LAMP结合ansible一键自动化部署wordpress以及动静态数据存储

整体网站架构图

机器

master-61     跳板机堡垒机
lb-5              负载均衡,反向代理 
lb-6                负载均衡 ,反向代理
web-7              nginx(wordpress)
web-8               nginx(wordpress)
db-51                mariadb
db-52                mysql
nfs-31             共享目录  lsyncd 实时备份
backup-41          备份机,对nfs的共享目录中的文件做一个备份

综合架构大作业

[root@master-61 /etc/ansible/roles/nginx_server]#tree /etc/ansible/
/etc/ansible/
├── '
├── \\
├── all_server.yml
├── ansible.cfg
├── hosts
├── lsblk_server.yml
├── mariadb_server.yml
├── nfs_server.yml
├── nginx_server.yml
├── roles
│   ├── all_server
│   │   ├── files
│   │   │   └── yumrpm.repo
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   ├── lsblk_server
│   │   ├── files
│   │   │   ├── lsyncd.conf
│   │   │   └── rsync.pad
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   ├── mariadb_server
│   │   ├── files
│   │   │   └── yumrpm.repo
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   ├── nfs_server
│   │   ├── files
│   │   │   └── exports
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   │       └── main.yml
│   ├── nginx_server
│   │   ├── files
│   │   │   ├── fastcgi_params
│   │   │   ├── latest-zh_CN.zip
│   │   │   ├── ssl_key
│   │   │   │   ├── server.crt
│   │   │   │   └── server.key
│   │   │   ├── wordpress.conf
│   │   │   └── yumrpm.repo
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   │       └── main.yml
│   ├── rsync_server
│   │   ├── files
│   │   │   ├── rsyncd.conf
│   │   │   └── rsync.pwd
│   │   ├── handlers
│   │   │   └── main.yml
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   │       └── main.yml
│   ├── slb5_server
│   │   ├── files
│   │   │   ├── check_web.sh
│   │   │   ├── fastcgi_params
│   │   │   ├── keepalived.conf
│   │   │   ├── proxy_params.conf
│   │   │   ├── ssl_key
│   │   │   │   ├── server.crt
│   │   │   │   └── server.key
│   │   │   └── wordpress.conf
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   ├── slb6_server
│   │   ├── files
│   │   │   ├── check_vip.sh
│   │   │   ├── fastcgi_params
│   │   │   ├── keepalived.conf
│   │   │   ├── proxy_params.conf
│   │   │   ├── ssl_key
│   │   │   │   ├── server.crt
│   │   │   │   └── server.key
│   │   │   └── wordpress.conf
│   │   ├── handlers
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   └── vars
│   ├── sshd_server
│   │   ├── files
│   │   ├── handlers
│   │   │   └── main.yml
│   │   ├── tasks
│   │   │   └── main.yml
│   │   ├── templates
│   │   │   └── sshd_config.j2
│   │   └── vars
│   │       └── main.yml
│   └── web8_server
│       ├── files
│       │   └── wp-config.php
│       ├── handlers
│       ├── tasks
│       │   └── main.yml
│       ├── templates
│       └── vars
├── rsync_server.yml
├── slb5_server.yml
├── slb6_server.yml
├── sshd_server.yml
└── web8_server.yml

64 directories, 59 files

1、自建yum仓库

只下载不安装
yum install nfs-utils   --downloadonly   --downloaddir=/yumrepo/local_yum_rpm/


[root@master-61 /my-playbook]#mkdir /yumrpm
[root@master-61 /my-playbook]#cd /yumrpm/
[root@master-61 /yumrepo]#ls
[root@master-61 /yumrepo]#ls
all-rpm.tgz

[root@master-61 /yumrepo]#ll -h
total 84M
-rw-r--r-- 1 root root 84M Jun 14 13:52 all-rpm.tgz
[root@master-61 /yumrepo]#tar -zxf all-rpm.tgz 
[root@master-61 /yumrepo]#ll
total 85732
-rw-r--r-- 1 root root 87772321 Jun 14 13:52 all-rpm.tgz
drwxr-xr-x 2 root root    12288 Jun 14 13:38 local_yum_rpm


[root@master-61 /yumrpm]#yum install nginx -y


[root@master-61 /yumrpm]#cd /etc/nginx/conf.d/

[root@master-61 /etc/nginx/conf.d]#ls 
[root@master-61 /etc/nginx/conf.d]#vim download.conf
[root@master-61 /etc/nginx/conf.d]#cat download.conf 
# nginx on master-61: exposes /yumrpm (the createrepo output) as a browsable
# yum repository for the other hosts. `listen 23456` without an address binds
# every interface, so the repo is reachable on 10.0.0.61 (used in yumrpm.repo)
# as well as on the internal 172.16.1.61 address.
server {

    listen 23456;
    server_name localhost;
    charset utf-8;
    location / {

        root /yumrpm/;
        # Directory listing is intentional: clients and humans browse the repo.
	autoindex on;
        autoindex_localtime on;
        autoindex_exact_size off;
    }
}


[root@master-61 /etc/nginx/conf.d]#systemctl start nginx
[root@master-61 /etc/nginx/conf.d]#systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.



[root@master-61 /etc/nginx/conf.d]#yum install createrepo -y

[root@master-61 /yumrepo]#createrepo  /yumrpm/
Spawning worker 0 with 42 pkgs
Spawning worker 1 with 41 pkgs
Spawning worker 2 with 41 pkgs
Spawning worker 3 with 41 pkgs
Workers Finished
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete




[root@web-7 /etc/yum.repos.d]#cat yumrpm.repo 
[all-rpm]
name=all  repo
baseurl=http://10.0.0.61:23456
enabled=1
gpgcheck=0

[root@web-7 /etc/yum.repos.d]#yum clean all
[root@web-7 /etc/yum.repos.d]#yum makecache

2、免密登录(5、6、7、8、31、41、52)机器(bash脚本实现)

[root@master-61 /my-ssh]#cat mianmi.sh 
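#!/bin/bash
# Push master-61's SSH public key to the managed hosts, then harden each
# host's sshd: key-only login, listening on the internal address only.
# Run as root on master-61. sshd is restarted separately by ssh_restart.sh.

# Last octets of the managed hosts on 172.16.1.0/24; every step below walks
# this same list (the original repeated the brace list in each loop).
readonly HOSTS=(5 6 7 8 31 41 52)
readonly NET='172.16.1'
# All ssh-keygen/ssh-copy-id output is appended here (the original used '>'
# and so kept only the last host's output).
readonly LOG='/tmp/xming_ssh.log'
# Initial root password of the managed hosts. Handed to sshpass through the
# environment (-e) instead of -p so it does not appear in the process list.
export SSHPASS='222222'

#1. Create the key pair on the control node if it does not exist yet.
echo "开始创建密钥对"
if [ -f /root/.ssh/id_rsa ]; then
  echo "密钥对已存在,请检查"
else
  ssh-keygen -f /root/.ssh/id_rsa -N '' >>"$LOG" 2>&1
fi

#2. Install sshpass on the control node so ssh-copy-id runs non-interactively.
yum install sshpass -y

echo "发送公钥中...分发的机器列表为{5,6,7,8,31,41,52}"
for ip in "${HOSTS[@]}"; do
  host="root@${NET}.${ip}"
  # StrictHostKeyChecking=no accepts whatever host key is presented on this
  # first contact; acceptable for freshly provisioned hosts on the internal
  # network, but it means a spoofed host would not be noticed here.
  sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "$host" >>"$LOG" 2>&1
  echo "正在验证免密结果"
  echo "远程获取主机名:$(ssh "$host" hostname)"
done

#3. Switch each host's sshd to key-only login. The sed patterns match the
#   commented default lines as well, so 'c' replaces them with the wanted value.
for ip in "${HOSTS[@]}"; do
  host="root@${NET}.${ip}"
  echo "正修改允许公钥登录参数...当前操作的机器是${NET}.${ip}"
  ssh "$host" "sed -i '/PubkeyAuthentication/c PubkeyAuthentication yes' /etc/ssh/sshd_config"
  echo "正修改禁止密码登录参数...当前操作的机器是${NET}.${ip}"
  ssh "$host" "sed -i '/PasswordAuthentication/c PasswordAuthentication no' /etc/ssh/sshd_config "
done

#4. Bind sshd to the host's internal address only.
for ip in "${HOSTS[@]}"; do
  host="root@${NET}.${ip}"
  echo "正在修改监听地址...当前操作的机器是${NET}.${ip}"
  ssh "$host" "sed -i '/ListenAddress 0.0.0.0/c ListenAddress  ${NET}.${ip}' /etc/ssh/sshd_config "
done

#5. Print the resulting sshd settings of every host for a visual check.
for ip in "${HOSTS[@]}"; do
  host="root@${NET}.${ip}"
  echo "当前正在检查的机器${NET}.${ip}"
  ssh "$host" "grep -E '^(PasswordAuthentication|PubkeyAuthentication|ListenAddress)' /etc/ssh/sshd_config"
done

echo '============批量修改目标机器sshd配置文件已完成==========='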

[root@master-61 /my-ssh]#cat ssh_restart.sh 
#!/bin/bash
# Restart sshd on every managed host so the sshd_config edits made by
# mianmi.sh take effect. Run from master-61 after key login has been verified.

hosts=(5 6 7 8 31 41 52)

for n in "${hosts[@]}"; do
  target="172.16.1.${n}"
  echo "正在重启sshd服务...当前机器是${target}"
  ssh "root@${target}" "systemctl restart sshd"
done


[root@master-61 /my-ssh]#cat ssh_restart.sh 
#!/bin/bash
# Restart sshd on the managed hosts (applies the sshd_config edits from mianmi.sh).

# $1: last octet of the host on 172.16.1.0/24
restart_sshd() {
  local addr="172.16.1.$1"
  echo "正在重启sshd服务...当前机器是${addr}"
  ssh "root@${addr}" "systemctl restart sshd"
}

for octet in 5 6 7 8 31 41 52; do
  restart_sshd "$octet"
done

3、ansible列表

[root@master-61 /etc/ansible/roles/nginx_server]#tail -24 /etc/ansible/hosts 
# Inventory tail. [all:vars] applies to every host below. The SSH password is
# stored here in clear text; once mianmi.sh has set PasswordAuthentication no
# on the hosts, only key login works and this line does no work any more —
# drop it, or keep it in an ansible-vault file if password login is ever needed.
[all:vars]
ansible_password=222222

# nginx + php-fpm WordPress nodes (roles nginx_server, web_server)
[web]
172.16.1.7 
172.16.1.8

# NFS export of wp-content/uploads, plus lsyncd (roles nfs_server, lsblk_server)
[nfs]
172.16.1.31

# rsync daemon that receives the lsyncd push (role rsync_server)
[rsync]
172.16.1.41

# MariaDB (role mariadb_server)
[db]
172.16.1.52

# keepalived MASTER / BACKUP load balancers
[slb5]
172.16.1.5

[slb6]
172.16.1.6

4、一键ansible发送yum仓库+ntp时间同步

61机器
[root@master-61 ~]#yum install  ntp -y
使用阿里云的时间同步服务器
server times.aliyun.com iburst prefer 
server ntp.aliyun.com iburst
server cn.pool.ntp.org iburst

启动
systemctl start ntpd
[root@master-61 ~]#systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.

[root@master-61 /etc/ansible]#tree roles/all_server/
roles/all_server/
├── files
│   └── yumrpm.repo
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

5 directories, 2 files

1)files

[root@master-61 /etc/ansible/roles/all_server]#cat files/yumrpm.repo 
# Self-built repo served by nginx on master-61 (download.conf, port 23456,
# root /yumrpm). gpgcheck=0 over plain http means package integrity rests on
# trusting the 10.0.0.0/24 network and master-61 itself; signing the repo and
# setting gpgcheck=1 would let clients detect swapped or tampered rpms.
[all-rpm]
name=all  repo
baseurl=http://10.0.0.61:23456
enabled=1
gpgcheck=0

时间同步61机器
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 172.16.1.61 iburst prefer 

2)tasks

[root@master-61 /etc/ansible/roles/all_server]#cat tasks/main.yml 
  # Role all_server (applied to hosts: all): point every host at the
  # self-built yum repo on master-61 and sync time from it.
  - name: 删除原来yum源
    # Wipes every existing repo definition; afterwards the hosts depend
    # entirely on the repo below (plain http, gpgcheck=0 in yumrpm.repo).
    shell: "rm -rf /etc/yum.repos.d/* warn=false"
  - name: 发送自建源
    copy: 
      src: yumrpm.repo
      dest: /etc/yum.repos.d/yumrpm.repo
  - name: 清理缓存
    shell: "yum  clean all warn=false"
  - name: 下载ntp时间同步服务
    yum:
      name: ntp
      state: latest
  - name: 发送配置文件
    # NOTE(review): the tree of roles/all_server/files shown above lists only
    # yumrpm.repo — confirm ntp.conf is present there, otherwise this task fails.
    copy: 
      src: ntp.conf
      dest: /etc/ntp.conf
  - name: 启动ntpd服务
    systemd:
        name: ntpd
        state: started
        enabled: yes


3)role

[root@master-61 /etc/ansible]#cat all_server.yml 
- hosts: all
  roles:
    - all_server

5、web集群剧本

[root@master-61 /etc/ansible/roles/nginx_server]#tree 
.
├── files
│   ├── fastcgi_params
│   ├── latest-zh_CN.zip
│   ├── ssl_key
│   │   ├── server.crt
│   │   └── server.key
│   ├── wordpress.conf
│   └── yumrpm.repo
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars
    └── main.yml

6 directories, 8 files

1)配置文件(files)

1、nginx配置文件
# Web node vhost: serves WordPress from /code/wordpress and hands *.php to the
# local php-fpm. TLS terminates on the load balancers; this vhost is plain http.
server{
    listen 80;
    server_name wordpress.afeitt.cn;

    root /code/wordpress;
    index index.php index.html;

    # NOTE(review): every *.php anywhere under the root is executed, including
    # files written into wp-content/uploads (www-writable and NFS-mounted by the
    # nginx_server role). A location that refuses .php under /wp-content/uploads/
    # would stop an uploaded script from being run as code.
    location ~*  \.php$ {

        root /code/wordpress;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # The role's own copy of fastcgi_params, which forces HTTPS on.
        include /etc/nginx/fastcgi_params;
    }
}
2、参数文件
[root@master-61 /etc/ansible/roles/nginx_server]#cat files/fastcgi_params 

# fastcgi parameters shipped to the web nodes by the nginx_server role and
# included by wordpress.conf for every *.php request.
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# enable https
# Forced on because TLS terminates at the load balancers and the hop to the
# web nodes is plain http; WordPress then generates https URLs.
# NOTE(review): HTTPS is also set from $https above — confirm which of the two
# values php-fpm ends up seeing.
fastcgi_param HTTPS on;

2)任务文件(tasks)

[root@master-61 /etc/ansible/roles/nginx_server]#cat tasks/main.yml 
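    # Role nginx_server (hosts: web): nginx + php-fpm running as www, WordPress
    # unpacked under /code, uploads mounted from the NFS export on 172.16.1.31.
    # user_name, id and app_name come from vars/main.yml.
    - name: 1 创建组
      group:
        name: "{{ user_name }}"
        gid: "{{ id }}"
    - name: 2 创建用户
      user:
        name: "{{ user_name }}"
        uid: "{{ id }}"
        group: "{{ user_name }}"
        create_home: no
        shell: /sbin/nologin
    - name: 3 下载nginx、php服务
      yum:
        name: "{{ item }}"
        state: latest
      loop: "{{ app_name }}"
    # php-fpm must run with the same uid/gid (666) that the NFS export squashes
    # to (anonuid/anongid in files/exports), or uploads are not writable.
    - name: 4 修改php-fpm配置文件
      shell: "sed -i '/^user/c user = www' /etc/php-fpm.d/www.conf warn=false"
    - name: 5 修改php-fpm配置文件
      shell: "sed -i '/^group/c group = www' /etc/php-fpm.d/www.conf warn=false"
    - name: 6 启动服务,设置开机自启
      systemd:
        name: "{{ item }}"
        state: started
        enabled: yes
      loop:
        - nginx
        - php-fpm
    - name: 7 创建目录
      file:
        path: /code/
        owner: www
        group: www
        state: directory
    - name: 8 解压源码包
      unarchive:
        src: latest-zh_CN.zip
        dest: /code/
    # Recursive chown through the file module instead of a shell `chown -R`;
    # idempotent and reported as changed only when something was fixed.
    - name: 9 创建目录
      file:
        path: /code/wordpress/
        owner: www
        group: www
        state: directory
        recurse: yes
    - name: 10 创建文件
      file:
        path: /code/wordpress/wp-content/uploads
        state: directory
    - name: 11 清空虚拟机
      shell: "rm -rf /etc/nginx/conf.d/* warn=false"
    - name: 12 创建wordppress虚拟机
      copy:
        src: wordpress.conf
        dest: /etc/nginx/conf.d/wordpress.conf
    - name: 13 发送fastcgi_params 支持https请求
      copy:
        src: fastcgi_params
        dest: /etc/nginx/fastcgi_params
    # systemd module instead of `shell: systemctl restart nginx`.
    - name: 14 重启nginx
      systemd:
        name: nginx
        state: restarted
    - name: 15 下载nfs
      yum:
        name: "{{ item }}"
        state: latest
      loop:
        - nfs-utils
        - rpcbind
    # state: mounted also writes the fstab entry, so the mount survives a reboot.
    - name: 16 挂载共享目录
      mount:
        src: 172.16.1.31:/my-wordpress
        path: /code/wordpress/wp-content/uploads
        fstype: nfs
        state: mounted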

3)变量文件(vars)

[root@master-61 /etc/ansible]#cat roles/nginx_server/vars/main.yml 
user_name: www
id: 666
app_name: 
  - nginx
  - php71w-cli 
  - php71w-common 
  - php71w-devel 
  - php71w-embedded 
  - php71w-gd 
  - php71w-mcrypt 
  - php71w-mbstring 
  - php71w-pdo 
  - php71w-xml  
  - php71w-fpm  
  - php71w-mysqlnd  
  - php71w-opcache 
  - php71w-pecl-memcached 
  - php71w-pecl-redis 
  - php71w-pecl-mongodb 
  - php71w-json 
  - php71w-pecl-apcu 
  - php71w-pecl-apcu-devel

4)角色文件

[root@master-61 /etc/ansible]#cat nginx_server.yml 
- hosts: web
  roles:
    - nginx_server

5)执行命令

[root@master-61 /etc/ansible]#ansible-playbook  nginx_server.yml

6、db集群剧本

[root@master-61 /etc/ansible/roles]#mkdir mariadb_server/{files,handlers,tasks,templates,vars}
[root@master-61 /etc/ansible/roles]#tree mariadb_server/
mariadb_server/
├── files
├── handlers
├── tasks
├── templates
└── vars

[root@master-61 /etc/ansible]#tree roles/mariadb_server/
roles/mariadb_server/
├── files
│   └── yumrpm.repo
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

1)配置文件(files)

2)任务文件(tasks)

[root@master-61 /etc/ansible/roles/mariadb_server]#cat tasks/main.yml 
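    # Role mariadb_server (hosts: db): install MariaDB, set the root password,
    # create the WordPress database and a remote user for the web nodes.
    - name: 1 下载服务mariadb
      yum:
        name: "{{ item }}"
        state: latest
      loop:
        - mariadb-server
        - mariadb
    - name: 2 启动服务设置开机自启
      systemd:
        name: mariadb
        state: started
        enabled: yes
    # Tasks 3-5 pass database passwords on the command line. no_log keeps them
    # out of ansible's output and logs; they are still visible in the process
    # list on db-52 while each command runs. NOTE(review): task 3 is expected
    # to fail on a re-run once root already has a password — not verified here.
    - name: 3 修改密码授予远程访问
      shell: "mysqladmin  password '333333'"
      no_log: true
    # NOTE(review): this grants ALL on every database to afei from any host ('%').
    # WordPress only needs the wordpress database from the web nodes
    # (172.16.1.7/8); `on wordpress.* to afei@'172.16.1.%'` is the least-privilege
    # form, to be applied once wp-config.php (not shown on this page) is
    # confirmed to connect as afei.
    - name: 4 创建非交互式远程连接用户
      shell: mysql -uroot -p333333  -e "grant all privileges on *.* to afei@'%' identified by '333333';"
      no_log: true
    - name: 5 创建wordpress数据库
      shell: mysql -uroot -p333333 -e "create database wordpress"
      no_log: true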

3)角色文件

[root@master-61 /etc/ansible]#cat mariadb_server.yml 
- hosts: db
  roles:
    - mariadb_server

4)执行命令

[root@master-61 /etc/ansible]#ansible-playbook  mariadb_server.yml

7、NFS剧本

[root@master-61 /etc/ansible/roles]#tree nfs_server/
nfs_server/
├── files
│   └── exports
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars
    └── main.yml

5 directories, 3 files

1)任务剧本(tasks)

[root@master-61 /etc/ansible/roles/nfs_server]#cat tasks/main.yml 
    # Role nfs_server (hosts: nfs): export /my-wordpress to the web nodes,
    # owned by www (uid/gid from vars/main.yml, matching the all_squash anon ids).
    - name: 1 下载服务
      yum:
        name: "{{ item }}"
        state: latest
      loop: [nfs-utils, rpcbind]
    - name: 2 启动nfs服务
      systemd:
        name: "{{ item }}"
        state: started
        enabled: yes
      loop: [nfs, rpcbind.socket]
    - name: 3 创建组
      group:
        name: "{{ user_name }}"
        gid: "{{ id }}"
    - name: 4 创建用户
      user:
        name: "{{ user_name }}"
        uid: "{{ id }}"
        group: "{{ user_name }}"
        create_home: no
        shell: /sbin/nologin
    - name: 5 创建挂载目录
      file:
        path: /my-wordpress
        owner: "{{ user_name }}"
        group: "{{ user_name }}"
        state: directory
    - name: 6 发送配置文件
      copy:
        src: exports
        dest: /etc/exports
    # reload re-reads /etc/exports without dropping existing mounts.
    - name: 7 更新配置文件
      systemd:
        name: nfs
        state: reloaded

2)变量剧本(vars)

[root@master-61 /etc/ansible/roles/nfs_server]#cat vars/main.yml 
user_name: www
id: 666

3)文件剧本(files)

[root@master-61 /etc/ansible/roles/nfs_server]#cat files/exports 
/my-wordpress 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)

8、lsblk剧本

[root@master-61 /etc/ansible/roles/lsblk_server]#tree
.
├── files
│   ├── lsyncd.conf
│   └── rsync.pad
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

5 directories, 3 files

1)tasks

[root@master-61 /etc/ansible/roles/lsblk_server]#cat tasks/main.yml 
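    # Role lsblk_server (hosts: nfs): lsyncd on nfs-31 mirrors /my-wordpress to
    # the rsync daemon on backup-41; config and daemon password live in files/.
    - name: 1 下载lsyncd服务
      yum:
        name: lsyncd
        state: latest
    - name: 2 将在本地写好的配置文件密码文件发给31机器
      copy:
        src: "{{ item.src }}"
        dest: /etc/
        mode: "{{ item.mode }}"
      loop:
        - { src: lsyncd.conf, mode: '644' }
        # rsync.pad holds the rsync daemon password in clear text; 600 keeps it
        # readable by root only.
        - { src: rsync.pad, mode: '600' }
    # enabled: yes added so lsyncd comes back after a reboot, as the other
    # roles already do for their services.
    - name: 3 启动lsyncd服务
      systemd:
        name: lsyncd
        state: started
        enabled: yes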

2)files

[root@master-61 /etc/ansible/roles/lsblk_server]#cat files/lsyncd.conf 
-- lsyncd on nfs-31: pushes /my-wordpress (the NFS export holding WordPress
-- uploads) to the rsync daemon on backup-41 as files change.
settings {
    logfile      ="/var/log/lsyncd/lsyncd.log",
    statusFile   ="/var/log/lsyncd/lsyncd.status",
    inotifyMode  = "CloseWrite",
    maxProcesses = 8,
    }

sync {
    default.rsync,
    source    = "/my-wordpress",
    -- rsync module "tantan" on backup-41, authenticated as rsync_xming.
    target    = "rsync_xming@172.16.1.41::tantan",
    -- delete=true makes the target a mirror, not a history: a file removed
    -- from the NFS share is removed on backup-41 shortly after.
    delete= true,
    exclude = {".*"},
    delay=1,
    rsync     = {
        binary    = "/usr/bin/rsync",
        archive   = true,
        compress  = true,
        verbose   = true,
        -- Clear-text daemon password, shipped with mode 600 by the role.
        password_file="/etc/rsync.pad",
        -- Caps transfer bandwidth so an upload burst does not saturate the link.
        _extra={"--bwlimit=200"}
        }
    }
[root@master-61 /etc/ansible/roles/lsblk_server]#cat files/rsync.pad 
111111

3)role

[root@master-61 /etc/ansible]#cat lsblk_server.yml 
- hosts: nfs
  roles:
    - lsblk_server

9、rsync_server

[root@master-61 /etc/ansible/roles/slb5_server]#tree /etc/ansible/roles/rsync_server/
/etc/ansible/roles/rsync_server/
├── files
│   ├── rsyncd.conf
│   └── rsync.pwd
├── handlers
│   └── main.yml
├── tasks
│   └── main.yml
├── templates
└── vars
    └── main.yml

5 directories, 5 files

1)tasks

[root@master-61 /etc/ansible/roles/rsync_server]#cat tasks/main.yml 
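    # Role rsync_server (hosts: rsync): rsync daemon on backup-41 that receives
    # the lsyncd push from nfs-31. user_name/id come from vars/main.yml.
    - name: 1 下载rsyncd服务
      yum:
        name: rsync
        state: latest
    - name: 2 创建www组
      group:
        name: "{{ user_name }}"
        gid: "{{ id }}"
    - name: 3 创建www用户
      user:
        name: "{{ user_name }}"
        uid: "{{ id }}"
        # Primary group by name, as the nginx_server and nfs_server roles do;
        # the original passed the numeric id here.
        group: "{{ user_name }}"
        create_home: no
        shell: /sbin/nologin
    - name: 4 创建目录及授权
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ user_name }}"
        group: "{{ user_name }}"
        mode: "755"
      loop:
        - /tantan
        - /momo
    - name: 5 将本地写好的配置文件密码文件发给41机器
      copy:
        src: "{{ item.src }}"
        dest: /etc/
        mode: "{{ item.mode }}"
      notify:
        - restart-rsyncd.service
      loop:
        - { src: rsyncd.conf, mode: '644' }
        # rsync.pwd holds user:password in clear text; rsyncd (strict modes)
        # refuses a secrets file readable by others, so 600 is required as well
        # as prudent.
        - { src: rsync.pwd, mode: '600' }
    - name: 6 启动服务
      systemd:
        name: rsyncd
        state: started
        enabled: yes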

2)files

[root@master-61 /etc/ansible/roles/rsync_server]#cat files/rsyncd.conf 
# rsync daemon on backup-41: receives the lsyncd push from nfs-31.
# Runs as the unprivileged xming account created by the rsync_server role;
# fake super lets it record ownership without running as root.
uid = xming
gid = xming
port = 873
fake super = yes 
# With chroot off, clients are confined to the module path= lines alone;
# chroot would be a second line of defence if rsync itself misbehaved.
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
# Modules are not listable and every client must authenticate as rsync_xming
# against the secrets file (shipped with mode 600 by the role).
list = false
auth users = rsync_xming
secrets file = /etc/rsync.pwd
log file = /var/log/rsyncd.log
####################################
[tantan]
comment = yuchaoit.cn about rsync
path = /tantan

[momo]
path = /momo
[root@master-61 /etc/ansible/roles/rsync_server]#cat files/rsync.pwd 
rsync_xming:111111

3)vars

[root@master-61 /etc/ansible/roles/rsync_server]#cat vars/main.yml 
user_name: 'xming'
id: '2222'

4)role

[root@master-61 /etc/ansible]#cat rsync_server.yml 
- hosts: rsync
  roles:
    - rsync_server

10、web7发送数据库文件到web8

[root@master-61 /etc/ansible/roles]#tree web_server/
web_server/
├── files
│   └── wp-config.php
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

5 directories, 2 files

1)tasks

[root@master-61 /etc/ansible/roles/web_server]#cat tasks/main.yml 
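  # Role web_server (hosts: web): push the shared wp-config.php (database
  # credentials) to the web nodes and make the WordPress tree owned by www.
  - name: 发送数据库文件到8
    copy:
      src: wp-config.php
      dest: /code/wordpress/wp-config.php
      # wp-config.php holds the database password; php-fpm runs as www (see the
      # nginx_server role), so www:www 0640 is enough and keeps other local
      # users from reading it.
      owner: www
      group: www
      mode: '0640'
  # Recursive chown via the file module instead of a shell `chown -R`.
  - name: 7 创建目录
    file:
      path: /code/wordpress/
      owner: www
      group: www
      state: directory
      recurse: yes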

2)files

[root@master-61 /etc/ansible]#cat roles/web8_server/files/wp-config.php 

3)role

[root@master-61 /etc/ansible]#cat web_server.yml 
- hosts: web
  roles:
    - web_server

11、负载均衡slb5

[root@master-61 /etc/ansible]#tree roles/slb5_server/
roles/slb5_server/
├── files
│   ├── check_web.sh
│   ├── fastcgi_params
│   ├── keepalived.conf
│   ├── proxy_params.conf
│   ├── ssl_key
│   │   ├── server.crt
│   │   └── server.key
│   └── wordpress.conf
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

6 directories, 8 files
1.创建证书实现https
1、安装openssl
yum  install  openssl openssl-devel -y
2、创建目录
mkdir /etc/ansible/roles/nginx_server/files/ssl_key
3、进入目录
cd  /etc/ansible/roles/nginx_server/files/ssl_key
4、输入密码,创建私钥文件
[root@master-61 /etc/ansible/roles/nginx_server/files/ssl_key]#openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:afei11
Verifying - Enter pass phrase for server.key:afei11

5、填写证书文件
[root@master-61 /etc/ansible/roles/nginx_server/files/ssl_key]#openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................+++
........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:Cn
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:afeitt.cn
Organizational Unit Name (eg, section) []:afeitt.cn
Common Name (eg, your name or your server's hostname) []:afeitt.cn
Email Address []:1398787859@qq.com
[root@master-61 /etc/ansible/roles/nginx_server/files/ssl_key]#ls
server.crt  server.key

1)files

1、脑裂脚本
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/check_web.sh 
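#!/bin/bash
# keepalived vrrp_script for lb-5: if nginx is not running, try to restart it;
# if the restart fails, stop keepalived so the VIP moves to the peer.

# Count nginx processes; the [x] keeps the grep itself out of the match.
NGINX_STATUS=$(ps -ef | grep -c 'ngin[x]')
# nginx is down
if [ "${NGINX_STATUS}" -eq 0 ]; then
  # Any non-zero status is a failed restart (the original only caught exit
  # code 1, so other failures left keepalived holding the VIP).
  if ! systemctl restart nginx; then
    # Nothing left to serve here; release the VIP to the backup node.
    systemctl stop keepalived
  fi
fi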
2、参数文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/fastcgi_params 

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# enable https
fastcgi_param HTTPS on;

3、keepalived配置文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/keepalived.conf 
# keepalived on lb-5: VRRP MASTER (priority 150) for virtual_router_id 50,
# tracking nginx through check_web.sh.
global_defs {
    router_id lb-5
}

# check_web.sh restarts nginx and stops keepalived if that fails (see files/).
vrrp_script check_web {
    script "/etc/keepalived/check_web.sh"
    interval 5
}

vrrp_instance VIP_1 {
    state MASTER
        interface eth0
        virtual_router_id 50
        priority 150
        advert_int 1
        # VRRP PASS authentication is a plain-text shared secret on the LAN;
        # it guards against misconfigured peers, not deliberate ones.
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        # NOTE(review): lb-6's keepalived.conf on this page announces 10.0.0.11
        # for the same virtual_router_id, and its check_vip.sh looks for
        # 10.0.0.11; the two nodes must agree on one VIP for failover to work.
        virtual_ipaddress {
            10.0.0.3
        }
        track_script {
            check_web
        }
}
4、代理文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/wordpress.conf 
# Load-balancer vhost (lb-5): redirect http to https, terminate TLS with the
# self-signed pair under /etc/nginx/ssl_key, and proxy to the web nodes.
upstream web-pools{
  server 172.16.1.7:80 weight=4;
  server 172.16.1.8:80 weight=1;

}

server{

  listen 80;
  server_name wordpress.afeitt.cn;
  # Temporary (302) redirect as written; `return 301 https://$server_name$request_uri;`
  # is the idiomatic permanent form.
  rewrite ^(.*) https://$server_name$1 redirect;
}  


server {
  
  listen 443 ssl;
  server_name wordpress.afeitt.cn;

  # Self-signed certificate valid for 36500 days (see the openssl step above);
  # browsers will warn. No ssl_protocols/ssl_ciphers are set, so nginx defaults apply.
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
    # The hop to the web nodes is plain http; they only learn the original
    # scheme through the forced `fastcgi_param HTTPS on` in their fastcgi_params.
    # proxy_params.conf sets Host and X-Forwarded-For.
    proxy_pass http://web-pools;
    include /etc/nginx/proxy_params.conf;

  }

}

5、反向代理参数文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/proxy_params.conf 
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

2)tasks

[root@master-61 /etc/ansible/roles/slb5_server]#cat tasks/main.yml 
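  # Role slb5_server (hosts: slb5): nginx reverse proxy with TLS termination
  # plus keepalived MASTER for the VIP; check_web.sh is the tracked script.
  - name: 1 下载keepalived
    yum:
      name: "{{ item }}"
      state: latest
    loop:
      - nginx
      - keepalived
  - name: 2 发送脑裂脚本
    copy:
      src: check_web.sh
      dest: /etc/keepalived/
  # file module instead of `shell: chmod +x`; idempotent and reports changes.
  - name: 3 修改权限
    file:
      path: /etc/keepalived/check_web.sh
      mode: '0755'
  - name: 4 发送配置文件
    copy:
      src: keepalived.conf
      dest: /etc/keepalived/keepalived.conf
  - name: 5 启动服务
    systemd:
      name: "{{ item }}"
      state: started
      enabled: yes
    loop:
      - keepalived
      - nginx
  # server.key is the TLS private key. Without an explicit mode the files land
  # with the default (usually 0644) permissions; nginx reads the key as root at
  # startup, so root-only access is sufficient.
  - name: 6 发送公私钥
    copy:
      src: ssl_key
      dest: /etc/nginx/
      mode: '0600'
      directory_mode: '0700'
  - name: 7 清空虚拟机
    shell: "rm -rf /etc/nginx/conf.d/* warn=false"
  - name: 8 发送反向代理文件
    copy:
      src: wordpress.conf
      dest: /etc/nginx/conf.d/wordpress.conf
  # NOTE(review): the LB vhost (files/wordpress.conf) does not include
  # fastcgi_params; this copy looks unused on the load balancers.
  - name: 9 发送fastcgi_params,支持https
    copy:
      src: fastcgi_params
      dest: /etc/nginx/
  - name: 10 发送fastcgi_params,支持https
    copy:
      src: proxy_params.conf
      dest: /etc/nginx/
  # systemd module instead of `shell: systemctl restart nginx`.
  - name: 11 重启nginx
    systemd:
      name: nginx
      state: restarted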

3)roles

[root@master-61 /etc/ansible]#cat slb5_server.yml 
- hosts: slb5
  roles:
    - slb5_server

12、负载均衡slb6

[root@master-61 /etc/ansible/roles/slb6_server]#tree
.
├── files
│   ├── check_vip.sh
│   ├── fastcgi_params
│   ├── keepalived.conf
│   ├── proxy_params.conf
│   ├── ssl_key
│   │   ├── server.crt
│   │   └── server.key
│   └── wordpress.conf
├── handlers
├── tasks
│   └── main.yml
├── templates
└── vars

6 directories, 8 files

1)files

1、脑裂脚本
[root@master-61 /etc/ansible/roles/slb6_server]#cat files/check_vip.sh 
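#!/bin/bash
# keepalived vrrp_script for lb-6 (BACKUP): detects a split brain where the
# MASTER (10.0.0.5) and this node both hold the VIP, and steps down.

VIP='10.0.0.11'
MASTER='10.0.0.5'

# BatchMode stops ssh from blocking on a password prompt and ConnectTimeout
# bounds an unreachable master; keepalived runs this every 5 s and the original
# unbounded ssh could hang it. A failed ssh yields 0 matches, i.e. no action.
# NOTE(review): this assumes lb-6's root key is accepted by lb-5 — mianmi.sh
# only distributes master-61's key, so confirm that trust exists.
MASTER_VIP=$(ssh -o BatchMode=yes -o ConnectTimeout=3 "${MASTER}" ip a | grep -cwF "${VIP}")
# -F -w: literal, whole-word match so 10.0.0.110-119 are not counted as the VIP.
MY_VIP=$(ip a | grep -cwF "${VIP}")
# The remote has the VIP and so do we -> stop our own keepalived
if [ "${MASTER_VIP}" -eq 1 ] && [ "${MY_VIP}" -eq 1 ]; then
  systemctl stop keepalived
fi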

2、参数文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/fastcgi_params 

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# enable https
fastcgi_param HTTPS on;

3、keepalived配置文件
[root@master-61 /etc/ansible/roles/slb6_server]#cat files/keepalived.conf 
# keepalived on lb-6: VRRP BACKUP (priority 100) for virtual_router_id 50,
# tracking check_vip.sh, which stops keepalived here if lb-5 also holds the VIP.
global_defs {
    # Run tracked scripts as root, and have keepalived check the script's
    # ownership and permissions before executing it.
    script_user root
    enable_script_security
    router_id lb-6
}

# script definition
vrrp_script check_vip {
    script "/etc/keepalived/check_vip.sh"
    interval 5 # seconds between runs
}

vrrp_instance VIP_1 {
    state BACKUP 
    interface eth0
    virtual_router_id 50
    priority 100
    advert_int 1
    # Plain-text VRRP PASS secret, shared with lb-5.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # NOTE(review): lb-5's keepalived.conf on this page announces 10.0.0.3 for
    # the same virtual_router_id; both nodes need the same VIP for failover.
    virtual_ipaddress {
        10.0.0.11
    }
    # run the script
    track_script {
        check_vip
    }
}
4、代理文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/wordpress.conf 
# Load-balancer vhost (same file as slb5_server's): http -> https redirect,
# TLS termination with the self-signed pair, proxy to the web nodes.
upstream web-pools{
  server 172.16.1.7:80 weight=4;
  server 172.16.1.8:80 weight=1;

}

server{

  listen 80;
  server_name wordpress.afeitt.cn;
  # Temporary (302) redirect as written; `return 301 https://$server_name$request_uri;`
  # is the idiomatic permanent form.
  rewrite ^(.*) https://$server_name$1 redirect;
}  


server {
  
  listen 443 ssl;
  server_name wordpress.afeitt.cn;

  # Self-signed certificate; no ssl_protocols/ssl_ciphers set, nginx defaults apply.
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
    # Plain http to the backends; proxy_params.conf adds Host and X-Forwarded-For.
    proxy_pass http://web-pools;
    include /etc/nginx/proxy_params.conf;

  }

}

5、反向代理参数文件
[root@master-61 /etc/ansible/roles/slb5_server]#cat files/proxy_params.conf 
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

2)tasks

[root@master-61 /etc/ansible/roles/slb6_server]#cat tasks/main.yml 
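  # Role slb6_server (hosts: slb6): nginx reverse proxy with TLS termination
  # plus keepalived BACKUP for the VIP; check_vip.sh is the tracked script.
  - name: 1 下载keepalived
    yum:
      name: "{{ item }}"
      state: latest
    loop:
      - nginx
      - keepalived
  - name: 2 发送脑裂脚本
    copy:
      src: check_vip.sh
      dest: /etc/keepalived/
  # Fix: the original ran chmod on check_web.sh, a file this role does not
  # ship, so check_vip.sh stayed non-executable and keepalived could not run
  # the tracked script.
  - name: 3 修改权限
    file:
      path: /etc/keepalived/check_vip.sh
      mode: '0755'
  - name: 4 发送配置文件
    copy:
      src: keepalived.conf
      dest: /etc/keepalived/keepalived.conf
  - name: 5 启动服务
    systemd:
      name: "{{ item }}"
      state: started
      enabled: yes
    loop:
      - keepalived
      - nginx
  # server.key is the TLS private key. Without an explicit mode the files land
  # with the default (usually 0644) permissions; nginx reads the key as root at
  # startup, so root-only access is sufficient.
  - name: 6 发送公私钥
    copy:
      src: ssl_key
      dest: /etc/nginx/
      mode: '0600'
      directory_mode: '0700'
  - name: 7 清空虚拟机
    shell: "rm -rf /etc/nginx/conf.d/* warn=false"
  - name: 8 发送反向代理文件
    copy:
      src: wordpress.conf
      dest: /etc/nginx/conf.d/wordpress.conf
  # NOTE(review): the LB vhost (files/wordpress.conf) does not include
  # fastcgi_params; this copy looks unused on the load balancers.
  - name: 9 发送fastcgi_params,支持https
    copy:
      src: fastcgi_params
      dest: /etc/nginx/
  - name: 10 发送fastcgi_params,支持https
    copy:
      src: proxy_params.conf
      dest: /etc/nginx/
  # systemd module instead of `shell: systemctl restart nginx`.
  - name: 11 重启nginx
    systemd:
      name: nginx
      state: restarted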

3)roles

[root@master-61 /etc/ansible]#cat slb6_server.yml 
- hosts: slb6
  roles:
    - slb6_server

执行顺序

ansible-playbook all_server.yml
ansible-playbook rsync_server.yml 
ansible-playbook nfs_server.yml
ansible-playbook lsblk_server.yml
ansible-playbook nginx_server.yml
ansible-playbook mariadb_server.yml
ansible-playbook web_server.yml
ansible-playbook slb5_server.yml
ansible-playbook slb6_server.yml
posted @ 2022-08-02 19:42  张开嘴