migrate to new server for Matrix

deploy-bootloader

@@ -12,9 +12,13 @@ for host in ${hosts_all[@]}; do
 
     if [[ ${hosts_uefi[$host]:-false} = true ]]; then
         rsync boot/loader/loader.conf $remote:/boot/loader/loader.conf
-        rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
-        ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
-        rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
+        if [[ ${hosts_mdraid[$host]:-false} = true ]]; then
+            rsync boot/loader/entries/arch-lts{,-fallback}.conf $remote:/boot/loader/entries/
+            ssh $remote "SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install && systemctl enable systemd-boot-update.service"
+            rsync -r --delete etc/systemd/system/systemd-boot-update.service.d $remote:/etc/systemd/system/
+        else
+            ssh $remote "bootctl install && systemctl enable systemd-boot-update.service"
+        fi
     else
         rsync etc/default/grub $remote:/etc/default/grub
         drive=$(ssh $remote bash -c '[[ -e /dev/sda ]] && echo sda || echo vda')

etc/nftables/nftables-matrix.conf

@@ -14,6 +14,40 @@ table inet filter {
         {{ssh_ipv6}},
     }
 
+    define priority-besteffort = 0
+    define priority-bulk = 2
+    define priority-interactive-bulk = 4
+    define priority-interactive = 6
+
+    # based on CAKE diffserv4
+    map dscp-to-priority {
+        typeof ip dscp : meta priority
+        elements = {
+            cs1 : $priority-bulk,
+            lephb : $priority-bulk,
+            af11 : $priority-besteffort,
+            af12 : $priority-besteffort,
+            af13 : $priority-besteffort,
+            cs2 : $priority-interactive-bulk,
+            cs3 : $priority-interactive-bulk,
+            cs4 : $priority-interactive-bulk,
+            af21 : $priority-interactive-bulk,
+            af22 : $priority-interactive-bulk,
+            af23 : $priority-interactive-bulk,
+            af31 : $priority-interactive-bulk,
+            af32 : $priority-interactive-bulk,
+            af33 : $priority-interactive-bulk,
+            af41 : $priority-interactive-bulk,
+            af42 : $priority-interactive-bulk,
+            af43 : $priority-interactive-bulk,
+            cs5 : $priority-interactive,
+            cs6 : $priority-interactive,
+            cs7 : $priority-interactive,
+            ef : $priority-interactive,
+            va : $priority-interactive,
+        }
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -118,6 +152,11 @@ table inet filter {
 
         oif lo goto output-raw-loopback
         skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject
+
+        # translate DSCP to priority for fq bands
+        meta priority set ip dscp map @dscp-to-priority
+        meta priority set ip6 dscp map @dscp-to-priority
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 

etc/systemd/network/matrix.grapheneos.org.link

@@ -1,5 +1,5 @@
 [Match]
-MACAddress=fa:16:3e:67:24:cc
+MACAddress=ea:5f:d2:f2:87:78
 
 [Link]
 Name=public

etc/systemd/network/matrix.grapheneos.org.network

@@ -2,25 +2,24 @@
 Name=public
 
 [Network]
-DHCP=ipv4
 LinkLocalAddressing=no
-Address=2607:5300:205:200::26e1/128
+Address=152.53.39.88/22
+Address=2a0a:4cc0:2000:dbc::1/64
+
+[Route]
+Destination=0.0.0.0/0
+Gateway=152.53.36.1
+PreferredSource=152.53.39.88
+
+[Route]
+Destination=152.53.36.1
+PreferredSource=152.53.39.88
 
 [Route]
 Destination=::/0
-Gateway=2607:5300:205:200::1
-PreferredSource=2607:5300:205:200::26e1
+Gateway=fe80::1
+PreferredSource=2a0a:4cc0:2000:dbc::1
 
