starred/nix-config-ryan4yin
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-25 09:28:27 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

chore: remove unused dae configs from aqua

Browse Source
This commit is contained in:
Ryan Yin
2024-03-27 22:04:30 +08:00
parent bdfd583b65
commit ae07e142d7
5 changed files with 3 additions and 609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
hosts/idols-aquamarine/README.md
View File

@@ -1,48 +1,3 @@
# Idols - Aquamarine # Idols - Aquamarine
A router(IPv4 only) with a transparent proxy to bypass the G|F|W. TODO
NOTE: dae(running on aquamarine) do not provides a http/socks5 proxy server, so a v2ray server is
running on [idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service.
## Troubleshooting
### Can not access the global internet
1. Check whether the subscription url is accessible.
- If not, then you need to get a new subscription url and update the `dae`'s configuration.
1. Check the `dae` service's log by `journalctl -u dae -n 1000`.
### DNS cannot be resolved
1. `sudo systemctl stop dae`, then try to resolve the domain name again.
- If it works, the problem is caused by `dae` service.
- check dae's log by `journalctl -u dae -n 1000`
1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
### DHCP cannot be obtained
1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67.
1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`.
1. Request a new IP address by disconnect and reconnect one of your devices' wifi.
1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is
received by `dnsmasq`.
1. The server listens on UDP port number 67, and the client listens on UDP port number 68.
1. DHCP operations fall into four phases:
1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network
subnet using the destination address 255.255.255.255 (limited broadcast) or the specific
subnet broadcast address (directed broadcast).
1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which
is an IP address lease request, the DHCP server reserves an IP address for the client and
makes a lease offer by sending a DHCPOFFER message to the client.
1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST
message, broadcast to the server,[a] requesting the offered address.
1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from
the client, it sends a DHCPACK packet to the client, which includes the lease duration and
any other configuration information that the client might have requested.
1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly.
## References
- <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
- <https://github.com/ghostbuster91/nixos-router>

