Add VictoriaMetrics + Grafana DNS monitoring over the mesh

control runs VictoriaMetrics (loopback) and Grafana; every machine exports
node metrics and the nameservers export Knot stats (mod-stats + knot-exporter).
Scraping and the Grafana UI ride the ZeroTier mesh only, scoped by nftables to
the mesh /88; the public side stays closed by the Hetzner cloud firewall. The
provisioned DNS dashboard includes a per-zone SOA serial table to catch
primary/secondary drift. ZeroTier ULAs are centralised in mesh-hosts.nix.

machines/control/configuration.nix

@@ -2,6 +2,8 @@
   imports = [
     ../../modules/hetzner-firewall.nix
     ../../modules/static-ipv6.nix
+    ../../modules/monitoring/exporters.nix
+    ../../modules/monitoring/server.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];

machines/ns1/configuration.nix

@@ -6,6 +6,7 @@ in
   imports = [
     ../../modules/dns/authoritative.nix
     ../../modules/static-ipv6.nix
+    ../../modules/monitoring/exporters.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];

machines/ns2/configuration.nix

@@ -6,6 +6,7 @@ in
   imports = [
     ../../modules/dns/authoritative.nix
     ../../modules/static-ipv6.nix
+    ../../modules/monitoring/exporters.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];