# Blackbox exporter on control: outside-in DNS probes against the public
# nameserver addresses (see blackbox-probes.nix for what and why). Bound to
# loopback — only VictoriaMetrics on the same host scrapes its /probe endpoint,
# and the scrape jobs that drive it live in server.nix. The probes leave control
# over the public internet to reach ns1/ns2, which is the path we want to test.
{
  lib,
  pkgs,
  ...
}:
let
  probes = import ./blackbox-probes.nix { inherit lib; };
in
{
  services.prometheus.exporters.blackbox = {
    enable = true;
    listenAddress = "127.0.0.1";
    port = 9115;
    # JSON is valid YAML; enableConfigCheck runs the exporter's own --config.check
    # against this file at build time, so a malformed prober is caught here.
    configFile = pkgs.writeText "blackbox.yml" (builtins.toJSON { inherit (probes) modules; });
    enableConfigCheck = true;
  };
}