Deploying a DNS master/slave pair with Ansible (Ubuntu)

Date: 2022-07-22

DNS itself is not covered here; see the earlier post: DNS server setup

Master/slave setup

Master: 10.0.3.115

Slave: 10.0.3.116

Ansible is used here to deploy the DNS master and slave.

Directory structure

$ tree roles/dns-server
roles/dns-server
├── tasks
│   └── main.yml
├── templates
│   ├── backend.dns.j2
│   ├── internal.dns.j2
│   ├── named.conf.j2
│   ├── named.conf.local.j2
│   ├── named.conf.log.j2
│   └── named.conf.options.j2
└── vars
    └── main.yml

Task file (tasks)

$ cat tasks/main.yml
---
- name: Install dns
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - bind9
      - bind9utils
      - bind9-doc
  become: true

- name: Create zone dir
  file:
    path: "{{ dns_zone_dir }}"
    state: directory
  become: true

- name: Copy dns configure file
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - src: named.conf.j2
      dest: /etc/bind/named.conf
    - src: named.conf.local.j2
      dest: /etc/bind/named.conf.local
    - src: named.conf.options.j2
      dest: /etc/bind/named.conf.options
    - src: named.conf.log.j2
      dest: /etc/bind/named.conf.log
    - src: backend.dns.j2
      dest: "{{ dns_zone_dir }}/backend.dns"
    - src: internal.dns.j2
      dest: "{{ dns_zone_dir }}/internal.dns"
  become: true

- name: Turn off ipv6
  lineinfile:
    path: /etc/default/bind9
    regexp: "^OPTIONS"
    line: 'OPTIONS="-u bind -4"'
  become: true

- name: Restart dns
  systemd:
    name: bind9
    state: restarted
    enabled: yes
  become: true

# Normally the replace or lineinfile module should be used to edit the file, but the regex did not match, so sed was used instead
- name: Add write permission   # so the slave DNS server has write access and can store the transferred zones
  # The "*" characters must be escaped: unescaped, sed reads "/**" as "zero or more slashes" and never matches the profile line.
  # Ubuntu's profile already grants rw under /var/lib/bind; keeping dns_zone_dir there would avoid loosening it.
  shell: 'sed -i "s@/etc/bind/\*\* r,@/etc/bind/** rw,@" /etc/apparmor.d/usr.sbin.named'
  become: true

- name: Restart apparmor
  systemd:
    name: apparmor
    state: restarted
    enabled: yes
  become: true

- name: Restart dns
  systemd:
    name: bind9
    state: restarted
    enabled: yes
  become: true

Template files (templates)

$ tree templates/
templates/
├── backend.dns.j2
├── internal.dns.j2
├── named.conf.j2
├── named.conf.local.j2
├── named.conf.log.j2
└── named.conf.options.j2

Main configuration file template

$ cat named.conf.j2
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.log";

Zones to serve (which domain names get resolved)

$ cat named.conf.local.j2
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "{{ dns_domain_backend }}" {
{% if  inventory_hostname in groups.dns_master %}
        type master;
{% elif inventory_hostname in groups.dns_slave %}
        type slave;
        masters { {{ dns_master_ip }}; };
        allow-notify { {{ dns_master_ip }}; };
{% endif %}
        file "{{ dns_zone_dir }}/backend.dns";
        forwarders {};
};

zone "{{ dns_domain_internal }}" {
{% if  inventory_hostname in groups.dns_master %}
        type master;
{% elif inventory_hostname in groups.dns_slave %}
        type slave;
        masters { {{ dns_master_ip }}; };
        allow-notify { {{ dns_master_ip }}; };
{% endif %}
        file "{{ dns_zone_dir }}/internal.dns";
        forwarders {};
};

Log file template

$ cat named.conf.log.j2
logging {
{% for log_type in dns_log_type %}
    channel {{ log_type.name }} {
        file "{{ log_type.name }}" versions 3 size 1g;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category {{ log_type.type }} {
        {{ log_type.name }};
    };
{% endfor %}
};

Global options template

$ cat named.conf.options.j2
options {
        directory "/var/cache/bind";

        forwarders {
                114.114.114.114;
                8.8.8.8;
        };

        allow-query { any; };

        recursion yes;
        allow-transfer  { any; };
        dnssec-enable no;
        dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
};
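The options above accept zone transfers and recursive queries from any address. A tightened version of the same template follows, as an added example that is not the post's own file: it keeps the post's dns_master / dns_slave inventory groups and forwarders, and assumes 10.0.3.0/24 as the client network that is allowed to recurse.

```jinja
// Hardened named.conf.options.j2 (added example, not the post's own template).
// Assumes the post's dns_master / dns_slave inventory groups; 10.0.3.0/24 as the
// "trusted" client network is an assumption, adjust it to the real client range.
acl "trusted" {
        10.0.3.0/24;
        localhost;
};

acl "secondaries" {
{% for host in groups['dns_slave'] %}
        {{ host }};
{% endfor %}
};

options {
        directory "/var/cache/bind";

        forwarders {
                114.114.114.114;
                8.8.8.8;
        };

        // Authoritative answers for anyone, recursion only for trusted clients:
        // "recursion yes" with "allow-query { any; }" alone makes an open resolver.
        allow-query     { any; };
        recursion yes;
        allow-recursion { trusted; };

        // AXFR hands out the whole zone, so only the secondaries may request it.
        // The master notifies them explicitly instead of relying on the NS records.
{% if inventory_hostname in groups['dns_master'] %}
        allow-transfer  { secondaries; };
        notify explicit;
        also-notify     { {% for host in groups['dns_slave'] %}{{ host }}; {% endfor %}};
{% else %}
        allow-transfer  { none; };
{% endif %}

        // Do not advertise the BIND version in CH TXT version.bind queries.
        version "not disclosed";

        dnssec-validation no;   // kept as in the post; "auto" needs forwarders that pass DNSSEC records through
        auth-nxdomain no;       // conform to RFC1035
};
```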

Zone file template 1

$ cat backend.dns.j2
$TTL   600
@       IN      SOA      ns1 root (
                         3              ; Serial: must be raised on every change, or the slave keeps its old copy
                         3600           ; Refresh
                         86400          ; Retry
                         86400          ; Expire
                         86400 )        ; Negative Cache TTL

;
{% for list in dns_backend_list %}
{{ list.domain }}        IN        {{ list.type }}       {{ list.ip }}
{% endfor %}

Zone file template 2

$ cat internal.dns.j2
$TTL   600
@       IN      SOA      ns1 root (
                         3              ; Serial: must be raised on every change, or the slave keeps its old copy
                         3600           ; Refresh
                         86400          ; Retry
                         86400          ; Expire
                         86400 )        ; Negative Cache TTL

;
{% for list in dns_internal_list %}
{{ list.domain }}        IN        {{ list.type }}       {{ list.ip }}
{% endfor %}

Variable file (vars)

$ cat main.yml
dns_master_ip: "10.0.3.115"
dns_zone_dir: "/etc/bind/zone-tianchi"
dns_domain_backend: devilf.com
dns_domain_internal: test.com

dns_log_type:
  - name: query_log
    type: queries
  - name: update_log
    type: update
  - name: client_log
    type: client
  - name: network_log
    type: network
  - name: resolver_log
    type: resolver
  - name: lame-servers_log
    type: lame-servers

dns_backend_list:
  - domain: "@"
    type: NS
    ip: ns1        # NS data is a host name (resolved by the ns1 A record below), not an address
  - domain: ns1
    type: A
    ip: 10.0.3.93
  - domain: test
    type: A
    ip: 10.0.3.93
  - domain: www
    type: A
    ip: 10.0.3.93

dns_internal_list:
  - domain: "@"
    type: NS
    ip: ns1        # NS data is a host name (resolved by the ns1 A record below), not an address
  - domain: ns1
    type: A
    ip: 10.0.3.93
  - domain: web
    type: A
    ip: 10.0.3.93
  - domain: www
    type: A
    ip: 10.0.3.93

Inventory file (hosts)

$ cat office/hosts 
[dns_master]
10.0.3.115

[dns_slave]
10.0.3.116

[dns:children]
dns_master
dns_slave

Entry playbook (setup.yml)

$ cat setup.yml
- hosts: dns
  roles:
    - role: dns-server

Run the playbook

ansible-playbook -i office setup.yml -k -K

Note:

I replaced the apt repository source before deploying DNS.
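Once the playbook has run, the pair should be checked rather than assumed to replicate. The script below is an added example, not part of the original post: it reads the SOA serial of each zone from the master and the slave with dig and reports a mismatch, which is the symptom of a failed transfer or a blocked NOTIFY. It assumes dig (package dnsutils) on the control host, uses the post's addresses and zone names as defaults, and keeps the parsing helpers separate from the network calls so they can be exercised on their own.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that master and slave serve
# the same zone serial. Assumes dig (package dnsutils) on the control host.
set -eu

MASTER="${DNS_MASTER:-10.0.3.115}"        # master from the post
SLAVE="${DNS_SLAVE:-10.0.3.116}"          # slave from the post
ZONES="${DNS_ZONES:-devilf.com test.com}" # zones from the post's vars

# Extract the serial, the third RDATA field, from one `dig +short <zone> SOA` line,
# e.g. "ns1.devilf.com. root.devilf.com. 3 3600 86400 86400 86400" -> "3".
# Anything that is not an SOA answer (empty output, a dig error line) yields "".
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# True only when both serials are present and identical.
serials_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Ask one server ($1) for the SOA of one zone ($2); a timeout yields "" instead of aborting.
query_serial() {
    soa_serial "$(dig +short +time=2 +tries=1 "@$1" "$2" SOA 2>/dev/null || true)"
}

check_zone() {
    zone="$1"
    m=$(query_serial "$MASTER" "$zone")
    s=$(query_serial "$SLAVE" "$zone")
    if serials_match "$m" "$s"; then
        echo "OK   $zone: serial $m on both servers"
    else
        echo "FAIL $zone: master='${m:-none}' slave='${s:-none}' (transfer or notify problem)" >&2
        return 1
    fi
}

# Network calls only run when explicitly requested, e.g. RUN_DNS_CHECK=1 sh check-dns.sh
if [ "${RUN_DNS_CHECK:-0}" = "1" ]; then
    rc=0
    for z in $ZONES; do check_zone "$z" || rc=1; done
    exit "$rc"
fi
```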