架构需求:
1 架构网站:zrlog wecenter wordpress cloud
3 要求: 实现两个负载均衡器代理并接入keepalived高可用
3 实现全站https加密
4 实现两个web站点
5 实现nfs服务器存储网站静态资源
6 实现backup服务器能实时有nfs同步(rsync/lsyncd)过来的数据
实现全网备份功能(rsync)
7 实现服务器内部共享上网
8 实现各服务器之间时间同步
9 实现ansible一键操作
10 实现teleport跳板机
11 实现firewall对负载均衡服务器开放指定端口
ansible:其功能实现基于SSH远程连接服务
批量系统配置、批量软件部署、批量文件拷贝、批量运行命令等功能
yum install epel-release -y
yum install ansible -y
生成公钥推送给每一台服务器
[root@m01 ~]# cat ssh-key.sh
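# Push the control node's public key to each managed host so Ansible can
# log in over SSH without a password. The numbers are the last octet of
# the 172.16.1.0/24 inventory addresses (nfs 31, backup 41, db 51,
# web 7/8). NOTE(review): the inventory also lists lb hosts 172.16.1.5/6
# - confirm whether they need the key too.
#
# The initial password is read by sshpass from the SSHPASS environment
# variable (-e) rather than passed with -p, so it no longer appears in
# `ps` output or the shell history for this command.
# ansible.cfg sets no remote_user, so the remote account is the invoking
# user (root on m01).
: "${SSHPASS:?set SSHPASS to the initial root password before running}"
for i in 31 41 51 7 8; do
  sshpass -e ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "root@172.16.1.${i}" \
    || printf 'key push to 172.16.1.%s failed\n' "$i" >&2
done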
[root@m01 ~]# ansible --version
ansible 2.7.8
[root@m01 ~]# tree /etc/ansible/
/etc/ansible/
├── ansible.cfg
├── hosts
└── roles
ansible文件
[root@m01 ansible_role]# cat ansible.cfg
[defaults]
# Inventory file kept next to this ansible.cfg in the ansible_role
# directory (the `cat hosts` listing below is that file).
# No remote_user is set, so connections use the invoking user - confirm
# this matches the account the ssh-key.sh loop pushed keys for.
inventory = ./hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp
#local_tmp = ~/.ansible/tmp
hosts文件
[root@m01 ansible_role]# cat hosts
# Inventory for top.yml. Groups overlap on purpose: 172.16.1.31 is the
# nfs server and 172.16.1.41 the backup server, and both are also in
# [oldboy] and [firewalld].
[oldboy]
172.16.1.31
172.16.1.41
[web]
172.16.1.7
172.16.1.8
# Group variable visible to every host in [web].
[web:vars]
inventory_var=inventory_variables
[nfs]
172.16.1.31
[backup]
172.16.1.41
[db]
172.16.1.51
# Load balancers; targeted by the kodcloud-proxy and keepalived plays.
[lb]
172.16.1.5
172.16.1.6
# Hosts that receive the firewalld role. NOTE(review): the lb hosts
# 172.16.1.5/6 are not in this group although the requirements list
# asks for firewall rules on the load balancers - confirm.
[firewalld]
172.16.1.7
172.16.1.8
172.16.1.51
172.16.1.41
172.16.1.31
top.yml文件
[root@m01 ansible_role]# cat top.yml
# Site playbook: one play per inventory group, in dependency order.
# The keepalived-only play and the base play are kept but disabled;
# with base disabled, roles that rely on the www user or the repos it
# adds should be checked for that assumption.
#- hosts: lb
#  roles:
#    - { role: keepalived , tags: kee }
#- hosts: all
#  roles:
#    - role: base
- hosts: db
  roles:
    - role: redis
    - role: mariadb
- hosts: nfs
  roles:
    - role: nfs
# NOTE(review): the php role shown later in these notes is not listed
# here; presumably it is pulled in as a dependency of nginx-web or
# kodcloud-web - verify.
- hosts: web
  roles:
    - role: nginx-web
    - role: kodcloud-web
- hosts: backup
  roles:
    - role: backup
      tags: backup
# Second nfs play, after backup, presumably so the rsync target exists
# before lsyncd starts replicating to it.
- hosts: nfs
  roles:
    - role: nfs-lsyncd
- hosts: all
  roles:
    - { role: ntp , tags: ntp }
- hosts: lb
  roles:
    - role: kodcloud-proxy
    - role: keepalived
- hosts: firewalld
  roles:
    - role: firewalld
      tags: fire
基础环境ansible部署
[root@m01 ansible_role]# tree base/
base/
|-- files
|-- handlers
| `-- main.yml
|-- tasks
| `-- main.yml
`-- templates
`-- sshd_config.j2
[root@m01 ansible_role]# cat base/tasks/main.yml
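# Base role: shared system user, firewalld/SELinux state, yum repos,
# sshd config and PAM limits for every host the role is applied to.
# NOTE(review): top.yml currently has the `hosts: all` / `role: base`
# play commented out, so nothing below runs unless that is re-enabled.
- name: create group
  group:
    name: www
    gid: 666
# Primary group given by name so it always resolves to the www group
# created above, independent of how a numeric string is interpreted.
- name: create user
  user:
    name: www
    uid: '666'
    group: www
    create_home: no
    shell: /sbin/nologin
# Stopped on every host this role touches; the firewalld role (applied to
# the [firewalld] group in top.yml) presumably re-enables it there - verify.
- name: Disable Firewalld
  systemd:
    name: firewalld
    state: stopped
    enabled: no
- name: Disable Selinux
  selinux:
    state: disabled
# Every repo below is created with gpgcheck: no, so packages are
# installed without signature verification and a tampered or mis-served
# mirror would go unnoticed. Switch to gpgcheck: yes with the matching
# gpgkey once the key locations are confirmed.
- name: Create YUM_Repository Epel
  yum_repository:
    name: epel
    description: EPEL YUM repo
    baseurl: http://mirrors.aliyun.com/epel/7/$basearch
    gpgcheck: no
- name: Create YUM_Repository Base
  yum_repository:
    name: base
    description: BASE YUM repo
    baseurl: http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
    gpgcheck: no
# `match` is a regex test anchored at the start of the string, so
# '^web' / '^lb' expresses "hostname starts with"; the glob-style 'web*'
# would also accept any hostname beginning with "we".
- name: Create YUM_Repository Nginx
  yum_repository:
    name: nginx
    description: Nginx YUM repo
    baseurl: http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck: no
  when: (ansible_hostname is match('^web')) or
        (ansible_hostname is match('^lb'))
- name: Create YUM_Repository PHP
  yum_repository:
    name: php
    description: PHP YUM repo
    # Only mirrorlist is used; the empty baseurl key contributed nothing.
    mirrorlist: http://cdn.remirepo.net/enterprise/7/php71/mirror
    gpgcheck: no
  when: ansible_hostname is match('^web')
#- name: Installed Packages All
#  yum:
#    name: "{{ base_packages }}"
#  vars:
#    base_packages:
#      - nfs-utils
#      - rsync
#      - wget
#      - unzip
#      - glances
#      - lrzsz
#      - vim
#      - net-tools
#      - bash-completion
#      - tree
#      - MySQL-python
#      - mariadb
#  ignore_errors: yes
# `sshd -t` rejects a broken rendered config before it replaces the live
# file, so a template error cannot break SSH access to the managed host.
- name: Changed SSH Configure
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart SSH Server
# Raises open-file and process limits for all users via pam_limits
# (not sysctl, as the old task name suggested).
- name: Set PAM resource limits
  pam_limits:
    domain: '*'
    limit_type: "{{ item.limit_type }}"
    limit_item: "{{ item.limit_item }}"
    value: "{{ item.value }}"
  loop:
    - { limit_type: 'soft', limit_item: 'nofile', value: '65535' }
    - { limit_type: 'hard', limit_item: 'nofile', value: '65535' }
    - { limit_type: 'soft', limit_item: 'nproc', value: '102400' }
    - { limit_type: 'hard', limit_item: 'nproc', value: '102400' }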
[root@m01 ansible_role]# cat base/templates/sshd_config.j2
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
[root@m01 ansible_role]# cat base/handlers/main.yml
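# Handler notified by the "Changed SSH Configure" task in base/tasks.
# That task writes /etc/ssh/sshd_config, so the unit to restart is sshd;
# restarting php-fpm here left the new sshd_config unapplied (and fails
# on hosts that have no php-fpm unit at all).
- name: Restart SSH Server
  systemd:
    name: sshd
    state: restarted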
nginx部署
[root@m01 ansible_role]# cat nginx-web/tasks/main.yml
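# nginx-web role: install nginx from the repo added by the base role,
# render the main config and make sure the service is running.
- name: install nginx
  yum:
    name: nginx
    state: present
# The notify string must match the handler name in
# nginx-web/handlers/main.yml exactly, otherwise Ansible reports the
# handler as not found.
- name: configure nginx server
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'
    # Reject a broken rendered config before it replaces the live one;
    # the nginx.org package installs the binary at /usr/sbin/nginx.
    validate: /usr/sbin/nginx -t -c %s
  notify: Restart Nginx Server
- name: Systemd Nginx Server
  systemd:
    name: nginx
    state: started
    enabled: yes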
[root@m01 ansible_role]# cat nginx-web/templates/nginx.conf.j2
# Main nginx config rendered by the nginx-web role (template task in
# nginx-web/tasks/main.yml); per-site vhosts live in conf.d/*.conf.
# Workers run as the unprivileged www user created by the base role -
# NOTE(review): that role is commented out in top.yml, so confirm the
# user exists on the web hosts before nginx starts.
user www;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Records X-Forwarded-For so the real client address is still logged
    # when requests arrive through the lb layer.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
[root@m01 ansible_role]# cat nginx-web/handlers/main.yml
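# Must carry exactly the name used in the notify of the "configure nginx
# server" task ("Restart Nginx Server"); the previous misspelling
# "Restemd Nginx Server" did not, so the notify could not resolve to
# this handler.
- name: Restart Nginx Server
  systemd:
    name: nginx
    state: restarted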
php部署
[root@m01 ansible_role]# cat php/tasks/main.yml
- name: Installed PHP
yum:
name: "{
{ packages }}"
state: