Named9 Master Sync

Single Ansible role and playbooks to provision a named master (inotify watcher) and sync zones to a remote server when config changes.

One role named_sync with two modes:

1. Provision (master) – named_provision_master: true

   • Installs inotify-tools (BIND is not installed).
   • Deploys watcher script and systemd service.
   • Watches /etc/named.conf and /var/named/; on change runs the sync playbook.

2. Sync (remote) – default when named_provision_master is false

   • Ensures named9 is installed on the remote.
   • Copies /etc/named.conf and /var/named/ from the master to the remote.

• Debian / Ubuntu – named service bind9.
• CentOS / RHEL 7, 8, 9 – EPEL for inotify-tools; named service named. Default paths /etc/named.conf, /var/named/.

• roles/named_sync – Single role:
  • Provision task (tasks/provision_master.yml): inotify-tools, watcher script, systemd service.
  • Sync task (tasks/sync_zones.yml): install named on remote, copy named.conf and domains dir.
• playbooks/provision_master.yml – Runs on localhost (the machine you run it on). No inventory required. Provisions inotify-tools and the watcher.
• playbooks/sync_zones_to_remote.yml – Targets named_slaves; run by the watcher on change or manually (requires inventory).

Deploy this repo on the master (e.g. /opt/named-master-sync), then on the master run:

cd /opt/named-master-sync
ansible-playbook playbooks/provision_master.yml

The playbook runs on localhost (no inventory file needed). It installs inotify-tools, deploys the watcher script, and starts the systemd service. Ensure BIND and your config (/etc/named.conf, /var/named/) are already in place.

For the watcher to sync to remote(s), create an inventory on the master listing the slave(s):

cp inventory.example.yml inventory.yml
# Edit: set named_slaves with ansible_host (and named_sync_playbook_project_path if different).

Ensure the master can SSH to the slave as the user in the inventory (e.g. root or ansible). Host key verification: ansible.cfg sets host_key_checking = False so the watcher can run the sync playbook non-interactively. Alternatively, add the slave to the master’s known_hosts (as the user that runs the watcher, usually root):

ssh-keyscan -H <dns-slave-ip> >> ~root/.ssh/known_hosts

From the master:

cd /opt/named-master-sync
ansible-playbook -i inventory.yml playbooks/sync_zones_to_remote.yml

The watcher runs this automatically when /etc/named.conf or /var/named/ changes.

• Mode: named_provision_master – when true, run provision tasks; when false, run sync tasks (default: false).

• Provision (master):
  named_inotify_watch_paths, named_inotify_trigger_paths, named_sync_playbook_project_path, named_sync_playbook_file, named_sync_inventory_path, named_inotify_watch_script_path, named_watcher_user, named_watcher_group.
  named_ansible_venv_path – Optional. Path to a Python venv where Ansible is installed (e.g. /opt/ansible-venv). When set, the watcher runs $path/bin/ansible-playbook instead of ansible-playbook from PATH.

• Sync (remote):
  named_master_named_conf, named_master_domains_dir, named_remote_named_conf, named_remote_domains_dir, named_sync_remote_hosts.

See roles/named_sync/defaults/main.yml for defaults.

• Debian, Ubuntu, CentOS 7/8/9, or RHEL.
• Master: Ansible installed so the watcher can run ansible-playbook.
• SSH from master to remote(s); key-based auth and sudo recommended.