We have often done some hacky jugaad to stream our meetups, but due to their last minute nature and lack of proper resources, they have often been low quality or failed entirely.

With the on-ground experience I have gained as the live streaming lead at IndiaFOSS 2024 and 2023, I wanted to put these ideas into a blog-post format, so this could help out the other chapters of FOSS United, and potentially non-FOSS United events too!

My guide is primarily divided into four parts:

• Scrcpy, which deals with getting the video of the meetup by (ab)using the camera of your phone
• VDO.ninja, which retrieves a high quality, low-latency stream of the speaker’s screen in a user-friendly manner
• OBS, which combines the outputs of both Scrcpy and VDO.ninja together with a nice template, to send to the streaming server (OSP, or perhaps YouTube)
• OSP (FOSS United specific), which is the web UI which we stream to, and use to make clips out of the live stream

A large part of the guide assumes you use linux, but it should work with MacOS. PS: if you are hosting a FOSS Meetup, streaming from a Mac/Windows Box doesn’t make much sense either way :-)

Scrcpy Setup

Requirements:

• Laptop with Linux/MacOS (only tested with linux though)
• Scrcpy 2.x
• Android 12+ phone

On the phone:

• Enable Developer Options by tapping Build Number 7 times in the Software Information section of About Phone in the Settings app.
• Go to the newly enabled developer options menu, allow USB Debugging.
• Connect phone to the laptop via USB, and authorize the Laptop
  • If there is no option asking you to authorize, there should be a silent notification in your notif tray regarding USB preferences. Click that and select ADB (if not available, chose file transfer - that should be an equivalent option)
  • It might also be that the cable is old/damaged, and does not support data transfer. If previous option didn’t yield any results, try using a different cable

On the laptop:

• Install ADB
• Install Scrcpy (Linux | MacOS | Windows)
• Run this command: /usr/local/bin/scrcpy --video-source=camera --camera-id=0 --audio-source=mic --orientation=90
  • Sometimes the ideal resolution and framerate will not be the perfect 16:9 one that is required. In that case, add the following argument: --camera-size=1920x1080 --camera-fps=60
  • If you want to add any custom settings, consult this other blogpost of mine or the scrcpy docs
  • If you want a landscape camera output, remove the –orientation flag
  • Setting the camera ID to 0 should use the back camera by default, but if front camera needs to be used, set the ID to 1
• This should open a window with a full-sized preview of the camera:

Screensy / Screenshare Setup

I would recommend you use this instead of VDO.ninja, ONLY IF BOTH DEVICES ARE ON SAME NETWORK/WIFI.

The Setup

• On the speaker’s laptop, open https://screensy.marijn.it. Start screen sharing and note down the URL (making sure that the text that follows the # is included)

VDO.Ninja / Screenshare Setup

NOTE: YOU ARE BETTER OFF USING SCREENSY INSTEAD - UNLESS YOU CANNOT GET BOTH LAPTOPS ON THE SAME NETWORK.

Requirements:

• A browser which supports screenshare on the speaker’s PC, any browser on the streaming PC

The Setup:

• On streaming PC, open vdo.ninja, and create a room. Give a valid room name, and set the option select the “The guests can see the director, but not other guests’ videos” option, and then enter the control centre
• From the control centre, copy the link to invite a guest, and ask the next speaker to open it on his laptop.
• On the speaker’s laptop, select screenshare with room, and then in the settings cogweel, make it use highest quality.
• Back on the streaming PC in the control centre, press highlight on the newly appeared preview, and then copy link of “capture a group scene”. Keep the link safe, its needed in the next OBS setup

Open Streaming Platform Setup (specific to FOSS United)

On https://stream.fossunited.org, each city chapter/foss club can request an account for streaming and uploading their talks. Login to the account that is provided to you, navigate to My Channels and create a new channel.

Add the specific details like default title, description, profile picture etc., and then copy the auto-generated stream key.

If you want to stream simultaneously to youtube, you can add a new RTMP Restream Destination in this format: rtmp://a.rtmp.youtube.com/live2/<STREAM KEY>, and enable the new destination. By doing this, all new streams will be simultaneously streamed to YouTube as well.

