From 3ce34953a25a343eba745d904f8e1374b04bb2d9 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 8 Dec 2025 05:19:04 -0500
Subject: [PATCH] migrate to new server for Matrix

---
 deploy-bootloader | 10 +++--
 etc/nftables/nftables-matrix.conf | 39 +++++++++++++++++++
 .../network/matrix.grapheneos.org.link | 2 +-
 .../network/matrix.grapheneos.org.network | 31 +++++++--------
 .../system/matrix.grapheneos.org.fq.service | 20 ++++++++++
 hosts.sh | 10 +++--
 packages/matrix.grapheneos.org | 3 +-
 7 files changed, 90 insertions(+), 25 deletions(-)
 create mode 100644 etc/systemd/system/matrix.grapheneos.org.fq.service

diff --git a/deploy-bootloader b/deploy-bootloader
index 98c3fe0..3d9ccab 100755
--- a/deploy-bootloader
+++ b/deploy-bootloader
@@ -12,9 +12,13 @@ for host in ${hosts_all[@]}; do
 
 if [[ ${hosts_uefi[$host]:-false} = true ]]; then
 rsync boot/loader/loader.conf $remote:/boot/loader/loader.conf
- rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
- ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
- rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
+ if [[ ${hosts_mdraid[$host]:-false} = true ]]; then
+ rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
+ ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
+ rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
+ else
+ ssh $remote "bootctl install && systemctl enable systemd-boot-update.service"
+ fi
 else
 rsync etc/default/grub $remote:/etc/default/grub
 drive=$(ssh $remote bash -c '[[ -e /dev/sda ]] && echo sda || echo vda')
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index 3c9836f..60d8435 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
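Review bot: The new non-mdraid branch runs `bootctl install` but deploys neither the `arch-lts{,-fallback}.conf` loader entries nor the `systemd-boot-update.service.d` drop-in that the mdraid branch keeps, while `loader.conf` is still pushed for both; if the entries for such hosts come from elsewhere (a kernel-install hook or distro preset), a comment saying so would stop the next reader from treating this as an omission, e.g. `# non-mdraid UEFI hosts: loader entries are generated on the host, only loader.conf is pushed`. The `systemctl enable systemd-boot-update.service` string is now duplicated between the two `ssh` lines; running the enable once after the inner `if`/`fi` (or keeping it in one local variable) keeps the branches from drifting. The enclosing `for` loop starts and ends outside the hunk.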
@@ -14,6 +14,40 @@ table inet filter {
 {{ssh_ipv6}},
 }
 
+ define priority-besteffort = 0
+ define priority-bulk = 2
+ define priority-interactive-bulk = 4
+ define priority-interactive = 6
+
+ # based on CAKE diffserv4
+ map dscp-to-priority {
+ typeof ip dscp : meta priority
+ elements = {
+ cs1 : $priority-bulk,
+ lephb : $priority-bulk,
+ af11 : $priority-besteffort,
+ af12 : $priority-besteffort,
+ af13 : $priority-besteffort,
+ cs2 : $priority-interactive-bulk,
+ cs3 : $priority-interactive-bulk,
+ cs4 : $priority-interactive-bulk,
+ af21 : $priority-interactive-bulk,
+ af22 : $priority-interactive-bulk,
+ af23 : $priority-interactive-bulk,
+ af31 : $priority-interactive-bulk,
+ af32 : $priority-interactive-bulk,
+ af33 : $priority-interactive-bulk,
+ af41 : $priority-interactive-bulk,
+ af42 : $priority-interactive-bulk,
+ af43 : $priority-interactive-bulk,
+ cs5 : $priority-interactive,
+ cs6 : $priority-interactive,
+ cs7 : $priority-interactive,
+ ef : $priority-interactive,
+ va : $priority-interactive,
+ }
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -118,6 +152,11 @@ table inet filter {
 
 oif lo goto output-raw-loopback
 skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject
+
+ # translate DSCP to priority for fq bands
+ meta priority set ip dscp map @dscp-to-priority
+ meta priority set ip6 dscp map @dscp-to-priority
+
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 
diff --git a/etc/systemd/network/matrix.grapheneos.org.link b/etc/systemd/network/matrix.grapheneos.org.link
index 7657126..62c8438 100644
--- a/etc/systemd/network/matrix.grapheneos.org.link
+++ b/etc/systemd/network/matrix.grapheneos.org.link
@@ -1,5 +1,5 @@
 [Match]
-MACAddress=fa:16:3e:67:24:cc
+MACAddress=ea:5f:d2:f2:87:78
 
 [Link]
 Name=public
diff --git a/etc/systemd/network/matrix.grapheneos.org.network b/etc/systemd/network/matrix.grapheneos.org.network
index 95d44ec..0b6e149 100644
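Review bot: `dscp-to-priority` has no entry for cs0 (or the other codepoints it omits), so for those packets the `meta priority set … map @dscp-to-priority` rules in the second hunk of this file do not match and `meta priority` keeps whatever priority the socket already carries, which is 0 by default — the same value as `$priority-besteffort` — but not for applications that set their own socket priority or TOS. That fallthrough is presumably intended, yet nothing in the map says so; a line under `# based on CAKE diffserv4` such as `# unmapped codepoints (cs0 etc.) keep the socket priority, normally 0 = besteffort` would make it explicit. The map is declared with `typeof ip dscp` and is also used for `ip6 dscp`; as far as I can tell both are the dscp type so this is valid, but a comment on the map noting it serves both address families would save the reader checking. The chain these rules live in starts and ends outside the hunks.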
--- a/etc/systemd/network/matrix.grapheneos.org.network
+++ b/etc/systemd/network/matrix.grapheneos.org.network
@@ -2,25 +2,24 @@
 Name=public
 
 [Network]
-DHCP=ipv4
 LinkLocalAddressing=no
-Address=2607:5300:205:200::26e1/128
+Address=152.53.39.88/22
+Address=2a0a:4cc0:2000:dbc::1/64
+
+[Route]
+Destination=0.0.0.0/0
+Gateway=152.53.36.1
+PreferredSource=152.53.39.88
+
+[Route]
+Destination=152.53.36.1
+PreferredSource=152.53.39.88
 
 [Route]
 Destination=::/0
-Gateway=2607:5300:205:200::1
-PreferredSource=2607:5300:205:200::26e1
+Gateway=fe80::1
+PreferredSource=2a0a:4cc0:2000:dbc::1
 
 [Route]
-Destination=2607:5300:205:200::1
-PreferredSource=2607:5300:205:200::26e1
-
-[DHCP]
-UseMTU=true
-
-[CAKE]
-Handle=1
-Bandwidth=1000M
-PriorityQueueingPreset=diffserv4
-FlowIsolationMode=dual-dst-host
-SplitGSO=false
+Destination=fe80::1
+PreferredSource=2a0a:4cc0:2000:dbc::1
diff --git a/etc/systemd/system/matrix.grapheneos.org.fq.service b/etc/systemd/system/matrix.grapheneos.org.fq.service
new file mode 100644
index 0000000..fc2d889
--- /dev/null
+++ b/etc/systemd/system/matrix.grapheneos.org.fq.service
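Review bot: The `[Route]` with `Destination=152.53.36.1` is redundant as written: the gateway lies inside the configured `152.53.39.88/22` on-link prefix, so the connected route already covers it; harmless, but the reader has to work that out. The `fe80::1` routes are a different case — with `LinkLocalAddressing=no` there may be no `fe80::/64` on-link route at all, so the explicit `Destination=fe80::1` entry is presumably what makes the IPv6 default gateway reachable, and that deserves a comment because it looks like the same redundancy as the IPv4 one. The removed `[CAKE]` section is replaced not here but by the new `matrix.grapheneos.org.fq.service` (an `mq` root with one `fq` per queue); a `# queueing discipline is set by matrix.grapheneos.org.fq.service` comment in this file would keep the two configurations linked. Dropping `[DHCP] UseMTU=true` leaves the interface at the kernel default MTU unless the `.link` file sets one; worth confirming that matches the new provider.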
@@ -0,0 +1,20 @@
+[Unit]
+Requires=sys-subsystem-net-devices-public.device
+After=sys-subsystem-net-devices-public.device
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+
+[Install]
+WantedBy=sys-subsystem-net-devices-public.device
diff --git a/hosts.sh b/hosts.sh
index 3af5e8c..0d986ef 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -38,6 +38,7 @@ declare -Ar hosts_uefi=(
 [lax.releases.grapheneos.org]=true
 [lon.releases.grapheneos.org]=true
 [mia.releases.grapheneos.org]=true
+ [matrix.grapheneos.org]=true
 )
 
 declare -Ar hosts_mdraid=(
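Review bot: The unit hard-codes ten `mq` children (`parent 1:1` through `parent 1:a`), which ties it to the NIC's transmit-queue count; with `Type=oneshot` and no `-` prefix on the `ExecStart=` lines, a host with fewer queues fails the unit at the first missing class and leaves the later queues on the default qdisc, while a host with more queues silently leaves the extra ones unshaped. A comment recording the assumption, e.g. `# public exposes 10 TX queues: one fq per mq child, keep in sync with the NIC`, would make that visible to whoever moves this unit to the next server. The repeated `priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1` is also undocumented: it sends `meta priority` 0 (besteffort) to band 1, 2 (bulk) to band 2, and both 4 (interactive-bulk) and 6 (interactive) to band 0, so the four CAKE-style classes defined in `nftables-matrix.conf` collapse into three fq bands. A one-line comment next to the first `fq` `ExecStart=` stating that mapping, and that the values come from the nftables `dscp-to-priority` map, would spare the reader decoding the index table.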
@@ -133,6 +134,7 @@ declare -Ar hosts_agcount=(
 [lax.releases.grapheneos.org]=24
 [lon.releases.grapheneos.org]=32
 [mia.releases.grapheneos.org]=24
+ [matrix.grapheneos.org]=10
 )
 
 declare -Ar hosts_reserved_ports=(
@@ -192,7 +194,7 @@ declare -Ar hosts_journald_system_max_use=(
 [lon.releases.grapheneos.org]=64G
 [mia.releases.grapheneos.org]=64G
 [attestation.app]=8G
- [matrix.grapheneos.org]=8G
+ [matrix.grapheneos.org]=32G
 [discuss.grapheneos.org]=8G
 [grapheneos.social]=8G
 )
@@ -203,7 +205,7 @@ declare -Ar hosts_journald_system_max_file_size=(
 [lon.releases.grapheneos.org]=4G
 [mia.releases.grapheneos.org]=4G
 [attestation.app]=512M
- [matrix.grapheneos.org]=512M
+ [matrix.grapheneos.org]=2G
 [discuss.grapheneos.org]=512M
 [grapheneos.social]=512M
 )
@@ -239,7 +241,7 @@ declare -Ar hosts_ipv4_address=(
 [mia.releases.grapheneos.org]=172.96.172.37
 [staging.attestation.app]=198.98.57.157
 [attestation.app]=51.79.66.27
- [matrix.grapheneos.org]=51.79.51.42
+ [matrix.grapheneos.org]=152.53.39.88
 [discuss.grapheneos.org]=51.79.52.38
 [grapheneos.social]=51.222.159.14
 )
@@ -274,7 +276,7 @@ declare -Ar hosts_ipv6_address=(
 [mia.releases.grapheneos.org]=2605:9880:400:1100:15:1240:515:6e
 [staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
 [attestation.app]=2607:5300:205:200::7e9
- [matrix.grapheneos.org]=2607:5300:205:200::26e1
+ [matrix.grapheneos.org]=2a0a:4cc0:2000:dbc::1
 [discuss.grapheneos.org]=2607:5300:205:200::3c4
 [grapheneos.social]=2607:5300:205:200::5e3f
 )
diff --git a/packages/matrix.grapheneos.org b/packages/matrix.grapheneos.org
index eb53d98..aa4dad9 100644
--- a/packages/matrix.grapheneos.org
+++ b/packages/matrix.grapheneos.org
@@ -4,10 +4,11 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
+dosfstools
+efibootmgr
 ethtool
 fish
 git
-grub
 htop
 ioping
 iperf