Add VictoriaLogs for centralized journald across all hosts

control runs VictoriaLogs (:9428, 30d, mesh-scoped) with a matching
Grafana datasource. Each host ships journald via systemd's own
journald.upload to the /insert/journald endpoint -- no extra agent.
control uploads over loopback so its logs survive a mesh outage; ns1
and ns2 push over the mesh.

modules/monitoring/exporters.nix

@@ -1,5 +1,6 @@
-# Metric exporters, imported by every machine. Host metrics everywhere; Knot DNS
-# metrics on the nameservers. Everything is reachable only over the ZeroTier mesh
+# Per-host observability agents, imported by every machine. Host metrics
+# everywhere; Knot DNS metrics on the nameservers; journald shipped to
+# VictoriaLogs on control. Everything is reachable only over the ZeroTier mesh
 # (see the firewall rule at the bottom); the public side is already closed by the
 # Hetzner cloud firewall.
 {
@@ -86,6 +87,22 @@ in
     ];
   };
 
+  # Ship journald to VictoriaLogs on control (services.victorialogs in
+  # server.nix). control uploads to loopback so its own logs survive a mesh
+  # outage; ns1/ns2 push over the mesh to control's ZeroTier address.
+  services.journald.upload = {
+    enable = true;
+    settings.Upload.URL =
+      let
+        dest =
+          if config.networking.hostName == "control" then
+            "127.0.0.1:9428"
+          else
+            "[${mesh.hosts.control}]:9428";
+      in
+      "http://${dest}/insert/journald";
+  };
+
   # Scrape ports reachable only from the ZeroTier mesh.
   networking.firewall.extraInputRules = ''
     ip6 saddr ${mesh.subnet} tcp dport { ${lib.concatMapStringsSep ", " toString ports} } accept