migrate to new server for Matrix

2025-12-20 02:43:08 -05:00 · 2025-12-08 05:19:04 -05:00 · 2025-12-08 05:19:04 -05:00 · 3ce34953a2
commit 3ce34953a2
parent 9ec41b5ae0
7 changed files with 90 additions and 25 deletions
--- a/10
+++ b/10
@ -12,9 +12,13 @@ for host in ${hosts_all[@]}; do
    if [[ ${hosts_uefi[$host]:-false} = true ]]; then
        rsync boot/loader/loader.conf $remote:/boot/loader/loader.conf
-        rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
+        if [[ ${hosts_mdraid[$host]:-false} = true ]]; then
-        ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
+            rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
-        rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
+            ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
            rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
        else
            ssh $remote "bootctl install && systemctl enable systemd-boot-update.service"
        fi
    else
        rsync etc/default/grub $remote:/etc/default/grub
        drive=$(ssh $remote bash -c '[[ -e /dev/sda ]] && echo sda || echo vda')
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@ -14,6 +14,40 @@ table inet filter {
        {{ssh_ipv6}},
    }
    define priority-besteffort = 0
    define priority-bulk = 2
    define priority-interactive-bulk = 4
    define priority-interactive = 6
    # based on CAKE diffserv4
    map dscp-to-priority {
        typeof ip dscp : meta priority
        elements = {
            cs1 : $priority-bulk,
            lephb : $priority-bulk,
            af11 : $priority-besteffort,
            af12 : $priority-besteffort,
            af13 : $priority-besteffort,
            cs2 : $priority-interactive-bulk,
            cs3 : $priority-interactive-bulk,
            cs4 : $priority-interactive-bulk,
            af21 : $priority-interactive-bulk,
            af22 : $priority-interactive-bulk,
            af23 : $priority-interactive-bulk,
            af31 : $priority-interactive-bulk,
            af32 : $priority-interactive-bulk,
            af33 : $priority-interactive-bulk,
            af41 : $priority-interactive-bulk,
            af42 : $priority-interactive-bulk,
            af43 : $priority-interactive-bulk,
            cs5 : $priority-interactive,
            cs6 : $priority-interactive,
            cs7 : $priority-interactive,
            ef : $priority-interactive,
            va : $priority-interactive,
        }
    }
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
@ -118,6 +152,11 @@ table inet filter {
        oif lo goto output-raw-loopback
        skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject
        # translate DSCP to priority for fq bands
        meta priority set ip dscp map @dscp-to-priority
        meta priority set ip6 dscp map @dscp-to-priority
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/etc/systemd/network/matrix.grapheneos.org.link
+++ b/etc/systemd/network/matrix.grapheneos.org.link
@ -1,5 +1,5 @@
 [Match]
-MACAddress=fa:16:3e:67:24:cc
+MACAddress=ea:5f:d2:f2:87:78
 [Link]
 Name=public
--- a/etc/systemd/network/matrix.grapheneos.org.network
+++ b/etc/systemd/network/matrix.grapheneos.org.network
@ -2,25 +2,24 @@
 Name=public
 [Network]
 DHCP=ipv4
 LinkLocalAddressing=no
-Address=2607:5300:205:200::26e1/128
+Address=152.53.39.88/22
 Address=2a0a:4cc0:2000:dbc::1/64
 [Route]
 Destination=0.0.0.0/0
 Gateway=152.53.36.1
 PreferredSource=152.53.39.88
 [Route]
 Destination=152.53.36.1
 PreferredSource=152.53.39.88
 [Route]
 Destination=::/0
-Gateway=2607:5300:205:200::1
+Gateway=fe80::1
-PreferredSource=2607:5300:205:200::26e1
+PreferredSource=2a0a:4cc0:2000:dbc::1
 [Route]
-Destination=2607:5300:205:200::1
+Destination=fe80::1
-PreferredSource=2607:5300:205:200::26e1
+PreferredSource=2a0a:4cc0:2000:dbc::1
 [DHCP]
 UseMTU=true
 [CAKE]
 Handle=1
 Bandwidth=1000M
 PriorityQueueingPreset=diffserv4
 FlowIsolationMode=dual-dst-host
 SplitGSO=false
--- a/etc/systemd/system/matrix.grapheneos.org.fq.service
+++ b/etc/systemd/system/matrix.grapheneos.org.fq.service
@ -0,0 +1,20 @@
 [Unit]
 Requires=sys-subsystem-net-devices-public.device
 After=sys-subsystem-net-devices-public.device
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
 [Install]
 WantedBy=sys-subsystem-net-devices-public.device
--- a/hosts.sh
+++ b/hosts.sh
@ -38,6 +38,7 @@ declare -Ar hosts_uefi=(
    [lax.releases.grapheneos.org]=true
    [lon.releases.grapheneos.org]=true
    [mia.releases.grapheneos.org]=true
    [matrix.grapheneos.org]=true
 )
 declare -Ar hosts_mdraid=(
@ -133,6 +134,7 @@ declare -Ar hosts_agcount=(
    [lax.releases.grapheneos.org]=24
    [lon.releases.grapheneos.org]=32
    [mia.releases.grapheneos.org]=24
    [matrix.grapheneos.org]=10
 )
 declare -Ar hosts_reserved_ports=(
@ -192,7 +194,7 @@ declare -Ar hosts_journald_system_max_use=(
    [lon.releases.grapheneos.org]=64G
    [mia.releases.grapheneos.org]=64G
    [attestation.app]=8G
-    [matrix.grapheneos.org]=8G
+    [matrix.grapheneos.org]=32G
    [discuss.grapheneos.org]=8G
    [grapheneos.social]=8G
 )
@ -203,7 +205,7 @@ declare -Ar hosts_journald_system_max_file_size=(
    [lon.releases.grapheneos.org]=4G
    [mia.releases.grapheneos.org]=4G
    [attestation.app]=512M
-    [matrix.grapheneos.org]=512M
+    [matrix.grapheneos.org]=2G
    [discuss.grapheneos.org]=512M
    [grapheneos.social]=512M
 )
@ -239,7 +241,7 @@ declare -Ar hosts_ipv4_address=(
    [mia.releases.grapheneos.org]=172.96.172.37
    [staging.attestation.app]=198.98.57.157
    [attestation.app]=51.79.66.27
-    [matrix.grapheneos.org]=51.79.51.42
+    [matrix.grapheneos.org]=152.53.39.88
    [discuss.grapheneos.org]=51.79.52.38
    [grapheneos.social]=51.222.159.14
 )
@ -274,7 +276,7 @@ declare -Ar hosts_ipv6_address=(
    [mia.releases.grapheneos.org]=2605:9880:400:1100:15:1240:515:6e
    [staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
    [attestation.app]=2607:5300:205:200::7e9
-    [matrix.grapheneos.org]=2607:5300:205:200::26e1
+    [matrix.grapheneos.org]=2a0a:4cc0:2000:dbc::1
    [discuss.grapheneos.org]=2607:5300:205:200::3c4
    [grapheneos.social]=2607:5300:205:200::5e3f
 )
--- a/packages/matrix.grapheneos.org
+++ b/packages/matrix.grapheneos.org
@ -4,10 +4,11 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
 dosfstools
 efibootmgr
 ethtool
 fish
 git
 grub
 htop
 ioping
 iperf