Ansible 小記 - 用 playbook 安裝 nginx

上次介紹 playbook
接下來要在沒有很了解 playbook 以及 module 的情況下, 來實驗書上的第一個 playbook - nginx 安裝.

接下來的筆記就會規劃 不同 module 的指令還有 playbook 的實作

Lab: 安裝 nginx without TLS

在 playbook 目錄下

$ vi   web-notls.yml

- name: Configure webserver with nginx

 hosts: webservers

 sudo: True

 tasks:

   - name: install nginx

     apt: name=nginx update_cache=yes

   - name: copy nginx config file

     copy: src=files/nginx.conf  dest=/etc/nginx/sites-available/default

   - name: enable configuration

     file: >

       dest=/etc/nginx/sites-enabled/default

       src=/etc/nginx/sites-available/default

       state=link

   - name: copy index.html

     template: src=templates/index.html.j2 dest=/usr/share/nginx/html/index.html

       mode=0644

   - name: restart nginx

     service: name=nginx state=restarted

建立 預設的 conf 檔案( 對應上方的設定 )

在 playbook 目錄下

$ mkdir  files

建立設定檔

$ vi  files/nginx.conf

server {

       listen 80 default_server;

       listen [::]:80 default_server ipv6only=on;

       root /usr/share/nginx/html;

       index index.html index.htm;

       server_name localhost;

       location / {

                try_files $uri $uri/ =404;

       }

}

建立 templates 目錄

在 playbook 目錄下

$ mkdir  templates

建立首頁的範本

$ vi   templates/index.html.j2

<html>

<head>

   <title>Welcome to ansible</title>

</head>

<body>

<h1>nginx, configured by Ansible</h1>

<p>If you can see this, Ansible successfully installed nginx.</p>

<p>{{ ansible_managed }}</p>

</body>

</html>

修改 hosts 檔案( 因為上面的 web-notls.yml 對象是 webservers 群組  )

在 playbook 目錄下

新增 webservers 群組

$ vi  hosts

ubuntu_utah ansible_ssh_host=pcvm2-13.utah.geniracks.net

ubuntu_cenic ansible_ssh_host=pcvm2-28.instageni.cenic.net

[geni]

ubuntu_utah

ubuntu_cenic

[webservers]

ubuntu_utah

測試群組

$ ansible   webservers   -m ping

ubuntu_utah | success >> {

   "changed": false,

   "ping": "pong"

}

觀察目前目錄下物件

$ ls -R

ansible.cfg   files         hosts         templates     web-notls.yml

./files:

nginx.conf

./templates:

index.html.j2

執行  playbook

$ ansible-playbook   web-notls.yml

驗證 webservers 主機的 port 80

成功之後來進行另外一個 Lab

Lab: 使用 TLS support 的 nginx

在 playbooks 目錄下

$ vi   web-tls.yml

- name: Configure webserver with nginx and tls

 hosts: webservers

 sudo: True

 vars:

   key_file: /etc/nginx/ssl/nginx.key

   cert_file: /etc/nginx/ssl/nginx.crt

   conf_file: /etc/nginx/sites-available/default

   server_name: localhost

 tasks:

   - name: Install nginx

     apt: name=nginx update_cache=yes cache_valid_time=3600

   - name: create directories for ssl certificates

     file: path=/etc/nginx/ssl state=directory

   - name: copy TLS key

     copy: src=files/nginx.key dest={{ key_file }} owner=root mode=0600

     notify: restart nginx

   - name: copy TLS certificate

     copy: src=files/nginx.crt dest={{ cert_file }}

     notify: restart nginx

   - name: copy nginx config file

     template: src=templates/nginx.conf.j2 dest={{ conf_file }}

     notify: restart nginx

   - name: enable configuration

     file: dest=/etc/nginx/sites-enabled/default src={{ conf_file }} state=link

     notify: restart nginx

   - name: copy index.html

     template: src=templates/index.html.j2 dest=/usr/share/nginx/html/index.html mode=0644

 handlers:

   - name: restart nginx

     service: name=nginx state=restarted

手動建立憑證

在 playbooks 目錄下

使用 openssl 指令建立憑證

$ openssl  req  -x509  -nodes  -days 3650 -newkey rsa:2048 -subj /CN=localhost -keyout files/nginx.key -out files/nginx.crt

Generating a 2048 bit RSA private key

........................................+++

...............................................+++

writing new private key to 'files/nginx.key'

-----

驗證輸出

$ ls   files/

nginx.conf nginx.crt  nginx.key

建立 nginx.conf.j2  給支援 tls 設定檔使用 ( 跟沒有 TLS 的差異為紅色部分 )

在 playbooks 目錄下

$ vi  templatess/nginx.conf.j2

server {

       listen 80 default_server;

       listen [::]:80 default_server ipv6only=on;

       listen 443 ssl;

       root /usr/share/nginx/html;

       index index.html index.htm;

       server_name {{ server_name }};

       ssl_certificate {{ cert_file }};

       ssl_certificate_key {{ key_file }};

       location / {

                try_files $uri $uri/ =404;

       }

}

使用之前已經安裝過的主機測試  playbook

$ ansible-playbook   web-tls.yml

PLAY [Configure webserver with nginx and tls] *********************************

GATHERING FACTS ***************************************************************

ok: [ubuntu_utah]

TASK: [Install nginx] *********************************************************

ok: [ubuntu_utah]

TASK: [create directories for ssl certificates] *******************************

ok: [ubuntu_utah]

TASK: [copy TLS key] **********************************************************

ok: [ubuntu_utah]

TASK: [copy TLS certificate] **************************************************

ok: [ubuntu_utah]

TASK: [copy nginx config file] ************************************************

changed: [ubuntu_utah]

TASK: [enable configuration] **************************************************

ok: [ubuntu_utah]

TASK: [copy index.html] *******************************************************

changed: [ubuntu_utah]

NOTIFIED: [restart nginx] *****************************************************

changed: [ubuntu_utah]

PLAY RECAP ********************************************************************

ubuntu_utah                : ok=9    changed=3    unreachable=0    failed=0

測試完全新的 ubuntu_cenic 也okay

今天先到這邊

~ enjoy it