Making a clip for each talk

After the live stream has ended, you might want to separate the stream into smaller chunks, with a separate video for each of the talks. This can be done using the clips feature of OSP.

Once the stream ends, the stream will be converted into a recording and uploaded on to the channel from where it was being streamed.

Open the video, and in it the cogweel, from where you can select the create clip option. Using the slider, move to the desired start and end point, give it a valid description and title, and then create the clip. A video is attached for reference:

OBS Setup

Requirements:

• OBS Installation, with the default browser plugin enabled (the plugin is not enabled on debian as of writing FYI, so use the flatpak version if on Debian)

• An X11 environment (if under wayland, run env -u WAYLAND_DISPLAY obs

• Run setup wizard, optimize for streaming, and use 1920x1080 as the base resolution. For stream key, enter the one from your service provider (if you are using OSP, consult the next section)

• Disable MIC/AUX, and keep Desktop Audio enabled

• In OBS, add a window source (Labelled XComposite Window Capture on linux) for scrcpy

• In OBS, add a browser source, and make the url point towards the screensy link that you copied initially. If you are using VDO.ninja instead, the url will be the one from the “capture group scene” from the VDO.ninja setup.

• At the end, it should look something like this:

• Start streaming!

However, while moving our US node, we faced a few problems, in the fact that I didn’t want to wipe the disk, nor did I want to do some jank stuff like reinstalling debian and then replacing the files.

Therefore, my only solution came down to creating a new encrypted partition, copying the entire directory tree of the old partition to the new one via rsync, and then making grub and co. point to the new stuff.

So, in order to do this, you first need to shrink your existing partition so you can create the new one, which I did using GParted on the GParted LiveCD.

Past that, you have to create the new primary partition in the empty space created, which I did via CFDisk, since GParted requires you to format while creating a partition (from what I could see), and it doesn’t support creating LUKS partitions.

Additionally, since you can’t use the “good” PBKDF, argon2i(d) (which is more secure and gives faster speeds) with the current version of grub available on Debian 12, you have to move boot to a separate unencrypted partition. This can be done by merely creating a new ~512 MiB ext2 primary partition via GParted

Past this, I had to create the LUKS stuff. To do so, I ran the following commands:

# Format partition as LUKS encrypted
cryptsetup luksFormat --type luks2 --pbkdf argon2i /dev/DEVICE
# Open partition, and map it to /dev/mapper/crypt
cryptsetup luksOpen /dev/DEVICE crypt
# Overwrite the entire device with 0s, just to be a bit more secure
dd if=/dev/zero of=/dev/mapper/crypt status=progress bs=4096
# Create ext4 partition on the mapped device
mkfs.ext4 /dev/mapper/crypt

Then, to copy the content to the new partition, I used the following commands:

mkdir -p /mnt/{old,new}
mount /dev/OLD_DEVICE /mnt/old
mount /dev/mapper/crypt /mnt/new
mkdir -p /mnt/new/boot
mount /dev/BOOT_DEVICE /mnt/new/boot
rsync -av /mnt/old/* /mnt/new

After all the data is copied, I need to enter a chroot environment in order to configure a few more things. This is done through the following commands:

mount -t sysfs /sys /mnt/new/sys/
mount -t proc /proc /mnt/new/proc/
mount --rbind /dev /mnt/new/dev/
chroot /mnt/new

Inside the chroot environment, you need to first install some cryptsetup related stuff, and then update the fstab file:

apt install cryptsetup cryptsetup-initramfs

/etc/crypttab (the file which tells the system what encrypted partitions to mount):

crypt   UUID=UUID_OF_PARTITION_FROM_BLKID   none    luks,discard

/etc/fstab:

/dev/mapper/crypt   /   ext4    rw  0   1
/dev/BOOT_PARTITION /boot   ext2    rw  0   1

Past this, you need to reinstall grub:

grub-install /dev/DISK # for legacy BIOS, note this is the disk not the partition (ie. /dev/vda not /dev/vda1)
update-grub

And that should be it, once you reboot, you should boot into a password prompt, past which you can boot into your newly encrypted system!