320
hosts/idols-aquamarine/config.dae
View File

@@ -1,320 +0,0 @@
# https://github.com/daeuniverse/dae/discussions/81
# https://github.com/daeuniverse/dae/blob/main/example.dae
# load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global {
##### Software options.
# tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
# In normal case, you do not need to use it.
tproxy_port: 12345
# Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
# iptables tproxy rules.
tproxy_port_protect: true
# If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
# rules.
so_mark_from_dae: 1
# Log level: error, warn, info, debug, trace.
log_level: info
# Disable waiting for network before pulling subscriptions.
disable_waiting_network: false
##### Interface and kernel options.
# The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",".
lan_interface: br-lan
# The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect.
#
# Disable this to avoid problems with the proxy server that prevent the subscription link from being updated
# wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
auto_config_kernel_parameter: false
##### Node connectivity check.
# Host of URL should have both IPv4 and IPv6 if you have double stack in local.
# First is URL, others are IP addresses if given.
# Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
#tcp_check_url: 'http://cp.cloudflare.com'
tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
# The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
# accounting for this kind of traffic.
tcp_check_http_method: HEAD
# This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
# TCP DNS connectivity of nodes.
# First is URL, others are IP addresses if given.
# This DNS should have both IPv4 and IPv6 if you have double stack in local.
#udp_check_dns: 'dns.google.com:53'
udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
check_interval: 30s
# Group will switch node only when new_latency <= old_latency - tolerance.
check_tolerance: 50ms
##### Connecting options.
# Optional values of dial_mode are:
# 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
# respectively, and makes the IP version requested by the application meet expectations. For example, if you
# use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
# This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
# in this mode.
# 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
# if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
# re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
# That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
# 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
# DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
# go through dae, dae cannot split traffic by domain.
# 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
# domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
dial_mode: domain
# Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
allow_insecure: false
# Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
# in high latency LAN network.
sniffing_timeout: 100ms
# TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
tls_implementation: tls
# The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
# See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
utls_imitate: chrome_auto
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
# respond to type A queries and response empty answer to type AAAA queries.
ipversion_prefer: 4
# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
# for these domains.
#fixed_domain_ttl {
# ddns.example.org: 10
# test.example.org: 3600
#}
upstream {
# Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
# If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
# IPv4 or IPv6 to use according to group policy (such as min latency policy).
# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
alidns: 'udp://223.5.5.5:53'
googledns: 'tcp+udp://8.8.8.8:53'
}
routing {
# According to the request of dns query, decide to use which DNS upstream.
# Match rules from top to bottom.
request {
# Lookup China mainland domains using alidns, otherwise googledns.
qname(geosite:cn) -> alidns
# fallback is also called default.
fallback: googledns
# other custom rules
qname(full:analytics.google.com) -> googledns # do not block google analytics(console)
qname(regex: '.+\.nixos.org$') -> googledns
qname(geosite:category-ads) -> reject
qname(geosite:category-ads-all) -> reject
qtype(aaaa) -> reject
qname(regex: '.+\.linkedin$') -> googledns
}
# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# Match rules from top to bottom.
response {
# Trusted upstream. Always accept its result.
upstream(googledns) -> accept
# Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
ip(geoip:private) && !qname(geosite:cn) -> googledns
fallback: accept
}
}
}
# Node group (outbound).
group {
proxy {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
# Filter nodes and give a fixed latency offset to archive latency-based failover.
# In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
# filter: name(keyword: '英国') [add_latency: -300ms]
# filter: name(keyword: 'Japan') [add_latency: 300ms]
# filter: name(keyword: '日本') [add_latency: 300ms]
# Other filters:
# Filter nodes from the global node pool defined by the subscription and node section above.
# filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
# filter: name('node_a','node_b')
# Select the node with min average of the last 10 latencies from the group for every connection.
policy: min_avg10
# Other policies:
# random - Randomly select a node from the group for every connection.
# fixed(0) - Select the first node from the group for every connection.
# min - Select the node with min last latency from the group for every connection.
# min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
}
media {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
policy: min_avg10
}
ssh-proxy {
filter: name(keyword: 'UK')
filter: name(keyword: '英国')
policy: min_avg10
}
sg {
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
policy: min_avg10
}
usa {
filter: name(keyword: 'USA')
filter: name(keyword: '美国')
policy: min_avg10
}
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
# Pname has the highest priority, so should be placed in the front.
# Priority of other rules is the same as the order of the rules defined in this file.
routing {
### Preset rules.
# Network managers in localhost should be direct to
# avoid false negative network connectivity check when binding to WAN.
pname(NetworkManager) -> direct
pname(systemd-networkd) -> direct
# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
# forwarded by the proxy.
# "dip" means destination IP.
dip(224.0.0.0/3, 'ff00::/8') -> direct
# This line allows you to access private addresses directly instead of via your proxy. If you really want to access
# private addresses in your proxy host network, modify the below line.
dip(geoip:private) -> direct
# --- Core rules ---#
# Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block
# Direct access to all Chinese mainland-related IP addresses
dip(geoip:cn) -> direct
domain(geosite:cn) -> direct
# Block ads
domain(full:analytics.google.com) -> proxy # do not block google analytics(console)
domain(geosite:category-ads) -> block
domain(geosite:category-ads-all) -> block
# DNS
dip(8.8.8.8, 8.8.4.4) -> proxy
dip(223.5.5.5, 223.6.6.6) -> direct
domain(full:dns.alidns.com) -> direct
domain(full:dns.googledns.com) -> proxy
domain(full:dns.opendns.com) -> proxy
# --- Rules for other commonly used sites ---#
# SSH - tcp port 22 is blocked by many proxy servers.
dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
### OpenAI
domain(geosite:openai) -> sg
domain(regex:'.+\.openai$') -> sg
### Media
domain(geosite:netflix) -> media
### Proxy
domain(suffix: linkedin.com) -> proxy
domain(keyword:'linkedin') -> proxy
domain(regex:'.+\.linkedin\.com$') -> proxy
domain(regex:'.+\.quay\.io$') -> proxy
domain(regex:'.+\.notion\.so$') -> proxy
domain(regex:'.+\.amazon\.com$') -> proxy
domain(regex:'.+\.oracle\.com$') -> proxy
domain(regex:'.+\.docker\.com$') -> proxy
domain(regex:'.+\.kubernetes\.io$') -> proxy
domain(regex:'.+\.nixos\.org$') -> proxy
domain(geosite:microsoft) -> proxy
domain(geosite:linkedin) -> proxy
domain(geosite:twitter) -> proxy
domain(geosite:telegram) -> proxy
domain(geosite:google) -> proxy
domain(geosite:apple) -> proxy
domain(geosite:category-container) -> proxy
domain(geosite:category-dev) -> proxy
domain(geosite:google-scholar) -> proxy
domain(geosite:category-scholar-!cn) -> proxy
### Direct
domain(regex:'.+\.edu\.cn$') -> direct
domain(keyword:'baidu') -> direct
domain(keyword:'bilibili') -> direct
domain(keyword:'taobao') -> direct
domain(keyword:'alibabadns') -> direct
domain(keyword:'alicdn') -> direct
domain(keyword:'tbcache') -> direct
domain(keyword:'zhihu') -> direct
domain(keyword:'douyu') -> direct
domain(geosite:cloudflare-cn) -> direct
# --- Fallback rules ---#
# Access all other foreign sites
domain(geosite:geolocation-!cn) -> proxy
!dip(geoip:cn) -> proxy
fallback: direct
}

