PFW changes added to the repo and pushed to the PFWs for application Network task tracked in T370481.

Thanks.

Iptables rules updated and applied to civicrm, payments, and payments_listener role for the API addresses. The frdev role did not have the other payment gateways rules so I'm not certain we need it on that role. Correct me if I'm wrong.

IP addresses from gr4vy.

Confirmed with cstone that nothing more is needed for this portion.

The private key has been configured and is in place on the civicrm, frdev, payments, and payments-listener roles. The file is available at:

• /etc/fundraising/gravy_api_cert.pem
• /etc/gravy_api_cert.pem

Ok. Looks like they are using google cloud computing for those endpoints. I'll have to check our config on the pfw, but this may necessitate moving from a strict allow list to a dns based iptables list. We have been able to avoid that for the payments role at this point.

New directory set up. All puppet instances of fundraise-up changed to fundraiseup. Files on disk on civi1002 copied to new location.

@Damilare I have added the key to the private repo and can add it to the hosts. What hosts/roles is this needed on? The ones I would think as possibilities are: payments, civicrm, frdev

Certificate revoked and change pushed.

[frack::puppet::private] 118a7ac5 Revoke aparker client cert

Civi and superset accounts disabled. Email removed from major gifts notifications in civi. Access removed from analytics archive google drive folder.

Updated the host name in the task since I hadn't bumped it up in the racking details of the parent task. Sorry about that.

Added estimated points (4) from today's standup but there was a call for more detail as to what is requested.

All the globalcollect/ingenico/worldline bits have been removed from puppet. Closing.

Old servers removed in following commit:

[frack::puppet] 5b22b90dd Remove ntp servers that are going to be deprecated (Dallas Wisehaupt:Dallas Wisehaupt)

Adding @AKanji-WMF on this to coordinate with Major Gifts for the benefactors site.

Per conversations at the offsite. icano will not currently need ssh and db access. This task can be reopened in the future if that changes.

Worked with Yamini to get the certificate installed on their machine yesterday at the offsite. Verified that access to civi was working again.

@SHust Thanks for letting us know. Yamini and use the existing ssl certificate and passwords on the new laptop. I've reached out to her to see if she needs me to resend the certificate and password.

Access approval.

Access approval.

Verified logins are working.

Account setup complete. User account created and added to the proper groups. SSH pubkey added. Yubikey pubkey added. Account and config pushed out and puppet runs completed. Email sent with instructions on how to connect.

Frack config has been updated to use the new ntp-[abc].anycast.wmnet servers. The previous dnsXXXX and ntp.anycast.wmnet entries have been removed.

PFW cleanup handled in T368178

Puppet config removed.

Deployed firewall rule to civi hosts to handle output traffic to pal-live.adyen.com.

iptables rules updated for new anycast servers. New servers added to hiera and deployed. Verified working with chronyc on frpm1002:

Access approval.

PFW update deployed. iptables changes applied. Closing.