vidhar: knot-resolverflakes

author: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 23:10:47 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 23:10:47 +0100
commit: f4291b152510eb13b31b59c97c3a49ec83adf528 (patch)
tree: ee2d370623163a3306f0c36c44d30b0d89d065d2
parent: d1cf2303f41e69fb32b043597ff10603befe1eb3 (diff)
download: nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.gz
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.bz2
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.xz
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.zip
4 files changed, 44 insertions, 96 deletions
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 11e6f55f..14d212e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
  in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
 in {
  config = {
-    services.unbound = {
+    services.knot-resolver = {
      enable = true;
-      resolveLocalQueries = false;
-      stateDir = "/var/lib/unbound";
-      localControlSocketPath = "/run/unbound/unbound.ctl";
-      enableRootTrustAnchor = false;
      settings = {
-        server = {
+        network.listen = [
-          interface = ["lo" "lan"];
+          { interface = "lo"; }
-          prefer-ip6 = true;
+          { interface = "lan"; freebind = true; }
-          access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+        ];
-          root-hints = "${pkgs.dns-root-data}/root.hints";
+        forward = [
-          trust-anchor-file = "${pkgs.dns-root-data}/root.key";
+          {
-          trust-anchor-signaling = false;
+            subtree = "yggdrasil.";
-          ip-dscp = 20;
+            servers = [ { address = "::1@5353"; } ];
+            options.dnssec = false;
-          num-threads = 12;
+          }
-          so-reuseport = true;
+          {
-          msg-cache-slabs = 16;
+            subtree = "141.10.in-addr.arpa.";
-          rrset-cache-slabs = 16;
+            servers = [ { address = "::1@5353"; } ];
-          infra-cache-slabs = 16;
+            options.dnssec = false;
-          key-cache-slabs = 16;
+          }
+          {
-          rrset-cache-size = "100m";
+            subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
-          msg-cache-size = "50m";
+            servers = [ { address = "::1@5353"; } ];
-          outgoing-range = 8192;
+            options.dnssec = false;
-          num-queries-per-thread = 4096;
+          }
+        ];
-          so-rcvbuf = "4m";
-          so-sndbuf = "4m";
-          # serve-expired = true;
-          # serve-expired-ttl = 86400;
-          # serve-expired-reply-ttl = 0;
-          prefetch = true;
-          prefetch-key = true;
-          minimal-responses = false;
-          extended-statistics = true;
-          rrset-roundrobin = true;
-          use-caps-for-id = true;
-          do-not-query-localhost = false;
-          local-zone = [
-            "141.10.in-addr.arpa. transparent"
-            "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
-            "yggdrasil. transparent"
-          ];
-          domain-insecure = [
-            "141.10.in-addr.arpa."
-            "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
-            "yggdrasil."
-          ];
-        };
-        stub-zone = map (name: {
-          inherit name;
-          stub-addr = "127.0.0.1@5353";
-          stub-first = true;
-          stub-no-cache = true;
-          stub-prime = false;
-        }) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
      };
    };
+    fileSystems."/var/cache/knot-resolver" = {
+      fsType = "tmpfs";
+      options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
+    };
    systemd.services.knot = {
      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
index 52a1818b..7b342b69 100644
--- a/hosts/vidhar/network/pppoe.nix
+++ b/hosts/vidhar/network/pppoe.nix
@@ -141,11 +141,5 @@ in {
      bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
      after = [ "sys-subsystem-net-devices-telekom.device" ];
    };
-    systemd.services.unbound = {
-      serviceConfig = {
-        Restart = lib.mkForce "always";
-      };
-    };
  };
 }
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 4a5fa3c8..35942c53 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -39,11 +39,6 @@ in {
          enable = true;
          configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
        };
-        unbound = {
-          enable = true;
-          unbound.host = "unix:///run/unbound/unbound.ctl";
-          group = config.services.unbound.group;
-        };
        wireguard = {
          enable = true;
          wireguardConfig =
@@ -164,10 +159,11 @@ in {
          ];
          scrape_interval = "10s";
        }
-        { job_name = "unbound";
+        { job_name = "knot-resolver";
          static_configs = [
-            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+            { targets = ["localhost:9167"]; }
          ];
+          metrics_path = "/metrics/prometheus";
          relabel_configs = relabelHosts;
          scrape_interval = "1s";
        }
@@ -241,7 +237,7 @@ in {
          [ { source_labels = ["__param_target"];
              target_label = "job";
              regex = "127\.0\.0\.1:53";
-              replacement = "unbound.dns_soa";
+              replacement = "knot-resolver.dns_soa";
            }
            { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
              target_label = "__address__";
@@ -332,20 +328,6 @@ in {
      };
    };
-    users.users.${config.services.prometheus.exporters.unbound.user} = {
-      description = "Prometheus unbound exporter service user";
-      isSystemUser = true;
-      group = config.services.unbound.group;
-    };
-    systemd.services."prometheus-unbound-exporter" = {
-      wantedBy = [ "unbound.service" ];
-      serviceConfig = {
-        DynamicUser = false;
-        Restart = lib.mkForce "always";
-        RestartSec = "5";
-      };
-    };
    systemd.services."prometheus-nftables-exporter" = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
@@ -501,6 +483,20 @@ in {
      sopsFile = ./zte_dsl01.mgmt.yggdrasil;
    };
+    systemd.sockets."prometheus-knot-resolver-exporter" = {
+      unitConfig.WantedBy = [ "sockets.target" ];
+      socketConfig.ListenStream = "[::1]:9167";
+    };
+    systemd.services."prometheus-knot-resolver-exporter" = {
+      unitConfig = {
+        BindsTo = [ "knot-resolver.service" ];
+      };
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd /run/knot-resolver/kres-api.sock";
+      };
+    };
    services.corerad = {
      enable = true;
      settings = {
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 9d667fd6..4b009c0d 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -44,11 +44,6 @@ with lib;
          fsType = "zfs";
        };
-      # "/var/lib/unbound" =
-      #   { device = "ssd-raid1/local/var-lib-unbound";
-      #     fsType = "zfs";
-      #   };
      # "/var/lib/dhcp" =
      #   { device = "ssd-raid1/local/var-lib-dhcp";
      #     fsType = "zfs";
author	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 23:10:47 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 23:10:47 +0100
commit	f4291b152510eb13b31b59c97c3a49ec83adf528 (patch)
tree	ee2d370623163a3306f0c36c44d30b0d89d065d2
parent	d1cf2303f41e69fb32b043597ff10603befe1eb3 (diff)
download	nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.gz nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.bz2 nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.xz nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.zip

diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index 11e6f55f..14d212e7 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
12	in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));	12	in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
13	in {	13	in {
14	config = {	14	config = {
15	services.unbound = {	15	services.knot-resolver = {
16	enable = true;	16	enable = true;
17	resolveLocalQueries = false;
18	stateDir = "/var/lib/unbound";
19	localControlSocketPath = "/run/unbound/unbound.ctl";
20	enableRootTrustAnchor = false;
21	settings = {	17	settings = {
22	server = {	18	network.listen = [
23	interface = ["lo" "lan"];	19	{ interface = "lo"; }
24	prefer-ip6 = true;	20	{ interface = "lan"; freebind = true; }
25	access-control = ["0.0.0.0/0 allow" "::/0 allow"];	21	];
26	root-hints = "${pkgs.dns-root-data}/root.hints";	22	forward = [
27	trust-anchor-file = "${pkgs.dns-root-data}/root.key";	23	{
28	trust-anchor-signaling = false;	24	subtree = "yggdrasil.";
29	ip-dscp = 20;	25	servers = [ { address = "::1@5353"; } ];
30		26	options.dnssec = false;
31	num-threads = 12;	27	}
32	so-reuseport = true;	28	{
33	msg-cache-slabs = 16;	29	subtree = "141.10.in-addr.arpa.";
34	rrset-cache-slabs = 16;	30	servers = [ { address = "::1@5353"; } ];
35	infra-cache-slabs = 16;	31	options.dnssec = false;
36	key-cache-slabs = 16;	32	}
37		33	{
38	rrset-cache-size = "100m";	34	subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
39	msg-cache-size = "50m";	35	servers = [ { address = "::1@5353"; } ];
40	outgoing-range = 8192;	36	options.dnssec = false;
41	num-queries-per-thread = 4096;	37	}
42		38	];
43	so-rcvbuf = "4m";
44	so-sndbuf = "4m";
45
46	# serve-expired = true;
47	# serve-expired-ttl = 86400;
48	# serve-expired-reply-ttl = 0;
49
50	prefetch = true;
51	prefetch-key = true;
52
53	minimal-responses = false;
54
55	extended-statistics = true;
56
57	rrset-roundrobin = true;
58	use-caps-for-id = true;
59
60	do-not-query-localhost = false;
61	local-zone = [
62	"141.10.in-addr.arpa. transparent"
63	"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
64	"yggdrasil. transparent"
65	];
66	domain-insecure = [
67	"141.10.in-addr.arpa."
68	"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
69	"yggdrasil."
70	];
71	};
72
73	stub-zone = map (name: {
74	inherit name;
75	stub-addr = "127.0.0.1@5353";
76	stub-first = true;
77	stub-no-cache = true;
78	stub-prime = false;
79	}) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
80	};	39	};
81	};	40	};
		41	fileSystems."/var/cache/knot-resolver" = {
		42	fsType = "tmpfs";
		43	options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
		44	};
82		45
83	systemd.services.knot = {	46	systemd.services.knot = {
84	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];	47	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];


diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix index 52a1818b..7b342b69 100644 --- a/hosts/vidhar/network/pppoe.nix +++ b/hosts/vidhar/network/pppoe.nix
@@ -141,11 +141,5 @@ in {
141	bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];	141	bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
142	after = [ "sys-subsystem-net-devices-telekom.device" ];	142	after = [ "sys-subsystem-net-devices-telekom.device" ];
143	};	143	};
144
145	systemd.services.unbound = {
146	serviceConfig = {
147	Restart = lib.mkForce "always";
148	};
149	};
150	};	144	};
151	}	145	}


diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 4a5fa3c8..35942c53 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -39,11 +39,6 @@ in {
39	enable = true;	39	enable = true;
40	configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";	40	configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
41	};	41	};
42	unbound = {
43	enable = true;
44	unbound.host = "unix:///run/unbound/unbound.ctl";
45	group = config.services.unbound.group;
46	};
47	wireguard = {	42	wireguard = {
48	enable = true;	43	enable = true;
49	wireguardConfig =	44	wireguardConfig =
@@ -164,10 +159,11 @@ in {
164	];	159	];
165	scrape_interval = "10s";	160	scrape_interval = "10s";
166	}	161	}
167	{ job_name = "unbound";	162	{ job_name = "knot-resolver";
168	static_configs = [	163	static_configs = [
169	{ targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }	164	{ targets = ["localhost:9167"]; }
170	];	165	];
		166	metrics_path = "/metrics/prometheus";
171	relabel_configs = relabelHosts;	167	relabel_configs = relabelHosts;
172	scrape_interval = "1s";	168	scrape_interval = "1s";
173	}	169	}
@@ -241,7 +237,7 @@ in {
241	[ { source_labels = ["__param_target"];	237	[ { source_labels = ["__param_target"];
242	target_label = "job";	238	target_label = "job";
243	regex = "127\.0\.0\.1:53";	239	regex = "127\.0\.0\.1:53";
244	replacement = "unbound.dns_soa";	240	replacement = "knot-resolver.dns_soa";
245	}	241	}
246	{ replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";	242	{ replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
247	target_label = "__address__";	243	target_label = "__address__";
@@ -332,20 +328,6 @@ in {
332	};	328	};
333	};	329	};
334		330
335	users.users.${config.services.prometheus.exporters.unbound.user} = {
336	description = "Prometheus unbound exporter service user";
337	isSystemUser = true;
338	group = config.services.unbound.group;
339	};
340	systemd.services."prometheus-unbound-exporter" = {
341	wantedBy = [ "unbound.service" ];
342	serviceConfig = {
343	DynamicUser = false;
344	Restart = lib.mkForce "always";
345	RestartSec = "5";
346	};
347	};
348
349	systemd.services."prometheus-nftables-exporter" = {	331	systemd.services."prometheus-nftables-exporter" = {
350	wantedBy = [ "multi-user.target" ];	332	wantedBy = [ "multi-user.target" ];
351	after = [ "network.target" ];	333	after = [ "network.target" ];
@@ -501,6 +483,20 @@ in {
501	sopsFile = ./zte_dsl01.mgmt.yggdrasil;	483	sopsFile = ./zte_dsl01.mgmt.yggdrasil;
502	};	484	};
503		485
		486	systemd.sockets."prometheus-knot-resolver-exporter" = {
		487	unitConfig.WantedBy = [ "sockets.target" ];
		488	socketConfig.ListenStream = "[::1]:9167";
		489	};
		490	systemd.services."prometheus-knot-resolver-exporter" = {
		491	unitConfig = {
		492	BindsTo = [ "knot-resolver.service" ];
		493	};
		494	serviceConfig = {
		495	Type = "notify";
		496	ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd /run/knot-resolver/kres-api.sock";
		497	};
		498	};
		499
504	services.corerad = {	500	services.corerad = {
505	enable = true;	501	enable = true;
506	settings = {	502	settings = {


diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 9d667fd6..4b009c0d 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix
@@ -44,11 +44,6 @@ with lib;
44	fsType = "zfs";	44	fsType = "zfs";
45	};	45	};
46		46
47	# "/var/lib/unbound" =
48	# { device = "ssd-raid1/local/var-lib-unbound";
49	# fsType = "zfs";
50	# };
51
52	# "/var/lib/dhcp" =	47	# "/var/lib/dhcp" =
53	# { device = "ssd-raid1/local/var-lib-dhcp";	48	# { device = "ssd-raid1/local/var-lib-dhcp";
54	# fsType = "zfs";	49	# fsType = "zfs";