56
hosts/idols-aquamarine/dae.nix
View File

@@ -1,56 +0,0 @@
{
config,
pkgs,
daeuniverse,
...
}:
# https://github.com/daeuniverse/flake.nix
let
daeConfigPath = "/etc/dae/config.dae";
subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
in {
imports = [
daeuniverse.nixosModules.dae
];
# dae - eBPF-based Linux high-performance transparent proxy.
services.dae = {
enable = true;
package = daeuniverse.packages.${pkgs.system}.dae;
disableTxChecksumIpGeneric = false;
configFile = daeConfigPath;
assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
# alternatively, specify assets dir
# assetsPath = "/etc/dae";
openFirewall = {
enable = true;
port = 12345;
};
};
# dae supports two types of subscriptions: base64 encoded proxies, and sip008.
# subscription can be a url return the subscription, or a file path that contains the subscription.
#
# Nix decrypt and merge my dae's base config and subscription config here.
# the subscription config is something like:
# ```
# subscription {
# 'https://www.example.com/subscription/link'
# 'https://example.com/no_tag_link'
# }
# node {
# # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
# node_a: 'trojan://'
# node_b: 'trojan://'
# node_c: 'vless://'
# node_d: 'vless://'
# node_e: 'vmess://'
# node_f: 'tuic://'
# node_h: 'juicity://'
# }
# ```
system.activationScripts.installDaeConfig = ''
install -Dm 600 ${./config.dae} ${daeConfigPath}
install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
'';
}

6
hosts/idols-aquamarine/default.nix
View File

@@ -8,8 +8,6 @@ let
hostName = "aquamarine"; # Define your hostname. hostName = "aquamarine"; # Define your hostname.
in { in {
imports = [ imports = [
./router.nix
./dae.nix
]; ];
# supported file systems, so we can mount any removable disks with these filesystems # supported file systems, so we can mount any removable disks with these filesystems
@@ -22,8 +20,8 @@ in {
"exfat" "exfat"
]; ];
boot.kernelModules = ["kvm-amd"]; # boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu # boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = { networking = {
inherit hostName; inherit hostName;

183
hosts/idols-aquamarine/router.nix
View File

@@ -1,183 +0,0 @@
{lib, ...}: let
hostAddress = "192.168.5.101";
hostAddressWithMask = "${hostAddress}/24";
mainGatewayAddress = "192.168.5.1";
dhcpRange = {
start = "192.168.5.50";
end = "192.168.5.99";
};
in {
# https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
boot = {
kernel = {
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
sysctl = {
# forward network packets that are not destined for the interface on which they were received
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
"net.ipv4.conf.br-lan.rp_filter" = 1;
"net.ipv4.conf.br-lan.send_redirects" = 0;
};
};
};
# Docker uses iptables internally to setup NAT for containers.
# This module disables the ip_tables kernel module, which is required for nftables to work.
# So make sure to disable docker here.
virtualisation.docker.enable = lib.mkForce false;
networking = {
useNetworkd = true;
useDHCP = false;
networkmanager.enable = false;
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# No local firewall.
nat.enable = false;
firewall.enable = false;
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/nftables.nix
nftables = {
enable = true;
# Check the applied rules with `nft -a list ruleset`.
# Since this is a internal bypass router, we don't need to do NAT & can forward all traffic.
ruleset = ''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iifname lo accept
# accept any lan traffic
iifname br-lan accept
# count and drop any other traffic
counter drop
}
# Allow all outgoing connections.
chain output {
type filter hook output priority 0;
accept
}
# Allow all forwarding all traffic.
chain forward {
type filter hook forward priority 0;
accept
}
}
'';
};
};
# https://nixos.wiki/wiki/Systemd-networkd
systemd.network = {
netdevs = {
# Create the bridge interface
"20-br-lan" = {
netdevConfig = {
Kind = "bridge";
Name = "br-lan";
};
};
};
# This is a bypass router, so we do not need a wan interface here.
networks = {
"30-lan0" = {
# match the interface by name
matchConfig.Name = "ens18";
# Connect to the bridge
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
# Configure the bridge device we just created
"40-br-lan" = {
matchConfig.Name = "br-lan";
address = [
# configure addresses including subnet mask
hostAddressWithMask # forwards all traffic to the gateway except for the router address itself
];
routes = [
# forward all traffic to the main gateway
{routeConfig.Gateway = mainGatewayAddress;}
];
bridgeConfig = {};
linkConfig.RequiredForOnline = "routable";
};
};
};
# resolved is conflict with dnsmasq
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
# resolve local queries (add 127.0.0.1 to /etc/resolv.conf)
resolveLocalQueries = true; # may be conflict with dae, disable this.
alwaysKeepRunning = true;
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=tree
settings = {
# upstream DNS servers
server = [
"119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS
# "8.8.8.8"
# "1.1.1.1"
];
# forces dnsmasq to try each query with each server strictly
# in the order they appear in the config.
strict-order = true;
# Never forward plain names (without a dot or domain part)
domain-needed = true;
# Never forward addresses in the non-routed address spaces(e.g. private IP).
bogus-priv = true;
# don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself.
no-resolv = true;
# Cache dns queries.
cache-size = 1000;
dhcp-range = ["${dhcpRange.start},${dhcpRange.end},24h"];
interface = "br-lan";
dhcp-sequential-ip = true;
dhcp-option = [
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
"option:router,${hostAddress}"
"option:dns-server,${hostAddress}"
];
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts
no-hosts = true;
address = [
# "/surfer.lan/192.168.10.1"
];
};
};
# monitoring with prometheus
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = "0.0.0.0";
port = 9153;
openFirewall = false;
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
# The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of
# letting the first CPU core to handle everything.
# This is supposed to increase performance by hitting CPU cache more often.
services.irqbalance.enable = false;
}