Closing for now. If there are issues with access in the future we can work through them then.

Have added the other servers to config as they have been built out. Closing this for now.

Verified access with client certificate and logins to superset. Closing.

Verified cert is working and logins have been successful. Closing.

It's possible that this could be set on the DB side using update civicrm_option_group set is_reserved=0 where name='languages'; but that needs more research and confirmation.

SSL client certificate created and sent via email. Password sent via SMS. Civi account already existed from previous work so it was moved from blocked to active.

PFW task opened.

Template file in place and secrets added to the private puppet repo. iptables rules updated.

Added the SFTP credentials and info to the puppet-private repo so that it can be used soon. Still need to set up the necessary firewall connections and all.

Updated our check script to handle hosts in an INIT state as just warning instead of critical.

Thanks for the heads up. I have added kafka-jumbo1010 to the config to quiet the current alert. I'll see if I can add the others without triggering some other warning. Currently I have them in the config commented out so that we can easily add them as the new ones come online.

Verified cert is installed and access is working. Closing.

fundraise-up added to the $audit_processors array in the civicrm::audit manifest. Change pushed to puppet.

Yubikey request sent to techsupport. Will start the ssh account setup when we have confirmation that the yubikey is on the way.

SSL client certificate created and sent via email. Password sent via SMS.

SSL client certificate created and sent via email. Password sent via SMS.

Civi account created and set with random password. Email sent with instructions on how to change the password.

Welcome email sent. SSL client certificate created and sent via email. Password sent via SMS.

Yes, there is nothing for us to do here since we moved to using dns_to_ipset. Resolving.

Date: Mon, 11 Sep 2023 17:38:28
From: Lisa Seitz Gruwell
To: Erica Roden
Cc: Dallas Wisehaupt

Subject: Re: Superset Access Approval - James Baldwin & Angelito Reyes

Adding @ERoden-WMF to specify details of what is needed.

Adding @ERoden-WMF to specify details of what is needed.

Expecting the current volume of the calls for Payment Networks endpoint to be in the 2-8 req/s range to start. This should be ok from the fr-tech side.

Updated FR_Tech_Managed_Accounts, I think it's ready for transfer. I added the grafana bits.

Making progress on the VM testing. Can repeatedly install drupal and civicrm in stock installs but not fully automated yet. Still need to work out some redirect rules to remove the "index.php" portion of the url. Unsure if we'll throw nginx in the front and do the ssl client certs as a requirement for access as that may not be what we want long term.

@AKanji-WMF Yes this is misfiled. As far as I can tell, this isn't something we would be leading.

SSL cert revoke and CRL pushed out. Civi account moved to blocked. All other items verified as not applicable.

New cert put in place at /etc/fundraising/adyen-apple-pay-cert-20230831.pem. Swap over can done with a localsettings change.

Is this to be added on donate wiki or payments wiki? If it is donate wiki then this needs to go to the prod group since we don't have access to the CSP for that side.

Created puppetmaster and civitest instances to begin testing. Using bullseye for both as some config is not ready for bookworm yet. Testing using profile::simplelamp2 to start since that drops in apache, mariadb, and php for us.

Instance resized to g3.cores2.ram4.disk20 and back up and working as expected.

Reopening, not sure how I accidentally triggered resolution.

@Qgil I would like to downsize the current civicrm-drupal10 instance. It is currently using all of the 8 VCPUs and 16G of ram allocated for the project. To test puppetizing, we will need to run a standalone puppetmaster and a second instance to test the configs on. I would like to reduce the current instance from the g3.cores8.ram16.disk20 instance to a g3.cores2.ram4.disk20 instance. That will give us some extra cpus and memory to use for the puppetmaster and test instances.

Adding in some links on the CloudVPS setup for reference:
https://openstack-browser.toolforge.org/project/civicrm-prototype
https://horizon.wikimedia.org/project/ (project is civicrm-prototype)

@Qgil Thanks!