四核的基地

Architecture Technical Documentation

Technical documentation recording the architecture implementation: server planning, base environment optimization, application service setup and business deployment.

1. Server Planning

1) Required servers

Server | Count | Purpose
Load balancer | 2 | Splits the traffic reaching the website to reduce load
Web server | 2 | Handles user page requests
NFS storage | 1 | Stores large data such as images, attachments and avatars
backup server | 1 | Real-time and scheduled backup of data from every server
MySQL database server | 1 | Stores dynamically changing data
Management server | 1 | yum / kickstart / distribution management
VPN-NTP | 1 | Remote access
Note: 9 servers in total are needed to complete this project.

2) Server planning

2.1 Server IP address planning

Server | Public IP | Internal IP | Hostname
nginx load balancer 01 | 10.0.0.6/24 | 172.16.1.6/24 | lb01
nginx load balancer 02 | 10.0.0.5/24 | 172.16.1.5/24 | lb02
nginx web server | 10.0.0.7/24 | 172.16.1.7/24 | web01
nginx web server | 10.0.0.8/24 | 172.16.1.8/24 | web02
mysql database | 10.0.0.51/24 (optional) | 172.16.1.51/24 | db01
mysql database | 10.0.0.52/24 (optional) | 172.16.1.52/24 | db02
NFS storage server | 10.0.0.31/24 (optional) | 172.16.1.31/24 | nfs01
backup server | 10.0.0.41/24 (optional) | 172.16.1.41/24 | backup
Management/distribution server | 10.0.0.81/24 | 172.16.1.81/24 | m01
VPN-NTP | 10.0.0.71/24 | 172.16.1.71/24 | vpn
lb01 virtual IP | 10.0.0.3
lb02 virtual IP | 10.0.0.3

2.2 Service version information

Role | Component | Version
Linux OS | Kylin Linux Advanced Server V10 (Lance)
lb servers | nginx | nginx/1.28.1
lb servers | keepalived | Keepalived v2.0.20
web servers | nginx | nginx/1.26.1
web servers | tomcat | Tomcat 9.0.113
web servers | php | PHP 8.0.30
web servers | java | java version "1.8.0_181"
db server | mariadb | 10.3.39-MariaDB
db server | redis | redis-cli 7.2.11
nfs | lsyncd | lsyncd-2.2.3-2.ky10.x86_64
nfs | nfs-utils | nfs-utils-2.5.1-5.ky10.x86_64
backup | rsync | rsync version 3.1.3 protocol version 31

3) Architecture logic diagram

[Figure 1: architecture diagram]

4) Server OS and kernel version

Kylin Linux Advanced Server V10

uname -r

4.19.90-52.22.v2207.ky10.x86_64

5) Software installed on each server

nginx load balancer 01 | nginx, keepalived
nginx load balancer 02 | nginx, keepalived
web server 01 | nginx, tomcat, php
web server 02 | nginx, tomcat, php
mysql database | mariadb, redis
NFS storage server | nfs, lsyncd (real-time push)
backup server | rsync
Management/distribution server | Ansible
VPN-NTP |

2. Project Overview

1. Deploy the template machine (IP 10.0.0.200)

2. Server optimization: yum repository, time synchronization, disable the firewall, SSH tuning, raise the file descriptor limit, unmount /tmp

3. Clone the template and change each server's IP and hostname

4. Set up the required applications: Nginx, PHP, LB, NFS, MySQL, Redis, Rsync

5. Deploy the business applications: WordPress blog, the Xiaobawang game site, WeCenter forum

6. Required items: one-click installation of the whole cluster with Ansible, rsync backup of the whole network, NFS sharing, real-time sync, LNMP, database separation, web load balancing, high availability

7. Advanced items: HTTPS access, jump host (JumpServer, Teleport), Zabbix monitoring, yum repository, NTP time server, OpenVPN, database master-slave replication

8. Extended items: ELK log collection and analysis platform, Alibaba Cloud, Tomcat, running LNMP on Docker/k8s, Git + Jenkins

3. Project Implementation

1) Deploy the template machine (IP 10.0.0.200)

2) Server optimization

yum repository optimization: configure the EPEL extra repository

wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

Time synchronization

yum -y install ntpdate
tail -1 /etc/crontab
*/05 * * * * root ntpdate ntp1.aliyun.com &>/dev/null

SSH optimization

# 1. Change the default port
[root@oldboy ~]# grep 2222 /etc/ssh/sshd_config
Port 2222
# 2. Restart for the change to take effect
[root@oldboy ~]# systemctl restart sshd
# Speed up logins: disable GSSAPI authentication and reverse DNS lookups
[root@oldboy ~]# sed -rn '/^UseDNS|^GSSAPIA/p' /etc/ssh/sshd_config
GSSAPIAuthentication no
UseDNS no
[root@oldboy ~]# systemctl restart sshd   # restart to apply

Increase the file descriptor limit

# Check the current descriptor limit (the default is 1024)
[root@oldboy ~]# ulimit -n
1024
# Raise the file descriptor limit
[root@oldboy ~]# tail -1 /etc/security/limits.conf
* - nofile 65535
# Reboot for the change to take effect
reboot
# After the reboot, verify that it took effect
[root@oldboy ~]# ulimit -n
655350

Unmount /tmp

[root@oldboy ~]# umount /tmp   # unmount it now
[root@oldboy ~]# systemctl mask tmp.mount   # stop it from being mounted at boot

Optimize the NIC configuration

[root@oldboy ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=none
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=10.0.0.200
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.5.5.5
[root@oldboy ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens36
TYPE=Ethernet
BOOTPROTO=none
NAME=ens36
DEVICE=ens36
ONBOOT=yes
IPADDR=172.16.1.200
PREFIX=24
# Restart networking to apply
[root@oldboy ~]# yum -y install network-scripts
[root@oldboy ~]# systemctl restart network

PS1 variable (optional)

[root@oldboy ~]# tail -1 /etc/profile
export PS1="[\[\e[34;1m\]\u@\[\e[0m\]\[\e[32;1m\]\H\[\e[0m\]\[\e[31;1m\] \W\[\e[0m\]]\\$"

Disable the firewall

[root@oldboy ~]# systemctl stop firewalld
[root@oldboy ~]# systemctl disable firewalld

Clear the login banners

[root@m02 ~]# > /etc/motd
[root@m02 ~]# > /etc/issue
[root@m02 ~]# > /etc/issue.net

3) Clone the template and change each server's IP and hostname

# Change the server's IP addresses
vim /etc/sysconfig/network-scripts/ifcfg-ens33
vim /etc/sysconfig/network-scripts/ifcfg-ens34
# Change the hostname
hostnamectl set-hostname <hostname>

4) Set up the m01 management/distribution server

# Ansible no longer supports Python below 3.8, so install a newer Python first
wget https://www.python.org/ftp/python/3.8.16/Python-3.8.16.tgz
tar xzf Python-3.8.16.tgz
cd Python-3.8.16
./configure --enable-optimizations
make -j$(nproc)
make altinstall
[root@m01 ~]# pip3.8 install ansible -i https://mirrors.aliyun.com/pypi/simple/
mkdir /etc/ansible
vim /etc/ansible/ansible.cfg   # does not exist by default; create it by hand
[defaults]
# whether Ansible verifies the SSH host key fingerprint of remote hosts
host_key_checking = False
# whether deprecation warnings are shown
deprecation_warnings = False
# Python 3 interpreter to use on the managed hosts
interpreter_python = /usr/bin/python3
# inventory location (default /etc/ansible/hosts)
[inventory]
# sudo privilege escalation options
[privilege_escalation]
# connection plugin
[paramiko_connection]
# SSH remote connection plugin
[ssh_connection]
# persistent SSH connection options (defaults)
[persistent_connection]
[accelerate]
[selinux]
# colour options (defaults)
[colors]
# diff output of the copy module (defaults)
[diff]

# Important settings
1. Disable SSH host key checking (host_key_checking = False): convenient for automation, at the cost of some security.
2. Disable deprecation warnings (deprecation_warnings = False): cleaner output.
3. Force Python 3 (interpreter_python = /usr/bin/python3): ensures compatibility with modern systems; this is a very important setting.


yum -y install sshpass   # needed to manage backend hosts with SSH username/password
5) Set up the required applications

Directory structure

[root@m01 ansible]# tree -L 4 /ansible
/ansible
├── backup
│   ├── backup.yml
│   └── test_ssh_connections.sh
├── hosts_sh
│   ├── hosts.txt
│   ├── ssh_batah.sh
│   └── test_ssh_connections.sh
└── roles
    ├── backup
    │   ├── files
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── exports
    │   │   ├── rsyncd.conf
    │   │   ├── rsyncd.conf.j2
    │   │   └── www.passwd
    │   └── vars
    │       └── main.yml
    ├── common
    │   ├── files
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   └── dnf.conf
    │   └── vars
    │       └── main.yml
    ├── db
    │   ├── files
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── all1.sql
    │   │   ├── all2.sql
    │   │   ├── all.sql
    │   │   ├── all.sql.bak
    │   │   ├── my1.cnf
    │   │   ├── my2.cnf
    │   │   ├── redis.conf
    │   │   └── redis.conf.j2
    │   └── vars
    │       └── main.yml
    ├── hosts
    ├── lb
    │   ├── files
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── check_web.sh
    │   │   ├── conf.d
    │   │   ├── keepalived.conf
    │   │   ├── keepalived.conf.j2
    │   │   ├── lv_env
    │   │   └── ssl_key
    │   └── vars
    │       └── main.yml
    ├── l.yml
    ├── nfs
    │   ├── files
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── exports
    │   │   ├── lsyncd.conf
    │   │   └── lsyncd.conf.j2
    │   └── vars
    │       └── main.yml
    ├── site.yml
    └── webs
        ├── files
        ├── handlers
        │   └── main.yml
        ├── tasks
        │   ├── main.yml
        │   └── main.yml.backup
        ├── templates
        │   ├── apache-tomcat-9.0.113.tar.gz
        │   ├── backup.sh
        │   ├── code
        │   ├── code.tar.gz
        │   ├── conf.d
        │   ├── conf.d.tar.gz
        │   ├── jdk-8u181-linux-x64.rpm
        │   ├── nginx.conf
        │   ├── php.ini
        │   ├── redis-5.3.7.tgz
        │   ├── server.xml
        │   ├── tomcat.service
        │   └── www.conf
        └── vars
            └── main.yml

Preparation before deployment

If you are unsure about a module, look it up with ansible-doc <module>.
Passwordless SSH to all servers
# Deploy the key-distribution script on the m01 management server
[root@m01 hosts_sh]# pwd
/ansible/hosts_sh

[root@m01 hosts_sh]# cat ssh_batah.sh
#!/bin/bash

# Batch SSH key distribution script (supports non-interactive password input)
set -e

# Colour definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Show usage
echo -e "${GREEN}批量SSH免密钥配置脚本${NC}"
echo "使用方法: $0 <主机文件> <用户名> [密码文件] [SSH端口]"
echo "示例1: $0 hosts.txt root"
echo "示例2: $0 hosts.txt root passwords.txt"
echo "示例3: $0 hosts.txt root passwords.txt 2222"

# Check arguments
if [ $# -lt 2 ]; then
    echo -e "${RED}错误: 需要指定主机文件和用户名${NC}"
    exit 1
fi

HOST_FILE=$1
USERNAME=$2
PASS_FILE=$3
PORT=${4:-22}

# Check that the host file exists
if [ ! -f "$HOST_FILE" ]; then
    echo -e "${RED}错误: 主机文件 $HOST_FILE 不存在${NC}"
    exit 1
fi

# Check whether sshpass is installed
if ! command -v sshpass &> /dev/null; then
    echo "安装sshpass工具..."
    if command -v apt-get &> /dev/null; then
        apt-get update && apt-get install -y sshpass
    elif command -v yum &> /dev/null; then
        yum install -y sshpass
    elif command -v dnf &> /dev/null; then
        dnf install -y sshpass
    else
        echo -e "${RED}错误: 无法自动安装sshpass,请手动安装${NC}"
        exit 1
    fi
fi

# Check the required tools
for tool in ssh-keygen ssh-copy-id ssh; do
    if ! command -v $tool &> /dev/null; then
        echo -e "${RED}错误: $tool 未安装${NC}"
        exit 1
    fi
done

# Generate an SSH key pair (if none exists yet)
KEY_FILE="$HOME/.ssh/id_rsa"
if [ ! -f "$KEY_FILE" ]; then
    echo "生成SSH密钥..."
    ssh-keygen -t rsa -b 4096 -f "$KEY_FILE" -N "" -q
fi

# Read the host list
declare -a HOSTS
declare -a PASSWORDS

if [ -n "$PASS_FILE" ] && [ -f "$PASS_FILE" ]; then
    echo "使用密码文件: $PASS_FILE"
    # Read hosts and passwords from the password file ("host password" per line)
    while IFS= read -r line; do
        # Skip blank lines and comments
        line=$(echo "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue

        # Parse host and password
        host=$(echo "$line" | awk '{print $1}')
        pass=$(echo "$line" | awk '{print $2}')

        if [ -n "$host" ]; then
            HOSTS+=("$host")
            PASSWORDS+=("$pass")
        fi
    done < "$PASS_FILE"
else
    # No password file: read the host file (host only, or host and password; password may be empty)
    echo "警告: 未提供密码文件,将尝试从主机文件读取密码"
    while IFS= read -r line; do
        # Skip blank lines and comments
        line=$(echo "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue

        # Try to parse host and password
        host=$(echo "$line" | awk '{print $1}')
        pass=$(echo "$line" | awk '{print $2}')

        if [ -n "$host" ]; then
            HOSTS+=("$host")
            PASSWORDS+=("$pass")
        fi
    done < "$HOST_FILE"
fi

if [ ${#HOSTS[@]} -eq 0 ]; then
    echo -e "${RED}错误: 主机列表为空${NC}"
    exit 1
fi

echo "开始处理 ${#HOSTS[@]} 个主机..."

# Process each host
SUCCESS=0
FAIL=0

for i in "${!HOSTS[@]}"; do
    HOST="${HOSTS[$i]}"
    PASSWORD="${PASSWORDS[$i]}"

    echo -e "${YELLOW}处理: $USERNAME@$HOST:$PORT${NC}"

    # If no password is known, prompt for it interactively
    if [ -z "$PASSWORD" ]; then
        echo -e "${YELLOW}提示: 未找到 $HOST 的密码,将尝试交互式输入${NC}"
        # ssh-copy-id prompts for the password itself
        if ssh-copy-id -i "$KEY_FILE.pub" -p $PORT $USERNAME@$HOST 2>/dev/null; then
            echo -e "${GREEN}✓ 公钥复制成功${NC}"
            SUCCESS=$((SUCCESS + 1))
        else
            echo -e "${RED}✗ 公钥复制失败${NC}"
            FAIL=$((FAIL + 1))
        fi
    else
        # Feed the password through sshpass.
        # StrictHostKeyChecking=no accepts whatever host key is presented on first contact,
        # which is only acceptable on an isolated management network like 10.0.0.0/24 here.
        echo "使用sshpass自动部署..."
        if sshpass -p "$PASSWORD" ssh-copy-id -i "$KEY_FILE.pub" -p $PORT -o StrictHostKeyChecking=no $USERNAME@$HOST 2>/dev/null; then
            echo -e "${GREEN}✓ 公钥复制成功${NC}"
            SUCCESS=$((SUCCESS + 1))

            # Verify that key-based login now works
            if ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -p $PORT -i "$KEY_FILE" $USERNAME@$HOST "echo '连接测试成功'" 2>/dev/null; then
                echo -e "${GREEN}✓ SSH免密钥验证成功${NC}"
            else
                echo -e "${YELLOW}⚠ SSH免密钥验证失败,但公钥已复制${NC}"
            fi
        else
            echo -e "${RED}✗ 公钥复制失败${NC}"
            FAIL=$((FAIL + 1))
        fi
    fi

    echo ""
done

# Print the summary
echo "========================================"
echo -e "${GREEN}完成!${NC}"
echo -e "成功: ${GREEN}$SUCCESS${NC}, 失败: ${RED}$FAIL${NC}"
echo "========================================"

# Generate a test script.
# The heredoc is unquoted, so ${HOSTS[*]}, $PORT, $KEY_FILE and $USERNAME are expanded
# now (the host list is written into the script literally); \$HOST is expanded when
# the generated script runs.
if [ $SUCCESS -gt 0 ]; then
    TEST_SCRIPT="test_ssh_connections.sh"
    cat > "$TEST_SCRIPT" << EOF
#!/bin/bash
echo "测试SSH免密钥连接..."
for HOST in ${HOSTS[*]}; do
    echo -n "测试 \$HOST: "
    if ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -p $PORT -i "$KEY_FILE" $USERNAME@\$HOST "echo '连接成功'" 2>/dev/null; then
        echo "✓ 成功"
    else
        echo "✗ 失败"
    fi
done
EOF
    chmod +x "$TEST_SCRIPT"
    echo -e "${GREEN}已生成测试脚本: $TEST_SCRIPT${NC}"
fi


# Make ssh_batah.sh executable
chmod +x ssh_batah.sh

# Create the hosts file and list the IPs of the servers to manage
[root@m01 hosts_sh]# cat hosts.txt
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.51
10.0.0.41
10.0.0.31

# Run the script
[root@m01 hosts_sh]# ./ssh_batah.sh hosts.txt root

Create the required directories

[root@m01 ~]# mkdir -p /ansible/roles
[root@m01 ~]# cd /ansible/roles
# Create the hosts inventory file under roles
[root@m01 roles]# vim hosts
[lb]
172.16.1.5
172.16.1.6

[web]
172.16.1.7
172.16.1.8

[backup]
172.16.1.41

[db]
172.16.1.51
172.16.1.52

[nfs]
172.16.1.31

[VPN]
172.16.1.71

Configure the common role

[root@m01 roles]# ansible-galaxy init common
[root@m01 roles]# tree common
common
├── files
├── handlers
│   └── main.yml
├── tasks
│   └── main.yml
├── templates
│   └── dnf.conf
└── vars
    └── main.yml
[root@m01 roles]# ll common/
total 0
drwxr-xr-x 2 root root 6 Dec 25 15:28 files
drwxr-xr-x 2 root root 22 Dec 25 15:28 handlers
drwxr-xr-x 2 root root 22 Dec 25 20:09 tasks
drwxr-xr-x 2 root root 22 Dec 25 20:07 templates
drwxr-xr-x 2 root root 22 Dec 25 15:28 vars

[root@m01 roles]# cat common/tasks/main.yml
---
# tasks file for common
- name: Create Group
  group:
    name: www
    gid: 666

- name: Create User
  user:
    name: www
    uid: 666
    group: www
    create_home: false

- name: Create dnf server
  template:
    src: dnf.conf
    dest: /etc/dnf/dnf.conf

1. Deploy the backup server

Create the backup role on the m01 management server

# Generate the role skeleton with ansible-galaxy
[root@m01 roles]# ansible-galaxy init backup
- Role backup was created successfully
# Commonly used directories
[root@m01 roles]# cd backup
[root@m01 backup]# ll
total 0
drwxr-xr-x 2 root root 6 Aug 29 11:43 files
drwxr-xr-x 2 root root 22 Aug 29 11:43 handlers
drwxr-xr-x 2 root root 22 Aug 29 11:43 tasks
drwxr-xr-x 2 root root 6 Aug 29 11:43 templates
drwxr-xr-x 2 root root 22 Aug 29 11:43 vars

backup one-click deployment playbook

[root@m01 backup]# cat tasks/main.yml
- name: Install rsync
  yum:
    name: rsync
    state: present

- name: Create file
  file:
    path: "{{ item.path }}"
    state: directory
    owner: www
    group: www
  loop:
    - { path: /backup }
    - { path: /backup/web01 }
    - { path: /backup/web02 }
    - { path: /data }

- name: Configure rsync server
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: rsyncd.conf.j2, dest: /etc/rsyncd.conf, mode: '0644' }
    - { src: exports, dest: /etc/exports, mode: '0644' }
    - { src: www.passwd, dest: /etc/www.passwd, mode: '0600' }
  notify: Restart rsync Server

- name: Start rsync Server
  systemd:
    name: rsyncd
    state: started
    enabled: yes


# handlers file
[root@m01 backup]# cat handlers/main.yml
- name: Restart rsync Server
  systemd:
    name: rsyncd
    state: restarted
# secrets file (user:password pairs for rsyncd's auth users)
[root@m01 backup]# pwd
/ansible/roles/backup
[root@m01 backup]# cat templates/www.passwd
www:123

# variables file
[root@m01 backup]# cat vars/main.yml
user: www
code_dir: /backup

# template contents
[root@m01 roles]# cd /ansible/roles/backup/templates
[root@m01 templates]# pwd
/ansible/roles/backup/templates
[root@m01 templates]# cat rsyncd.conf.j2
uid = {{ user }}
gid = {{ user }}
port = 873
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
list = false
auth users = www
secrets file = /etc/www.passwd
log file = /var/log/rsyncd.log
####################################
[backup]
comment = welcome to oldboyedu backup!
path = {{ code_dir }}

[data]
# receives the lsyncd push from the NFS server; the directory is created by the task above
path = /data

[root@m01 templates]# cd ..




# site.yml playbook
[root@m01 backup]# cat /ansible/roles/site.yml
- name: common
  hosts: all
  gather_facts: no

  roles:
    - common

- name: backup
  hosts: backup
  gather_facts: no

  roles:
    - backup

# Run
[root@m01 roles]# ansible-playbook site.yml -i hosts
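The rsyncd.conf.j2 and www.passwd above are what the backup server trusts. The following Python script is an added example (not from the page or the project) that parses a rendered rsyncd.conf with its secrets file and reports what a reviewer of the backup role would check: the secrets file mode, every auth user having an entry, modules without a hosts allow restriction, and short secrets. The embedded config and secret are constructed from the page's template and www.passwd; check_rsyncd_files runs the same checks against real files.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample: the page's rsyncd.conf.j2 rendered with user=www, code_dir=/backup
RSYNCD_CONF = """\
uid = www
gid = www
port = 873
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
list = false
auth users = www
secrets file = /etc/www.passwd
log file = /var/log/rsyncd.log
####################################
[backup]
comment = welcome to oldboyedu backup!
path = /backup
[data]
path = /data
"""
SECRETS = "www:123\n"   # constructed sample: the page's templates/www.passwd
MIN_SECRET_LEN = 12


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global params, {module: params}). Parameters before the first
    [module] are defaults for every module; a bare 'key' line (e.g. 'ignore
    errors') is a boolean set to true."""
    global_params: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        current[key.strip().lower()] = value.strip() if sep else "true"
    return global_params, modules


def parse_secrets(text: str) -> Dict[str, str]:
    """'user:password' per line; blank lines and '#' comments are ignored."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            user, secret = line.split(":", 1)
            users[user.strip()] = secret
    return users


def check_rsyncd(conf_text: str, secrets_text: str, secrets_mode: int) -> List[str]:
    """Findings for a daemon config plus its secrets file (mode as an int, e.g. 0o600)."""
    findings: List[str] = []
    global_params, modules = parse_rsyncd_conf(conf_text)
    secrets = parse_secrets(secrets_text)
    # rsyncd refuses a secrets file readable by group/other unless 'strict modes = no'
    if secrets_mode & 0o077:
        findings.append("secrets file is group/world readable; rsyncd rejects it under strict modes")
    for user, secret in secrets.items():
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"secret for user '{user}' is shorter than {MIN_SECRET_LEN} characters")
    for name, module in modules.items():
        def param(key: str) -> str:          # module value, else global default
            return module.get(key, global_params.get(key, ""))
        if not param("path"):
            findings.append(f"[{name}]: missing 'path'")
        auth = param("auth users")
        if not auth:
            findings.append(f"[{name}]: no 'auth users', module is open to anonymous clients")
        for entry in auth.split(",") if auth else []:
            user = entry.strip().split(":")[0]   # drop ':ro' / ':rw' qualifiers
            if user not in secrets:
                findings.append(f"[{name}]: auth user '{user}' has no entry in the secrets file")
        if not param("hosts allow"):
            findings.append(f"[{name}]: no 'hosts allow', any client IP may connect (limit to 172.16.1.0/24)")
    return findings


def check_rsyncd_files(conf_path: str, secrets_path: str) -> List[str]:
    """Run the same checks on real files, reading the secrets file mode from disk."""
    with open(conf_path, encoding="utf-8") as f:
        conf_text = f.read()
    with open(secrets_path, encoding="utf-8") as f:
        secrets_text = f.read()
    return check_rsyncd(conf_text, secrets_text, stat.S_IMODE(os.stat(secrets_path).st_mode))
```

With the page's template and mode 0600 (what the template task sets) the script reports the short secret and the missing hosts allow on both modules.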

2. Deploy the NFS server

Create the nfs role on the m01 management server

# Generate the role skeleton with ansible-galaxy
[root@m01 roles]# ansible-galaxy init nfs
- Role nfs was created successfully
# Commonly used directories
[root@m01 roles]# cd nfs
[root@m01 nfs]# ll
total 0
drwxr-xr-x 2 root root 6 Aug 29 11:43 files
drwxr-xr-x 2 root root 22 Aug 29 11:43 handlers
drwxr-xr-x 2 root root 22 Aug 29 11:43 tasks
drwxr-xr-x 2 root root 6 Aug 29 11:43 templates
drwxr-xr-x 2 root root 22 Aug 29 11:43 vars

nfs server one-click deployment playbook

# NFS role configuration
# tasks file
[root@m01 nfs]# cat tasks/main.yml
---
# tasks file for nfs
- name: Create file
  file:
    path: "{{ item.path }}"
    state: directory
    owner: www
    group: www
  loop:
    - { path: /data/wp }
    - { path: /data/zh }
    - { path: /data/zrlog }

- name: Configure NFS service resources
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: www
    group: www
  loop:
    - { src: "{{ path }}backup_nfs/wp", dest: /data/ }
    - { src: "{{ path }}backup_nfs/zh", dest: /data/ }
    - { src: "{{ path }}backup_nfs/zrlog", dest: /data/ }

- name: Install nfs lsyncd Server
  yum:
    name: "{{ item.name }}"
    state: present
  loop:
    - { name: nfs-utils }
    - { name: lsyncd }

- name: Configure nfs lsyncd Server
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: exports, dest: /etc/exports, mode: '0644' }
    - { src: lsyncd.conf, dest: /etc/lsyncd.conf, mode: '0644' }
    - { src: www.passwd, dest: /etc/www.passwd, mode: '0600' }
  notify: Restart nfs lsync Server

- name: Start nfs lsync Server
  systemd:
    name: "{{ item.name }}"
    state: started
    enabled: yes
  loop:
    - { name: nfs }
    - { name: lsyncd }


# variables file
[root@m01 nfs]# cat vars/main.yml
---
# vars file for nfs
path: /ansible/roles/nfs/templates/

# handlers file
[root@m01 nfs]# cat handlers/main.yml
---
# handlers file for nfs
- name: Restart nfs lsync Server
  systemd:
    name: "{{ item.name }}"
    state: restarted
  loop:
    - { name: nfs }
    - { name: lsyncd }
  # nfs_check / lsyncd_check are not registered by any task in this role, so the
  # condition only blocks a restart when such a check was registered and failed
  when: >
    (item.name == 'nfs' and (nfs_check is not defined or nfs_check.rc == 0)) or
    (item.name == 'lsyncd' and (lsyncd_check is not defined or lsyncd_check.rc == 0))



# template contents
[root@m01 nfs]# cat templates/exports
/data/wp 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/zh 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/zrlog 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
[root@m01 nfs]# cat templates/lsyncd.conf.j2
settings {
    logfile = "/var/log/lsyncd/lsyncd.log",
    statusFile = "/var/log/lsyncd/lsyncd.status",
    maxProcesses = 2,
    nodaemon = false,
}
sync {
    default.rsync,
    source = "/data/",
    -- push into the [data] module of the backup server (172.16.1.41)
    target = "www@172.16.1.41::data",
    -- delete = true mirrors deletions too: a wipe of /data propagates to the backup copy
    delete = true,
    delay = 1,
    rsync = {
        binary = "/usr/bin/rsync",
        -- client-side password file: contains only the password, mode 0600
        password_file = "/etc/www.passwd",
        archive = true,
        compress = true,
    }
}

# site.yml playbook
[root@m01 roles]# pwd
/ansible/roles
[root@m01 roles]# cat site.yml
- name: backup
  hosts: backup
  gather_facts: no

  roles:
    - backup

- name: nfs
  hosts: nfs
  gather_facts: no

  roles:
    - nfs


# Run
[root@m01 roles]# ansible-playbook site.yml -i hosts

3. Deploy the db server

Create the db role on the m01 management server

# Generate the role skeleton with ansible-galaxy
[root@m01 roles]# ansible-galaxy init db
- Role db was created successfully
# Commonly used directories
[root@m01 roles]# cd db
[root@m01 db]# ll
total 0
drwxr-xr-x 2 root root 6 Aug 29 11:43 files
drwxr-xr-x 2 root root 22 Aug 29 11:43 handlers
drwxr-xr-x 2 root root 22 Aug 29 11:43 tasks
drwxr-xr-x 2 root root 6 Aug 29 11:43 templates
drwxr-xr-x 2 root root 22 Aug 29 11:43 vars

db server one-click deployment playbook

# tasks file
[root@m01 db]# cat tasks/main.yml
---
# tasks file for db
- name: Install mariadb redis server
  yum:
    name: "{{ item.name }}"
    state: present
  loop:
    - { name: mariadb-server }
    - { name: python3-PyMySQL }
    - { name: redis }

- name: Copy all1.sql to db01
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: /ansible/roles/db/templates/all1.sql, dest: /root/all.sql }
    - { src: /ansible/roles/db/templates/my1.cnf, dest: /etc/my.cnf }
  when: inventory_hostname == '10.0.0.51' or ansible_host == '172.16.1.51'

- name: Copy all2.sql to db02
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: /ansible/roles/db/templates/all2.sql, dest: /root/all.sql }
    - { src: /ansible/roles/db/templates/my2.cnf, dest: /etc/my.cnf }
  when: inventory_hostname == '10.0.0.52' or ansible_host == '172.16.1.52'

- name: Create MySQL log directory
  file:
    path: /var/log/mysql
    state: directory
    owner: mysql
    group: mysql
    mode: '0755'

- name: Configure mysql redis server
  template:
    src: redis.conf.j2
    dest: /etc/redis.conf
    mode: '0640'
  vars:
    # bind Redis to the internal NIC; falls back to loopback when facts are not gathered
    redis_bind_ip: "{{ ansible_ens36.ipv4.address if ansible_ens36 is defined else '127.0.0.1' }}"
  notify: Restart mysql redis Server

- name: Start mariadb server
  systemd:
    name: "{{ item.name }}"
    state: started
    enabled: yes
  loop:
    - { name: mariadb }
    - { name: redis }

- name: import all.sql to 51
  mysql_db:
    name: all
    target: /root/all.sql
    state: import

- name: Restart mariadb server
  systemd:
    name: "{{ item.name }}"
    state: restarted
  loop:
    - { name: mariadb }
    - { name: redis }



# handlers file
[root@m01 db]# cat handlers/main.yml
---
# handlers file for db
- name: Restart mysql redis Server
  systemd:
    name: "{{ item.name }}"
    state: restarted
  loop:
    - { name: mariadb }
    - { name: redis }
  # mysql_check / redis_check are not registered by any task in this role, so the
  # condition only blocks a restart when such a check was registered and failed
  when: >
    (item.name == 'mariadb' and (mysql_check is not defined or mysql_check.rc == 0)) or
    (item.name == 'redis' and (redis_check is not defined or redis_check.rc == 0))



# templates directory
[root@m01 db]# ll templates/
total 107132
-rw-r--r-- 1 root root 26216425 Jan 4 15:38 all1.sql
-rw-r--r-- 1 root root 26216066 Jan 4 15:38 all2.sql
-rw-r--r-- 1 root root 26215811 Jan 4 12:04 all.sql
-rw-r--r-- 1 root root 30818078 Jan 4 12:03 all.sql.bak
-rw-r--r-- 1 root root 392 Jan 4 15:45 my1.cnf
-rw-r--r-- 1 root root 332 Jan 4 15:45 my2.cnf
-rw-r----- 1 root root 107549 Jan 4 11:54 redis.conf
-rw-r----- 1 root root 107557 Jan 4 14:37 redis.conf.j2

4. Deploy the web servers

Create the webs role on the m01 management server

# Generate the role skeleton with ansible-galaxy
[root@m01 roles]# ansible-galaxy init webs
- Role webs was created successfully
# Commonly used directories
[root@m01 roles]# cd webs
[root@m01 webs]# ll
total 0
drwxr-xr-x 2 root root 6 Aug 29 11:43 files
drwxr-xr-x 2 root root 22 Aug 29 11:43 handlers
drwxr-xr-x 2 root root 22 Aug 29 11:43 tasks
drwxr-xr-x 2 root root 6 Aug 29 11:43 templates
drwxr-xr-x 2 root root 22 Aug 29 11:43 vars

webs server one-click deployment playbook

# tasks file
[root@m01 webs]# cat tasks/main.yml
---
# tasks file for webs
- name: Install Zabbix 6.0 repository
  shell: |
    rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-6.0-4.el8.noarch.rpm
    dnf clean all
  args:
    executable: /bin/bash
  register: repo_install

- name: Create base repository
  yum_repository:
    name: nginx
    description: nginx-stable
    baseurl: http://nginx.org/packages/centos/7/$basearch/
    gpgcheck: no
    enabled: yes

- name: Copy JDK rpm
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: "{{ path }}jdk-8u181-linux-x64.rpm", dest: /root/jdk-8u181-linux-x64.rpm }

- name: Install Nginx PHP JDK Server
  yum:
    name:
      - nginx
      - php
      - php-bcmath
      - php-cli
      - php-common
      - php-devel
      - php-embedded
      - php-fpm
      - php-gd
      - php-intl
      - php-mbstring
      - php-mysqlnd
      - php-opcache
      - php-pdo
      - php-process
      - php-xml
      - php-json
      - /root/jdk-8u181-linux-x64.rpm
    state: present
    disable_gpg_check: yes   # skip GPG signature verification

- name: Copy RPM files to target
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: "{{ path1 }}zabbix-agent2-6.0.43-release2.el8.x86_64.rpm", dest: /tmp/zabbix-agent2-6.0.43-release2.el8.x86_64.rpm }
    - { src: "{{ path1 }}zabbix-agent2-plugin-mongodb-6.0.43-release2.el8.x86_64.rpm", dest: /tmp/zabbix-agent2-plugin-mongodb-6.0.43-release2.el8.x86_64.rpm }
    - { src: "{{ path1 }}zabbix-agent2-plugin-postgresql-6.0.43-release2.el8.x86_64.rpm", dest: /tmp/zabbix-agent2-plugin-postgresql-6.0.43-release2.el8.x86_64.rpm }

- name: Install with yum localinstall
  shell: |
    yum localinstall -y /tmp/zabbix-agent2-*.rpm
  args:
    executable: /bin/bash

- name: Change directory ownership to www user
  file:
    path: /var/lib/php
    state: directory
    owner: www
    group: www
    recurse: yes

- name: Copy php-fpm www.conf, nginx conf.d and backup.sh
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: "{{ path }}www.conf", dest: /etc/php-fpm.d/www.conf }
    - { src: "{{ path }}conf.d", dest: /etc/nginx }
    - { src: "{{ path }}backup.sh", dest: /root }
  notify: Restart Nginx PHP Tomcat Server

- name: Cron backup
  cron:
    name: backup
    minute: "0"
    hour: "2"
    job: "/root/backup.sh > /dev/null 2>&1"
    user: root
    state: present

- name: Create soft
  file:
    path: /soft
    state: directory

- name: unpackage Tomcat code
  unarchive:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    creates: "{{ item.creates }}"
  loop:
    - { src: "{{ path }}apache-tomcat-9.0.113.tar.gz", dest: /soft/, creates: /soft/apache-tomcat-9.0.113 }
    - { src: "{{ path }}code.tar.gz", dest: /, creates: /code }
    - { src: "{{ path }}redis-5.3.7.tgz", dest: /root, creates: /root/redis-5.3.7 }

- name: Create ln -s
  file:
    src: /soft/apache-tomcat-9.0.113
    dest: /soft/tomcat
    state: link

- name: Create Nginx PHP server
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: nginx.conf, dest: /etc/nginx/nginx.conf, mode: '0644' }
    - { src: tomcat.service, dest: /usr/lib/systemd/system/tomcat.service, mode: '0644' }
    - { src: server.xml, dest: /soft/tomcat/conf/server.xml, mode: '0600' }
    - { src: www.pwd, dest: /etc/www.pwd, mode: '0600' }
    - { src: php.ini, dest: /etc/php.ini, mode: '0644' }
  notify: Restart Nginx PHP Tomcat Server

- name: Compile and install Redis extensions
  shell: |
    cd /root/redis-5.3.7 && \
    phpize && \
    ./configure && \
    make && \
    make install

- name: 测试PHP配置
  command: php-fpm -t
  register: php_test
  notify: Restart Nginx PHP Tomcat Server

- name: mount wp zh zrlog
  mount:
    src: "{{ item.src }}"
    path: "{{ item.path }}"
    fstype: nfs
    state: mounted
  loop:
    - { src: "172.16.1.31:/data/wp", path: /code/wp/wordpress/wp-content/uploads }
    - { src: "172.16.1.31:/data/zh", path: /code/zh/uploads/question }
    - { src: "172.16.1.31:/data/zrlog", path: /code/zrlog/ROOT/attached }
  notify: Restart Nginx PHP Tomcat Server

- name: Start Nginx PHP Tomcat Server
  systemd:
    name: "{{ item.name }}"
    state: started
    enabled: yes
  loop:
    - { name: nginx }
    - { name: php-fpm }
    - { name: tomcat }

- name: restart tomcat
  systemd:
    name: tomcat
    state: restarted

- name: Copy sh to web01
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: "{{ path }}setup_dual_gateway_persistent.sh", dest: /root/setup_dual_gateway_persistent.sh, mode: '0755' }
    - { src: "{{ path1 }}zabbix_agent2.conf1", dest: /etc/zabbix/zabbix_agent2.conf, mode: '0644' }
  when: inventory_hostname == '10.0.0.7' or ansible_host == '172.16.1.7'

- name: Copy sh to web02
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: "{{ path }}setup_dual_gateway_persistent.sh2", dest: /root/setup_dual_gateway_persistent.sh, mode: '0755' }
    - { src: "{{ path1 }}zabbix_agent2.conf2", dest: /etc/zabbix/zabbix_agent2.conf, mode: '0644' }
  when: inventory_hostname == '10.0.0.8' or ansible_host == '172.16.1.8'

- name: Start zabbix-agent2 Server
  systemd:
    name: zabbix-agent2
    state: started
    enabled: yes

- name: 执行配置脚本
  shell: /root/setup_dual_gateway_persistent.sh
  register: result
  changed_when: "'配置完成' in result.stdout"

# handlers file
[root@m01 webs]# cat handlers/main.yml
---
# handlers file for webs
- name: Restart Nginx PHP Tomcat Server
  systemd:
    name: "{{ item.name }}"
    state: restarted
  loop:
    - { name: 'nginx' }
    - { name: 'php-fpm' }
    - { name: 'tomcat' }
  # only php_test is registered by the tasks (command: php-fpm -t); the other
  # checks block a restart only when they were registered and failed
  when: >
    (item.name == 'nginx' and (ng_re is not defined or ng_re.rc == 0)) or
    (item.name == 'php-fpm' and (php_test is not defined or php_test.rc == 0)) or
    (item.name == 'tomcat' and (tomcat_config_check is not defined or tomcat_config_check.rc == 0))

# vars
[root@m01 webs]# cat vars/main.yml
---
# vars file for webs
path: /ansible/roles/webs/templates/
path1: /ansible/roles/webs/files/

[root@m01 webs]#ll files/
total 13056
-rw-r--r-- 1 root root 6160420 Jan 7 16:33 zabbix-agent2-6.0.43-release2.el8.x86_64.rpm
-rw-r--r-- 1 root root 14708 Jan 7 15:26 zabbix_agent2.conf1
-rw-r--r-- 1 root root 14708 Jan 7 15:26 zabbix_agent2.conf2
-rw-r--r-- 1 root root 3947240 Jan 7 16:33 zabbix-agent2-plugin-mongodb-6.0.43-release2.el8.x86_64.rpm
-rw-r--r-- 1 root root 3222208 Jan 7 16:33 zabbix-agent2-plugin-postgresql-6.0.43-release2.el8.x86_64.rpm

# templates files
[root@m01 webs]#ll templates/
total 253460
-rw-r--r-- 1 root root 13049663 Dec 3 03:56 apache-tomcat-9.0.113.tar.gz
-rw-r--r-- 1 root root 76364324 Dec 25 17:45 code.tar.gz
drwxr-xr-x 2 root root 180 Dec 18 16:15 conf.d
-rw-r--r-- 1 root root 1229 Dec 25 20:53 conf.d.tar.gz
-rw-r--r-- 1 root root 170023183 Sep 27 2024 jdk-8u181-linux-x64.rpm
-rw-r--r-- 1 root root 1336 Dec 25 19:00 nginx.conf
-rw-r--r-- 1 root root 62269 Dec 25 19:22 php.ini
-rw------- 1 root root 2614 Dec 25 19:12 server.xml
-rw-r--r-- 1 root root 320 Dec 25 17:47 tomcat.service
-rw-r--r-- 1 root root 19404 Dec 25 17:52 www.conf
[root@m01 webs]# cat templates/nginx.conf

user www;
worker_processes auto;
worker_cpu_affinity auto;   # bind worker processes to CPUs automatically

error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;


events {
    use epoll;
    worker_connections 65535;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    server_tokens off;          # do not reveal the nginx version to browsers
    client_max_body_size 20m;   # upload size limit (default 1M)
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;


    # Gzip compression
    gzip on;
    gzip_disable "MSIE [1-6]\.";   # no compression for old IE versions
    gzip_http_version 1.1;
    gzip_comp_level 2;             # compression level
    gzip_buffers 16 8k;            # compression buffers
    gzip_min_length 1024;          # only compress responses larger than 1024 bytes (default 20)
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/jpeg;

    include /etc/nginx/conf.d/*.conf;
}



[root@m01 webs]#cat templates/server.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- 8005 is the shutdown port. Tomcat binds it to localhost unless address= says
     otherwise, but the command should still be changed from the well-known "SHUTDOWN". -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <!-- No address= attribute: 8080 listens on every interface, although web01/web02
         are only meant to be reached by the lb nodes over 172.16.1.0/24. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxParameterCount="1000"
               />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

      <!-- autoDeploy="true": any WAR written into appBase is unpacked and run, so
           write access to /code/... (pushed to both web nodes) equals code execution. -->
      <Host name="diy.oldboy.com" appBase="/code/diy/"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="diy.oldboy.com" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

      <Host name="www.zrlog.com" appBase="/code/zrlog/"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="zrlog" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

      <Host name="session.oldboy.com" appBase="/session/"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="session" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

    </Engine>
  </Service>
</Server>



[root@m01 webs]#cat templates/tomcat.service
[Unit]
Description=Apache Tomcat Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/soft/tomcat/bin/startup.sh
ExecStop=/soft/tomcat/bin/shutdown.sh
# There is no ExecRestart directive in systemd; "systemctl restart" runs ExecStop and
# then ExecStart. Without a User= line Tomcat runs as root; a dedicated account is safer.

[Install]
WantedBy=multi-user.target
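The server.xml and unit file above ship with the shutdown port on its default command, a Connector bound to every interface, and autoDeploy enabled on every virtual host. The script below is an added example and is not part of the page's webs role: it audits a server.xml for exactly those three settings. The file it writes when run without an argument is a constructed sample in the shape of the page's template, and the /soft/tomcat/conf/server.xml path in the usage line is assumed from the tomcat.service above.

```shell
#!/bin/sh
# audit_tomcat_conf.sh - added example, not part of the page's webs role.
# Reviews a Tomcat server.xml for three settings worth questioning before the
# template is pushed to web01/web02:
#   shutdown-default : <Server shutdown="SHUTDOWN"> keeps the well-known shutdown
#                      command on port 8005
#   connector-any    : a Connector with no address= attribute binds every
#                      interface, so 8080 answers on the 10.0.0.0/24 side as well
#                      as to the lb nodes on 172.16.1.0/24
#   autodeploy       : <Host autoDeploy="true"> deploys any WAR that appears in
#                      appBase; for appBase under /code, write access to that
#                      tree becomes code execution on the Tomcat host
# Usage: sh audit_tomcat_conf.sh /soft/tomcat/conf/server.xml   (path assumed)
#        (no argument: audit a constructed sample and print its findings)

# flatten FILE: join the lines so each multi-line element becomes one record
flatten() { tr '\n' ' ' < "$1"; }

# attr NAME: print attribute NAME of the single element supplied on stdin
attr() { sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"; }

# audit_server_xml FILE: print one finding per line, nothing when clean
audit_server_xml() {
    flat=$(flatten "$1")
    if printf '%s' "$flat" | grep -Eq '<Server[^>]*shutdown="SHUTDOWN"'; then
        echo 'shutdown-default: <Server> uses the default shutdown="SHUTDOWN" command'
    fi
    printf '%s\n' "$flat" | grep -Eo '<Connector [^>]*>' | while read -r el; do
        case "$el" in
            *'address="'*) ;;    # bound to an explicit address: fine
            *) echo "connector-any: Connector port=$(printf '%s' "$el" | attr port) has no address=, listens on all interfaces" ;;
        esac
    done
    printf '%s\n' "$flat" | grep -Eo '<Host [^>]*>' | while read -r el; do
        case "$el" in
            *'autoDeploy="true"'*)
                echo "autodeploy: Host $(printf '%s' "$el" | attr name) auto-deploys WARs from $(printf '%s' "$el" | attr appBase)" ;;
        esac
    done
}

# finding_count FILE: number of findings (0 means the file passed)
finding_count() { audit_server_xml "$1" | grep -c . || true; }

# write_sample FILE: constructed server.xml in the shape of the page's template
write_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1"
               address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
      </Host>
      <Host name="www.zrlog.com" appBase="/code/zrlog/"
            unpackWARs="true" autoDeploy="false">
      </Host>
      <Host name="diy.oldboy.com" appBase="/code/diy/"
            unpackWARs="true" autoDeploy="true">
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

if [ $# -gt 0 ]; then
    audit_server_xml "$1"
else
    tmp=$(mktemp) && write_sample "$tmp" && audit_server_xml "$tmp"
    rm -f "$tmp"
fi
```

On the constructed sample the script reports four findings: the default shutdown command, the 8080 Connector without address=, and the two hosts with autoDeploy="true"; the loopback-bound 8081 Connector and the zrlog host with autoDeploy="false" pass. Run it against the real template from m01 before the webs role copies it, and treat a non-empty output as a reason to fix server.xml rather than to add an exception.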

5. Deploying the lb servers

On the distribution server m01

# generate the role directory layout
[root@m01 roles]# ansible-galaxy init lb
- Role lb was created successfully
# the directories that are used
[root@m01 roles]# cd lb
[root@m01 lb]# ll
total 0
drwxr-xr-x 2 root root  6 Aug 29 11:43 files
drwxr-xr-x 2 root root 22 Aug 29 11:43 handlers
drwxr-xr-x 2 root root 22 Aug 29 11:43 tasks
drwxr-xr-x 2 root root  6 Aug 29 11:43 templates
drwxr-xr-x 2 root root 22 Aug 29 11:43 vars

lb server one-click deployment (role contents)
# tasks file
[root@m01 lb]#cat tasks/main.yml
---
# tasks file for lb
- name: Create nginx repository
  yum_repository:
    name: nginx
    description: nginx-stable
    baseurl: https://nginx.org/packages/centos/7/$basearch/
    # verify package signatures instead of trusting whatever the mirror serves
    gpgcheck: yes
    gpgkey: https://nginx.org/keys/nginx_signing.key
    enabled: yes

- name: Install nginx keepalived
  yum:
    name: "{{ item.name }}"
    state: present
  loop:
    - { name: nginx }
    - { name: keepalived }

- name: Create nginx server
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: "{{ path }}conf.d", dest: /etc/nginx/ }
    - { src: "{{ path }}ssl_key", dest: /etc/nginx/ }    # private keys: keep this tree root-only (0600)

- name: Create keepalived server
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: keepalived.conf.j2, dest: /etc/keepalived/keepalived.conf, mode: '0600' }    # contains auth_pass
    - { src: check_web.sh, dest: /root/check_web.sh, mode: '0755' }    # keepalived and cron execute it, so it needs the x bit
    - { src: lv_env, dest: /etc/nginx/lv_env, mode: '0644' }
  notify: Restart Nginx keepalived Server

# These two checks register the variables the handler below tests, so a
# config error blocks the restart instead of aborting the play.
- name: Check nginx configuration
  command: nginx -t
  register: ng_re
  changed_when: false
  failed_when: false

- name: Check keepalived configuration
  command: keepalived -t -f /etc/keepalived/keepalived.conf
  register: keepalived_check
  changed_when: false
  failed_when: false

- name: Crontab check_web.sh
  cron:
    name: Nginx check
    minute: "*"
    job: "/root/check_web.sh > /dev/null 2>&1"
    user: root
    state: present


- name: Start nginx keepalived server
  systemd:
    name: "{{ item.name }}"
    state: started
  loop:
    - { name: nginx }
    - { name: keepalived }


# handlers file
[root@m01 lb]#cat handlers/main.yml
---
# handlers file for lb
- name: Restart Nginx keepalived Server
  systemd:
    name: "{{ item.name }}"
    state: restarted
  loop:
    - { name: nginx }
    - { name: keepalived }
  when: >
    (item.name == 'nginx' and (ng_re is defined and ng_re.rc == 0)) or
    (item.name == 'keepalived' and (keepalived_check is defined and keepalived_check.rc == 0))


# vars file
[root@m01 lb]#cat vars/main.yml
---
# vars file for lb
path: /ansible/roles/lb/templates/

# templates
[root@m01 lb]#ll templates/
total 16
-rwxr-xr-x 1 root root 362 Dec 25 22:47 check_web.sh
drwxr-xr-x 2 root root 125 Dec 26 16:52 conf.d
-rw-r--r-- 1 root root 335 Dec 25 22:46 keepalived.conf
-rw-r--r-- 1 root root 353 Dec 26 15:19 keepalived.conf.j2
-rw-r--r-- 1 root root 257 Dec 25 22:47 lv_env
drwxr-xr-x 2 root root 86 Dec 26 15:54 ssl_key

[root@m01 lb]#cat templates/check_web.sh
#!/bin/sh
# number of running nginx processes (command substitution, not a bare "NG= ps")
NG=$(ps -C nginx --no-header | wc -l)
if [ "$NG" -eq 0 ]
then
    # nginx is not running: try to restart it
    systemctl restart nginx
    # wait one second
    sleep 1
    # check again whether nginx is up
    NG=$(ps -C nginx --no-header | wc -l)
    if [ "$NG" -eq 0 ]
    then
        # still down: stop keepalived so the VIP moves to the other lb node
        systemctl stop keepalived
    fi
fi
# Note: the script exits 0 in every branch, so the "weight -20" attached to it in
# keepalived.conf never lowers the priority; failover here relies solely on
# stopping keepalived.

[root@m01 lb]#cat templates/keepalived.conf.j2
global_defs {
    router_id {{ inventory_hostname }}
}

vrrp_script check_web {
    script "/root/check_web.sh"
    interval 5
    weight -20    # applied only when the script exits non-zero
}

vrrp_instance VI_1 {
    {# keepalived honours nopreempt only when the initial state is BACKUP, so both
       nodes start as BACKUP and the priorities decide who becomes MASTER #}
    state BACKUP
    interface {{ keepalived_interface | default('ens33') }}
    virtual_router_id 50
    priority {{ 150 if inventory_hostname == 'lb01' else 100 }}

    {% if inventory_hostname == 'lb01' %}
    nopreempt    # lb01 does not take the VIP back when it returns after a failure
    {% endif %}

    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111    # sent in clear text in every advert: change it, and allow IP protocol 112 only from the peer
    }

    virtual_ipaddress {
        {{ vip_address | default('10.0.0.3') }}
    }

    track_script {
        check_web
    }

    # unicast (avoids multicast problems); needs facts from every host in group "lb",
    # so both lb nodes must be in the play with gather_facts enabled
    unicast_src_ip {{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
    unicast_peer {
        {% for host in groups['lb'] %}
        {% if host != inventory_hostname %}
        {{ hostvars[host]['ansible_default_ipv4']['address'] | default('') }}
        {% endif %}
        {% endfor %}
    }
}
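check_web.sh above restarts nginx itself and always exits 0, so the weight -20 in vrrp_script never changes the priority and failover only happens once the script stops keepalived. The script below is an added example, not the page's check_web.sh. Its track mode is a keepalived-style probe that exits non-zero when nginx stops answering HTTP, letting the weight do the failover; its vip mode, run from m01 on `ip -4 -o addr show` output collected from both lb nodes, reports whether exactly one node holds 10.0.0.3, which is the split-brain check worth having with unicast VRRP and a cleartext auth_pass. The probe URL http://127.0.0.1/ and the script path in the usage lines are assumptions, and the address lines it writes as a sample are constructed from the page's IP plan.

```shell
#!/bin/sh
# lb_health.sh - added example; it is not the page's check_web.sh.
# Two jobs, written as functions so they can be exercised with canned input:
#   track     : keepalived vrrp_script probe. Exits non-zero when the local nginx
#               does not answer HTTP, so the configured "weight -20" lowers this
#               node's priority and VRRP moves the VIP.
#   vip FILE  : split-brain check run from m01. FILE holds lines of the form
#               "<host><TAB><one line of `ip -4 -o addr show`>" collected from
#               every lb node; exactly one host must own the VIP.
# Usage on lb nodes (assumed path):
#   vrrp_script check_web { script "/root/lb_health.sh track" interval 5 weight -20 }
# Usage on m01:
#   for h in lb01 lb02; do ssh "$h" ip -4 -o addr show | sed "s/^/$h\t/"; done > /tmp/lb_addrs
#   sh lb_health.sh vip /tmp/lb_addrs
VIP="${VIP:-10.0.0.3}"                         # the page's keepalived VIP
PROBE_URL="${PROBE_URL:-http://127.0.0.1/}"    # assumed local probe target

# http_ok CODE: 0 for a 2xx/3xx answer, 1 for anything else (including curl's 000)
http_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# probe URL: print the HTTP status, or 000 when nothing answers within 2 s
probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 2 "$1" 2>/dev/null)
    printf '%s' "${code:-000}"
}

# vip_holders FILE: print each host whose address list contains the VIP
# (the trailing "/" keeps 10.0.0.3 from matching 10.0.0.30)
vip_holders() {
    awk -F '\t' -v vip="$VIP" 'index($2, " inet " vip "/") { print $1 }' "$1" | sort -u
}

# vip_state FILE: ok (one holder) | none (VIP lost) | split:<n> (split brain)
vip_state() {
    n=$(vip_holders "$1" | grep -c .) || true
    case "$n" in
        1) echo ok ;;
        0) echo none ;;
        *) echo "split:$n" ;;
    esac
}

# write_sample FILE: constructed `ip -4 -o addr show` lines for lb01/lb02 using
# the addresses from the page's IP plan; only lb01 holds the VIP
write_sample() {
    printf 'lb01\t2: ens33    inet 10.0.0.6/24 brd 10.0.0.255 scope global ens33\\       valid_lft forever preferred_lft forever\n' > "$1"
    printf 'lb01\t2: ens33    inet 10.0.0.3/32 scope global ens33\\       valid_lft forever preferred_lft forever\n' >> "$1"
    printf 'lb02\t2: ens33    inet 10.0.0.5/24 brd 10.0.0.255 scope global ens33\\       valid_lft forever preferred_lft forever\n' >> "$1"
}

case "${1:-}" in
    track)
        code=$(probe "$PROBE_URL")
        http_ok "$code" && exit 0
        logger -t lb_health "nginx probe returned $code, lowering VRRP priority"
        exit 1 ;;
    vip)
        f="${2:-}"
        [ -n "$f" ] || { f=$(mktemp); write_sample "$f"; }
        vip_holders "$f"
        vip_state "$f" ;;
esac
```

With the probe approach the track script does nothing but report, so keepalived's own state machine, not a cron job, moves the VIP; restarting nginx stays the job of systemd (Restart=on-failure in its unit) or of an operator. The vip mode is what to run right after a failover test: "split:2" means both nodes answered ARP for 10.0.0.3, which with VRRP PASS authentication and unicast peers is most often a wrong unicast_peer address or a host firewall dropping protocol 112.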

Create the site playbook that deploys the servers in order
[root@m01 roles]#pwd
/ansible/roles

[root@m01 roles]#cat site.yml
- name: common
  hosts: all
  gather_facts: no

  roles:
    - common

- name: backup
  hosts: backup
  gather_facts: no

  roles:
    - backup

- name: nfs
  hosts: nfs
  gather_facts: no

  roles:
    - nfs

- name: db
  hosts: db
  gather_facts: no

  roles:
    - db

- name: webs
  hosts: webs
  gather_facts: no

  roles:
    - webs

- name: lb
  # both lb nodes must be in this play: keepalived.conf.j2 builds unicast_peer from the
  # facts of every host in group "lb", so targeting a single address (172.16.1.5) leaves
  # the peer list empty
  hosts: lb
  gather_facts: yes

  roles:
    - lb

6. Deploying the VPN server

Create the Roles role for the vpn server on the distribution server m01
[root@m01 vpn]#ll
total 4
drwxr-xr-x 2 root root  6 Jan 6 11:10 files
drwxr-xr-x 2 root root 22 Jan 6 11:10 handlers
drwxr-xr-x 2 root root 22 Jan 6 11:44 tasks
drwxr-xr-x 2 root root 56 Jan 6 11:12 templates
drwxr-xr-x 2 root root 22 Jan 6 11:45 vars

vpn one-click deployment

# tasks
[root@m01 vpn]#cat tasks/main.yml
---
# tasks file for vpn
- name: Copy gateway scripts
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: '0755'
  loop:
    - { src: "{{ path }}gateway_monitor.sh", dest: "/root/gateway_monitor.sh" }
    - { src: "{{ path }}setup_gateway.sh", dest: "/root/setup_gateway.sh" }
  when: path is defined

- name: Execute all gateway scripts
  command: "{{ item }}"
  args:
    chdir: /root
  loop:
    - /root/setup_gateway.sh
    - /root/gateway_monitor.sh
  # command re-runs both scripts on every play and always reports "changed";
  # add changed_when (or a creates: guard) once the scripts are idempotent
  register: script_results

# vars
[root@m01 vpn]#cat vars/main.yml
---
# vars file for vpn
path: /ansible/roles/vpn/templates/