feat: migrate all nixos services from idols to 12kingdoms

hosts/12kingdoms-suzu/microvm/suzi/dae.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  pkgs,
+  daeuniverse,
+  ...
+}:
+# https://github.com/daeuniverse/flake.nix
+let
+  daeConfigPath = "/etc/dae/config.dae";
+  subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
+in {
+  imports = [
+    daeuniverse.nixosModules.dae
+  ];
+
+  # dae - eBPF-based Linux high-performance transparent proxy.
+  services.dae = {
+    enable = true;
+    package = daeuniverse.packages.${pkgs.system}.dae;
+    disableTxChecksumIpGeneric = false;
+    configFile = daeConfigPath;
+    assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
+    # alternatively, specify assets dir
+    # assetsPath = "/etc/dae";
+    openFirewall = {
+      enable = true;
+      port = 12345;
+    };
+  };
+
+  systemd.services.dae.serviceConfig = {
+    Restart = "on-failure";
+    RestartSec = 10;
+  };
+
+  # dae supports two types of subscriptions: base64 encoded proxies, and sip008.
+  # subscription can be a url return the subscription, or a file path that contains the subscription.
+  #
+  # Nix decrypt and merge my dae's base config and subscription config here.
+  # the subscription config is something like:
+  #   ```
+  #   subscription {
+  #     'https://www.example.com/subscription/link'
+  #     'https://example.com/no_tag_link'
+  #   }
+  #   node {
+  #     # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
+  #     node_a: 'trojan://'
+  #     node_b: 'trojan://'
+  #     node_c: 'vless://'
+  #     node_d: 'vless://'
+  #     node_e: 'vmess://'
+  #     node_f: 'tuic://'
+  #     node_h: 'juicity://'
+  #   }
+  #   ```
+  system.activationScripts.installDaeConfig = ''
+    install -Dm 600 ${./config.dae} ${daeConfigPath}
+    install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
+  '';
+}