PS: don’t forget to remove the old partition :D

Since we couldn’t procure a good camera that can capture text from the projector well, I started experimenting with other alternatives.

The first solution I tried was a generic IP camera based solution, which of course came with the latencies involved with network-based stuff and hence wasn’t suitable for this purpose.

Then, I tried droidcam, which uses ADB, but again, it had a paywall for anything over 480p.

Past this, my jugaad solution was to use scrcpy via USB ADB, open the normal camera app and then just capture part of the window with the content, but that came with the issue of only being able to use 4:3 aspect ratio, and potentially worse quality since liveview is rarely as good as actuals.

Later, I discovered that scrcpy can natively capture the phone camera since Android 12+ and Scrcpy 2.x+.

This came with the first problem, debian testing is still stuck on 1.x of scrcpy!

Note to self: maybe I should try porting a 2.x to Debian :D

As outlined in the docs, scrcpy can capture both front and back cameras, at all supported resolutions, and even the audio from the phone’s mic (which is useful considering how shitty the mics are on modern laptops these days) .

So at the end, I ended up with this command:

/usr/local/bin/scrcpy --video-source=camera --camera-id=0 --camera-size=3264x1836

Now, at this point, I just needed to run OBS under Xwayland, add it as an Xcomposite video capture, and start streaming!

But then, if you want to use it as a webcam, you just have to install v4l2loopback (and run modprobe v4l2loopback), and then click “Start Virtual Camera” instead of Start Streaming.

Do note though, you might have to change output type to scene under the settings section right next to the start virtual camera button.

But thats about it. This is still a bit jank, considering you need scrcpy and OBS both running in the background, but it generally does the job pretty well, and a good phone’s webcam is miles better than any other mid-range web-cam you can get.

To begin with, you need to use the altgr-intl layout in order to be able to use it in the first place. This also gives you access to many other characters as well.

To do this, add kb_variant = altgr-intl in the input section of your hyprland.conf.

Past this, the configuration is pretty simple, you just have to add the required options to kb_options.

You can get a list of these with localectl list-x11-keymap-options.

In my case, I needed rupeesign:4

At the end, this is how the hyprland.conf’s input section looks:

input {
    kb_layout = us
    kb_options = rupeesign:4, caps:backspace
    kb_variant = altgr-intl
    [...mouse stuff...]
}

This led me to think again about something I have been pondering about in and out for ages, the place of philosophy in the educational system.

The problem

I’ll start with the problem. To be honest, this generation is extremely apolitical, and non-politically active.

All they care about is getting good marks, passing 10th/12th and getting a good college/job, while ignoring the big and important question, the state of our nation.

When noone cares about the nation, asatyamev hi jayate (injustice alone will prevail), for there is no person to keep check on the government.

Every person’s goal in life is to serve themselves. Me first, everything secondary. This is how humans work.

The government is meant to mediate this but its not a bulletproof entity, its made of people, whose primary goal is to serve themselves.

This is why we need someone to keep the government in check, and unintellectual and aloofness from politics does not help.

This I feel, is excacerbated by the education system, especially here, which encourages rote learning.

The state of the current education system

This is especially bad with social studies, where it is important to be opinion based, not “I just memorized this chapter and can get 100 in tommorow’s exam”.

I guess this could apply to the sciences, mathematics etc. but it is even more important in the social sciences and humanities.

Social Studies must be opinions, what you think about this thing, who is in the right and who is in the wrong according to you, with multiple sources to understand from.

People should be marked based on the intellectual-ness of the answer, not based on how “politically-correct” or similar to textbook the answer is.

Here is where philosophy plays an important role.

While social studies only covers laws, history and generally how our current system came to be, philosophy questions the basic theory.

Philosophy awakens the intellectual-ness, and makes people think critically.

It encourages and makes people go into deep thoughts and intellectual discussions, which benifit them mentally and society in large as we get more intelligent people.

This encouragement that used to be prevailent in the ancient times of Gurukuls has been effectively wiped off by the advent of the structured educational system.

My ideas for how philosophy could be implemented in education

Philosophy is a vast and varied subject.

I would say, extracts from philosophical texts from the big 4 traditions (western, indian, chinese, islamic) should be given to students about a specific topic, which of course must be suitable for their grade and they should be asked to comment on what they think about each.

