fix: bypass router

hosts/12kingdoms_shoukei/default.nix

@@ -21,7 +21,7 @@ in {
     ./impermanence.nix
   ];
 
-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
   boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
 
   networking = {

hosts/homelab_tailscale_gw/default.nix

@@ -10,6 +10,7 @@ let
 in {
   imports = [
     ./tailscale.nix
+    ./proxy.nix
   ];
 
   # supported file systems, so we can mount any removable disks with these filesystems

hosts/homelab_tailscale_gw/proxy.nix

@@ -0,0 +1,31 @@
+{
+  # dae(running on aquamarine) do not provides http/socks5 proxy server, so we use v2ray here.
+  # https://github.com/v2fly
+  services.v2ray = {
+    enable = true;
+    config = {
+      inbounds = [
+        {
+          listen = "0.0.0.0";
+          port = 7890;
+          protocol = "http";
+        }
+        {
+          listen = "0.0.0.0";
+          port = 7891;
+          protocol = "socks";
+          settings = {
+            auth = "noauth";
+            udp = true;
+          };
+        }
+      ];
+      outbounds = [
+        {
+          protocol = "freedom";
+          tag = "freedom";
+        }
+      ];
+    };
+  };
+}

hosts/idols_ai/default.nix

@@ -17,11 +17,6 @@ in {
     ./secureboot.nix
   ];
 
-  # set http proxy for nix-daemon
-  systemd.services.nix-daemon.environment = {
-    https_proxy = "http://192.168.5.201:7890";
-  };
-
   networking = {
     inherit hostName;
     inherit (vars_networking) defaultGateway nameservers;

hosts/idols_aquamarine/README.md

@@ -1,6 +1,17 @@
 # Idols - Aquamarine
 
-TODO: use aqua as a passby router(IPv4 only) to access the global internet.
+Use aqua as a passby router(IPv4 only) to access the global internet.
+
+
+## Troubleshooting
+
+### DNS cannot be resolved
+
+1. `sudo systemctl stop dae`, then try to resolve the domain name again.
+   - If it works, the problem is caused by `dae` service.
+   - check dae's log by `sudo journalctl -u dae`
+1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
+
 
 ## References
 

hosts/idols_aquamarine/config.dae

@@ -1,3 +1,10 @@
+# https://github.com/daeuniverse/dae/discussions/81
+# https://github.com/daeuniverse/dae/blob/main/example.dae
+
+# load all dae files placed in ./config.d/
+include {
+    config.d/*.dae
+}
 global {
     ##### Software options.
 
@@ -14,7 +21,7 @@ global {
     so_mark_from_dae: 0
 
     # Log level: error, warn, info, debug, trace.
-    log_level: info
+    log_level: debug
 
     # Disable waiting for network before pulling subscriptions.
     disable_waiting_network: false
@@ -24,11 +31,12 @@ global {
 
     # The LAN interface to bind. Use it if you want to proxy LAN.
     # Multiple interfaces split by ",".
-    lan_interface: ens18
+    lan_interface: br-lan
 
     # The WAN interface to bind. Use it if you want to proxy localhost.
     # Multiple interfaces split by ",". Use "auto" to auto detect.
-    wan_interface: auto
+    # bypass router has no WAN interface, so comment it.
+    # wan_interface: auto
 
     # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
     # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
@@ -37,7 +45,7 @@ global {
     # Automatically configure firewall rules like firewalld and fw4.
     # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
     # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
-    auto_config_firewall_rule: true
+    auto_config_firewall_rule: false
 
     ##### Node connectivity check.
 
@@ -98,30 +106,11 @@ global {
     utls_imitate: chrome_auto
 }
 
-# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
-# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
-subscription {
-    # Add your subscription links(or files that contains the link) here.
-    'file://dae-mysubscription-1.sub' # the path is related to /etc/dae/
-    'file://dae-mysubscription-2.sub'
-}
-
-# Nodes defined here will be merged as a part of the global node pool.
-node {
-    # Add your node links here.
-    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
-    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
-    # mylink: 'ss://LINK'
-    # node1: 'vmess://LINK'
-    # node2: 'vless://LINK'
-    # chains: 'tuic://LINK -> vmess://LINK'
-}
-
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
     # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
     # respond to type A queries and response empty answer to type AAAA queries.
-    #ipversion_prefer: 4
+    ipversion_prefer: 4
 
     # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
     # for these domains.
@@ -137,8 +126,8 @@ dns {
         # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
         # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
 
-        alidns: 'udp://dns.alidns.com:53'
-        googledns: 'tcp+udp://dns.google.com:53'
+        alidns: 'udp://223.5.5.5:53'
+        googledns: 'tcp+udp://8.8.8.8:53'
     }
     routing {
         # According to the request of dns query, decide to use which DNS upstream.
@@ -148,60 +137,91 @@ dns {
             qname(geosite:cn) -> alidns
             # fallback is also called default.
             fallback: googledns
+
+            # other custom rules
+            qname(geosite:category-ads) -> reject
+            qname(geosite:category-ads-all) -> reject
+            qtype(aaaa) -> reject
+            qname(regex: '.+\.linkedin$') -> googledns
+        }
+
+        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
+        # Match rules from top to bottom.
+        response {
+            # Trusted upstream. Always accept its result.
+            upstream(googledns) -> accept
+
+            # Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
+            ip(geoip:private) && !qname(geosite:cn) -> googledns
+
+            fallback: accept
         }
     }
-#    routing {
-#        # According to the request of dns query, decide to use which DNS upstream.
-#        # Match rules from top to bottom.
-#        request {
-#            # fallback is also called default.
-#            fallback: alidns
-#        }
-#        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
-#        # Match rules from top to bottom.
-#        response {
-#            # Trusted upstream. Always accept its result.
-#            upstream(googledns) -> accept
-#            # Possibly polluted, re-lookup using googledns.
-#            ip(geoip:private) && !qname(geosite:cn) -> googledns
-#            # fallback is also called default.
-#            fallback: accept
-#        }
-#    }
 }
 
 # Node group (outbound).
 group {
-    my_group {
-        # No filter. Use all nodes.
-
-        # Randomly select a node from the group for every connection.
-        #policy: random
-
-        # Select the first node from the group for every connection.
-        #policy: fixed(0)
-
-        # Select the node with min last latency from the group for every connection.
-        #policy: min
-
-        # Select the node with min moving average of latencies from the group for every connection.
-        policy: min_moving_avg
-    }
-
-    group2 {
-        # Filter nodes from the global node pool defined by the subscription and node section above.
-        #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
-
-        # Filter nodes from the global node pool defined by tag.
-        #filter: name(node1, node2)
-
+    proxy {
+        filter: name(keyword: 'Hong Kong')
+        filter: name(keyword: '香港')
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
         # Filter nodes and give a fixed latency offset to archive latency-based failover.
         # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
-        filter: name(HK_node)
-        filter: name(US_node) [add_latency: -500ms]
+        filter: name(keyword: 'USA') [add_latency: -500ms]
+        filter: name(keyword: '美国') [add_latency: -500ms]
+        filter: name(keyword: 'UK') [add_latency: -300ms]
+        filter: name(keyword: '英国') [add_latency: -300ms]
+        filter: name(keyword: 'Japan') [add_latency: 300ms]
+        filter: name(keyword: '日本') [add_latency: 300ms]
+
+        # Other filters:
+        #   Filter nodes from the global node pool defined by the subscription and node section above.
+        #     filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
+        #   Filter nodes from the global node pool defined by tag.
+        #     filter: name('node_a','node_b')
 
         # Select the node with min average of the last 10 latencies from the group for every connection.
         policy: min_avg10
+        # Other policies:
+        #   random         - Randomly select a node from the group for every connection.
+        #   fixed(0)       - Select the first node from the group for every connection.
+        #   min            - Select the node with min last latency from the group for every connection.
+        #   min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
+    }
+
+    media {
+        filter: name(keyword: 'Hong Kong')
+        filter: name(keyword: '香港')
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
+        filter: name(keyword: 'USA') [add_latency: -500ms]
+        filter: name(keyword: '美国') [add_latency: -500ms]
+        filter: name(keyword: 'UK') [add_latency: -300ms]
+        filter: name(keyword: '英国') [add_latency: -300ms]
+        filter: name(keyword: 'Japan') [add_latency: 300ms]
+        filter: name(keyword: '日本') [add_latency: 300ms]
+
+        policy: min_avg10
+    }
+
+    sg {
+        filter: name(keyword: 'Singapore')
+        filter: name(keyword: '新加坡')
+        policy: min_avg10
+    }
+
+    usa {
+        filter: name(keyword: 'USA')
+        filter: name(keyword: '美国')
+        policy: min_avg10
+    }
+
+    uk {
+        filter: name(keyword: 'UK')
+        filter: name(keyword: '英国')
+        filter: name(keyword: '美国')
+        policy: min_avg10
     }
 }
 
@@ -212,6 +232,7 @@ routing {
     # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
     # WAN.
     pname(NetworkManager) -> direct
+    pname(systemd-networkd) -> direct
 
     # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
     # forwarded by the proxy.
@@ -222,12 +243,75 @@ routing {
     # private addresses in your proxy host network, modify the below line.
     dip(geoip:private) -> direct
 
-    ### Write your rules below.
+    # --- Core rules ---#
 
-    # Disable h3 because it usually consumes too much cpu/mem resources.
+    # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
     l4proto(udp) && dport(443) -> block
+
+    # Direct access to all Chinese mainland-related IP addresses
     dip(geoip:cn) -> direct
     domain(geosite:cn) -> direct
 
-    fallback: my_group
+    # Use HK to access all other foreign sites
+    domain(geosite:geolocation-!cn) -> proxy
+    !dip(geoip:cn) -> proxy
+
+    # Block ads
+    domain(geosite:category-ads) -> block
+    domain(geosite:category-ads-all) -> block
+
+    # DNS
+    dip(8.8.8.8, 8.8.4.4) -> proxy
+    dip(223.5.5.5, 223.6.6.6) -> direct
+    domain(full:dns.alidns.com) -> direct
+    domain(full:dns.googledns.com) -> proxy
+    domain(full:dns.opendns.com) -> proxy
+
+    # --- Rules for other commonly used sites ---#
+
+    # Access github.com via UK's proxies
+    domain(geosite:github) -> uk
+
+    ### OpenAI
+    domain(geosite:openai) -> sg
+    domain(regex:'.+\.openai$') -> sg
+
+    ### Media
+    domain(geosite:netflix) -> media
+
+    ### Proxy
+    domain(suffix: linkedin.com) -> proxy
+    domain(keyword:'linkedin') -> proxy
+    domain(regex:'.+\.linkedin\.com$') -> proxy
+    domain(regex:'.+\.quay\.io$') -> proxy
+    domain(regex:'.+\.notion\.so$') -> proxy
+    domain(regex:'.+\.amazon\.com$') -> proxy
+    domain(regex:'.+\.oracle\.com$') -> proxy
+    domain(regex:'.+\.docker\.com$') -> proxy
+    domain(regex:'.+\.kubernetes\.io$') -> proxy
+
+    domain(geosite:microsoft) -> proxy
+    domain(geosite:linkedin) -> proxy
+    domain(geosite:twitter) -> proxy
+    domain(geosite:telegram) -> proxy
+    domain(geosite:google) -> proxy
+    domain(geosite:apple) -> proxy
+    domain(geosite:category-container) -> proxy
+    domain(geosite:category-dev) -> proxy
+    domain(geosite:google-scholar) -> proxy
+    domain(geosite:category-scholar-!cn) -> proxy
+
+    ### Direct
+    domain(regex:'.+\.edu\.cn$') -> proxy
+    domain(keyword:'baidu') -> direct
+    domain(keyword:'bilibili') -> direct
+    domain(keyword:'taobao') -> direct
+    domain(keyword:'alibabadns') -> direct
+    domain(keyword:'alicdn') -> direct
+    domain(keyword:'tbcache') -> direct
+    domain(keyword:'zhihu') -> direct
+    domain(keyword:'douyu') -> direct
+    domain(geosite:cloudflare-cn) -> direct
+
+    fallback: direct
 }

