox::Check::Tcp[phabricator-smtp]", "parameters": "--- Prometheus::Blackbox::Check::Tcp[phabricator-smtp].orig\n+++ Prometheus::Blackbox::Check::Tcp[phabricator-smtp]\n\n+ severity => task\n+ alert_after => 2m\n+ port => 25\n+ ip_families => ['ip4', 'ip6']\n+ use_client_auth => False\n+ client_auth_cert => /etc/prometheus/ssl/cert.pem\n+ client_auth_key => /etc/prometheus/ssl/server.key\n+ probe_runbook => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n+ server_name => phab2003\n+ certificate_expiry_days => 10\n+ timeout => 3s\n+ ip4 => 10.192.27.12\n+ team => collaboration-services\n+ ip6 => 2620:0:860:114:10:192:27:12\n+ force_tls => False\n+ site => codfw\n+ instance_label => phab2003\n+ prometheus_instance => ops\n"}, {"resource": "Service[exim4]", "parameters": "--- Service[exim4].orig\n+++ Service[exim4]\n\n+ require => Package[exim4-daemon-heavy]\n+ hasstatus => True\n+ ensure => running\n"}, {"resource": "Package[subversion]", "parameters": "--- Package[subversion].orig\n+++ Package[subversion]\n\n+ provider => apt\n+ ensure => present\n"}, {"resource": "Systemd::Syslog[phabricator_stats_job_quarterly_wmf_qls]", "parameters": "--- Systemd::Syslog[phabricator_stats_job_quarterly_wmf_qls].orig\n+++ Systemd::Syslog[phabricator_stats_job_quarterly_wmf_qls]\n\n+ readable_by => all\n+ ensure => absent\n+ programname_comparison => startswith\n+ log_filename => syslog.log\n+ force_stop => True\n+ owner => root\n+ group => root\n+ base_dir => /var/log\n"}, {"resource": "Class[Phabricator::Phd]", "parameters": "--- Class[Phabricator::Phd].orig\n+++ Class[Phabricator::Phd]\n\n+ basedir => /srv/phab\n+ require => ['Package[phabricator/deployment]']\n+ phd_log_dir => /var/log/phd\n+ phd_user => phd\n"}, {"resource": "File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml]", "content": "--- /etc/envoy/clusters.d/00-cluster_local_port_80.yaml.orig\n+++ /etc/envoy/clusters.d/00-cluster_local_port_80.yaml\n@@ -0,0 +1,13 @@\n+name: local_port_80\n+connect_timeout: 1.0s\n+type: strict_dns\n+lb_policy: round_robin\n+load_assignment:\n+ cluster_name: local_port_80\n+ endpoints:\n+ - lb_endpoints:\n+ - endpoint:\n+ address:\n+ socket_address:\n+ address: phab2003.codfw.wmnet\n+ port_value: 80", "parameters": "--- File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml].orig\n+++ File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml]\n\n+ notify => Exec[verify-envoy-config]\n+ mode => 0444\n+ owner => root\n+ ensure => present\n+ group => root\n"}, {"resource": "File[/etc/ssh/userkeys/gjg]", "content": "--- /etc/ssh/userkeys/gjg.orig\n+++ /etc/ssh/userkeys/gjg\n@@ -0,0 +1 @@\n+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPul+urK7qgLY7UucRRj9SljZFB/DWpMKZ1KMragNGbc greg@carbon12", "parameters": "--- File[/etc/ssh/userkeys/gjg].orig\n+++ File[/etc/ssh/userkeys/gjg]\n\n+ mode => 0444\n+ owner => root\n+ ensure => file\n+ show_diff => False\n+ force => True\n+ group => root\n"}], "perc_changed": "33.57%"}, "core": {"total": 3250, "only_in_self": ["File[/etc/update-motd.d/05-phabricator--migration]", "File[/var/lib/scap/scap/bin]", "File[/var/lib/scap/scap]"], "only_in_other": ["Concat[/etc/bacula/ssl/cert.pem]", "Concat[/etc/rsyncd.conf]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/rsyncd.conf]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[/etc/rsyncd.conf-header]", "Concat_fragment[/etc/rsyncd.conf-srv-dumps]", "Exec[/srv/phab/libext/ava/src_static_dir_exists]", "Exec[/srv/phab/libext/misc_static_dir_exists]", "Exec[/srv/phab/libext/translations/src_static_dir_exists]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]", "Exec[apt_update_php]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "Exec[create-/etc/bacula-keypair]", "Exec[mask_phd.service]", "Exec[mkdir /var/spool/exim4/scan]", "Exec[phab-git-safedir]", "Exec[phabricator-admin_ensure_members]", "Exec[phabricator-bulk-manager_ensure_members]", "Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]", "Exec[systemd daemon-reload for aphlict.service (aphlict)]", "Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]", "Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]", "Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]", "Exec[systemd daemon-reload for phd.service (phd)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]", "Exec[update-gitconfig]", "Exec[update-safedir-gitconfig]", "Exec[update-sysusers-vcs]", "Exec[verify-envoy-config]", "File[/etc/apache2/sites-available/50-phabricator.conf]", "File[/etc/apache2/sites-enabled/50-phabricator.conf]", "File[/etc/bacula/bacula-fd.conf]", "File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/default/exim4]", "File[/etc/default/prometheus-apache-exporter]", "File[/etc/default/rsync]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/exim4/aliases]", "File[/etc/exim4/dkim]", "File[/etc/exim4/exim4.conf]", "File[/etc/exim4/system_filter]", "File[/etc/exim4/update-exim4.conf.conf]", "File[/etc/gitconfig.d/00-header.gitconfig]", "File[/etc/gitconfig.d/10-setup_proxy.gitconfig]", "File[/etc/gitconfig.d]", "File[/etc/logrotate.d/aphlict]", "File[/etc/logrotate.d/backup-home-dirs]", "File[/etc/logrotate.d/envoy]", "File[/etc/logrotate.d/exim4-paniclog]", "File[/etc/logrotate.d/phabricator_clean_tmp_files]", "File[/etc/logrotate.d/phabricator_stats_job_community_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_project_changes]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls]", "File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats]", "File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics]", "File[/etc/logrotate.d/phabricator_task_dump]", "File[/etc/logrotate.d/phd]", "File[/etc/logrotate.d/rsync-phabricator-home-dirs]", "File[/etc/logrotate.d/rsync-phabricator-repos]", "File[/etc/logrotate.d/wmf_auto_restart_aphlict]", "File[/etc/logrotate.d/wmf_auto_restart_envoyproxy]", "File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter]", "File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/input/10_phabmain-smtp.nft]", "File[/etc/nftables/input/10_phabmain_http.nft]", "File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft]", "File[/etc/nftables/input/10_ssh_cluster.