nixos/users/dae/config.dae

include {
  proxy.d/*.dae
}

global {
  # 绑定到 LAN 和/或 WAN 接口。将下述接口替换成你自己的接口名。
  lan_interface: auto
  wan_interface: auto

  log_level: trace
  allow_insecure: false
  auto_config_kernel_parameter: true
  dial_mode: domain
}

# 更多的 DNS 样例见 https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md
dns {
  upstream {
    googledns: 'tcp+udp://8.8.8.8:53'
    alidns: 'udp://114.114.114.114:53'
  }
  routing {
    request {
      fallback: alidns
    }
    response {
      upstream(googledns) -> accept
      ip(geoip: private) && !qname(geosite: cn) -> googledns
      fallback: accept
    }
  }
}

group {
  proxy {
    filter: subtag(wget)
    policy: min_moving_avg
  }
  us {
    filter: subtag(wget) && name(keyword: "美国")
    policy: min_moving_avg
  }
  hk {
    filter: subtag(wget) && name(keyword: "香港")
    policy: min_moving_avg
  }
}

# 更多的 Routing 样例见 https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md
routing {
  pname(hickory-dns) && dport(53) -> must_direct
  pname(mihomo) -> must_direct
  domain(geosite:cn) -> direct
  # personal config routing

  domain(full: time.windows.com) -> must_direct
  domain(suffix: 'hit.edu.cn') -> must_direct
  domain(geosite: microsoft) -> proxy
  # domain(geosite: onedrive) -> must_direct
  domain(geosite: 'category-ai-chat-!cn') -> us
  domain(geosite: google) -> us
  domain(geosite: google-play) -> proxy
  domain(geosite: apple) -> us
  domain(keyword: spotify) -> us
  domain(geosite: tiktok) -> us

  dip(geoip:private) -> direct
  dip(geoip:cn) -> direct
  # dport(63434) && sip(192.168.31.170) -> hk
  dip(223.5.5.5) -> direct
  
  # ban qq dns over http
  # dip(43.136.0.0/13) -> block
  # dip(109.244.0.0/16) -> block
  # dip(175.27.0.0/16) -> block
  # dip('2409:8C1E:75B0:80::/64') -> block

  ## 禁用 h3，因为它通常消耗很多 CPU 和内存资源
  # l4proto(udp) && dport(443) -> block

  fallback: proxy
}