[root@ws_monitoring ansible]# more README.TXT
1. 该ansible脚本集成了常用的一些功能
创建 web/cbs/store/download 站点
2. hosts 文件采用分组管理，且整个文件已加密，需要输入密码才能编辑
使用示例:创建cbs 站点
ansible-playbook cbs.yaml --ask-vault-pass
3.使用方法
创建 cbs 示例
如果要创建 cbs.chinasoft.com 这个站点
修改 roles/cbs/vars/main.yaml 中的变量 cbs_domain_name 为需要创建的域名即可(*域名)
# vim roles/cbs/vars/main.yaml
cbs_domain_name: chinasoft.com
# cd /usr/local/src/ansible
# 创建 www 站点
# ansible-playbook chinasoft_co.yaml --ask-vault-pass
4.目录说明:
ansible的文件目录列表
├── cbs.yaml # 创建 cbs 站点入口文件
├── download.yaml # 创建download 站点入口文件
├── hosts
├── roles
│ ├── cbs
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── commom.yaml
│ │ │ └── main.yaml
│ │ ├── templates
│ │ │ ├── cbs_apache_chinasoft.co.conf.j2
│ │ │ ├── cbs_nginx_index.html.j2
│ │ │ ├── cbs_nginx_chinasoft.co.conf.j2
│ │ │ ├── cbs_rewrite_chinasoft.co.conf.j2
│ │ │ ├── cbs_chinasoft_co_jp.crt.j2
│ │ │ ├── cbs_chinasoft_co_jp.key.j2
│ │ │ └── nginx_config_grammaer_check_test_and_reload.sh.j2
│ │ └── vars
│ │ └── main.yaml
...
├── store.yaml # 创建购物车的入口文件
└── chinasoft_co.yaml # 创建www站点入口文件
1.ansible的目录结构
[root@ws_monitoring ansible]# tree . ├── cbs.yaml ├── download.yaml ├── hosts ├── README.TXT ├── roles │ ├── cbs │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── cbs_apache_chinasoft.co.conf.j2 │ │ │ ├── cbs_domain_check.sh.j2 │ │ │ ├── cbs_nginx_index.html.j2 │ │ │ ├── cbs_nginx_chinasoft.co.conf.j2 │ │ │ ├── cbs_rewrite_chinasoft.co.conf.j2 │ │ │ ├── cbs_chinasoft_co_jp.crt.j2 │ │ │ ├── cbs_chinasoft_co_jp.key.j2 │ │ │ └── nginx_config_grammaer_check_test_and_reload.sh.j2 │ │ └── vars │ │ └── main.yaml │ ├── download │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── dl_apache_htaccess.j2 │ │ │ ├── dl_apache_chinasoft.co.conf.j2 │ │ │ ├── dl_download_new.php.j2 │ │ │ ├── dl_nginx_index.html.j2 │ │ │ ├── dl_nginx_chinasoft.co.conf.j2 │ │ │ ├── dl_rewrite_chinasoft.co.conf.j2 │ │ │ ├── dl_chinasoft_co_jp.crt.j2 │ │ │ └── dl_chinasoft_co_jp.key.j2 │ │ └── vars │ │ └── main.yaml │ ├── store │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── sto_apache_chinasoft.co.conf.j2 │ │ │ ├── sto_chinasoft_com.crt.j2 │ │ │ ├── sto_chinasoft_com.key.j2 │ │ │ ├── sto_nginx_index.html.j2 │ │ │ ├── sto_nginx_chinasoft.co.conf.j2 │ │ │ ├── sto_rewrite_chinasoft.co.conf.j2 │ │ │ ├── sto_chinasoft_co_jp.crt.j2 │ │ │ └── sto_chinasoft_co_jp.key.j2 │ │ └── vars │ │ └── main.yaml │ └── chinasoft_co │ ├── tasks │ │ ├── commom.yaml │ │ └── main.yaml │ ├── templates │ │ ├── apache_chinasoft.co.conf.j2 │ │ ├── nginx_index.html.j2 │ │ ├── nginx_chinasoft.co.conf.j2 │ │ ├── rewrite_chinasoft.co.conf.j2 │ │ ├── chinasoft_co_jp.crt.j2 │ │ ├── chinasoft_co_jp.key.j2 │ │ ├── chinasoft_kr.crt.j2 │ │ ├── chinasoft_kr.key.j2 │ │ ├── chinasoft_net.crt.j2 │ │ └── chinasoft_net.key.j2 │ └── vars │ └── main.yaml ├── store.yaml └── chinasoft_co.yaml
2.编辑hosts目标服务器文件
[root@ws_monitoring ansible]# ansible-vault view hosts
Vault password:
# Vault-encrypted inventory (README item 2). Every group below lists the same
# two nodes, so the four entry playbooks all land on node01/node02; the [nodes]
# group is not referenced by any of the playbooks shown.
# NOTE(review): connections use the root account with a password kept in the
# inventory. ansible-vault only protects the file at rest -- the value is plain
# to anyone holding the vault password (and in this `ansible-vault view`
# output). Prefer SSH keys for a non-root user plus become, and drop
# ansible_ssh_pass. The ‘root‘ quotes look like a paste artefact of ASCII 'root'.
[nodes]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
[cbs_servers]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
[store_servers]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
[download_servers]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
[ws_www_webs]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass=‘root‘
3.入口yaml文件
创建 www 站点
[root@ws_monitoring ansible]# more chinasoft_co.yaml
# Entry playbook for the www site: runs the chinasoft_co role on the
# ws_www_webs inventory group. Run with --ask-vault-pass because the
# inventory file is vault-encrypted.
- hosts: ws_www_webs
  remote_user: root
  # become/become_user are effectively no-ops while remote_user is already
  # root; they only matter once the inventory is switched to an unprivileged
  # SSH user, which is the safer setup.
  become: yes
  become_method: sudo
  become_user: root
  # Facts are skipped; the role files shown reference no gathered facts, only
  # roles/chinasoft_co/vars/main.yaml and loop items.
  gather_facts: no
  tasks:
    - import_role:
        name: chinasoft_co
    # Remaining roles are disabled; uniconverter and shopcart do not exist
    # under roles/ in the tree listing above.
    #- import_role:
    #    name: download
    #- import_role:
    #    name: store
    #- import_role:
    #    name: uniconverter
    #- import_role:
    #    name: shopcart
cbs 站点
[root@ws_monitoring ansible]# more cbs.yaml
# Same shape as chinasoft_co.yaml: one inventory group, one imported role.
# The become settings are redundant while remote_user is root (see hosts).
- hosts: cbs_servers
  remote_user: root
  become: yes
  become_method: sudo
  become_user: root
  gather_facts: no
  tasks:
    - import_role:
        name: cbs
store 站点
[root@ws_monitoring ansible]# more store.yaml
# Store site entry playbook; role lives in roles/store.
- hosts: store_servers
  remote_user: root
  become: yes
  become_method: sudo
  become_user: root
  gather_facts: no
  tasks:
    - import_role:
        name: store
download 站点
[root@ws_monitoring ansible]# more download.yaml
# Download site entry playbook; role lives in roles/download.
- hosts: download_servers
  remote_user: root
  become: yes
  become_method: sudo
  become_user: root
  gather_facts: no
  tasks:
    - import_role:
        name: download
# 参数配置
[root@ws_monitoring ansible]# more roles/chinasoft_co/vars/main.yaml
# Variables consumed by tasks/commom.yaml and the templates of this role.
# Base domain; each production_list entry becomes <entry>.<domain_name>.
# In the nginx/rewrite templates and the tasks, www maps to the bare domain
# instead (the apache template always uses <entry>.<domain_name>).
domain_name: chinasoft.com.br
# When true the templates add an ori-<entry>.<domain_name> alias (CDN origin).
is_ori_needed: true
# Only used by the backup tasks that are commented out in tasks/commom.yaml.
backup_dest_path: /opt
# Destination directories for the rendered nginx vhost, nginx rewrite rules
# and apache vhost files respectively.
nginx_dest_path: /usr/local/nginx/conf/vhost.d
rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d
http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d
# Parent of the per-site httpdocs directories.
http_data_dest_path: /data/www/vhosts
# Where the .crt/.key pair is uploaded. NOTE(review): the task that creates
# this directory in tasks/commom.yaml hard-codes the same path instead of
# reading the variable; change both together.
certification_dest_path: /usr/local/nginx/conf/cert2016
# Not referenced by the tasks or templates shown for this role.
production_download: download
production_store: store
production_shopcart: shopcart
production_uniconverter: uniconverter
# Sub-sites to deploy. Only recoverit is active, so a run creates
# recoverit.<domain_name>; uncomment www to also deploy the bare domain.
production_list:
#- www
#- images
#- filmora
#- pdf
- recoverit
#- drfone
#- static-fr
#- static-de
#- static-es
#- static-it
#- static-pt
模板项目:
# apache 的模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/apache_chinasoft.co.conf.j2
# Backend vhost on 8080. TLS is terminated by nginx (hence SSLEngine off);
# presumably this is the php_pool upstream the nginx template proxies to --
# confirm against the upstream definition, which is not shown.
<VirtualHost *:8080>
    ServerName {{item.item}}.{{domain_name}}
    ## for CDN Origin_site
    {% if is_ori_needed %}ServerAlias ori-{{item.item}}.{{domain_name}}{% endif %}
    {# ServerAlias downpool.{{domain_name}} #}
    {# ServerAlias ssl-{{item.item}}.{{domain_name}} #}
    UseCanonicalName Off
    ServerAdmin "admin@chinasoft.com"
    # NOTE(review): for item.item == 'www' this is /data/www/vhosts/www.<domain>/httpdocs,
    # while the nginx template and the directory task in tasks/commom.yaml use
    # /data/www/vhosts/<domain>/httpdocs for www. Moot while www is commented
    # out in production_list, but the two templates disagree.
    DocumentRoot /data/www/vhosts/{{item.item}}.{{domain_name}}/httpdocs
    DirectoryIndex index.html index.shtml index.php
    # Daily rotated logs via rotatelogs (86400 s), one file per site.
    CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/{{item.item}}.{{domain_name}}_access.log.%Y-%m-%d 86400" combined
    ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/{{item.item}}.{{domain_name}}_error.log.%Y-%m-%d 86400"
    <IfModule mod_ssl.c>
        SSLEngine off
    </IfModule>
    <Directory /data/www/vhosts/{{item.item}}.{{domain_name}}/httpdocs/>
        <IfModule sapi_apache2.c>
            php_admin_flag engine on
            # safe_mode was removed in PHP 5.4; on newer PHP this line has no
            # effect and open_basedir (docroot + /tmp) is the only containment.
            php_admin_flag safe_mode on
            php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
            php_admin_flag engine on
            php_admin_flag safe_mode on
            php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp"
        </IfModule>
        # +Includes enables SSI (index.shtml above). AllowOverride All lets a
        # .htaccess in the docroot override these options; nginx refuses to
        # serve .htaccess but Apache still honours it, so uploads into httpdocs
        # need to be controlled.
        Options -ExecCGI FollowSymLinks +Includes
        AllowOverride All
    </Directory>
    # Shared directory exposed as /servers on every vhost rendered from this template.
    Alias /servers "/data/www/vhosts/www_servers"
    <Directory "/data/www/vhosts/www_servers/">
        Options -ExecCGI FollowSymLinks +Includes
        AllowOverride All
    </Directory>
    ErrorDocument 404 /404.html
</VirtualHost>
# nginx 的配置模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_chinasoft.co.conf.j2
# One vhost pair per production_list entry: port 80 only redirects to HTTPS,
# port 443 serves static files and hands PHP / front-controller requests to
# the php_pool upstream (php_pool and proxy_params are defined elsewhere).
# NOTE(review): the ‘www‘ quotes below look like a paste artefact of ASCII
# 'www'; Jinja2 does not accept curly quotes as written.
server {
    listen 80;
    # www additionally answers for the bare domain; ori-* is the CDN origin alias.
    server_name {% if item.item == ‘www‘ %}{{domain_name}} {% endif %}{{item.item}}.{{domain_name}} {% if is_ori_needed %}ori-{{item.item}}.{{domain_name}}{% endif %};
    index index.html index.shtml index.php ;
    include rewrite.d/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ;
    root /data/www/vhosts/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ;
    access_log /data/www/logs/nginx_log/access/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ;
    error_log /data/www/logs/nginx_log/error/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ;
    error_page 404 403 /404.html;
    # Server-level permanent rewrite: every plain-HTTP request is answered with
    # a 301 to HTTPS before any location below is matched, so the location
    # blocks in this server are effectively dead (mirrors of the 443 block).
    rewrite ^/(.*)$ https://{% if item.item == ‘www‘ %}www.{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/$1 permanent;
    if ($http_user_agent ~ Ezooms) {
        return 403;
    }
    location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ {
        deny all;
    }
    location ~ \.php$ {
        proxy_pass http://php_pool;
        include proxy_params;
        expires -1;
    }
    location / {
        include proxy_params;
        if (!-d $request_filename){
            set $flag 1$flag;
        }
        if (!-f $request_filename){
            set $flag 2$flag;
        }
        if ($flag = "21"){
            proxy_pass http://php_pool;
            expires -1;
        }
    }
}
server {
    listen 443;
    server_name {% if item.item == ‘www‘ %}{{domain_name}} {% endif %}{{ item.item }}.{{domain_name}} {% if is_ori_needed %}ori-{{ item.item }}.{{domain_name}}{% endif %};
    # NOTE(review): `ssl on;` is the pre-1.15 form; `listen 443 ssl;` is the
    # current equivalent.
    ssl on;
    # cert/key names derive from domain_name with dots replaced by '_' -- the
    # same mapping tasks/commom.yaml uses when uploading them.
    ssl_certificate cert2016/{{domain_name|regex_replace(‘\.‘ , ‘_‘)}}.crt;
    ssl_certificate_key cert2016/{{domain_name|regex_replace(‘\.‘ , ‘_‘)}}.key;
    # dh_2048.pem is not among the files tasks/commom.yaml uploads; it must
    # already exist on the host or nginx fails to start.
    ssl_dhparam cert2016/dh_2048.pem;
    ssl_session_timeout 5m;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless legacy
    # clients are a hard requirement, offer TLSv1.2 (and TLSv1.3 where the
    # nginx/OpenSSL build supports it) only.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # NOTE(review): the list still *enables* 3DES (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA)
    # and the generic AES group; exclude 3DES (!3DES). The spaces inside
    # "ECDHE-RS A-AES256-SHA" and "EDH-RSA-DES- CBC3-SHA" look like line-wrap
    # artefacts of the paste -- OpenSSL silently drops unknown fragments, so
    # verify the string against the file on disk.
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RS A-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES- CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    # NOTE(review): wildcard CORS on every HTTPS response of this vhost, PHP
    # output included; scope it to the static paths if the application returns
    # anything non-public. No Strict-Transport-Security header is sent.
    add_header ‘Access-Control-Allow-Origin‘ ‘*‘;
    access_log /data/www/logs/nginx_log/access/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ;
    error_log /data/www/logs/nginx_log/error/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ;
    root /data/www/vhosts/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ;
    index index.html index.shtml index.php ;
    include rewrite.d/{% if item.item == ‘www‘ %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ;
    error_page 404 403 /404.html;
    if ($http_user_agent ~ Ezooms) {
        return 403;
    }
    # Never serve dotfiles / shell or ini files from the docroot.
    location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ {
        deny all;
    }
    location ~ \.php$ {
        proxy_pass http://php_pool;
        include proxy_params;
        expires -1;
    }
    location / {
        include proxy_params;
        # $flag ends as "21" only when the request maps to neither a directory
        # nor a regular file; those URIs go to php_pool (front-controller style),
        # everything else is served from root.
        if (!-d $request_filename){
            set $flag 1$flag;
        }
        if (!-f $request_filename){
            set $flag 2$flag;
        }
        if ($flag = "21"){
            proxy_pass http://php_pool;
            expires -1;
        }
    }
}
# index.html 首页模板
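[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_index.html.j2
{# Placeholder index page, uploaded by tasks/commom.yaml only when the site has no index.html yet. #}
{# Fix: the heading was closed with a second opening tag (<h1>) instead of </h1>. #}
<h1>this is {{ item.item }}.{{domain_name}} on the server </h1>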
# 默认跳转规则模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/rewrite_chinasoft.co.conf.j2
# Rendered into rewrite.d/ and included by both server blocks of the nginx
# template. For www: send the bare domain to https://www.<domain>. For every
# site: strip a trailing index.html / indice.html so each page has one URL.
# (The unescaped '.' before (html) also matches any single character.)
{% if item.item == ‘www‘ %}
if ($host ~* ^{{domain_name}}$){
    rewrite ^(.*)$ https://www.{{domain_name}}$1 permanent;}
{% endif %}
if ($request_uri ~ ^/(.*)/(index|indice).(html)) {
    rewrite ^/(.*)/(index|indice).(html) /$1 permanent;}
if ($request_uri ~ ^/(index|indice).html) {
    rewrite ^ / permanent;}
# 主要的任务规则
[root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/main.yaml
# Role entry point; all work is in commom.yaml (the file really is spelled that way).
- name: Deploy common site
  import_tasks: commom.yaml
[root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/commom.yaml
# Backup of the existing config directories is disabled; the copy tasks also
# depend on the current_time register from the first commented task.
#- name : let shell command result registe to be current time
#  command : "echo `date +%Y%m%d%H%M%S`"
#  register : current_time
#
#- name: Copy multiple files in Ansible with different permissions
#  copy:
#    src: "{{ item.src }}"
#    dest: "{{ item.dest }}"
#    mode: "{{ item.mode }}"
#  with_items:
#    - { src: "{{nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: ‘0644‘}
#    - { src: "{{rewrite_nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: ‘0644‘}
#    - { src: "{{certification_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: ‘0644‘}
#    - { src: "{{http_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: ‘0644‘}

# Pattern used for every config file below: stat the target once per
# production_list entry (loop var is the bare entry), then render the template
# over the stat results (loop var is item.item) only where no file exists.
# Consequence: re-running the play never updates an existing vhost file; it
# must be removed on the host to be regenerated. The role has no handlers/
# directory (see the tree above), so nothing tests or reloads nginx/apache
# after a file lands -- the cbs role ships
# nginx_config_grammaer_check_test_and_reload.sh.j2 for that.
- name: Checking nginx configuration file if exists
  stat:
    path: "{{nginx_dest_path}}/{%if item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
  register: nginx_ws_cn_fcheck
  with_items: "{{ production_list }}"

- name: upload nginx configuration file to server
  template:
    src: nginx_chinasoft.co.conf.j2
    dest: "{{nginx_dest_path}}/{%if item.item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
    owner: apache
    group: users
    mode: 0644
  when: not item.stat.exists
  with_items: "{{ nginx_ws_cn_fcheck.results}}"

- name: Checking nginx‘s rewrite rule file if exists
  stat:
    path: "{{rewrite_nginx_dest_path}}/{%if item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
  register: rewrite_ws_fcheck
  with_items: "{{ production_list }}"

- name: upload nginx‘s rewrite rule file to server
  template:
    src: rewrite_chinasoft.co.conf.j2
    dest: "{{rewrite_nginx_dest_path}}/{%if item.item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
    owner: apache
    group: users
    mode: 0644
  when: not item.stat.exists
  with_items: "{{ rewrite_ws_fcheck.results}}"

- name: Checking apache configuration file if exists
  stat:
    path: "{{http_dest_path}}/{%if item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
  register: apache_ws_fcheck
  with_items: "{{ production_list }}"

- name: upload apache configuration file to server
  template:
    src: apache_chinasoft.co.conf.j2
    dest: "{{http_dest_path}}/{%if item.item == ‘www‘ %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
    owner: apache
    group: users
    mode: 0644
  when: not item.stat.exists
  with_items: "{{ apache_ws_fcheck.results}}"

# Docroot per site; for www this is <http_data_dest_path>/<domain_name>/httpdocs,
# which matches the nginx template's root but not the apache DocumentRoot.
- name: Checking web data httpdocs and create if not exists
  file:
    path: "{{http_data_dest_path}}/{%if item == ‘www‘ %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs"
    state: directory
    owner: apache
    group: users
    mode: 0755
  with_items: "{{ production_list }}"

#- name: Checking data link and create if not exists
#  file:
#    src: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs"
#    dest: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs/cbs_down"
#    state: link
#    owner: apache
#    group: users
#    mode: 0755

- name: Checking data index.html and create if not exists
  stat:
    path: "{{http_data_dest_path}}/{%if item == ‘www‘ %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs/index.html"
  register: apache_data_ws_fcheck
  with_items: "{{ production_list }}"

- name: upload www test data file to server
  template:
    src: nginx_index.html.j2
    dest: "{{http_data_dest_path}}/{%if item.item == ‘www‘ %}{{domain_name}}{% else %}{{item.item}}.{{domain_name}}{% endif %}/httpdocs/index.html"
    owner: apache
    group: users
    mode: 0644
  when: not item.stat.exists
  with_items: "{{ apache_data_ws_fcheck.results}}"

# NOTE(review): the directory is hard-coded here while the upload task below
# uses certification_dest_path from vars/main.yaml; keep the two in sync (or
# use the variable here as well) so the key pair cannot end up where the nginx
# template does not look.
- name: Checking certification path if not exists
  file:
    path: "/usr/local/nginx/conf/cert2016"
    state: directory
    owner: apache
    group: users
    mode: 0755

# NOTE(review): mode 0644 makes the private key (*.key) readable by every local
# user; 0600 (or 0640 with the nginx group) is the usual setting. The key
# material itself lives in the *.key.j2 templates in the repo -- the README
# only mentions vault encryption for hosts, so confirm those templates are
# vault-encrypted too. With domain_name: chinasoft.com.br the src resolves to
# chinasoft_com_br.crt.j2 / .key.j2, which the tree listing above does not
# contain; the task fails unless those templates are added.
- name: upload certification file to server
  template:
    src: "{{item.src}}"
    dest: "{{certification_dest_path}}/{{item.dest}}"
    owner: apache
    group: users
    mode: 0644
  with_items:
    - { src: "{{domain_name|regex_replace(‘\\.‘ , ‘_‘)}}.crt.j2", dest: "{{domain_name|regex_replace(‘\\.‘ , ‘_‘)}}.crt" }
    - { src: "{{domain_name|regex_replace(‘\\.‘ , ‘_‘)}}.key.j2", dest: "{{domain_name|regex_replace(‘\\.‘ , ‘_‘)}}.key" }