From 86d99c9095db270b9358c969e241d97fd2c5e7b3 Mon Sep 17 00:00:00 2001
From: Erwin Boskma <erwin@datarift.nl>
Date: Wed, 8 May 2024 16:50:40 +0200
Subject: [PATCH] valkyrie: Configure promtail for unbound

---
 machines/valkyrie/promtail/default.nix | 32 ++++++++++++++++++++++++++
 machines/valkyrie/unbound/default.nix  | 23 +++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/machines/valkyrie/promtail/default.nix b/machines/valkyrie/promtail/default.nix
index c4abe59..e0636fa 100644
--- a/machines/valkyrie/promtail/default.nix
+++ b/machines/valkyrie/promtail/default.nix
@@ -24,6 +24,38 @@
             }
           ];
         }
+        {
+          job_name = "unbound";
+          static_configs = [
+            {
+              labels = {
+                job = "unbound";
+                __path__ = "/var/lib/unbound/unbound.log";
+              };
+            }
+          ];
+          pipeline_stages = [
+            { labeldrop = [ "filename" ]; }
+            {
+              match = {
+                selector = ''{job="unbound"} |~ " start | stopped |.*in-addr.arpa."'';
+                action = "drop";
+              };
+            }
+            {
+              match = {
+                selector = ''{job="unbound"} |= "reply:"'';
+                stages = [ { static_labels.dns = "reply"; } ];
+              };
+            }
+            {
+              match = {
+                selector = ''{job="unbound"} |~ "redirect |always_null|always_nxdomain"'';
+                stages = [ { static_labels.dns = "block"; } ];
+              };
+            }
+          ];
+        }
       ];
 
       server = {
diff --git a/machines/valkyrie/unbound/default.nix b/machines/valkyrie/unbound/default.nix
index ee63e5e..d0cb2bb 100644
--- a/machines/valkyrie/unbound/default.nix
+++ b/machines/valkyrie/unbound/default.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services = {
     unbound = {
@@ -7,7 +8,11 @@
         server = {
           # Setting logfile to an empty string outputs to stderr
           log-queries = false;
-          verbosity = 1;
+          log-replies = true;
+          log-tag-queryreply = true;
+          log-local-actions = true;
+          logfile = "/var/log/unbound/unbound.log";
+          verbosity = 0;
 
           port = 5335;
           do-ip4 = true;
@@ -93,5 +98,21 @@
         unbound.host = "unix:///run/unbound/unbound.ctl";
       };
     };
+
+    logrotate = {
+      settings = {
+        unbound = {
+          files = [ "/var/log/unbound/unbound.log" ];
+          frequency = "daily";
+          rotate = 7;
+          compress = true;
+          delaycompress = true;
+          notifempty = true;
+          postrotate = ''
+            ${config.services.unbound.package}/bin/unbound-control log_reopen
+          '';
+        };
+      };
+    };
   };
 }