In my opinion, everything should be marked based on the intellect of the answer, and when marks are deducted for “wrong-think”, students should be able to appeal to a board setup to answer and co-ordinate with schools about these kind of marking conflicts.

The “untouchable” subjects

There are many subjects that are untouchable in any normal debate, be it caste, morality, religion etc.

This is BAD and leads to forcing of opinions and generally lack of intellectualism around these topics.

You cannot and should not take a blind follow approach to anything. Question every single thing you have to do, be it rhetorical or directed towards someone else.

The law

The law should be more liberal when it comes to “wrong-think”. Speech should be allowed as long as it does not incite or promote violence.

I know incite violence is vague as hell, and that is of course because of how varied stuff can cause people to get mad.

A small social media post about something inciteful can cause more harm than someone saying extremely inciting/dangerous things to even a big audience.

“Hate speech” can not be regulated, and the intentions of something cannot be easily made out.

To be frank, I don’t have any ideas about this. Maybe a committee to decide what constitutes a hate-speech and what does not, but then there are of course biases.

If you go with a simple “if there is violence due to your post we arrest you”, you risk arresting people whose post unintentionally incited the same.

But, at the end of the day, the law should be more allowing for free thinking and intellectual discussions, as long as of course, it doesnt incite violent acts.

Societal stuff

People also are moulded more and more into non-individualistic robots, who all share the same happiness and same opinions.

People like something just because others like it, and if they don’t like it they are treated like outcasts from society.

People have no individualistic goals in life, just the standard “getting good marks, passing 10th/12th and getting a good college/job”

While these are also extremely important, we need to stress on the importance of a life where people aren’t just robots who do what they are told to do (or NPCs as the zoomers call it).

This could be lessened by philosophy, which imbibes critical thinking in the mind of those who read it.

I should have published this on Independence day since well a lot of these were ponderings about the Indian independence and what it gave us Indians, but well procrastination :)

I know this is a bit rambly but I hope you get the point :P

Of course I wanted to replace the default windows with linux, but I was too lazy to reinstall and hence just put my old NVMe SSD in the laptop thanks to the availability of 2 M.2 slots.

Before this I had to disable secure boot in the bios which I did along with a few other “important” changes (which I’ll cover later)

Past this, most things worked out of the box after removing my old Nvidia drivers. Ryzen is really good on linux :P

However, 2 things didn’t work correctly, the Fingerprint sensor and WiFi card.

Realtek WiFi

After the initial setup, my realtek wifi card was having frequent disconnection issues. It will suddenly just stop transmitting data and the fix was to reconnect to the wifi network.

Another issue is that the Realtek WiFi card only works with kernels 6.2+. This wasn’t an issue for me as a Debian Sid user but when I first tested the compatibility on an Ubuntu 22.04 ISO before adding my drive, this was pretty weird/confusing.

After a bit of searching, I figured out that the random disconnection was due to NetworkManager’s randomized mac addresses.

To fix this, I just had to append the following to the NetworkManager.conf file:

[device]
wifi.scan-rand-mac-address=no

Goodix Fingerprint

I thought the fingerprint was useless for good, until I discovered that Lenovo provided drivers for their fingerprint sensor through one of the manuals I was searching through.

Originally I didn’t find anything, since the driver page for my model didn’t show linux, but after a bit of searching again, I stumbled across this support page that gave links to drivers.

Since I ran debian testing and its mostly compatible with what Ubuntu has, I tried just installing libfprint-2-2 normally and then the driver’s deb, but the deb refused to install since it needed libfprint-2-tod (a fork of libfprint with support for TOD/touch based fingerprint readers).

I tried installing the deb from ubuntu repos and then install the driver, which succeeded, but didn’t make the device work.

Later, I installed ubuntu 22.04 on a secondary partition to check if it worked on ubuntu, which it did.

One thing I noticed, however was that it used a ppa instead of regular libfprint(-tod) from canonical repos.

Then, I tried installing libfprint and libfprint-tod debs from that ppa and the goodix deb from lenovo, and after a reboot, everything worked!

