valkyrie: Enable unbound prometheus exporter

2024-02-28 22:49:50 +01:00 · 2024-02-28 22:49:50 +01:00 · e04fb83881
commit e04fb83881
parent 5f866a8b98
1 changed files with 66 additions and 52 deletions
--- a/machines/valkyrie/unbound/default.nix
+++ b/machines/valkyrie/unbound/default.nix
@ -1,68 +1,82 @@
 {
-  services.unbound = {
+  services = {
-    enable = true;
+    unbound = {
-    localControlSocketPath = "/run/unbound/unbound.ctl";
+      enable = true;
-    settings = {
+      localControlSocketPath = "/run/unbound/unbound.ctl";
-      server = {
+      settings = {
-        # Setting logfile to an empty string outputs to stderr
+        server = {
-        log-queries = false;
+          # Setting logfile to an empty string outputs to stderr
-        verbosity = 1;
+          log-queries = false;
          verbosity = 1;
-        port = 5335;
+          port = 5335;
-        do-ip4 = true;
+          do-ip4 = true;
-        do-ip6 = true;
+          do-ip6 = true;
-        do-udp = true;
+          do-udp = true;
-        do-tcp = true;
+          do-tcp = true;
-        prefer-ip6 = true;
+          prefer-ip6 = true;
-        hide-identity = true;
+          hide-identity = true;
-        hide-version = true;
+          hide-version = true;
-        # Trust glue only if it is within the server's authority
+          # Trust glue only if it is within the server's authority
-        harden-glue = true;
+          harden-glue = true;
-        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+          # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
-        harden-dnssec-stripped = true;
+          harden-dnssec-stripped = true;
-        harden-referral-path = true;
+          harden-referral-path = true;
-        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+          # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
-        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+          # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
-        use-caps-for-id = false;
+          use-caps-for-id = false;
-        # Reduce EDNS reassembly buffer size.
+          # Reduce EDNS reassembly buffer size.
-        # Suggested by the unbound man page to reduce fragmentation reassembly problems
+          # Suggested by the unbound man page to reduce fragmentation reassembly problems
-        edns-buffer-size = 1472;
+          edns-buffer-size = 1472;
-        # Perform prefetching of close to expired message cache entries
+          # Perform prefetching of close to expired message cache entries
-        # This only applies to domains that have been frequently queried
+          # This only applies to domains that have been frequently queried
-        prefetch = true;
+          prefetch = true;
-        prefetch-key = true;
+          prefetch-key = true;
-        # This attempts to reduce latency by serving the outdated record before
+          # This attempts to reduce latency by serving the outdated record before
-        # updating it instead of the other way around. Alternative is to increase
+          # updating it instead of the other way around. Alternative is to increase
-        # cache-min-ttl to e.g. 3600.
+          # cache-min-ttl to e.g. 3600.
-        cache-min-ttl = 0;
+          cache-min-ttl = 0;
-        serve-expired = true;
+          serve-expired = true;
-        rrset-cache-size = "256m";
+          rrset-cache-size = "256m";
-        msg-cache-size = "128m";
+          msg-cache-size = "128m";
-        msg-cache-slabs = 4;
+          msg-cache-slabs = 4;
-        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+          # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
-        num-threads = 2;
+          num-threads = 2;
-        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+          # Ensure kernel buffer is large enough to not lose messages in traffic spikes
-        so-rcvbuf = "1m";
+          so-rcvbuf = "8m";
-        # Ensure privacy of local IP ranges
+          # Ensure privacy of local IP ranges
-        private-address = [
+          private-address = [
-          "192.168.0.0/16"
+            "192.168.0.0/16"
-          "169.254.0.0/16"
+            "169.254.0.0/16"
-          "172.16.0.0/12"
+            "172.16.0.0/12"
-          "10.0.0.0/8"
+            "10.0.0.0/8"
-          "fd00::/8"
+            "fd00::/8"
-          "fe80::/10"
+            "fe80::/10"
-        ];
+          ];
        };
      };
    };
    prometheus.exporters = {
      node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
      };
      unbound = {
        enable = true;
        unbound.host = "unix:///run/unbound/unbound.ctl";
      };
    };
  };