WikiOasis runs on a fleet of Debian virtual machines hosted on two bare-metal Proxmox hypervisors (metal-us-east-01 and metal-us-east-02) in a single US-East data centre. Each server role is given a structured hostname — <role>-<datacenter>-<rack><index> — which the Salt master uses to target the right configuration at the right machine using glob patterns in top.sls. All VMs communicate over the private DNS domain ovvin.wonet; public traffic enters through the HAProxy load balancers.

Internal network

Every virtual machine is reachable on the ovvin.wonet internal DNS domain. For example:
  • mw-us-east-011.ovvin.wonet — MediaWiki server 1, rack 01, US-East
  • proxy-us-east-021.ovvin.wonet — HAProxy load balancer, rack 02, US-East
  • db-c1-us-east-021.ovvin.wonet — MariaDB cluster-1 server, rack 02
The two bare-metal hosts carry public IP addresses (40.160.53.92 and 40.160.53.94) and forward ports to their VMs via iptables rules managed by the metal state. VMs themselves are addressed from the 10.0.1.0/24 (rack 01) and 10.0.2.0/24 (rack 02) private subnets. Dual-stack IPv6 is provisioned for VMs whose hostnames match *-us-east-0[0-9][0-9]* via the metal.vm_ipv6 state.

Server roles

mw*

MediaWiki application servers. Serve PHP-FPM via nginx and sit in the HAProxy mediawiki backend pool. Example: mw-us-east-011, mw-us-east-021.

staging*

Staging / canary server. Runs a full MediaWiki stack for pre-production testing. The canary vhost is test.wikioasis.org. Example: staging-us-east-021.

task*

Job runner / task server. Runs MediaWiki job queues via the mediawiki.jobrunner state alongside PHP-FPM and nginx. Example: task-us-east-011.

proxy*

HAProxy load balancers. Terminate HTTP and route to MediaWiki, apps, monitoring, and staging backends. Example: proxy-us-east-011, proxy-us-east-021.

db*

MariaDB database servers. Each cluster has its own server-level pillar override (e.g. db-c1-us-east-021 gets a 20 GB InnoDB buffer pool). Example: db-c1-us-east-021, db-other-us-east-011.

redis*

Redis cache servers. Shared caching layer for MediaWiki sessions and object cache. Per-server pillar can override maxmemory and eviction policy. Example: redis-us-east-011, redis-us-east-021.

opensearch*

OpenSearch search nodes. Form the wikioasis-search cluster over transport port 9300. Example: opensearch-us-east-011, opensearch-us-east-012.

monitoring*

Monitoring server. Runs Icinga 2, Icinga Web 2, Icinga Director, Prometheus, Grafana, and the StatsD exporter. Example: monitoring-us-east-021.

metal*

Bare-metal Proxmox hypervisors. Manage DNS/DHCP, IP forwarding, and VM IPv6 routing for hosted VMs. Example: metal-us-east-01, metal-us-east-02.

apps*

Applications server. Hosts ancillary services such as Phorge (task tracker), Zep (notifications), and the safety portal. Example: apps-us-east-021.

salt*

Salt master. Receives only the monitoring.nrpe_salt_master state — it monitors itself but is otherwise not managed by Salt.

How Salt targets minions

Salt resolves which states and pillar data a minion receives by matching the minion’s ID against the patterns in the relevant top.sls. WikiOasis uses three matching strategies:

Glob matching (default)

Simple shell-style wildcards match on the minion ID. A * matches any character sequence; [0-9] is a character class.
# All minions get base + users + monitoring
'*':
  - base
  - users
  - monitoring.nrpe

# Only minions whose ID starts with "mw" get mediawiki.target
'mw*':
  - mediawiki.target

Compound matching

When a target expression needs Boolean logic (or, and, not) across minion IDs, set match: compound. The match: compound entry goes first in the state list, ahead of the states themselves.
'mw* or staging*':
  - match: compound
  - php
  - nginx
  - sentry_relay
  - monitoring.nrpe_mediawiki
This applies PHP-FPM, nginx, Sentry Relay, and MediaWiki monitoring to both production MediaWiki servers and the staging server.

Range glob matching

Bracket character classes such as [0-9] let you target numbered hosts without listing each one explicitly:
'*-us-east-0[0-9][0-9]*':
  - metal.vm_ipv6
This matches every VM hostname that follows the <role>-us-east-0NN naming convention and applies IPv6 routing configuration.

salt/top.sls — full assignment table

The state top.sls maps minion glob patterns to the state trees they receive.
base:
  '*':
    - base
    - users
    - monitoring.nrpe
    - monitoring.nrpe_common
    - monitoring.nrpe_salt
    - monitoring.node_exporter
  'apps*':
    - php
    - nginx
    - monitoring.nrpe_nginx
    - monitoring.nrpe_php
    - monitoring.phpfpm_exporter
  'db*':
    - mariadb
    - mariadb.monitoring_user
    - mariadb.prometheus_user
    - mariadb.backup
    - mariadb.nrpe_backup
    - monitoring.mysqld_exporter
  'metal*':
    - metal
    - monitoring.nrpe_metal
  'proxy*':
    - haproxy
    - monitoring.nrpe_haproxy
    - monitoring.haproxy_exporter
    - mediawiki.proxy
  'monitoring*':
    - monitoring
    - monitoring.director
    - monitoring.nrpe_nginx
    - monitoring.prometheus
    - monitoring.grafana
    - monitoring.statsd_exporter
  'staging*':
    - mediawiki
  'mw*':
    - mediawiki.target
  'mw* or staging*':
    - match: compound
    - php
    - nginx
    - sentry_relay
    - monitoring.nrpe_nginx
    - monitoring.nrpe_php
    - monitoring.nrpe_mediawiki
    - monitoring.phpfpm_exporter
  'task*':
    - php
    - nginx
    - mediawiki.target
    - mediawiki.jobrunner
    - monitoring.nrpe_nginx
    - monitoring.nrpe_php
    - monitoring.phpfpm_exporter
  'opensearch*':
    - opensearch
    - monitoring.nrpe_opensearch
    - monitoring.opensearch_exporter
  'redis*':
    - redis
    - monitoring.nrpe_redis
    - monitoring.redis_exporter
  'salt*':
    - monitoring.nrpe_salt_master
  '*-us-east-0[0-9][0-9]*':
    - metal.vm_ipv6

pillar/top.sls — full assignment table

The pillar top.sls maps minion patterns to the pillar trees they receive. Notice that some clusters receive both the shared init.sls pillar and a per-host override file.
base:
  '*':
    - base
    - users
    - private
  'apps*':
    - php
    - private
  'bastion*':
    - users.servers.bastion
  'db*':
    - mariadb
    - private
  'db-other-us-east-011*':
    - mariadb.db-other-us-east-011
  'db-pc-us-east-011*':
    - mariadb.db-pc-us-east-011
  'db-c1-us-east-021*':
    - mariadb.db-c1-us-east-021
  'metal* or *-us-east-0[0-9][0-9]*':
    - match: compound
    - metal
  'metal-us-east-01*':
    - metal.metal-us-east-01
  'metal-us-east-02*':
    - metal.metal-us-east-02
  'mw* or staging*':
    - match: compound
    - users.servers.mediawiki
    - php
    - nginx
    - mediawiki
  'proxy*':
    - haproxy
    - mediawiki
  'monitoring*':
    - monitoring
    - metal
    - private
  'task*':
    - users.servers.mediawiki
    - php
    - nginx
    - mediawiki
    - mediawiki.jobrunner
  'opensearch*':
    - opensearch
  'redis*':
    - redis
  'redis-us-east-011*':
    - redis.redis-us-east-011
  'redis-us-east-012*':
    - redis.redis-us-east-012
All minions receive the private pillar either directly (via the '*' rule) or through a role-specific rule (e.g. 'db*' and 'monitoring*'). This ensures every minion has access to the monitoring API credentials and other cross-cutting secrets.
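
An added example (not WikiOasis's own code) that approximates Salt's glob and compound matching with Python's fnmatch to show which pillar files a given minion ID resolves to from a subset of the pillar top file above. The sample minion IDs, the function names and the simplified compound parser (bare globs only, no parentheses) are assumptions.

```python
import fnmatch

# Subset of pillar/top.sls from this page: target -> (is_compound, pillar SLS list).
PILLAR_TOP = {
    "*": (False, ["base", "users", "private"]),
    "db*": (False, ["mariadb", "private"]),
    "db-c1-us-east-021*": (False, ["mariadb.db-c1-us-east-021"]),
    "metal* or *-us-east-0[0-9][0-9]*": (True, ["metal"]),
    "metal-us-east-01*": (False, ["metal.metal-us-east-01"]),
    "mw* or staging*": (True, ["users.servers.mediawiki", "php", "nginx", "mediawiki"]),
    "redis*": (False, ["redis"]),
}

def glob_match(minion_id, pattern):
    """Shell-style glob on the minion ID (fnmatch semantics, case-sensitive)."""
    return fnmatch.fnmatchcase(minion_id, pattern)

def compound_match(minion_id, expr):
    """Evaluate 'a or b and not c' over bare globs; 'not' binds tightest, 'or' loosest."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not glob_match(minion_id, tok[4:].strip())
        return glob_match(minion_id, tok)
    return any(all(term(t) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def resolve(minion_id, top=PILLAR_TOP):
    """Return the pillar SLS files a minion ID is assigned, in top-file order."""
    assigned = []
    for target, (is_compound, sls_list) in top.items():
        matcher = compound_match if is_compound else glob_match
        if matcher(minion_id, target):
            assigned += [s for s in sls_list if s not in assigned]
    return assigned

def who_gets(sls, minion_ids, top=PILLAR_TOP):
    """List the minion IDs whose resolved pillar includes the given SLS."""
    return [m for m in minion_ids if sls in resolve(m, top)]

# Constructed minion IDs: four follow the naming scheme, the last does not.
SAMPLE_IDS = ["db-c1-us-east-021", "mw-us-east-011", "metal-us-east-01",
              "redis-us-east-011", "dbtest"]

if __name__ == "__main__":
    for mid in SAMPLE_IDS:
        print(f"{mid:20} {resolve(mid)}")
    print("private ->", who_gets("private", SAMPLE_IDS))
    print("mariadb ->", who_gets("mariadb", SAMPLE_IDS))
```

The off-scheme ID dbtest still resolves to the mariadb pillar because 'db*' is a prefix match on whatever ID the minion presents, which is why the accepted key list is worth reviewing against the naming scheme.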

Traffic flow

Internet
    │
    ▼
proxy-us-east-011 / proxy-us-east-021   (HAProxy, ports 80/443)
    │
    ├── /wiki/*, *.wikioasis.org, *.skywiki.org, *.betaoasis.xyz
    │       └──▶ mw-us-east-011..022 + staging-us-east-021   (nginx + PHP-FPM)
    │                   │
    │                   ├──▶ db-*  (MariaDB, port 3306)
    │                   ├──▶ redis-*  (Redis, port 6379)
    │                   └──▶ opensearch-*  (OpenSearch, port 9200)
    │
    ├── icinga.wikioasis.org / grafana.wikioasis.org
    │       └──▶ monitoring-us-east-021
    │
    ├── phorge.wikioasis.org / zep.wikioasis.org
    │       └──▶ apps-us-east-021
    │
    └── test.wikioasis.org   (canary)
            └──▶ staging-us-east-021
Background MediaWiki jobs are processed by task-us-east-011, which runs the same PHP-FPM and nginx stack as the mw* servers but additionally runs the mediawiki.jobrunner state.
