From f4291b152510eb13b31b59c97c3a49ec83adf528 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 21 Mar 2026 23:10:47 +0100 Subject: vidhar: knot-resolver --- hosts/vidhar/dns/default.nix | 89 +++++++++++-------------------------- hosts/vidhar/network/pppoe.nix | 6 --- hosts/vidhar/prometheus/default.nix | 40 ++++++++--------- hosts/vidhar/zfs.nix | 5 --- 4 files changed, 44 insertions(+), 96 deletions(-) (limited to 'hosts') diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index 11e6f55f..14d212e7 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix 
@@ -12,73 +12,36 @@ let in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir)); in { config = { - services.unbound = { + services.knot-resolver = { enable = true; - resolveLocalQueries = false; - stateDir = "/var/lib/unbound"; - localControlSocketPath = "/run/unbound/unbound.ctl"; - enableRootTrustAnchor = false; settings = { - server = { - interface = ["lo" "lan"]; - prefer-ip6 = true; - access-control = ["0.0.0.0/0 allow" "::/0 allow"]; - root-hints = "${pkgs.dns-root-data}/root.hints"; - trust-anchor-file = "${pkgs.dns-root-data}/root.key"; - trust-anchor-signaling = false; - ip-dscp = 20; - - num-threads = 12; - so-reuseport = true; - msg-cache-slabs = 16; - rrset-cache-slabs = 16; - infra-cache-slabs = 16; - key-cache-slabs = 16; - - rrset-cache-size = "100m"; - msg-cache-size = "50m"; - outgoing-range = 8192; - num-queries-per-thread = 4096; - - so-rcvbuf = "4m"; - so-sndbuf = "4m"; - - # serve-expired = true; - # serve-expired-ttl = 86400; - # serve-expired-reply-ttl = 0; - - prefetch = true; - prefetch-key = true; - - minimal-responses = false; - - extended-statistics = true; - - rrset-roundrobin = true; - use-caps-for-id = true; - - do-not-query-localhost = false; - local-zone = [ - "141.10.in-addr.arpa. transparent" - "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent" - "yggdrasil. transparent" - ]; - domain-insecure = [ - "141.10.in-addr.arpa." - "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa." - "yggdrasil." - ]; - }; - - stub-zone = map (name: { - inherit name; - stub-addr = "127.0.0.1@5353"; - stub-first = true; - stub-no-cache = true; - stub-prime = false; - }) ["yggdrasil." "arpa.in-addr.10.141." 
"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."]; + network.listen = [ + { interface = "lo"; } + { interface = "lan"; freebind = true; } + ]; + forward = [ + { + subtree = "yggdrasil."; + servers = [ { address = "::1@5353"; } ]; + options.dnssec = false; + } + { + subtree = "141.10.in-addr.arpa."; + servers = [ { address = "::1@5353"; } ]; + options.dnssec = false; + } + { + subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."; + servers = [ { address = "::1@5353"; } ]; + options.dnssec = false; + } + ]; }; }; + fileSystems."/var/cache/knot-resolver" = { + fsType = "tmpfs"; + options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ]; + }; systemd.services.knot = { unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix index 52a1818b..7b342b69 100644 --- a/hosts/vidhar/network/pppoe.nix +++ b/hosts/vidhar/network/pppoe.nix @@ -141,11 +141,5 @@ in { bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; after = [ "sys-subsystem-net-devices-telekom.device" ]; }; - - systemd.services.unbound = { - serviceConfig = { - Restart = lib.mkForce "always"; - }; - }; }; } diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 4a5fa3c8..35942c53 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix @@ -39,11 +39,6 @@ in { enable = true; configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml"; }; - unbound = { - enable = true; - unbound.host = "unix:///run/unbound/unbound.ctl"; - group = config.services.unbound.group; - }; wireguard = { enable = true; wireguardConfig = 
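Review bot: The three `forward` entries replace unbound `stub-zone`s aimed at an authoritative server, but knot-resolver's `forward` treats its target as a recursive resolver unless told otherwise; if the listener on port 5353 is the authoritative knot instance (as the removed `stub-first`/`stub-prime`/`stub-no-cache` settings suggest), each entry should carry `options.authoritative = true;` next to `options.dnssec = false;`. The target also moves from `127.0.0.1@5353` to `::1@5353`, so the authoritative server has to bind `::1` on that port or these subtrees will fail silently with SERVFAIL — worth confirming against its listen config, which is not in this hunk. Since the entries differ only in `subtree`, generating them as the old stub list did, `forward = map (subtree: { inherit subtree; servers = [ { address = "::1@5353"; } ]; options = { dnssec = false; authoritative = true; }; }) [ "yggdrasil." "141.10.in-addr.arpa." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa." ];`, keeps them from drifting apart. Separately, the tmpfs at `/var/cache/knot-resolver` is mounted root-owned with `mode=0700`; unless the service unit's cache-directory handling re-chowns it, an unprivileged kresd cannot create its LMDB cache there — verify, or add `uid=`/`gid=` mount options for the service user. The `config` attribute set continues past the end of the hunk.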
@@ -164,10 +159,11 @@ in { ]; scrape_interval = "10s"; } - { job_name = "unbound"; + { job_name = "knot-resolver"; static_configs = [ - { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; } + { targets = ["localhost:9167"]; } ]; + metrics_path = "/metrics/prometheus"; relabel_configs = relabelHosts; scrape_interval = "1s"; } @@ -241,7 +237,7 @@ in { [ { source_labels = ["__param_target"]; target_label = "job"; regex = "127\.0\.0\.1:53"; - replacement = "unbound.dns_soa"; + replacement = "knot-resolver.dns_soa"; } { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}"; target_label = "__address__"; @@ -332,20 +328,6 @@ in { }; }; - users.users.${config.services.prometheus.exporters.unbound.user} = { - description = "Prometheus unbound exporter service user"; - isSystemUser = true; - group = config.services.unbound.group; - }; - systemd.services."prometheus-unbound-exporter" = { - wantedBy = [ "unbound.service" ]; - serviceConfig = { - DynamicUser = false; - Restart = lib.mkForce "always"; - RestartSec = "5"; - }; - }; - systemd.services."prometheus-nftables-exporter" = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; @@ -501,6 +483,20 @@ in { sopsFile = ./zte_dsl01.mgmt.yggdrasil; }; + systemd.sockets."prometheus-knot-resolver-exporter" = { + unitConfig.WantedBy = [ "sockets.target" ]; + socketConfig.ListenStream = "[::1]:9167"; + }; + systemd.services."prometheus-knot-resolver-exporter" = { + unitConfig = { + BindsTo = [ "knot-resolver.service" ]; + }; + serviceConfig = { + Type = "notify"; + ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd /run/knot-resolver/kres-api.sock"; + }; + }; + services.corerad = { enable = true; settings = { diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 9d667fd6..4b009c0d 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix 
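Review bot: The scrape target `localhost:9167` and the new socket's `ListenStream = "[::1]:9167"` repeat the same port literal in two places, while every other job in this file derives its target from `config.services.prometheus.exporters.<x>.port`; bind it once in the file's `let` (e.g. `knotResolverExporterPort = 9167;`) and use `targets = ["[::1]:${toString knotResolverExporterPort}"];` so the target matches the bound address exactly and does not depend on how `localhost` resolves. The 1s `scrape_interval` is carried over from the unbound job, but it now drives the manager's `/metrics/prometheus` endpoint, which as far as I know gathers statistics from every kresd worker per request — consider the 10s used by the job directly above unless the finer resolution is needed.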
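Review bot: In the new `prometheus-knot-resolver-exporter` socket unit, `unitConfig.WantedBy = [ "sockets.target" ]` emits `WantedBy=` into the `[Unit]` section, where systemd ignores it, so the socket is never enabled at boot; the NixOS option is `wantedBy = [ "sockets.target" ];` at the unit's top level. Also, `systemd-socket-proxyd` relays every request on `[::1]:9167` to `/run/knot-resolver/kres-api.sock`, so the full management API — not just `/metrics/prometheus` — becomes reachable by any local process that can open a loopback connection (absent an nftables rule elsewhere in this host's config), whereas the unix socket is guarded by filesystem permissions and the old unbound control socket was gated by `group = config.services.unbound.group`. The manager API accepts configuration changes, so this widens a local privilege boundary around the resolver. Either scrape through a path-filtering reverse proxy that exposes only `/metrics/prometheus`, or confine the port to the scraper's uid with an output-chain rule such as `meta skuid prometheus tcp dport 9167 accept` followed by a reject for `::1` on that port.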
@@ -44,11 +44,6 @@ with lib; fsType = "zfs"; }; - # "/var/lib/unbound" = - # { device = "ssd-raid1/local/var-lib-unbound"; - # fsType = "zfs"; - # }; - # "/var/lib/dhcp" = # { device = "ssd-raid1/local/var-lib-dhcp"; # fsType = "zfs"; -- cgit v1.2.3