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/phab_community_metrics.conf]", "File[/etc/phab_epipe.conf]", "File[/etc/phab_project_changes.conf]", "File[/etc/phab_quarterly_metrics.conf]", "File[/etc/phab_quarterly_wmf_qls.conf]", "File[/etc/phab_tech_news_weekly_stats.conf]", "File[/etc/phab_yearly_metrics.conf]", "File[/etc/phabricator/config.yaml]", "File[/etc/phabricator]", "File[/etc/phabtools.conf]", "File[/etc/rsync.d]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-access.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-error.conf]", "File[/etc/rsyslog.d/40-backup-home-dirs.conf]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-task-dump.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf]", "File[/etc/ssh/userkeys/gjg]", "File[/etc/ssh/userkeys/mbinder]", "File[/etc/ssh/userkeys/urbanecm]", "File[/etc/sudoers.d/phabricator-admin]", "File[/etc/sudoers.d/phabricator-bulk-manager]", "File[/etc/sudoers.d/vcs]", "File[/etc/sudoers.d/www-data]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/sysctl.d/70-phabricator-network-tuning.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/etc/sysusers.d/vcs.conf]", "File[/etc/update-motd.d/05-phabricator]", "File[/etc/update-motd.d/06-backups-home]", "File[/etc/update-motd.d/06-backups-srv-repos]", "File[/home/aklapper/.my.cnf]", "File[/home/gjg/.my.cnf]", "File[/home/gjg]", "File[/home/mbinder]", "File[/home/urbanecm/.my.cnf]", "File[/home/urbanecm]", "File[/lib/systemd/system/aphlict.service]", "File[/lib/systemd/system/backup-home-dirs.service]", "File[/lib/systemd/system/backup-home-dirs.timer]", "File[/lib/systemd/system/phabricator_clean_tmp_files.service]", "File[/lib/systemd/system/phabricator_clean_tmp_files.timer]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.service]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer]", "File[/lib/systemd/system/phabricator_task_dump.service]", "File[/lib/systemd/system/phabricator_task_dump.timer]", "File[/lib/systemd/system/phd.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.timer]", "File[/lib/systemd/system/rsync-phabricator-repos.service]", "File[/lib/systemd/system/rsync-phabricator-repos.timer]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.service]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.timer]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer]", "File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC]", "File[/srv/dumps]", "File[/srv/homes]", "File[/srv/phab/aphlict/config.json]", "File[/srv/phab/phabricator//support/aphlict/server/node_modules]", "File[/srv/phab/phabricator/scripts/]", "File[/srv/phab/phabricator/scripts/daemon/]", "File[/srv/phab/phabricator/scripts/mail/]", "File[/srv/phab/phabricator/scripts/repository/]", "File[/srv/phab/phabricator/scripts/ssh/]", "File[/srv/phab/tools/public_task_dump.py]", "File[/srv/repos]", "File[/usr/libexec/phabricator-ssh-hook.sh]", "File[/usr/libexec]", "File[/usr/local/bin/arc]", "File[/usr/local/bin/backup-home-dirs]", "File[/usr/local/bin/chk_phuser]", "File[/usr/local/bin/community_metrics.sh]", "File[/usr/local/bin/git-http-backend]", "File[/usr/local/bin/phab_epipe.py]", "File[/usr/local/bin/phab_git_safedir.sh]", "File[/usr/local/bin/project_changes.sh]", "File[/usr/local/bin/quarterly_metrics.sh]", "File[/usr/local/bin/quarterly_wmf_qls.sh]", "File[/usr/local/bin/tech_news_weekly_stats.sh]", "File[/usr/local/bin/yearly_metrics.sh]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/aphlict/]", "File[/var/log/backup-home-dirs]", "File[/var/log/envoy]", "File[/var/log/phabricator_clean_tmp_files]", "File[/var/log/phabricator_stats_job_community_metrics]", "File[/var/log/phabricator_stats_job_project_changes]", "File[/var/log/phabricator_stats_job_quarterly_metrics]", "File[/var/log/phabricator_stats_job_quarterly_wmf_qls]", "File[/var/log/phabricator_stats_job_tech_news_weekly_stats]", "File[/var/log/phabricator_stats_job_yearly_metrics]", "File[/var/log/phabricator_task_dump]", "File[/var/log/phd/ssh.log]", "File[/var/log/phd]", "File[/var/log/rsync-phabricator-home-dirs]", "File[/var/log/rsync-phabricator-repos]", "File[/var/log/wmf_auto_restart_aphlict]", "File[/var/log/wmf_auto_restart_envoyproxy]", "File[/var/log/wmf_auto_restart_prometheus-apache-exporter]", "File[/var/run/aphlict/]", "File[/var/spool/exim4/db]", "File[/var/spool/exim4/scan]", "File[/var/spool/exim4]", "File_line[auto_restart_file_presence_aphlict]", "File_line[auto_restart_file_presence_envoyproxy]", "File_line[auto_restart_file_presence_prometheus-apache-exporter]", "File_line[deselect_dst_root_ca_x3]", "Group[aphlict]", "Group[phabricator-admin]", "Group[phabricator-bulk-manager]", "Group[vcs]", "Mailalias[root]", "Mount[/var/spool/exim4/db]", "Mount[/var/spool/exim4/scan]", "Package[apachetop]", "Package[bacula-fd]", "Package[envoyproxy]", "Package[exim4-config]", "Package[exim4-daemon-heavy]", "Package[mariadb-client