Once it was up, I installed fprintd and libpam-fprintd, at which point I did the fprintd-enroll and fprintd-verify.

After these succeeded, I ran pam-auth-update --enable fprintd. This made fprintd work on pam stuff like sudo and TTY logins.

With this, the last remaining non-working feature of my thinkpad was working as well :D

The BIOS

Once I got my thinkpad, basically the first thing I did was tweak the BIOS.

Getting into the BIOS is dead simple compared to other laptops, just press enter (which it tells you during bootup) and it will take you to a menu, from where you can choose to go to the BIOS with F1.

I was pleasantly surprised to see a modern BIOS, with touchpad support. Coming from laptops which only had blue and white bioses and barely any tweaks, this was a welcome upgrade :)

First thing to disable was secure boot. It was present in Security section of the BIOS and was pretty easy to disable

Then, I permanently disabled some enterprise spyware utility (update: it was called Absolute under Security).

There was also Lenovo Cloud Services in Config -> Network, which I of course disabled.

While in Security, I disabled Enhanced Windows Biometric Security (in Virtualization) and Microsoft Device Guard.

And thats it for now, I’ll update this blogpost if I face any other issues or discover other stuff. Thanks for sticking around :)

If you have any questions, feel free to contact me!

This was because of how much of a pain it is to setup workers, especially with docker. The docs aren’t great about it either..

For these reasons, we turned to matrix-docker-ansible-deploy.

The first issue we encountered was how spread out the docs were, though very precise and well-explained.

Once we cloned the repo, we first had to setup the inventory hosts file.

Since we cloned the repo to the DockerVM itself, we had a weird solution for this.

[matrix_servers]
matrix.projectsegfau.lt ansible_host=localhost ansible_ssh_user=root

After this, we had to add the pubkey of the VM to its own authorized_keys. Wacky :P

With that sorted, we had to start configuring.

Firstly, we had to prevent it from installing docker.

This is important since (re)installing docker will break a lot, especially for our pre-existing services.

matrix_playbook_docker_installation_enabled: false

After that, we had to add our old secret keys back to the config file so that it won’t break federation:

matrix_synapse_macaroon_secret_key: "xxx"
matrix_synapse_registration_shared_secret: "xxx"
matrix_synapse_form_secret: "xxx"

The signing key had to be re-added as well, but later after the setup was complete.

After that, we turned to the thing we migrated for, synapse workers:

Since the generic and federation_sender workers have to process a lot of data, we made 4 of each (totally didn’t copy the number from envs.net :P).

matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: one-of-each
matrix_synapse_workers_federation_sender_count: 4
matrix_synapse_workers_generic_worker_count: 4

Another important thing we had to take into consideration was postgres. We ran postgres on a separate VM and connected to the database on it.

matrix_synapse_database_host: "192.168.5.4"
matrix_synapse_database_user: "synapse"
matrix_synapse_database_password: "xxx"
matrix_synapse_database_database: "synapse"
devture_postgres_enabled: false

After the database, we had to set up registration/login stuff.

A weird thing I noticed about matrix-docker-ansible-deploy’s email configuration is that it uses its own relay, above our mail credentials.

matrix_mailer_sender_address: "matrix@projectsegfau.lt"
matrix_mailer_relay_use: true
matrix_mailer_relay_host_name: "mail.projectsegfau.lt"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: true
matrix_mailer_relay_auth_username: "matrix@projectsegfau.lt"
matrix_mailer_relay_auth_password: "xxx"
matrix_synapse_registrations_require_3pid: [ email ]
matrix_synapse_enable_registration: true
matrix_synapse_configuration_extension_yaml: |
  oidc_providers:
    - idp_id: authentik
      idp_name: "authentik"
      idp_icon: "mxc://envs.net/429bd4b307d32b919a94823f03acc7c24a7da61f"
      discover: true
      issuer: "https://auth.p.projectsegfau.lt/application/o/matrix/"
      client_id: "xxx"
      client_secret: "xxx"
      scopes:
        - "openid"
        - "profile"
        - "email"
      user_mapping_provider:
        config:
          localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
          display_name_template: "{% raw%}{{ user.name }}{% endraw %}"
          email_template: "{% raw %}{{ user.email }}{% endraw %}"

Past this, we also had to port the small configurations we had in our old homeserver.yaml to the ansible format.

