From e04fb838814f5bfb7e837a06528bd3a2e9f63400 Mon Sep 17 00:00:00 2001
From: Erwin Boskma <erwin@datarift.nl>
Date: Wed, 28 Feb 2024 22:49:50 +0100
Subject: [PATCH] valkyrie: Enable unbound prometheus exporter

---
 machines/valkyrie/unbound/default.nix | 118 ++++++++++++++------------
 1 file changed, 66 insertions(+), 52 deletions(-)

diff --git a/machines/valkyrie/unbound/default.nix b/machines/valkyrie/unbound/default.nix
index 5a87e04..d3d8706 100644
--- a/machines/valkyrie/unbound/default.nix
+++ b/machines/valkyrie/unbound/default.nix
@@ -1,68 +1,82 @@
 {
-  services.unbound = {
-    enable = true;
-    localControlSocketPath = "/run/unbound/unbound.ctl";
-    settings = {
-      server = {
-        # Setting logfile to an empty string outputs to stderr
-        log-queries = false;
-        verbosity = 1;
+  services = {
+    unbound = {
+      enable = true;
+      localControlSocketPath = "/run/unbound/unbound.ctl";
+      settings = {
+        server = {
+          # Setting logfile to an empty string outputs to stderr
+          log-queries = false;
+          verbosity = 1;
 
-        port = 5335;
-        do-ip4 = true;
-        do-ip6 = true;
-        do-udp = true;
-        do-tcp = true;
-        prefer-ip6 = true;
+          port = 5335;
+          do-ip4 = true;
+          do-ip6 = true;
+          do-udp = true;
+          do-tcp = true;
+          prefer-ip6 = true;
 
-        hide-identity = true;
-        hide-version = true;
+          hide-identity = true;
+          hide-version = true;
 
-        # Trust glue only if it is within the server's authority
-        harden-glue = true;
+          # Trust glue only if it is within the server's authority
+          harden-glue = true;
 
-        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
-        harden-dnssec-stripped = true;
+          # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+          harden-dnssec-stripped = true;
 
-        harden-referral-path = true;
+          harden-referral-path = true;
 
-        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
-        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
-        use-caps-for-id = false;
+          # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+          # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+          use-caps-for-id = false;
 
-        # Reduce EDNS reassembly buffer size.
-        # Suggested by the unbound man page to reduce fragmentation reassembly problems
-        edns-buffer-size = 1472;
+          # Reduce EDNS reassembly buffer size.
+          # Suggested by the unbound man page to reduce fragmentation reassembly problems
+          edns-buffer-size = 1472;
 
-        # Perform prefetching of close to expired message cache entries
-        # This only applies to domains that have been frequently queried
-        prefetch = true;
-        prefetch-key = true;
+          # Perform prefetching of close to expired message cache entries
+          # This only applies to domains that have been frequently queried
+          prefetch = true;
+          prefetch-key = true;
 
-        # This attempts to reduce latency by serving the outdated record before
-        # updating it instead of the other way around. Alternative is to increase
-        # cache-min-ttl to e.g. 3600.
-        cache-min-ttl = 0;
-        serve-expired = true;
+          # This attempts to reduce latency by serving the outdated record before
+          # updating it instead of the other way around. Alternative is to increase
+          # cache-min-ttl to e.g. 3600.
+          cache-min-ttl = 0;
+          serve-expired = true;
 
-        rrset-cache-size = "256m";
-        msg-cache-size = "128m";
-        msg-cache-slabs = 4;
-        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
-        num-threads = 2;
+          rrset-cache-size = "256m";
+          msg-cache-size = "128m";
+          msg-cache-slabs = 4;
+          # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+          num-threads = 2;
 
-        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
-        so-rcvbuf = "1m";
+          # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+          so-rcvbuf = "8m";
 
-        # Ensure privacy of local IP ranges
-        private-address = [
-          "192.168.0.0/16"
-          "169.254.0.0/16"
-          "172.16.0.0/12"
-          "10.0.0.0/8"
-          "fd00::/8"
-          "fe80::/10"
-        ];
+          # Ensure privacy of local IP ranges
+          private-address = [
+            "192.168.0.0/16"
+            "169.254.0.0/16"
+            "172.16.0.0/12"
+            "10.0.0.0/8"
+            "fd00::/8"
+            "fe80::/10"
+          ];
+        };
+      };
+    };
+
+    prometheus.exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+      };
+
+      unbound = {
+        enable = true;
+        unbound.host = "unix:///run/unbound/unbound.ctl";
       };
     };
   };