54f607d063
control runs blackbox_exporter on loopback, probing each nameserver's public v4+v6 address for every zone: SOA (zone served) and DNSKEY (still signed, since blackbox has no DO-bit option). Probe definitions are shared between the exporter config and the VictoriaMetrics scrape jobs so they can't drift. Verified live against ns1/ns2 over v4 and v6.
# Blackbox exporter on control: outside-in DNS probes against the public
# nameserver addresses (see blackbox-probes.nix for what and why). Bound to
# loopback — only VictoriaMetrics on the same host scrapes its /probe endpoint,
# and the scrape jobs that drive it live in server.nix. The probes leave control
# over the public internet to reach ns1/ns2, which is the path we want to test.
{ lib, pkgs, ... }:

let
  # Probe definitions are imported from a separate file; only their `modules`
  # attribute is used in this module.
  probes = import ./blackbox-probes.nix { inherit lib; };

  # Exporter configuration rendered into the store. JSON is valid YAML, so the
  # builtins.toJSON output can be written under a .yml name as-is.
  blackboxConfig = pkgs.writeText "blackbox.yml" (
    builtins.toJSON { modules = probes.modules; }
  );
in
{
  services.prometheus.exporters.blackbox = {
    enable = true;

    # The loopback bind is the only restriction this file places on who can
    # reach the exporter. /probe takes its target from the request, so any
    # client that can connect to this port can make the host send probes;
    # local processes on this host still can. Do not widen the listen address
    # without putting authentication or a firewall rule in front of it.
    listenAddress = "127.0.0.1";
    port = 9115;

    configFile = blackboxConfig;

    # Runs the exporter's own --config.check against configFile at build time,
    # so a malformed prober is caught before deployment.
    enableConfigCheck = true;
  };
}