]", "Package[nodejs]", "Package[prometheus-apache-exporter]", "Package[python3-mysqldb]", "Package[python3-phabricator]", "Package[python3-pygments]", "Package[python3-pymysql]", "Package[s-nail]", "Package[subversion]", "Service[aphlict]", "Service[backup-home-dirs.timer]", "Service[bacula-fd]", "Service[envoyproxy.service]", "Service[exim4]", "Service[phabricator_clean_tmp_files.timer]", "Service[phabricator_stats_job_community_metrics.timer]", "Service[phabricator_stats_job_project_changes.timer]", "Service[phabricator_stats_job_quarterly_metrics.timer]", "Service[phabricator_stats_job_quarterly_wmf_qls.timer]", "Service[phabricator_stats_job_tech_news_weekly_stats.timer]", "Service[phabricator_stats_job_yearly_metrics.timer]", "Service[phabricator_task_dump.timer]", "Service[phd]", "Service[prometheus-apache-exporter]", "Service[rsync-phabricator-home-dirs.timer]", "Service[rsync-phabricator-repos.timer]", "Service[rsync]", "Service[wmf_auto_restart_aphlict.timer]", "Service[wmf_auto_restart_envoyproxy.timer]", "Service[wmf_auto_restart_prometheus-apache-exporter.timer]", "User[aphlict]", "User[gjg]", "User[mbinder]", "User[urbanecm]", "User[vcs]"], "resource_diffs": [{"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::phabricator::migration:\n+role::phabricator:\n - Collaboration Services"}, {"resource": "File[/srv/phab]", "parameters": "--- File[/srv/phab].orig\n+++ File[/srv/phab]\n\n+ require => Package[phabricator/deployment]\n"}, {"resource": "File[/etc/resolv.conf]", "content": "--- /etc/resolv.conf.orig\n+++ /etc/resolv.conf\n@@ -2,6 +2,6 @@\n #### THIS FILE IS MANAGED BY PUPPET\n #### as template('resolvconf/resolv.conf.erb')\n #####################################################################\n-search codfw.wmnet \n+search codfw.wmnet eqiad.wmnet\n options timeout:1 attempts:3 ndots:1\n nameserver 10.3.0.1"}, {"resource": "File[/etc/php/8.2/mods-available/apcu.ini]", "content": "--- /etc/php/8.2/mods-available/apcu.ini.orig\n+++ /etc/php/8.2/mods-available/apcu.ini\n@@ -2,5 +2,6 @@\n ;\n ; configuration for the apcu PHP extension\n ; priority=20\n+apc.shm_size = 4096M\n extension = apcu.so\n "}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"collaboration-services\",role=\"phabricator::migration\",cluster=\"misc\"} 1.0\n+role_owner{team=\"collaboration-services\",role=\"phabricator\",cluster=\"misc\"} 1.0"}, {"resource": "File[/etc/phabricator/script-vars]", "content": "--- /etc/phabricator/script-vars.orig\n+++ /etc/phabricator/script-vars\n@@ -2,6 +2,6 @@\n # Sourced by /usr/local/sbin/phab_deploy_* scripts\n #\n PHAB_DIR='/srv/phab'\n-PHAB_STORAGE_USER='phadmin'\n-PHAB_STORAGE_PASS='fakefakefake'\n+PHAB_STORAGE_USER='admin_user'\n+PHAB_STORAGE_PASS='admin_pass'\n PHAB_DEPLOY_USER='phab-deploy'"}], "perc_changed": "9.48%"}, "main": {"total": 3250, "only_in_self": ["Class[Passwords::Mysql::Phorge_testdb]", "Class[Profile::Phabricator::Migration]", "Class[Role::Phabricator::Migration]", "File[/etc/update-motd.d/05-phabricator--migration]", "File[/var/lib/scap/scap/bin]", "File[/var/lib/scap/scap]", "Motd::Message[phabricator::migration]", "Motd::Script[phabricator::migration]"], "only_in_other": ["Admin::Group[phabricator-admin]", "Admin::Group[phabricator-bulk-manager]", "Admin::Groupmembers[phabricator-admin]", "Admin::Groupmembers[phabricator-bulk-manager]", "Admin::Hashgroup[phabricator-admin]", "Admin::Hashgroup[phabricator-bulk-manager]", "Admin::Hashuser[gjg]", "Admin::Hashuser[mbinder]", "Admin::Hashuser[urbanecm]", "Admin::User[gjg]", "Admin::User[mbinder]", "Admin::User[urbanecm]", "Backup::Set[home]", "Backup::Set[srv-repos]", "Bacula::Client::Job[home-Monthly-1st-Wed-productionEqiad]", "Bacula::Client::Job[srv-repos-Monthly-1st-Wed-productionEqiad]", "Cfssl::Cert[discovery2026__phabricator_discovery_wmnet_server]", "Cfssl::Csr[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "Class[Bacula::Client]", "Class[Envoyproxy]", "Class[Exim4]", "Class[Git::Globalconfig]", "Class[Passwords::Mysql::Phabricator]", "Class[Phabricator::Aphlict]", "Class[Phabricator::Config]", "Class[Phabricator::Mailrelay]", "Class[Phabricator::Phd]", "Class[Phabricator::Tools]", "Class[Phabricator::Vcs]", "Class[Phabricator]", "Class[Profile::Backup::Host]", "Class[Profile::Envoy]", "Class[Profile::Phabricator::Datasync]", "Class[Profile::Phabricator::Logmail]", "Class[Profile::Phabricator::Main]", "Class[Profile::Phabricator::Monitoring]", "Class[Profile::Phabricator::Performance]", "Class[Profile::Prometheus::Apache_exporter]", "Class[Profile::Tcp_fast_open]", "Class[Profile::Tlsproxy::Envoy]", "Class[Role::Phabricator]", "Class[Rsync::Server]", "Class[Sslcert::Ca_deselect_dstx3]", "Concat::Fragment[/etc/bacula_puppet_agent_cert]", "Concat::Fragment[/etc/bacula_puppet_ca_chain]", "Concat::Fragment[/etc/rsyncd.conf-header]", "Concat::Fragment[/etc/rsyncd.conf-srv-dumps]", "Concat[/etc/bacula/ssl/cert.pem]", "Concat[/etc/rsyncd.conf]", "Concat_file[/etc/bacula/ssl/cert.pem]", "Concat_file[/etc/rsyncd.conf]", "Concat_fragment[/etc/bacula_puppet_agent_cert]", "Concat_fragment[/etc/bacula_puppet_ca_chain]", "Concat_fragment[/etc/rsyncd.conf-header]", "Concat_fragment[/etc/rsyncd.conf-srv-dumps]", "Envoyproxy::Cluster[cluster_local_port_80]", "Envoyproxy::Conf[cluster_local_port_80]", "Envoyproxy::Conf[tls_terminator_443]", "Envoyproxy::Listener[tls_terminator_443]", "Envoyproxy::Tls_terminator[443]", "Exec[/srv/phab/libext/ava/src_static_dir_exists]", "Exec[/srv/phab/libext/misc_static_dir_exists]", "Exec[/srv/phab/libext/translations/src_static_dir_exists]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh on intermediate ca change]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server refresh]", "Exec[Generate cert discovery2026__phabricator_discovery_wmnet_server]", "Exec[apt_update_php]", "Exec[create chained cert /etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "Exec[create-/etc/bacula-keypair]", "Exec[mask_phd.service]", "Exec[mkdir /var/spool/exim4/scan]", "Exec[phab-git-safedir]", "Exec[phabricator-admin_ensure_members]", "Exec[phabricator-bulk-manager_ensure_members]", "Exec[renew certificate - discovery2026__phabricator_discovery_wmnet_server]", "Exec[systemd daemon-reload for aphlict.service (aphlict)]", "Exec[systemd daemon-reload for backup-home-dirs.service (backup-home-dirs.service)]", "Exec[systemd daemon-reload for backup-home-dirs.timer (backup-home-dirs.timer)]", "Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.service (phabricator_clean_tmp_files.service)]", "Exec[systemd daemon-reload for phabricator_clean_tmp_files.timer (phabricator_clean_tmp_files.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.service (phabricator_stats_job_community_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_community_metrics.timer (phabricator_stats_job_community_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.service (phabricator_stats_job_project_changes.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_project_changes.timer (phabricator_stats_job_project_changes.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.service (phabricator_stats_job_quarterly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_metrics.timer (phabricator_stats_job_quarterly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.service (phabricator_stats_job_quarterly_wmf_qls.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_quarterly_wmf_qls.timer (phabricator_stats_job_quarterly_wmf_qls.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.service (phabricator_stats_job_tech_news_weekly_stats.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_tech_news_weekly_stats.timer (phabricator_stats_job_tech_news_weekly_stats.timer)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.service (phabricator_stats_job_yearly_metrics.service)]", "Exec[systemd daemon-reload for phabricator_stats_job_yearly_metrics.timer (phabricator_stats_job_yearly_metrics.timer)]", "Exec[systemd daemon-reload for phabricator_task_dump.service (phabricator_task_dump.service)]", "Exec[systemd daemon-reload for phabricator_task_dump.timer (phabricator_task_dump.timer)]", "Exec[systemd daemon-reload for phd.service (phd)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.service (rsync-phabricator-home-dirs.service)]", "Exec[systemd daemon-reload for rsync-phabricator-home-dirs.timer (rsync-phabricator-home-dirs.timer)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.service (rsync-phabricator-repos.service)]", "Exec[systemd daemon-reload for rsync-phabricator-repos.timer (rsync-phabricator-repos.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.service (wmf_auto_restart_aphlict.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_aphlict.timer (wmf_auto_restart_aphlict.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.service (wmf_auto_restart_envoyproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_envoyproxy.timer (wmf_auto_restart_envoyproxy.timer)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.service (wmf_auto_restart_prometheus-apache-exporter.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_prometheus-apache-exporter.timer (wmf_auto_restart_prometheus-apache-exporter.timer)]", "Exec[update-gitconfig]", "Exec[update-safedir-gitconfig]", "Exec[update-sysusers-vcs]", "Exec[verify-envoy-config]", "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "Ferm::Service[envoy_tls_termination_src_sets]", "Ferm::Service[phabmain_http]", "Ferm::Service[phabmain_smtp]", "Ferm::Service[rsyncd_access_srv_dumps]", "Ferm::Service[ssh_cluster]", "File[/etc/apache2/sites-available/50-phabricator.conf]", "File[/etc/apache2/sites-enabled/50-phabricator.conf]", "File[/etc/bacula/bacula-fd.conf]", "File[/etc/bacula/ssl/server-keypair.pem]", "File[/etc/bacula/ssl/server.key]", "File[/etc/bacula/ssl/server.p12]", "File[/etc/bacula/ssl]", "File[/etc/cfssl/csr/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/default/exim4]", "File[/etc/default/prometheus-apache-exporter]", "File[/etc/default/rsync]", "File[/etc/envoy/admin-config.yaml]", "File[/etc/envoy/clusters.d/00-cluster_local_port_80.yaml]", "File[/etc/envoy/clusters.d]", "File[/etc/envoy/envoy.yaml]", "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "File[/etc/envoy/listeners.d]", "File[/etc/envoy/runtime.yaml]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server-key.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chain.