hosts/idols_aquamarine/dae.nix

@@ -1,9 +1,14 @@
 {
+  config,
   pkgs,
   daeuniverse,
+  ...
 }:
 # https://github.com/daeuniverse/flake.nix
-{
+let
+  daeConfigPath = "/etc/dae/config.dae";
+  subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
+in {
   imports = [
     daeuniverse.nixosModules.dae
     daeuniverse.nixosModules.daed
@@ -12,9 +17,9 @@
   # dae - eBPF-based Linux high-performance transparent proxy.
   services.dae = {
     enable = true;
-    package = pkgs.dae;
+    package = daeuniverse.packages.${pkgs.system}.dae;
     disableTxChecksumIpGeneric = false;
-    configFile = ./bypass-router.dae;
+    configFile = daeConfigPath;
     assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
     # alternatively, specify assets dir
     # assetsPath = "/etc/dae";
@@ -24,15 +29,29 @@
     };
   };
 
-  # daed, a modern web dashboard for dae.
-  services.daed = {
-    enable = true;
-    package = pkgs.daed;
-    configdir = "/etc/daed";
-    listen = "0.0.0.0:9090";
-    openfirewall = {
-      enable = true;
-      port = 9090;
-    };
-  };
+  # dae supports two types of subscriptions: base64 encoded proxies, and sip008.
+  # subscription can be a url return the subscription, or a file path that contains the subscription.
+  #
+  # Nix decrypt and merge my dae's base config and subscription config here.
+  # the subscription config is something like:
+  #   ```
+  #   subscription {
+  #     'https://www.example.com/subscription/link'
+  #     'https://example.com/no_tag_link'
+  #   }
+  #   node {
+  #     # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
+  #     node_a: 'trojan://'
+  #     node_b: 'trojan://'
+  #     node_c: 'vless://'
+  #     node_d: 'vless://'
+  #     node_e: 'vmess://'
+  #     node_f: 'tuic://'
+  #     node_h: 'juicity://'
+  #   }
+  #   ```
+  system.activationScripts.installDaeConfig = ''
+    install -Dm 600 ${./config.dae} ${daeConfigPath}
+    install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
+  '';
 }

hosts/idols_aquamarine/default.nix

@@ -6,40 +6,28 @@
 #############################################################
 let
   hostName = "aquamarine"; # Define your hostname.
-  hostAddress = vars_networking.hostAddress.${hostName};
 in {
   imports = [
     ./router.nix
     ./dae.nix
   ];
 
-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
   # supported file systems, so we can mount any removable disks with these filesystems
   boot.supportedFilesystems = [
     "ext4"
     "btrfs"
     "xfs"
-    #"zfs"
-    "ntfs"
     "fat"
     "vfat"
     "exfat"
-    "cifs" # mount windows share
   ];
 
-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
   boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
 
   networking = {
     inherit hostName;
-    inherit (vars_networking) defaultGateway nameservers;
-
-    networkmanager.enable = false;
-    interfaces.ens18 = {
-      useDHCP = false;
-      ipv4.addresses = [hostAddress];
-    };
+    inherit (vars_networking) nameservers;
   };
 
   # This value determines the NixOS release from which the default

hosts/idols_kana/default.nix

@@ -23,7 +23,7 @@ in {
     "cifs" # mount windows share
   ];
 
-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
   boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
 
   networking = {

hosts/idols_ruby/README.md

@@ -1,6 +1,6 @@
 # Idols - Ruby
 
-TODO: use kana for backup / sync my personal data.
+TODO: use ruby for backup / sync my personal data.
 For safety, those data should be encrypted before sending to the cloud or my NAS.
 
 1. restic: Backup file from homelab to NAS, or from NAS to Cloud

hosts/idols_ruby/default.nix

@@ -27,7 +27,7 @@ in {
     "cifs" # mount windows share
   ];
 
-  boot.kernelModules = ["kvm-amd" "kvm-intel"];
+  boot.kernelModules = ["kvm-amd"];
   boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
 
   networking = {