 [Route]
-Destination=2607:5300:205:200::1
-PreferredSource=2607:5300:205:200::26e1
-
-[DHCP]
-UseMTU=true
-
-[CAKE]
-Handle=1
-Bandwidth=1000M
-PriorityQueueingPreset=diffserv4
-FlowIsolationMode=dual-dst-host
-SplitGSO=false
+Destination=fe80::1
+PreferredSource=2a0a:4cc0:2000:dbc::1

etc/systemd/system/matrix.grapheneos.org.fq.service

@@ -0,0 +1,20 @@
+[Unit]
+Requires=sys-subsystem-net-devices-public.device
+After=sys-subsystem-net-devices-public.device
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/tc qdisc replace dev public root handle 1 mq
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:1 handle 1001 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:2 handle 1002 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:3 handle 1003 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:4 handle 1004 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:5 handle 1005 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:6 handle 1006 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:7 handle 1007 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:8 handle 1008 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:9 handle 1009 fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+ExecStart=/usr/bin/tc qdisc replace dev public parent 1:a handle 100a fq bands 3 priomap 1 2 2 2 0 2 0 0 1 1 1 1 1 1 1 1
+
+[Install]
+WantedBy=sys-subsystem-net-devices-public.device

hosts.sh

@@ -38,6 +38,7 @@ declare -Ar hosts_uefi=(
     [lax.releases.grapheneos.org]=true
     [lon.releases.grapheneos.org]=true
     [mia.releases.grapheneos.org]=true
+    [matrix.grapheneos.org]=true
 )
 
 declare -Ar hosts_mdraid=(
@@ -133,6 +134,7 @@ declare -Ar hosts_agcount=(
     [lax.releases.grapheneos.org]=24
     [lon.releases.grapheneos.org]=32
     [mia.releases.grapheneos.org]=24
+    [matrix.grapheneos.org]=10
 )
 
 declare -Ar hosts_reserved_ports=(
@@ -192,7 +194,7 @@ declare -Ar hosts_journald_system_max_use=(
     [lon.releases.grapheneos.org]=64G
     [mia.releases.grapheneos.org]=64G
     [attestation.app]=8G
-    [matrix.grapheneos.org]=8G
+    [matrix.grapheneos.org]=32G
     [discuss.grapheneos.org]=8G
     [grapheneos.social]=8G
 )
@@ -203,7 +205,7 @@ declare -Ar hosts_journald_system_max_file_size=(
     [lon.releases.grapheneos.org]=4G
     [mia.releases.grapheneos.org]=4G
     [attestation.app]=512M
-    [matrix.grapheneos.org]=512M
+    [matrix.grapheneos.org]=2G
     [discuss.grapheneos.org]=512M
     [grapheneos.social]=512M
 )
@@ -239,7 +241,7 @@ declare -Ar hosts_ipv4_address=(
     [mia.releases.grapheneos.org]=172.96.172.37
     [staging.attestation.app]=198.98.57.157
     [attestation.app]=51.79.66.27
-    [matrix.grapheneos.org]=51.79.51.42
+    [matrix.grapheneos.org]=152.53.39.88
     [discuss.grapheneos.org]=51.79.52.38
     [grapheneos.social]=51.222.159.14
 )
@@ -274,7 +276,7 @@ declare -Ar hosts_ipv6_address=(
     [mia.releases.grapheneos.org]=2605:9880:400:1100:15:1240:515:6e
     [staging.attestation.app]=2605:6400:10:aa9:1c0f:44d3:da15:c0ec
     [attestation.app]=2607:5300:205:200::7e9
-    [matrix.grapheneos.org]=2607:5300:205:200::26e1
+    [matrix.grapheneos.org]=2a0a:4cc0:2000:dbc::1
     [discuss.grapheneos.org]=2607:5300:205:200::3c4
     [grapheneos.social]=2607:5300:205:200::5e3f
 )

packages/matrix.grapheneos.org

@@ -4,10 +4,11 @@ certbot
 chrony
 cloud-guest-utils
 conntrack-tools
+dosfstools
+efibootmgr
 ethtool
 fish
 git
-grub
 htop
 ioping
 iperf