This post walks through provisioning a server for a Rails application with Ansible. The idea is to describe the whole server setup once, as a playbook kept next to the project, so that it can be re-run instead of being repeated by hand every time a server is built.
Ansible connects to the managed hosts over SSH and needs no agent installed on them; the setup below targets a plain VPS rather than a Docker environment. The finished configuration can live in the project repository or on GitHub, so a server can be rebuilt from it at any time.
What do we need?
First, an overview of what has to happen. A Rails application needs system packages such as nginx and postgresql (redis, and so on). Ruby is usually installed through a version manager such as rbenv (rvm, asdf, ...). Running the application as root is a bad idea, so a separate user is created and the application runs under it. Finally, services such as nginx and postgres need their configuration files written and must be started.
Step by step, it looks like this:
- Log in as root
- Update the system
- Create a new user, set a password and an ssh key
- Install and configure the required packages (nginx and so on) and start them
- Create a database user with a password (and, optionally, the database itself)
- Log in as the new user
- Install rbenv and ruby
- Install the application's dependencies
- Deploy the application
- Start it via Puma
Of these steps, the deploy itself is better left to capistrano, which is built for exactly that: it checks out a release, runs migrations and restarts puma. Everything else on the list can be done with Ansible.
File structure
Ansible in brief
Getting started
A playbook is a yml file that describes what Ansible should do, on which hosts and in what order. The simplest possible playbook looks like this:
---
- name: Simple playbook
  hosts: all
This playbook does nothing yet: it only has a name, Simple Playbook, and targets all hosts. Create a directory /ansible, save the file there as playbook.yml, and run it:
ansible-playbook ./playbook.yml
PLAY [Simple Playbook] ************************************************************************************************************************************
skipping: no hosts matched
Ansible skipped the play because it was not told about any hosts; the hosts come from an inventory file. Create a file with this content:
123.123.123.123
Use your own server's IP address instead (a VPS you can experiment on, or localhost) and save the file as inventory. Now run ansible and point it at that file:
ansible-playbook ./playbook.yml -i inventory
PLAY [Simple Playbook] ************************************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************************
PLAY RECAP ************************************************************************************************************************************
If you can already reach the server over ssh, ansible connects, collects information about the host (the TASK [Gathering Facts] step) and prints a summary of what it did (PLAY RECAP).
On a fresh server only root exists so far, so the playbook has to say which user to connect as; that is remote_user. become: true makes tasks run with elevated privileges, which the later steps need. Gathering facts takes time and nothing here uses them, so gather_facts is switched off.
---
- name: Simple playbook
  hosts: all
  remote_user: root
  become: true
  gather_facts: no
Run the playbook again and it should still succeed. (If you connect as a user that has sudo rather than as root, become: true is what grants the privileges; the Ansible documentation puts it as become set to 'true'/'yes' to activate privilege escalation. When connecting as root it changes nothing for now.)
Also, if ansible cannot find the Python interpreter on the host, tell it where the interpreter is:
ansible_python_interpreter: /usr/bin/python3
You can find the path on the server with whereis python.
Installing packages
Ansible does its work through modules: instead of writing the bash commands for each step, you name a module and give it parameters, and the module makes sure the host ends up in the requested state. The VPS here runs Ubuntu Linux, where packages are installed with apt-get, and the matching module is apt. The playbook grows as follows:
---
- name: Simple playbook
  hosts: all
  remote_user: root
  become: true
  gather_facts: no
  tasks:
    - name: Update system
      apt: update_cache=yes
    - name: Install system dependencies
      apt:
        name: git,nginx,redis,postgresql,postgresql-contrib
        state: present
A task is a single unit of work; Ansible runs the tasks in order and shows each task's name in its output. The first task, apt: update_cache=yes, is the short form of calling the apt module and is the equivalent of apt-get update. The second task uses the long form, with the module's parameters on separate lines; state: present means the package must be installed. If a package is already present nothing happens, so the playbook can be run again and again: with postgresql already installed and postgresql-contrib missing, only postgresql-contrib gets installed.
Run the playbook and check that the packages are now on the server.
Creating a new user
Ansible has the user module for this. Add the task below the others (from here on, only the part of the playbook that changes is shown, so the file stays readable).
---
- name: Simple playbook
  # ...
  tasks:
    # ...
    - name: Add a new user
      user:
        name: my_user
        shell: /bin/bash
        password: "{{ '123qweasd' | password_hash('sha512') }}"
This creates a user with bash as the shell and the given password. But should a password sit in the playbook at all? And what happens if the playbook is ever published? To keep the playbook free of secrets, move the user name and the password into variables.
---
- name: Simple playbook
  # ...
  tasks:
    # ...
    - name: Add a new user
      user:
        name: "{{ user }}"
        shell: /bin/bash
        password: "{{ user_password | password_hash('sha512') }}"
Variables are defined in the inventory, so it now looks like this:
123.123.123.123
[all:vars]
user=my_user
user_password=123qweasd
The [all:vars] section holds variables for every host in the all group (each group can have a vars section of its own). The password_hash('sha512') filter hashes the password because the user module, like the useradd command underneath it, expects an already hashed password rather than the plain text.
The user also needs sudo, so the playbook first makes sure a sudo group exists and then adds the user to it:
---
- name: Simple playbook
  # ...
  tasks:
    # ...
    - name: Ensure a 'sudo' group
      group:
        name: sudo
        state: present
    - name: Add a new user
      user:
        name: "{{ user }}"
        shell: /bin/bash
        password: "{{ user_password | password_hash('sha512') }}"
        groups: "sudo"
The group module works like apt: state: present means the group must exist. Adding the user to it is done with groups: "sudo" in the user task.
The next step is to put your ssh key on the server so you can log in as that user without a password; the authorized_key module does that:
---
- name: Simple playbook
  # ...
  tasks:
    # ...
    - name: Ensure a 'sudo' group
      group:
        name: sudo
        state: present
    - name: Add a new user
      user:
        name: "{{ user }}"
        shell: /bin/bash
        password: "{{ user_password | password_hash('sha512') }}"
        groups: "sudo"
    - name: Deploy SSH Key
      authorized_key:
        user: "{{ user }}"
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: present
The lookup('file', '~/.ssh/id_rsa.pub') reads the public key from your local machine (the file is assumed to exist there) and authorized_key adds it to the user's authorized keys on the server.
The playbook is getting long, and the remaining parts (nginx, postgresql, ruby) will make it longer still. Ansible lets related tasks be grouped into roles: a role is a directory under roles/ with a tasks/main.yml that lists its tasks, and a playbook names the roles it applies. Move the user tasks into ./ansible/roles/user/tasks/main.yml (the role directory's name is what the playbook refers to; the other subdirectories a role can have, such as files and templates, appear later). The file contains just the tasks, without the playbook header:
# Create user and add him to groups
- name: Ensure a 'sudo' group
  group:
    name: sudo
    state: present
- name: Add a new user
  user:
    name: "{{ user }}"
    shell: /bin/bash
    password: "{{ user_password | password_hash('sha512') }}"
    groups: "sudo"
- name: Deploy SSH Key
  authorized_key:
    user: "{{ user }}"
    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
    state: present
And the playbook now applies the role instead of listing those tasks:
---
- name: Simple playbook
  hosts: all
  remote_user: root
  gather_facts: no
  tasks:
    - name: Update system
      apt: update_cache=yes
    - name: Install system dependencies
      apt:
        name: git,nginx,redis,postgresql,postgresql-contrib
        state: present
  roles:
    - user
One thing to watch: Ansible runs roles before the play's tasks, so as written the packages would be installed after the user role. To run the apt tasks first, rename tasks to pre_tasks.
Installing nginx
Now the same for nginx. The package is already installed by apt, so the role only needs to configure and start it. Create a role with this layout:
- ansible
  - roles
    - nginx
      - files
      - tasks
        - main.yml
      - templates
files holds static files that are copied to the server as they are; templates holds j2 (Jinja2) templates, in which values written in double curly braces are replaced with variables before the file is written. In tasks/main.yml, start nginx with the systemd module:
# Copy nginx configs and start it
- name: enable service nginx and start
  systemd:
    name: nginx
    state: started
    enabled: yes
This only ensures nginx is running and is enabled at boot (it is already installed). The configuration files are copied next, so the file grows to:
# Copy nginx configs and start it
- name: enable service nginx and start
  systemd:
    name: nginx
    state: started
    enabled: yes
- name: Copy the nginx.conf
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'
    backup: yes
- name: Copy template my_app.conf
  template:
    src: my_app_conf.j2
    dest: /etc/nginx/sites-available/my_app.conf
    owner: root
    group: root
    mode: '0644'
The first task puts the main nginx.conf in place (you can take the default one and adjust it, or write your own). It is a static file, so the copy module is used, and it is read from /ansible/roles/nginx/files/nginx.conf. The second task renders the site configuration for the application into sites-available. It contains values that differ from server to server, so it is a template, read from /ansible/roles/nginx/templates/my_app_conf.j2, and may look like this:
upstream {{ app_name }} {
  server unix:{{ app_path }}/shared/tmp/sockets/puma.sock;
}
server {
  listen 80;
  server_name {{ server_name }} {{ inventory_hostname }};
  root {{ app_path }}/current/public;
  try_files $uri/index.html $uri.html $uri @{{ app_name }};
  ....
}
The placeholders {{ app_name }}, {{ app_path }}, {{ server_name }} and {{ inventory_hostname }} are variables that Ansible substitutes when it renders the template. inventory_hostname is built in: it is the host's name exactly as written in the inventory. The others are defined by us, and with groups in the inventory they can differ per environment, for example production and staging:
[production]
123.123.123.123
[staging]
231.231.231.231
[all:vars]
user=my_user
user_password=123qweasd
[production:vars]
server_name=production
app_path=/home/www/my_app
app_name=my_app
[staging:vars]
server_name=staging
app_path=/home/www/my_stage
app_name=my_stage_app
The hosts are now split into the production and staging groups, each with its own variables, while [all:vars] still applies to both. Because server_name in the nginx template includes {{ inventory_hostname }}, the rendered configuration also lists the address from the inventory, so nothing needs to be repeated in the group variables. With several groups, a run can be limited to one of them with -l:
ansible-playbook -i inventory ./playbook.yml -l "staging"
Only the hosts of the selected group are touched, so a change can be tried on staging first; without -l the playbook runs on every host in the inventory.
Copying the files is not enough to enable the site: nginx reads sites-enabled, so a symlink from sites-enabled to my_app.conf in sites-available is needed, and nginx has to be restarted:
... # old code in main.yml
- name: Create symlink to sites-enabled
  file:
    src: /etc/nginx/sites-available/my_app.conf
    dest: /etc/nginx/sites-enabled/my_app.conf
    state: link
- name: restart nginx
  service:
    name: nginx
    state: restarted
There is a subtlety here. Most Ansible modules are idempotent: they change the host only when it is not yet in the requested state and otherwise report ok, which is what makes it safe to run the playbook any number of times. A restart task is not: as written, nginx restarts on every run, even when nothing changed. The copy and template modules report changed only when they actually wrote a file, and that result can be captured with register and used as a condition for the restart:
# Copy nginx configs and start it
- name: enable service nginx and start
  systemd:
    name: nginx
    state: started
    enabled: yes
- name: Copy the nginx.conf
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'
    backup: yes
  # result of this task, including whether it changed anything
  register: nginx_conf
- name: Copy template my_app.conf
  template:
    src: my_app_conf.j2
    dest: /etc/nginx/sites-available/my_app.conf
    owner: root
    group: root
    mode: '0644'
  # a second variable: registering both tasks under one name would keep only the last result
  register: app_conf
- name: Create symlink to sites-enabled
  file:
    src: /etc/nginx/sites-available/my_app.conf
    dest: /etc/nginx/sites-enabled/my_app.conf
    state: link
- name: restart nginx
  service:
    name: nginx
    state: restarted
  when: nginx_conf.changed or app_conf.changed
Each configuration task stores its outcome in a variable with register; when the file was actually replaced, that variable's changed field is true. The when: condition on the restart task reads those fields, so nginx is restarted only after a real configuration change and an unchanged run leaves it alone.
Finally, add the nginx role to the playbook.
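The same nginx role written with a handler, as an added example that is not from the original article: every task that touches the configuration notifies the handler, Ansible runs the handler at most once at the end of the play and only if one of those tasks reported changed, and the main config is checked with nginx -t before it replaces the old file. It assumes the article's role layout (roles/nginx/tasks/main.yml plus a handlers/main.yml) and that the nginx binary is at /usr/sbin/nginx.

```yaml
# roles/nginx/tasks/main.yml  (added example, assumes the article's role layout)
- name: enable service nginx and start
  systemd:
    name: nginx
    state: started
    enabled: yes

- name: Copy the nginx.conf
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'
    backup: yes
    # nginx -t checks the new file (%s is the temporary copy) before it is
    # moved into place; a broken config fails the task instead of taking the
    # site down on restart. Binary path is an assumption.
    validate: /usr/sbin/nginx -t -c %s
  notify: restart nginx

- name: Copy template my_app.conf
  template:
    src: my_app_conf.j2
    dest: /etc/nginx/sites-available/my_app.conf
    owner: root
    group: root
    mode: '0644'
  notify: restart nginx

- name: Create symlink to sites-enabled
  file:
    src: /etc/nginx/sites-available/my_app.conf
    dest: /etc/nginx/sites-enabled/my_app.conf
    state: link
  notify: restart nginx

# roles/nginx/handlers/main.yml
# A handler runs once, at the end of the play, and only when at least one task
# that notified it reported "changed"; a run that changes nothing never
# restarts nginx, so no register/when bookkeeping is needed.
- name: restart nginx
  service:
    name: nginx
    state: restarted
```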
Installing postgresql
Starting postgresql through systemd is done the same way as for nginx. Ansible also has modules for creating a database user and a database, so the role /ansible/roles/postgresql/tasks/main.yml looks like this:
# Create user in postgresql
- name: enable postgresql and start
  systemd:
    name: postgresql
    state: started
    enabled: yes
- name: Create database user
  become_user: postgres
  postgresql_user:
    name: "{{ db_user }}"
    password: "{{ db_password }}"
    role_attr_flags: SUPERUSER
- name: Create database
  become_user: postgres
  postgresql_db:
    name: "{{ db_name }}"
    encoding: UTF-8
    owner: "{{ db_user }}"
The user name, password and database name come from variables, which are added to the inventory in the same way as before. The tasks run as the postgres system user (become_user: postgres): on a default installation that user can connect to postgresql locally without a password, which is what the postgresql_user and postgresql_db modules need in order to create the role and the database. If the application has to connect to the database with a password, pg_hba.conf must allow it; that file can be delivered with the copy module exactly like the nginx configuration.
Then add the postgresql role to the playbook.
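An added example, not part of the article, of the same role with the privileges narrowed: the application role gets CREATEDB instead of SUPERUSER, the task that carries the password is kept out of the Ansible log, and the pg_hba.conf change the text mentions is done with the postgresql_pg_hba module so that exactly one role can reach one database from localhost with a password. It assumes the db_user, db_name and db_password variables from the article, and a placeholder PG_VERSION in the pg_hba.conf path that must be replaced with the installed PostgreSQL major version.

```yaml
# roles/postgresql/tasks/main.yml  (added example; PG_VERSION is a placeholder)
- name: enable postgresql and start
  systemd:
    name: postgresql
    state: started
    enabled: yes

- name: Create database user with only the rights a Rails app needs
  become_user: postgres
  postgresql_user:
    name: "{{ db_user }}"
    password: "{{ db_password }}"
    # CREATEDB is enough for `rails db:create`; NOSUPERUSER keeps a leaked
    # application credential from reading every database on the server or
    # running server-side commands
    role_attr_flags: CREATEDB,NOSUPERUSER
  # the password would otherwise appear in verbose output and log files
  no_log: true

- name: Create database
  become_user: postgres
  postgresql_db:
    name: "{{ db_name }}"
    encoding: UTF-8
    owner: "{{ db_user }}"

- name: Allow the app role to reach its own database from localhost
  postgresql_pg_hba:
    # replace PG_VERSION with the installed major version, e.g. 12
    dest: /etc/postgresql/PG_VERSION/main/pg_hba.conf
    contype: host
    databases: "{{ db_name }}"
    users: "{{ db_user }}"
    source: 127.0.0.1/32
    # md5 matches the default password_encryption of older releases;
    # use scram-sha-256 where the server already stores scram hashes
    # (the default from PostgreSQL 14 on)
    method: md5
    state: present
  notify: reload postgresql

# roles/postgresql/handlers/main.yml
# a reload is enough for pg_hba.conf; no connections are dropped
- name: reload postgresql
  service:
    name: postgresql
    state: reloaded
```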
Installing Ruby with rbenv
Ansible has no module for rbenv, so it is installed the way the project itself suggests: by cloning its git repository into the user's home directory. Create the role /ansible/roles/ruby_rbenv/tasks/main.yml and start it with:
# Install rbenv and ruby
- name: Install rbenv
  become_user: "{{ user }}"
  git: repo=https://github.com/rbenv/rbenv.git dest=~/.rbenv
Here become_user switches the task to the new user, because rbenv must be installed in that user's home directory and belong to that user, not to root. The git module clones a repository; only repo and dest are needed.
Next, rbenv's bin directory has to be on the PATH and rbenv init has to run from .bashrc. The lineinfile module adds a line to a file if it is not already there:
- name: Add rbenv to PATH
  become_user: "{{ user }}"
  lineinfile:
    path: ~/.bashrc
    state: present
    line: 'export PATH="${HOME}/.rbenv/bin:${PATH}"'
- name: Add rbenv init to bashrc
  become_user: "{{ user }}"
  lineinfile:
    path: ~/.bashrc
    state: present
    line: 'eval "$(rbenv init -)"'
Then install ruby-build, the rbenv plugin that compiles Ruby versions:
- name: Install ruby-build
  become_user: "{{ user }}"
  git: repo=https://github.com/rbenv/ruby-build.git dest=~/.rbenv/plugins/ruby-build
Finally, Ruby itself is installed through rbenv. There is no module for that either, so it is a bash command:
- name: Install ruby
  become_user: "{{ user }}"
  shell: |
    export PATH="${HOME}/.rbenv/bin:${PATH}"
    eval "$(rbenv init -)"
    rbenv install {{ ruby_version }}
  args:
    executable: /bin/bash
Two things to note. First, the PATH export and rbenv init are repeated inside the command because ansible runs each shell task in a fresh non-interactive shell that does not read .bashrc, so the lines added there are not in effect. Second, this task is not idempotent: Ruby would be compiled again on every run. Checking first whether the version is already installed makes it safe to re-run, and rbenv global selects it as the default version:
- name: Install ruby
  become_user: "{{ user }}"
  shell: |
    export PATH="${HOME}/.rbenv/bin:${PATH}"
    eval "$(rbenv init -)"
    if ! rbenv versions | grep -q {{ ruby_version }}
    then rbenv install {{ ruby_version }} && rbenv global {{ ruby_version }}
    fi
  args:
    executable: /bin/bash
What remains is installing bundler:
- name: Install bundler
  become_user: "{{ user }}"
  shell: |
    export PATH="${HOME}/.rbenv/bin:${PATH}"
    eval "$(rbenv init -)"
    gem install bundler
Then add the ruby_rbenv role to the playbook.
The application itself is deployed with capistrano, which is not covered here (its setup is fairly standard). Capistrano keeps files that must survive between releases, such as database.yml or .env, in a shared directory, and the puma socket referenced by the nginx configuration lives under the same path. Ansible can create that directory in advance, under the deploy user:
# Copy shared files for deploy
- name: Ensure shared dir
  become_user: "{{ user }}"
  file:
    path: "{{ app_path }}/shared/config"
    state: directory
This only does something on the first run; once the directory exists, ansible reports ok and moves on.
Ansible Vault
Secrets should not be stored in the repository in plain text, yet the setup so far needs several: the user and database passwords in the inventory, and whatever goes into .env and database.yml on the server. Ansible Vault encrypts files so they can be committed safely. Move the secrets into a variables file /ansible/vars/all.yml (or one file per environment, production.yml, staging.yml and so on, matching the inventory groups). It is an ordinary yml file:
# System vars
user_password: 123qweasd
db_password: 123qweasd
# ENV vars
aws_access_key_id: xxxxx
aws_secret_access_key: xxxxxx
aws_bucket: bucket_name
rails_secret_key_base: very_secret_key_base
Then encrypt it in place:
ansible-vault encrypt ./vars/all.yml
ansible-vault asks for a password and replaces the file's contents with ciphertext, so only that password has to be kept out of the repository. To change the file later, decrypt it with ansible-vault decrypt, edit it and encrypt it again (ansible-vault edit does both in one step). When running the playbook, pass --ask-vault-pass: Ansible prompts for the vault password and decrypts the variables in memory for the duration of the run; nothing decrypted is written to disk. The full command with the inventory and the vault now looks like this:
ansible-playbook -i inventory ./playbook.yml -l "staging" --ask-vault-pass
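An added example, not the article's own files, showing how the vault is tied into the playbook: the inventory keeps only non-secret variables, the playbook loads the encrypted vars/all.yml with vars_files, and the task that consumes user_password runs with no_log so the rendered hash is not printed. It assumes the file names, roles and variable names used in the article.

```yaml
# inventory  (added example: only non-secret values stay here)
#   [production]
#   123.123.123.123
#   [all:vars]
#   user=my_user

# playbook.yml
---
- name: Simple playbook
  hosts: all
  remote_user: root
  gather_facts: no
  # vars/all.yml is the file encrypted with `ansible-vault encrypt`; Ansible
  # decrypts it in memory when --ask-vault-pass (or --vault-password-file)
  # is given, so user_password and db_password never sit in the repo in clear
  vars_files:
    - vars/all.yml
  # pre_tasks run before the roles, so packages exist when the roles need them
  pre_tasks:
    - name: Update system
      apt: update_cache=yes
    - name: Install system dependencies
      apt:
        name: git,nginx,redis,postgresql,postgresql-contrib
        state: present
  roles:
    - user
    - nginx
    - postgresql
    - ruby_rbenv

# roles/user/tasks/main.yml  (the task that uses the vaulted password)
- name: Add a new user
  user:
    name: "{{ user }}"
    shell: /bin/bash
    password: "{{ user_password | password_hash('sha512') }}"
    groups: "sudo"
  # without no_log, verbose runs print the task arguments, hash included
  no_log: true
```

For unattended runs (CI, a deploy machine) replace --ask-vault-pass with --vault-password-file pointing at a file kept outside the repository.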
This does not cover every detail, but the playbook and roles above are enough to build the server from scratch with a single command, and ansible itself turns out to be easy to pick up once the first role is written.
Source: www.habr.com