Add blackbox exporter for outside-in DNS probes

control runs blackbox_exporter on loopback, probing each nameserver's public v4+v6 address for every zone: SOA (zone served) and DNSKEY (still signed, since blackbox has no DO-bit option). Probe definitions are shared between the exporter config and the VictoriaMetrics scrape jobs so they can't drift. Verified live against ns1/ns2 over v4 and v6.
2026-06-17 15:37:45 +07:00
parent 0544bf95e5
commit 54f607d063
6 changed files with 154 additions and 3 deletions
@@ -10,6 +10,7 @@
 }:
 let
  mesh = import ../mesh-hosts.nix { inherit config lib; };
+  probes = import ./blackbox-probes.nix { inherit lib; };
  vmPort = 8428;
  grafanaPort = 3000;
  controlV6 = mesh.hosts.control;
@@ -52,7 +53,10 @@ in
            (target "ns2" (v6 mesh.hosts.ns2) 9433)
          ];
        }
-      ];
+      ]
+      # Outside-in DNS probes via the blackbox exporter (blackbox.nix). The job
+      # list is generated from the same probe definitions the exporter uses.
+      ++ probes.scrapeConfigs;
    };
  };