Since most of these weren’t documented very well, we had to make heavy use of the defaults file.

matrix_synapse_auto_join_rooms: [ '#project-segfault:projectsegfau.lt', '#support:projectsegfau.lt', '#general:projectsegfau.lt', '#announcements:projectsegfau.lt' ]
matrix_synapse_max_upload_size_mb: 700
matrix_synapse_allow_public_rooms_without_auth: true
matrix_synapse_allow_public_rooms_over_federation: true
matrix_synapse_email_client_base_url: "https://matrix.to"
matrix_synapse_email_invite_client_location: "https://chat.projectsegfau.lt"
matrix_synapse_turn_uris: ["turn:turn.projectsegfau.lt?transport=udp", "turn:turn.projectsegfau.lt?transport=tcp"]
matrix_synapse_turn_shared_secret: "xxx"
matrix_synapse_turn_allow_guests: true
matrix_coturn_enabled: false
matrix_client_element_enabled: false

At this point we realized that we need to do a lot of weirder stuff to get it to work reverse-proxied behind our main caddy instance.

We reverse-proxied the traefik instance behind our caddy instance, as recommended by the documentation with the instructions there:

# Ensure that public urls use https
matrix_playbook_ssl_enabled: true

# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
devture_traefik_config_entrypoint_web_secure_enabled: false

# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
devture_traefik_container_web_host_bind_port: '0.0.0.0:81'

# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
devture_traefik_additional_entrypoints_auto:
  - name: matrix-federation
    port: 8449
    host_bind_port: '0.0.0.0:8449'
    config: {}

After all the configuration was done, we had to run it :P.

Firstly, we had to install ansible and just, and run just roles to initialize all the ansible stuff.

At this point, we shut down our old matrix instance in order to not cause any issues.

Then, we ran ansible-playbook -i inventory/hosts setup.yml --tags=install-all to install all the files but not start the services.

Now came the most time consuming part, importing the old media repo. Considering its size at over 85 gigabytes.

ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_media_store=/opt/docker/mtrx/files/media_store' --tags=import-synapse-media-store

This took almost 30 minutes, the majority of the downtime we had..

After this was done, we were able to start the server: ansible-playbook -i inventory/hosts setup.yml --tags=start.

The nginx configuration they recommended in the documentation for our reverse-proxy setup was pretty self-explanatory and easy to convert, but for the fact that till now our matrix instance used normal delegation and did not make use of :8448.

Due to this, we had to waste a lot of time trying to figure out which routes went to which ports. I wish the documentation explained this better..

At the end, this was the caddy configuration we came up with for this:

matrix.projectsegfau.lt {
    reverse_proxy /_matrix/* 192.168.5.2:8449
    reverse_proxy /_matrix/client/* 192.168.5.2:81
    reverse_proxy /_synapse/* 192.168.5.2:81
}

This configuration works right now, though we are still not completely sure if other routes need to go somewhere else.

I do have some gripes with it though, such as the ages it takes for restarts (–tags=setup-build and then –tags=restart for those wondering) and the lack of documentation for what is the recommended upstream delegation configuration.

At the end, matrix-docker-ansible-deploy simplified our config a lot and relieved a lot of maintanence burden we would have had in case we configured it manually and I am thankful for that.

In this tutorial I’ll show how to setup Knot with DNSSEC, authenticated master -> slave sync, RFC2136 (for automatic dns-based certs in caddy and such) and GeoDNS, which makes the server give an IP closest to the user.

I assume you have two Debian based systems, with port 53 (tcp+udp) forwarded.