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.chained.pem]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.csr]", "File[/etc/envoy/ssl/discovery2026__phabricator_discovery_wmnet_server.pem]", "File[/etc/envoy/ssl]", "File[/etc/envoy/stats-config.yaml]", "File[/etc/envoy]", "File[/etc/exim4/aliases]", "File[/etc/exim4/dkim]", "File[/etc/exim4/exim4.conf]", "File[/etc/exim4/system_filter]", "File[/etc/exim4/update-exim4.conf.conf]", "File[/etc/gitconfig.d/00-header.gitconfig]", "File[/etc/gitconfig.d/10-setup_proxy.gitconfig]", "File[/etc/gitconfig.d]", "File[/etc/logrotate.d/aphlict]", "File[/etc/logrotate.d/backup-home-dirs]", "File[/etc/logrotate.d/envoy]", "File[/etc/logrotate.d/exim4-paniclog]", "File[/etc/logrotate.d/phabricator_clean_tmp_files]", "File[/etc/logrotate.d/phabricator_stats_job_community_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_project_changes]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_metrics]", "File[/etc/logrotate.d/phabricator_stats_job_quarterly_wmf_qls]", "File[/etc/logrotate.d/phabricator_stats_job_tech_news_weekly_stats]", "File[/etc/logrotate.d/phabricator_stats_job_yearly_metrics]", "File[/etc/logrotate.d/phabricator_task_dump]", "File[/etc/logrotate.d/phd]", "File[/etc/logrotate.d/rsync-phabricator-home-dirs]", "File[/etc/logrotate.d/rsync-phabricator-repos]", "File[/etc/logrotate.d/wmf_auto_restart_aphlict]", "File[/etc/logrotate.d/wmf_auto_restart_envoyproxy]", "File[/etc/logrotate.d/wmf_auto_restart_prometheus-apache-exporter]", "File[/etc/nftables/input/10_bacula-file-daemon-backup1014.eqiad.wmnet.nft]", "File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]", "File[/etc/nftables/input/10_phabmain-smtp.nft]", "File[/etc/nftables/input/10_phabmain_http.nft]", "File[/etc/nftables/input/10_rsyncd_access_srv-dumps.nft]", "File[/etc/nftables/input/10_ssh_cluster.nft]", "File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]", "File[/etc/phab_community_metrics.conf]", "File[/etc/phab_epipe.conf]", "File[/etc/phab_project_changes.conf]", "File[/etc/phab_quarterly_metrics.conf]", "File[/etc/phab_quarterly_wmf_qls.conf]", "File[/etc/phab_tech_news_weekly_stats.conf]", "File[/etc/phab_yearly_metrics.conf]", "File[/etc/phabricator/config.yaml]", "File[/etc/phabricator]", "File[/etc/phabtools.conf]", "File[/etc/rsync.d]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-access.conf]", "File[/etc/rsyslog.d/10-input-file-apache2-error.conf]", "File[/etc/rsyslog.d/40-backup-home-dirs.conf]", "File[/etc/rsyslog.d/40-envoy.conf]", "File[/etc/rsyslog.d/40-phabricator-clean-tmp-files.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-community-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-project-changes.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-quarterly-wmf-qls.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-tech-news-weekly-stats.conf]", "File[/etc/rsyslog.d/40-phabricator-stats-job-yearly-metrics.conf]", "File[/etc/rsyslog.d/40-phabricator-task-dump.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-home-dirs.conf]", "File[/etc/rsyslog.d/40-rsync-phabricator-repos.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-aphlict.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-envoyproxy.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-prometheus-apache-exporter.conf]", "File[/etc/ssh/userkeys/gjg]", "File[/etc/ssh/userkeys/mbinder]", "File[/etc/ssh/userkeys/urbanecm]", "File[/etc/sudoers.d/phabricator-admin]", "File[/etc/sudoers.d/phabricator-bulk-manager]", "File[/etc/sudoers.d/vcs]", "File[/etc/sudoers.d/www-data]", "File[/etc/sysctl.d/70-TCP-Fast-Open.conf]", "File[/etc/sysctl.d/70-phabricator-network-tuning.conf]", "File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/envoyproxy.service.d]", "File[/etc/sysusers.d/vcs.conf]", "File[/etc/update-motd.d/05-phabricator]", "File[/etc/update-motd.d/06-backups-home]", "File[/etc/update-motd.d/06-backups-srv-repos]", "File[/home/aklapper/.my.cnf]", "File[/home/gjg/.my.cnf]", "File[/home/gjg]", "File[/home/mbinder]", "File[/home/urbanecm/.my.cnf]", "File[/home/urbanecm]", "File[/lib/systemd/system/aphlict.service]", "File[/lib/systemd/system/backup-home-dirs.service]", "File[/lib/systemd/system/backup-home-dirs.timer]", "File[/lib/systemd/system/phabricator_clean_tmp_files.service]", "File[/lib/systemd/system/phabricator_clean_tmp_files.timer]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_community_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.service]", "File[/lib/systemd/system/phabricator_stats_job_project_changes.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_metrics.timer]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.service]", "File[/lib/systemd/system/phabricator_stats_job_quarterly_wmf_qls.timer]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.service]", "File[/lib/systemd/system/phabricator_stats_job_tech_news_weekly_stats.timer]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.service]", "File[/lib/systemd/system/phabricator_stats_job_yearly_metrics.timer]", "File[/lib/systemd/system/phabricator_task_dump.service]", "File[/lib/systemd/system/phabricator_task_dump.timer]", "File[/lib/systemd/system/phd.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.service]", "File[/lib/systemd/system/rsync-phabricator-home-dirs.timer]", "File[/lib/systemd/system/rsync-phabricator-repos.service]", "File[/lib/systemd/system/rsync-phabricator-repos.timer]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.service]", "File[/lib/systemd/system/wmf_auto_restart_aphlict.timer]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_envoyproxy.timer]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.service]", "File[/lib/systemd/system/wmf_auto_restart_prometheus-apache-exporter.timer]", "File[/srv/dumps/WARNING_NEVER_PUT_PRIVATE_DATA_HERE_THIS_IS_SYNCED_TO_PUBLIC]", "File[/srv/dumps]", "File[/srv/homes]", "File[/srv/phab/aphlict/config.json]", "File[/srv/phab/phabricator//support/aphlict/server/node_modules]", "File[/srv/phab/phabricator/scripts/]", "File[/srv/phab/phabricator/scripts/daemon/]", "File[/srv/phab/phabricator/scripts/mail/]", "File[/srv/phab/phabricator/scripts/repository/]", "File