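# Console transcript: layout and contents of the cn_accounts Ansible role, which
# deploys an nginx vhost, its rewrite rules and its TLS certificate/key pair.
[root@sz_xxgc_cms_slave01_18_214 roles]# pwd
/usr/local/worksh/ansible_script/ansible/roles
[root@sz_xxgc_cms_slave01_18_214 roles]# tree cn_accounts/
cn_accounts/
├── tasks
│   ├── commom.yaml
│   └── main.yaml
├── templates
│   ├── accounts_nginx_chinasoft.com.conf.j2
│   ├── accounts_rewrite_chinasoft.com.conf.j2
│   ├── chinasoft_com_br.crt
│   ├── chinasoft_com_br.key
└── vars
    └── main.yaml
[root@sz_xxgc_cms_slave01_18_214 roles]# more cn_accounts/tasks/commom.yaml
# Tasks for one accounts vhost: upload the nginx vhost file and the rewrite-rule
# file (each only when absent on the target), then create the certificate
# directory and upload the certificate and private key.
#
# NOTE(review): the "when: not ...stat.exists" guards mean a host that already
# has the file never receives later template changes (for example TLS
# hardening). Confirm that this first-deploy-only behaviour is intended.
# NOTE(review): no task here validates the rendered config or reloads nginx.
- name: "{{accounts_production_name}}=====Checking nginx configuration file if exists"
  stat:
    path: "{{accounts_nginx_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
  register: accounts_nginx_ws_fcheck

- name: "{{accounts_production_name}}=====upload nginx configuration file to server"
  template:
    src: accounts_nginx_chinasoft.com.conf.j2
    dest: "{{accounts_nginx_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
    owner: apache
    group: users
    # Modes are quoted so they are always read as octal strings.
    mode: "0644"
  when: not accounts_nginx_ws_fcheck.stat.exists

- name: "{{accounts_production_name}}=====Checking nginx's rewrite rule file if exists"
  stat:
    path: "{{accounts_rewrite_nginx_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
  register: accounts_rewrite_ws_fcheck

- name: "{{accounts_production_name}}=====upload nginx's rewrite rule file to server"
  template:
    src: accounts_rewrite_chinasoft.com.conf.j2
    dest: "{{accounts_rewrite_nginx_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
    owner: apache
    group: users
    mode: "0644"
  when: not accounts_rewrite_ws_fcheck.stat.exists

#- name: "{{accounts_production_name}}=====Checking apache configuration file if exists"
#  stat:
#    path: "{{accounts_http_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
#  register: accounts_apache_ws_fcheck
#
#- name: "{{accounts_production_name}}=====upload apache configuration file to server"
#  template:
#    src: accounts_apache_chinasoft.com.conf.j2
#    dest: "{{accounts_http_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}.conf"
#    owner: apache
#    group: users
#    mode: 0644
#  when: not accounts_apache_ws_fcheck.stat.exists

#- name: "{{accounts_production_name}}=====Checking web data httpdocs and create if not exists"
#  file:
#    path: "{{accounts_http_data_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}/httpdocs"
#    state: directory
#    owner: apache
#    group: users
#    mode: 0755

#- name: "{{accounts_production_name}}=====Checking data link and create if not exists"
#  file:
#    src: "{{accounts_http_data_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}/httpdocs"
#    dest: "{{accounts_http_data_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}/httpdocs/cbs_down"
#    state: link
#    owner: apache
#    group: users
#    mode: 0755

#- name: "{{accounts_production_name}}=====Checking data index.html and create if not exists"
#  stat:
#    path: "{{accounts_http_data_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}/httpdocs/index.html"
#  register: accounts_apache_data_ws_fcheck
#
#- name: "{{accounts_production_name}}=====upload www test data file to server"
#  template:
#    src: accounts_nginx_index.html.j2
#    dest: "{{accounts_http_data_dest_path}}/{{accounts_production_name}}.{{accounts_domain_name}}/httpdocs/index.html"
#    owner: apache
#    group: users
#    mode: 0644
#  when: not accounts_apache_data_ws_fcheck.stat.exists

- name: "{{accounts_production_name}}=====Checking certification path if not exists"
  file:
    # Uses the role variable instead of repeating the literal path, so the
    # directory and the upload destination below cannot drift apart.
    path: "{{accounts_certification_dest_path}}"
    state: directory
    owner: apache
    group: users
    mode: "0755"

# The certificate is public and stays 0644. The private key is uploaded 0600 so
# that only its owner can read it; it was previously world-readable (0644).
# replace('.', '_') is a literal substitution, so no regex escaping is needed
# inside the double-quoted YAML strings.
# NOTE(review): with accounts_domain_name set to chinasoft.cn these names
# resolve to chinasoft_cn.crt/.key, while the tree listing shows
# chinasoft_com_br.* in templates/. Confirm the shipped file names.
# NOTE(review): the private key sits unencrypted in the role's templates/
# directory; consider encrypting it with Ansible Vault.
- name: "{{accounts_production_name}}=====upload certification file to server"
  template:
    src: "{{item.src}}"
    dest: "{{accounts_certification_dest_path}}/{{item.dest}}"
    owner: apache
    group: users
    mode: "{{item.mode}}"
  with_items:
    - { src: "{{accounts_domain_name|replace('.', '_')}}.crt", dest: "{{accounts_domain_name|replace('.', '_')}}.crt", mode: "0644" }
    - { src: "{{accounts_domain_name|replace('.', '_')}}.key", dest: "{{accounts_domain_name|replace('.', '_')}}.key", mode: "0600" }
[root@sz_xxgc_cms_slave01_18_214 roles]# more cn_accounts/tasks/main.yaml
# Role entry point: pulls in the shared vhost deployment tasks.
- name: Deploy common site
  import_tasks: commom.yaml
[root@sz_xxgc_cms_slave01_18_214 roles]# more cn_accounts/templates/accounts_nginx_chinasoft.com.conf.j2
# Port 80 vhost: serves the static site, proxies /api and /v3/user/oauth to the
# ucweb_servers upstream, and redirects GET requests to HTTPS.
server {
    listen 80;
    server_name {{accounts_production_name}}.{{accounts_domain_name}} {% if accounts_is_ori_needed %}ori-{{accounts_production_name}}.{{accounts_domain_name}}{% endif %};
    access_log /data/www/logs/nginx_log/access/{{ accounts_production_name }}.{{accounts_domain_name}}_access.log main ;
    error_log /data/www/logs/nginx_log/error/{{ accounts_production_name }}.{{accounts_domain_name}}_error.log ;
    root /data/www/vhosts/services/ucweb/_static/www ;
    index index.html index.shtml ;
    include rewrite.d/{{ accounts_production_name }}.{{accounts_domain_name}}.conf ;
    error_page 404 403 /404.html;

    if ($http_user_agent ~ Ezooms) {
        return 403;
    }

    # The dot is escaped so that only real .htaccess/.htpasswd/.ini/.sh names
    # are denied. The unescaped form matched any URI ending in "sh" or "ini"
    # (for example /api/refresh), and regex locations win over prefix locations.
    location ~ \.(htaccess|htpasswd|ini|sh)$ {
        deny all;
    }

    # NOTE(review): only GET is redirected to HTTPS. Other methods (for example
    # a POST to /api or /v3/user/oauth) are still proxied in plaintext on this
    # port. Confirm whether any client depends on that before tightening it.
    set $jump_accounts 0;
    if ($request_method = "GET") {
        set $jump_accounts "${jump_accounts}1";
    }
    if ($jump_accounts = "01") {
        rewrite ^/(.*)$ https://{{accounts_production_name}}.{{accounts_domain_name}}/$1 permanent;
    }

    location / {
        try_files $uri $uri/ /index.html;
        # expires -1;
    }

    location /api {
        add_header Cache-Control no-cache;
        proxy_set_header Host $host;
        # X-Forwarded-For is set to $remote_addr, which replaces any value
        # supplied by the client.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://ucweb_servers;
        expires -1;
    }

    location /v3/user/oauth {
        add_header Cache-Control no-cache;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://ucweb_servers;
        expires -1;
    }
}

# Port 443 vhost: same site and proxy rules, served over TLS.
server {
    # "ssl" is required on the listen directive. No "ssl on;" is visible in
    # this template, so without it the socket would serve plain HTTP on 443.
    listen 443 ssl;
    server_name {{accounts_production_name}}.{{accounts_domain_name}} {% if accounts_is_ori_needed %}ori-{{accounts_production_name}}.{{accounts_domain_name}}{% endif %};
    access_log /data/www/logs/nginx_log/access/{{ accounts_production_name }}.{{accounts_domain_name}}_access.log main ;
    error_log /data/www/logs/nginx_log/error/{{ accounts_production_name }}.{{accounts_domain_name}}_error.log ;
    root /data/www/vhosts/services/ucweb/_static/www ;
    index index.html index.shtml ;
    include rewrite.d/{{ accounts_production_name }}.{{accounts_domain_name}}.conf ;
    error_page 404 403 /404.html;

    # Literal replace keeps these names identical to the files uploaded by
    # tasks/commom.yaml. The earlier regex_replace('.', '_') treated "." as
    # "any character" and turned the whole domain into underscores.
    ssl_certificate cert2016/{{accounts_domain_name|replace('.', '_')}}.crt;
    ssl_certificate_key cert2016/{{accounts_domain_name|replace('.', '_')}}.key;
    # NOTE(review): dh_2048.pem is not uploaded by this role; it has to exist
    # on the target already.
    ssl_dhparam cert2016/dh_2048.pem;
    ssl_session_timeout 15m;
    # TLSv1 and TLSv1.1 are deprecated and no longer offered. Add TLSv1.3 where
    # the installed nginx and OpenSSL builds support it.
    ssl_protocols TLSv1.2;
    # NOTE(review): this list still admits 3DES (DES-CBC3-SHA,
    # EDH-RSA-DES-CBC3-SHA) and CBC-mode suites; trim it to AEAD suites once
    # client compatibility is confirmed.
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";

    if ($http_user_agent ~ Ezooms) {
        return 403;
    }

    # Escaped dot: deny only real dot-extension names (see the port 80 block).
    location ~ \.(htaccess|htpasswd|ini|sh)$ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.html;
        # expires -1;
    }

    location /api {
        add_header Cache-Control no-cache;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://ucweb_servers;
        expires -1;
    }

    location /v3/user/oauth {
        add_header Cache-Control no-cache;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://ucweb_servers;
        expires -1;
    }
}
[root@sz_xxgc_cms_slave01_18_214 roles]# more cn_accounts/templates/accounts_rewrite_chinasoft.com.conf.j2
# Included by both server blocks: permanently redirects explicit index/indice
# page requests to their directory URL.
if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1 permanent;}
if ($request_uri ~ ^/(index|indice).html) { rewrite ^ / permanent;}
[root@sz_xxgc_cms_slave01_18_214 roles]# more cn_accounts/vars/main.yaml
# Role variables: domain, target directories on the nginx host, and the
# production (sub-domain) name used to build file and server names.
accounts_domain_name: chinasoft.cn
accounts_is_ori_needed: true
accounts_nginx_dest_path: /usr/local/nginx/conf/vhost.d
accounts_rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d
#accounts_http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d
accounts_http_data_dest_path: /data/www/vhosts
accounts_certification_dest_path: /usr/local/nginx/conf/cert2016
#accounts_production_accountsre: accountsre
#accounts_production_shopcart: shopcart
#accounts_production_uniconverter: uniconverter
accounts_production_name: accounts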