Installing Knot

This guide covers debian, but instructions for other distributions can be found on the download page Run the following on both the master and the slave:

apt-get -y install apt-transport-https lsb-release ca-certificates wget
wget -O /usr/share/keyrings/knot.gpg https://deb.knot-dns.cz/apt.gpg
sh -c 'echo "deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/knot-latest.list'
apt-get update
apt-get install knot knot-dnsutils

Basic Configuration

knot.conf

Now, to add in the basic configuration, overwrite the /etc/knot/knot.conf file on the master with the following text:

server:
    rundir: "/run/knot"
    user: knot:knot
    listen: 0.0.0.0@53
log:
  - target: syslog
    any: info
database:
    storage: "/var/lib/knot"
remote:
  - id: secondary
    address: your.other.servers.ip@53
acl:
  - id: acl_secondary
    address: your.other.servers.ip
    action: transfer
template:
  - id: default
    storage: "/etc/knot/zones"
    file: "%s.zone"
    semantic-checks: on
    # Don't override zonefile
    zonefile-sync: -1
    zonefile-load: difference-no-serial
    journal-content: all
zone:
  - domain: your.domain
    notify: secondary
    acl: acl_secondary

On the slave, overwrite the same file with the following text:

server:
    rundir: "/run/knot"
    user: knot:knot
    listen: 0.0.0.0@53
log:
  - target: syslog
    any: info
database:
    storage: "/var/lib/knot"
remote:
  - id: primary
    address: your.main.servers.ip@53
acl:
  - id: acl_primary
    address: your.main.servers.ip
    action: notify
template:
  - id: default
    storage: "/etc/knot/zones"
    file: "%s.zone"
zone:
  - domain: your.domain
    master: primary
    acl: acl_primary

Zonefile

At this point you need to create /etc/knot/zones on both the master and slave as that is where the zonefiles will be stored. Now create a file named your.domain.zone in the directory on the master alone and add the following text to it:

$ORIGIN your.domain. ; 'default' domain as FQDN for this zone
$TTL 3600 ; default time-to-live for this zone

your.domain.   IN  SOA     ns1.your.domain. ns2.your.domain. (
        YYYYMMDD01  ;Serial
        14400       ;Refresh
        3600        ;Retry
        1209600     ;Expire
        3600        ;Negative response caching TTL
)
@   IN  NS  ns1.your.domain.
@   IN  NS  ns2.your.domain.
ns1 A   your.main.servers.ip
ns2 A   your.other.servers.ip
@   A   your.main.servers.ip

; PTR Records (for mailservers)
your.ip.in.reverse.in-addr.arpa.    PTR mail.your.domain.

At this point, you can run systemctl restart knot (restart since its a major change) on both nodes.

Updating the zonefile

Updating the zonefile is not hard.

• Since we set the zonefile-load to difference-no-serial, we do not need to increment the serial as it will automatically be computed when knotc reload is run.
• All records must be before the PTR in the zonefile.
• Wildcards can be done with the hostname as *
• If the hostname ends with ., it must include your.domain, that is something.your.domain will be something.your.domain.
• If the hostname does not end with a ., it is relative to the domain, that is something.your.domain will just be something.
• Always use tabs, not spaces.

Token-based zonefile authentication

At the moment, the authentication for sending and receiving the zonefile is completely based on the IP address, which is not very secure.

To remediate this, we can use token-based authentication.

First, you need to generate a key with keymgr -t zonesync hmac-sha256

This is the key that will authenticate the zone transfers.

You can copy-paste the output it gives you into your knot.conf, above the remote section on both master and slave.

Now, you need to add key: zonesync to the remote, acl_primary/secondary sections on both master and slave.

At this point, you can run systemctl restart knot, and all the syncs will be more secure!

DNSSEC

DNSSEC is an extension to DNS designed to protect applications using DNS from accepting forged or manipulated DNS data by using zone signing.

Enabling DNSSEC on knot is as simple as adding the following line to the template section:

template:
    ...
    dnssec-signing: on
    ...

At this point, you need to upload the DS record to your Registry. This is usually done through your registrar’s WebUI.

The DNSSEC-enabled DNS servers use the DS record from your domain registry to validate your records.

You can get your DS record with the following command:

keymgr your.domain ds

The output will look something like this:

54674 13 2 E28E3DB78E5517A577353A43799AD14EC044720BAE4906D134F5EA40 74AC0287

In the example given:

• Key tag - 54674
• Algorithm - 13
• Digest Type - 2
• Digest - E28E3…287 (omit space)

On namecheap, you add this at Advanced DNS -> DNSSEC

You can check if your DNSSEC is working properly at DNSViz and DNSSEC-Analyzer.