[/srv/phab/phabricator/scripts/ssh/]", "File[/srv/phab/tools/public_task_dump.py]", "File[/srv/repos]", "File[/usr/libexec/phabricator-ssh-hook.sh]", "File[/usr/libexec]", "File[/usr/local/bin/arc]", "File[/usr/local/bin/backup-home-dirs]", "File[/usr/local/bin/chk_phuser]", "File[/usr/local/bin/community_metrics.sh]", "File[/usr/local/bin/git-http-backend]", "File[/usr/local/bin/phab_epipe.py]", "File[/usr/local/bin/phab_git_safedir.sh]", "File[/usr/local/bin/project_changes.sh]", "File[/usr/local/bin/quarterly_metrics.sh]", "File[/usr/local/bin/quarterly_wmf_qls.sh]", "File[/usr/local/bin/tech_news_weekly_stats.sh]", "File[/usr/local/bin/yearly_metrics.sh]", "File[/usr/local/sbin/build-envoy-config]", "File[/usr/local/sbin/envoyproxy-hot-restarter]", "File[/usr/local/sbin/envoyproxy-start]", "File[/var/log/aphlict/]", "File[/var/log/backup-home-dirs]", "File[/var/log/envoy]", "File[/var/log/phabricator_clean_tmp_files]", "File[/var/log/phabricator_stats_job_community_metrics]", "File[/var/log/phabricator_stats_job_project_changes]", "File[/var/log/phabricator_stats_job_quarterly_metrics]", "File[/var/log/phabricator_stats_job_quarterly_wmf_qls]", "File[/var/log/phabricator_stats_job_tech_news_weekly_stats]", "File[/var/log/phabricator_stats_job_yearly_metrics]", "File[/var/log/phabricator_task_dump]", "File[/var/log/phd/ssh.log]", "File[/var/log/phd]", "File[/var/log/rsync-phabricator-home-dirs]", "File[/var/log/rsync-phabricator-repos]", "File[/var/log/wmf_auto_restart_aphlict]", "File[/var/log/wmf_auto_restart_envoyproxy]", "File[/var/log/wmf_auto_restart_prometheus-apache-exporter]", "File[/var/run/aphlict/]", "File[/var/spool/exim4/db]", "File[/var/spool/exim4/scan]", "File[/var/spool/exim4]", "File_line[auto_restart_file_presence_aphlict]", "File_line[auto_restart_file_presence_envoyproxy]", "File_line[auto_restart_file_presence_prometheus-apache-exporter]", "File_line[deselect_dst_root_ca_x3]", "Firewall::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Firewall::Service[envoy_tls_termination_src_sets]", "Firewall::Service[phabmain-smtp]", "Firewall::Service[phabmain_http]", "Firewall::Service[rsyncd_access_srv-dumps]", "Firewall::Service[ssh_cluster]", "Git::Systemconfig[setup proxy]", "Group[aphlict]", "Group[phabricator-admin]", "Group[phabricator-bulk-manager]", "Group[vcs]", "Httpd::Conf[phabricator]", "Httpd::Site[phabricator]", "Logrotate::Conf[aphlict]", "Logrotate::Conf[backup-home-dirs]", "Logrotate::Conf[envoy]", "Logrotate::Conf[exim4-paniclog]", "Logrotate::Conf[phabricator_clean_tmp_files]", "Logrotate::Conf[phabricator_stats_job_community_metrics]", "Logrotate::Conf[phabricator_stats_job_project_changes]", "Logrotate::Conf[phabricator_stats_job_quarterly_metrics]", "Logrotate::Conf[phabricator_stats_job_quarterly_wmf_qls]", "Logrotate::Conf[phabricator_stats_job_tech_news_weekly_stats]", "Logrotate::Conf[phabricator_stats_job_yearly_metrics]", "Logrotate::Conf[phabricator_task_dump]", "Logrotate::Conf[phd]", "Logrotate::Conf[rsync-phabricator-home-dirs]", "Logrotate::Conf[rsync-phabricator-repos]", "Logrotate::Conf[wmf_auto_restart_aphlict]", "Logrotate::Conf[wmf_auto_restart_envoyproxy]", "Logrotate::Conf[wmf_auto_restart_prometheus-apache-exporter]", "Mailalias[root]", "Motd::Message[phabricator]", "Motd::Script[backups-home]", "Motd::Script[backups-srv-repos]", "Motd::Script[phabricator]", "Mount[/var/spool/exim4/db]", "Mount[/var/spool/exim4/scan]", "Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Nftables::Service[envoy_tls_termination_src_sets]", "Nftables::Service[phabmain-smtp]", "Nftables::Service[phabmain_http]", "Nftables::Service[rsyncd_access_srv-dumps]", "Nftables::Service[ssh_cluster]", "Package[apachetop]", "Package[bacula-fd]", "Package[envoyproxy]", "Package[exim4-config]", "Package[exim4-daemon-heavy]", "Package[mariadb-client]", "Package[nodejs]", "Package[prometheus-apache-exporter]", "Package[python3-mysqldb]", "Package[python3-phabricator]", "Package[python3-pygments]", "Package[python3-pymysql]", "Package[s-nail]", "Package[subversion]", "Phabricator::Libext[/srv/phab/libext/ava/src]", "Phabricator::Libext[/srv/phab/libext/misc]", "Phabricator::Libext[/srv/phab/libext/translations/src]", "Phabricator::Logmail[community_metrics]", "Phabricator::Logmail[project_changes]", "Phabricator::Logmail[quarterly_metrics]", "Phabricator::Logmail[quarterly_wmf_qls]", "Phabricator::Logmail[tech_news_weekly_stats]", "Phabricator::Logmail[yearly_metrics]", "Profile::Auto_restarts::Service[aphlict]", "Profile::Auto_restarts::Service[envoyproxy]", "Profile::Auto_restarts::Service[prometheus-apache-exporter]", "Prometheus::Apache_exporter[default]", "Prometheus::Blackbox::Check::Tcp[phabricator-smtp]", "Puppet::Expose_agent_certs[/etc/bacula]", "Rsync::Quickdatacopy[phabricator-home-dirs]", "Rsync::Quickdatacopy[phabricator-repos]", "Rsync::Server::Module[srv-dumps]", "Rsyslog::Conf[backup-home-dirs]", "Rsyslog::Conf[envoy]", "Rsyslog::Conf[imfile]", "Rsyslog::Conf[input-file-apache2-access]", "Rsyslog::Conf[input-file-apache2-error]", "Rsyslog::Conf[phabricator_clean_tmp_files]", "Rsyslog::Conf[phabricator_stats_job_community_metrics]", "Rsyslog::Conf[phabricator_stats_job_project_changes]", "Rsyslog::Conf[phabricator_stats_job_quarterly_metrics]", "Rsyslog::Conf[phabricator_stats_job_quarterly_wmf_qls]", "Rsyslog::Conf[phabricator_stats_job_tech_news_weekly_stats]", "Rsyslog::Conf[phabricator_stats_job_yearly_metrics]", "Rsyslog::Conf[phabricator_task_dump]", "Rsyslog::Conf[rsync-phabricator-home