modules/network: enable dae on mainland machines

2025-04-10 12:56:43 +08:00 · 2025-04-10 12:56:43 +08:00 · 1aad6589cf
commit 1aad6589cf
parent f2cceba5f5
4 changed files with 150 additions and 14 deletions
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -31,12 +31,12 @@ in
  };
  # services.tailscale.useRoutingFeatures = "both";

-  services.dae.enable = true;
-  services.dae.configFile = "/var/lib/dae/config.dae";
-  systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
-    "NetworkManager-wait-online.service"
-  ];
-
+  # services.dae.enable = true;
+  # services.dae.configFile = "/var/lib/dae/config.dae";
+  # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
+  #   "NetworkManager-wait-online.service"
+  # ];
+  #
  # Open ports in the firewall.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 3389 ];
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -1,6 +1,8 @@
 prometheus:
    metrics_username: ENC[AES256_GCM,data:/CQfOA==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:JCdqyqGLRh09T25vmufiZw==,type:str]
    metrics_password: ENC[AES256_GCM,data:q/xMPuNtlcUFewMdVu6w2Q==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:B4LrObH1DsnnD5CcuOPOyg==,type:str]
+dae:
+    sub: ENC[AES256_GCM,data:kruAGgIBwiN508hwczGeVmh6Jr4Mg9BNEWSBNfYnBCCOrkSM1I5GRuG8EZqTq1+Ib+TRN8cgaqCEk2mpZ+7po1FjW1K8M0EBj9QvQCs7a+QVSmP6qS14WY1B,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:V/nZgi7AWHU2Kp5WGhaGAw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -88,8 +90,8 @@ sops:
            am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo
            hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-30T06:31:42Z"
-    mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str]
+    lastmodified: "2025-04-10T03:53:49Z"
+    mac: ENC[AES256_GCM,data:ioiGVfCWOn8Hc5EpCtcDTF4YoKtsMAchBlRM0C00WQbM9Ss3571Oly4jtymshDVbDFbH+y0gYcEXn8Fs5XYjd0rIa6mbaISLvPlG+P34SqHcVsh6eDU15z0vTAncbOHrok+/xAmg64WtiBxteMaWPsTVngCrmPYS247eCav+Jpo=,iv:K7PiHNn2IS0pGUh1F75TjliHMk8l6PaHmDshSPPA4BE=,tag:Jd/lHdeWUDQa5AwSwFCeSw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/modules/nixos/common-settings/mainland.nix
+++ b/modules/nixos/common-settings/mainland.nix
@ -16,10 +16,16 @@ let
  cfg = config.inMainland;
 in
 {
-  options.inMainland = mkOption {
+  options = {
+    inMainland = mkOption {
      type = types.bool;
      default = config.time.timeZone == "Asia/Shanghai";
    };
+    commonSettings.network.enableProxy = mkOption {
+      type = types.bool;
+      default = config.inMainland;
+    };
+  };

  config = mkIf cfg {
    nix.settings.extra-substituters = [
@ -31,9 +37,136 @@ in
      "ntp.ntsc.ac.cn"
    ];

-    services.dae = {
+    sops = mkIf config.commonSettings.network.enableProxy {
+      secrets = {
+        "dae/sub" = {
+          sopsFile = ../../../machines/secrets.yaml;
+        };
+      };
+      templates."dae/sub.dae".content = ''
+        subscription {
+          my_sub: '${config.sops.placeholder."dae/sub"}'
+        }
+      '';
+    };
+
+    systemd.services.dae.serviceConfig.LoadCredential = mkIf config.commonSettings.network.enableProxy [
+      "sub.dae:${config.sops.templates."dae/sub.dae".path}"
+    ];
+
+    services.dae = mkIf config.commonSettings.network.enableProxy {
      enable = mkDefault true;
-      configFile = mkDefault "/var/lib/dae/config.dae";
+      config = ''
+        include {
+          ./sub.dae
+        }
+        global {
+          tproxy_port: 12345
+          tproxy_port_protect: true
+          so_mark_from_dae: 0
+          log_level: info
+          disable_waiting_network: false
+
+          ##### Interface and kernel options.
+          # lan_interface: docker0
+          wan_interface: auto
+
+          auto_config_kernel_parameter: true
+
+          ##### Node connectivity check.
+          tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
+          tcp_check_http_method: HEAD
+
+          udp_check_dns: 'dns.quad9.net:53,9.9.9.9,2620:fe::fe'
+
+          check_interval: 30s
+
+          # Group will switch node only when new_latency <= old_latency - tolerance.
+          check_tolerance: 100ms 
+
+          ##### Connecting options.
+
+          
+          dial_mode: ${if config.commonSettings.network.localdns.enable then "domain+" else "domain"}
+          allow_insecure: false
+          sniffing_timeout: 100ms
+          tls_implementation: tls
+          # utls_imitate: firefox_auto
+
+          mptcp: true
+        }
+
+        # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
+        dns {
+          ipversion_prefer: 4
+
+          upstream {
+        	    globaldns: 'tls://dns.quad9.net'
+        	    cndns: 'h3://dns.alidns.com:443'
+        	    tsdns: 'udp://100.100.100.100'
+        	    localdns: 'udp://127.0.0.1:53' 
+          }
+
+          routing {
+            request {
+              ${
+                if config.commonSettings.network.localdns.enable then
+                  ''
+                    fallback: localdns
+                  ''
+                else
+                  ''
+                    qname(suffix:ts.net) -> tsdns
+                    qname(geosite:cn) -> cndns
+                    fallback: globaldns
+                  ''
+              }
+            }
+          }
+        }
+
+        # Node group (outbound).
+        group {
+          default_group {
+            filter: name(regex: '^(hk)[0-9]+') [add_latency: -30ms]
+            filter: name(regex: '^(la)[0-9]+') [add_latency: -140ms]
+            filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
+            policy: min_moving_avg
+          }
+        }
+
+        # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
+        routing {
+          # pname(kresd) && dport(53) && l4proto(udp)-> must_direct
+          # Disable h3 because it usually consumes too much cpu/mem resources.
+          l4proto(udp) && dport(443) -> block
+
+          pname(blackbox_exporter) -> direct
+          pname(tailscaled) -> direct
+
+          dip(224.0.0.0/3, 'ff00::/8') -> direct
+          dip(geoip:private) -> direct
+
+          # Direct traffic to dns server
+          dip(1.12.12.12) -> direct
+          dip(223.5.5.5) -> direct
+          dip(223.6.6.6) -> direct
+
+          # === Force Proxy ===
+          domain(geosite:linkedin) -> default_group
+
+          # === Custom direct rules ===
+          domain(geosite:cn) -> direct
+
+          domain(suffix:ipify.org) -> direct
+          domain(geosite:steam@cn) -> direct
+
+          dip(geoip:cn) -> direct
+
+          fallback: default_group
+        }
+      '';
+
    };
  };
 }
--- a/note.md
+++ b/note.md
@ -8,3 +8,4 @@ Demonstrate disk usage by nix-store path.
 - [x] synapse jmalloc
 - [ ] backup all directories under /var/lib/forgejo
 - [ ] collect caddy access logs with promtail (waiting for caddy v2.9.0 release after which log file mode can be set)
+- [ ] update "https" to "https-file" with dae 1.0.0