RFC2136

RFC2136 is an RFC that allows dynamic updates for DNS.

This works completely over DNS and does not require a special API.

To set it up, you need to create an ACL as follows:

acl:
    ...
    - id: acl_dynupdates
    address: [an.authorized.ip.addr, another.authorized.ip.addr]
    action: update
...
zone:
  - domain: your.domain
    notify: secondary
    acl: [acl_secondary, acl_dynupdates]

You can also add token-based auth by generating another key with keymgr -t rfc2136 hmac-sha256

You can add it to the config as follows:

key:
    ...
    - id: rfc2136
    algorithm: hmac-sha256
    secret: xxx
...
acl:
    ...
    - id: acl_dynupdates
    address: [an.authorized.ip.addr, another.authorized.ip.addr]
    action: update
    key: rfc2136

After this, you can run systemctl restart knot to apply the changes.

Caddy

Caddy is a modern webserver which supports automatic cert generation from letsencrypt/zerossl with acme.

It uses http-01 for the challenge by default, but can use a dns challenge too.

For the DNS challenge, you first need to install the RFC2136 DNS plugin with the following command:

xcaddy build --with github.com/caddy-dns/rfc2136@master

Now, add the following lines to the top of your caddyfile

{
    acme_dns rfc2136 {
        key_name "rfc2136"
        key_alg "hmac-sha256"
        key "xxx"
        server "your.main.servers.ip:53"
    }
    acme_ca https://acme-v02.api.letsencrypt.org/directory
}

Now, all certs can be generated using the DNS challenge!

This is especially useful in a GeoDNS environment.

GeoDNS

GeoDNS allows geographical split horizon based on a GeoIP database, such as Maxmind’s free GeoLite2.

Firstly, you need to procure the GeoLite2 database from Maxmind.

Due to policy changes, you now need to signup on Maxmind’s website in order to get access.

However, older GeoIP DBs can still be found in many places, including distribution package repositories.

Once you procure your copy of GeoLite2, you need to install the GeoIP module for knot-dns on both master and slave.

On Debian, the package’s name is knot-module-geoip

After installing the module, you can add it to the knot.conf (must be before zone section however):

mod-geoip:
  - id: geo 
    config-file: "/etc/knot/geo.conf"
    mode: geodb
    geodb-file: "/var/lib/knot/GeoLite2-City.mmdb"
    geodb-key: [ continent/code, country/iso_code, city/names/en ]

You also need to include the GeoIP module for your domain. You can do that by adding this line to your domain’s zone section:

zone:
    - domain: your.domain
      ...
      module: mod-geoip/geo

Now, you need to configure the GeoDNS.

To do so, create a file called /etc/knot/geo.conf with the following:

geodnsubdom.your.domain:
  - geo: "*;*;*" # Fallback incase DNS server doesn't send ECS
    A: your.main.servers.ip
    TXT: "Worldwide"
  - geo: "EU;*;*" # Europe
    A: your.europe.servers.ip
    TXT: "Europe"
    ...

However, the file needs to be manually synced to the slave on every update.

It is also painful to use if you have multiple root subdomains you want to use GeoDNS with.

Due to these reasons, I made a kinda hacky script to remediate this:

#!/usr/bin/env bash
geoconf=/etc/knot/geo.conf
remote='geodns@other.servers.ip'
printf '' > $geoconf
for i in $(</etc/knot/geodnsdomains); do
    cat /etc/knot/geodnstemplate >> $geoconf
    sed -i "s/REPLACEME/${i}/" $geoconf
done
scp $geoconf "${remote}":/var/geo.conf
ssh $remote "sudo systemctl restart knot"
systemctl restart knot

In order to allow the unprivileged user on the slave to restart knot, I used a sudo ALLOW_CMDS flag:

Cmnd_Alias KNOT_CMDS = /usr/bin/systemctl restart knot
geodns ALL=(ALL) NOPASSWD: KNOT_CMDS

And thats it. Thanks for reading!

Welcome to my new blog!

I created this along with my website redesign and conversion to pandoc from static html.

I will try to write based content atleast once a month but no promises :P