-dirs]", "Rsyslog::Conf[rsync-phabricator-repos]", "Rsyslog::Conf[wmf_auto_restart_aphlict]", "Rsyslog::Conf[wmf_auto_restart_envoyproxy]", "Rsyslog::Conf[wmf_auto_restart_prometheus-apache-exporter]", "Rsyslog::Input::File[apache2-access]", "Rsyslog::Input::File[apache2-error]", "Service[aphlict]", "Service[backup-home-dirs.timer]", "Service[bacula-fd]", "Service[envoyproxy.service]", "Service[exim4]", "Service[phabricator_clean_tmp_files.timer]", "Service[phabricator_stats_job_community_metrics.timer]", "Service[phabricator_stats_job_project_changes.timer]", "Service[phabricator_stats_job_quarterly_metrics.timer]", "Service[phabricator_stats_job_quarterly_wmf_qls.timer]", "Service[phabricator_stats_job_tech_news_weekly_stats.timer]", "Service[phabricator_stats_job_yearly_metrics.timer]", "Service[phabricator_task_dump.timer]", "Service[phd]", "Service[prometheus-apache-exporter]", "Service[rsync-phabricator-home-dirs.timer]", "Service[rsync-phabricator-repos.timer]", "Service[rsync]", "Service[wmf_auto_restart_aphlict.timer]", "Service[wmf_auto_restart_envoyproxy.timer]", "Service[wmf_auto_restart_prometheus-apache-exporter.timer]", "Ssh::Userkey[gjg]", "Ssh::Userkey[mbinder]", "Ssh::Userkey[urbanecm]", "Sslcert::X509_to_pkcs12[puppet::expose_agent_cert: /etc/bacula]", "Sudo::Group[phabricator-admin]", "Sudo::Group[phabricator-bulk-manager]", "Sudo::User[vcs]", "Sudo::User[www-data]", "Sysctl::Conffile[TCP Fast Open]", "Sysctl::Conffile[phabricator network tuning]", "Sysctl::Parameters[TCP Fast Open]", "Sysctl::Parameters[phabricator network tuning]", "Systemd::Mask[phd.service]", "Systemd::Service[aphlict]", "Systemd::Service[backup-home-dirs]", "Systemd::Service[envoyproxy.service]", "Systemd::Service[phabricator_clean_tmp_files]", "Systemd::Service[phabricator_stats_job_community_metrics]", "Systemd::Service[phabricator_stats_job_project_changes]", "Systemd::Service[phabricator_stats_job_quarterly_metrics]", "Systemd::Service[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Service[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Service[phabricator_stats_job_yearly_metrics]", "Systemd::Service[phabricator_task_dump]", "Systemd::Service[phd]", "Systemd::Service[rsync-phabricator-home-dirs]", "Systemd::Service[rsync-phabricator-repos]", "Systemd::Service[wmf_auto_restart_aphlict]", "Systemd::Service[wmf_auto_restart_envoyproxy]", "Systemd::Service[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Syslog[backup-home-dirs]", "Systemd::Syslog[envoy]", "Systemd::Syslog[phabricator_clean_tmp_files]", "Systemd::Syslog[phabricator_stats_job_community_metrics]", "Systemd::Syslog[phabricator_stats_job_project_changes]", "Systemd::Syslog[phabricator_stats_job_quarterly_metrics]", "Systemd::Syslog[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Syslog[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Syslog[phabricator_stats_job_yearly_metrics]", "Systemd::Syslog[phabricator_task_dump]", "Systemd::Syslog[rsync-phabricator-home-dirs]", "Systemd::Syslog[rsync-phabricator-repos]", "Systemd::Syslog[wmf_auto_restart_aphlict]", "Systemd::Syslog[wmf_auto_restart_envoyproxy]", "Systemd::Syslog[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Sysuser[vcs]", "Systemd::Timer::Job[backup-home-dirs]", "Systemd::Timer::Job[phabricator_clean_tmp_files]", "Systemd::Timer::Job[phabricator_stats_job_community_metrics]", "Systemd::Timer::Job[phabricator_stats_job_project_changes]", "Systemd::Timer::Job[phabricator_stats_job_quarterly_metrics]", "Systemd::Timer::Job[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Timer::Job[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Timer::Job[phabricator_stats_job_yearly_metrics]", "Systemd::Timer::Job[phabricator_task_dump]", "Systemd::Timer::Job[rsync-phabricator-home-dirs]", "Systemd::Timer::Job[rsync-phabricator-repos]", "Systemd::Timer::Job[wmf_auto_restart_aphlict]", "Systemd::Timer::Job[wmf_auto_restart_envoyproxy]", "Systemd::Timer::Job[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Timer[backup-home-dirs]", "Systemd::Timer[phabricator_clean_tmp_files]", "Systemd::Timer[phabricator_stats_job_community_metrics]", "Systemd::Timer[phabricator_stats_job_project_changes]", "Systemd::Timer[phabricator_stats_job_quarterly_metrics]", "Systemd::Timer[phabricator_stats_job_quarterly_wmf_qls]", "Systemd::Timer[phabricator_stats_job_tech_news_weekly_stats]", "Systemd::Timer[phabricator_stats_job_yearly_metrics]", "Systemd::Timer[phabricator_task_dump]", "Systemd::Timer[rsync-phabricator-home-dirs]", "Systemd::Timer[rsync-phabricator-repos]", "Systemd::Timer[wmf_auto_restart_aphlict]", "Systemd::Timer[wmf_auto_restart_envoyproxy]", "Systemd::Timer[wmf_auto_restart_prometheus-apache-exporter]", "Systemd::Unit[aphlict]", "Systemd::Unit[backup-home-dirs.service]", "Systemd::Unit[backup-home-dirs.timer]", "Systemd::Unit[envoyproxy.service]", "Systemd::Unit[phabricator_clean_tmp_files.service]", "Systemd::Unit[phabricator_clean_tmp_files.timer]", "Systemd::Unit[phabricator_stats_job_community_metrics.service]", "Systemd::Unit[phabricator_stats_job_community_metrics.timer]", "Systemd::Unit[phabricator_stats_job_project_changes.service]", "Systemd::Unit[phabricator_stats_job_project_changes.timer]", "Systemd::Unit[phabricator_stats_job_quarterly_metrics.service]", "Systemd::Unit[phabricator_stats_job_quarterly_metrics.timer]", "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.service]", "Systemd::Unit[phabricator_stats_job_quarterly_wmf_qls.timer]", "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.service]", "Systemd::Unit[phabricator_stats_job_tech_news_weekly_stats.timer]", "Systemd::Unit[phabricator_stats_job_yearly_metrics.service]", "Systemd::Unit[phabricator_stats_job_yearly_metrics.timer]", "Systemd::Unit[phabricator_task_dump.service]", "Systemd::Unit[phabricator_task_dump.timer]", "Systemd::Unit[phd]", "Systemd::Unit[rsync-phabricator-home-dirs.service]", "Systemd::Unit[rsync-phabricator-home-dirs.timer]", "Systemd::Unit[rsync-phabricator-repos.service]", "Systemd::Unit[rsync-phabricator-repos.timer]", "Systemd::Unit[wmf_auto_restart_aphlict.service]", "Systemd::Unit[wmf_auto_restart_aphlict.timer]", "Systemd::Unit[wmf_auto_restart_envoyproxy.service]", "Systemd::Unit[wmf_auto_restart_envoyproxy.timer]", "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.service]", "Systemd::Unit[wmf_auto_restart_prometheus-apache-exporter.timer]", "User[aphlict]", "User[gjg]", "User[mbinder]", "User[urbanecm]", "User[vcs]"], "resource_diffs": [{"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[apache2]', 'Package[links]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[python3-pygments]', 'Package[python3-phabricator]', 'Package[apachetop]', 'Package[subversion]', 'Package[s-nail]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[nodejs]', 'Package[python3-mysqldb]', 'Package[python3-pymysql]', 'Package[exim4-config]', 'Package[exim4-daemon-heavy]', 'Package[apache2]', 'Package[links]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[python3-venv]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]', 'Package[mariadb-client]', 'Package[prometheus-apache-exporter]']\n"}, {"resource": "Class[Resolvconf]", "parameters": "--- Class[Resolvconf].orig\n+++ Class[Resolvconf]\n\n@@\n- domain_search => ['codfw.wmnet']\n+ domain_search => ['eqiad.wmnet', 'codfw.wmnet']\n"}, {"resource": "Php::Extension[apcu]", "parameters": "--- Php::Extension[apcu].orig\n+++ Php::Extension[apcu]\n\n+ config => {'extension': 'apcu.so', 'apc.shm_size': '4096M'}\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Class[Admin]", "parameters": "--- Class[Admin].orig\n+++ Class[Admin]\n\n@@\n- groups => ['phabricator-roots']\n+ groups => ['phabricator-admin', 'phabricator-roots', 'phabricator-bulk-manager']\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::phabricator::migration:\n+role::phabricator:\n - Collaboration Services"}, {"resource": "Class[Profile::Admin]", "parameters": "--- Class[Profile::Admin].orig\n+++ Class[Profile::Admin]\n\n@@\n- groups => ['phabricator-roots']\n+ groups => ['phabricator-admin', 'phabricator-roots', 'phabricator-bulk-manager']\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n- role_description => Temp role to allow migrating Phabricator data to a new server\n+ role_description => Phabricator (main) server\n"}, {"resource": "File[/srv/phab]", "parameters": "--- File[/srv/phab].orig\n+++ File[/srv/phab]\n\n+ require => Package[phabricator/deployment]\n"}, {"resource": "File[/etc/resolv.conf]", "content": "--- /etc/resolv.conf.orig\n+++ /etc/resolv.conf\n@@ -2,6 +2,6 @@\n #### THIS FILE IS MANAGED BY PUPPET\n #### as template('resolvconf/resolv.conf.erb')\n #####################################################################\n-search codfw.wmnet \n+search codfw.wmnet eqiad.wmnet\n options timeout:1 attempts:3 ndots:1\n nameserver 10.3.0.1"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[apache2]', 'Package[links]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[phabricator/deployment]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[python3-pygments]', 'Package[python3-phabricator]', 'Package[apachetop]', 'Package[subversion]', 'Package[s-nail]', 'Package[php8.2-common]', 'Package[php8.2-opcache]', 'Package[php8.2-cli]', 'Package[php8.2-fpm]', 'Package[nodejs]', 'Package[python3-mysqldb]', 'Package[python3-pymysql]', 'Package[exim4-config]', 'Package[exim4-daemon-heavy]', 'Package[apache2]', 'Package[links]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[git-lfs]', 'Package[python3-venv]', 'Package[phabricator/deployment]', 'Package[php8.2-curl]', 'Package[php8.2-gd]', 'Package[php8.2-gmp]', 'Package[php8.2-intl]', 'Package[php8.2-mbstring]', 'Package[php8.2-ldap]', 'Package[php-apcu]', 'Package[php-mailparse]', 'Package[php8.2-xml]', 'Package[php8.2-mysql]', 'Package[mariadb-client]', 'Package[prometheus-apache-exporter]']\n"}, {"resource": "Class[Profile::Resolving]", "parameters": "--- Class[Profile::Resolving].orig\n+++ Class[Profile::Resolving]\n\n@@\n- domain_search => ['codfw.wmnet']\n+ domain_search => ['eqiad.wmnet', 'codfw.wmnet']\n"}, {"resource": "File[/etc/php/8.2/mods-available/apcu.ini]", "content": "--- /etc/php/8.2/mods-available/apcu.ini.orig\n+++ /etc/php/8.2/mods-available/apcu.ini\n@@ -2,5 +2,6 @@\n ;\n ; configuration for the apcu PHP extension\n ; priority=20\n+apc.shm_size = 4096M\n extension = apcu.so\n "}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"collaboration-services\",role=\"phabricator::migration\",cluster=\"misc\"} 1.0\n+role_owner{team=\"collaboration-services\",role=\"phabricator\",cluster=\"misc\"} 1.0"}, {"resource": "File[/etc/phabricator/script-vars]", "content": "--- /etc/phabricator/script-vars.orig\n+++ /etc/phabricator/script-vars\n@@ -2,6 +2,6 @@\n # Sourced by /usr/local/sbin/phab_deploy_* scripts\n #\n PHAB_DIR='/srv/phab'\n-PHAB_STORAGE_USER='phadmin'\n-PHAB_STORAGE_PASS='fakefakefake'\n+PHAB_STORAGE_USER='admin_user'\n+PHAB_STORAGE_PASS='admin_pass'\n PHAB_DEPLOY_USER='phab-deploy'"}], "perc_changed": "17.23%"}}}