move dae config to module

nixos/modules/dae/config.dae

@@ -0,0 +1,89 @@
+include {
+  proxy.d/*.dae
+}
+
+global {
+  lan_interface: auto
+  wan_interface: auto
+
+  log_level: trace
+  allow_insecure: false
+  auto_config_kernel_parameter: true
+  dial_mode: domain
+
+  tcp_check_url: 'http://cp.cloudflare.com'
+  udp_check_dns: 'dns.google.com:53'
+  check_interval: 600s
+  check_tolerance: 50ms
+
+  tproxy_port: 12345
+}
+
+dns {
+  ipversion_prefer: 4
+
+  upstream {
+    googledns: 'tcp+udp://8.8.8.8:53'
+    alidns: 'udp://dns.alidns.com:53'
+  }
+  routing {
+    request {
+      qname(geosite: category-ads) -> reject
+      qname(geosite: category-ads-all) -> reject
+      qname(geosite: cn) -> alidns
+      fallback: googledns
+    }
+    response {
+      upstream(googledns) && ip(geoip: private) -> alidns
+      fallback: accept
+    }
+  }
+}
+
+group {
+  proxy {
+    filter: subtag(wget)
+    policy: min_moving_avg
+  }
+  us {
+    filter: subtag(wget) && name(keyword: "美国")
+    policy: min_moving_avg
+  }
+  hk {
+    filter: subtag(wget) && name(keyword: "香港")
+    policy: min_moving_avg
+  }
+}
+
+# 更多的 Routing 样例见 https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md
+routing {
+  pname(hickory-dns) && dport(53) -> must_direct
+  pname(mihomo) -> must_direct
+  pname(systemd-resolved) -> must_direct
+
+  domain(full: time.windows.com) -> must_direct
+  domain(regex: ".*wgetcloud.*v2ray.*") -> must_direct
+  domain(suffix: "hit.edu.cn") -> must_direct
+  domain(geosite: microsoft) -> proxy
+  # domain(geosite: onedrive) -> must_direct
+  domain(geosite: "category-ai-chat-!cn") -> us
+  domain(geosite: google) -> us
+  domain(geosite: google-play) -> proxy
+  domain(geosite: apple) -> us
+  domain(geosite: spotify) -> us
+  domain(geosite: tiktok) -> us
+  domain(geosite: cn) -> direct
+
+  dip(geoip:private) -> direct
+  dip(geoip:cn) -> direct
+  # dport(63434) && sip(192.168.31.170) -> hk
+  dip(223.5.5.5) -> direct
+  
+  # ban qq dns over http
+  # dip(43.136.0.0/13) -> block
+  # dip(109.244.0.0/16) -> block
+  # dip(175.27.0.0/16) -> block
+  # dip('2409:8C1E:75B0:80::/64') -> block
+
+  fallback: proxy
+}

nixos/modules/dae/default.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  rootPath,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.youthlic.programs.dae;
+in
+{
+  options = {
+    youthlic.programs.dae = {
+      enable = lib.mkEnableOption "dae";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.dae = {
+      enable = true;
+      openFirewall = {
+        enable = true;
+        port = 12345;
+      };
+      disableTxChecksumIpGeneric = false;
+      config = builtins.readFile ./config.dae;
+    };
+    sops.secrets.url = {
+      mode = "0444";
+      sopsFile = rootPath + "/secrets/general.yaml";
+    };
+    systemd.services =
+      let
+        update = ''
+          head="user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
+          new_proxy=/etc/dae/proxy.d.new
+          num=0
+          check=1
+          urls="$(cat ${config.sops.secrets.url.path})"
+          mkdir -p ''${new_proxy}
+          for url in ''${urls}; do
+            txt=''${new_proxy}/''${num}.txt
+            config="''${new_proxy}/''${num}.dae"
+            echo \'curl -LH \""''${head}"\" \""''${url}"\" -o \""''${txt}"\"\'
+            curl -LH "''${head}" "''${url}" -o "''${txt}"
+            echo End curl
+            echo "" > ''${config}
+            {
+              echo 'subscription {'
+              echo \ \ wget:\ \"file://proxy.d/''${num}.txt\"
+              echo "}"
+            } >> ''${config}
+            if [[ ! -s ''${txt} ]]; then
+              check=0
+            fi
+            chmod 0640 ''${txt}
+            chmod 0640 ''${config}
+            num=$((num+1))
+
+            if [[ ''${check} -eq 0 ]]; then
+              echo "''${txt}" is empty
+              exit 103
+            fi
+          done
+          if [[ -d /etc/dae/proxy.d ]]; then
+            mv /etc/dae/proxy.d /etc/dae/proxy.d.old
+          fi
+          mv ''${new_proxy} /etc/dae/proxy.d
+        '';
+        updateScript = pkgs.writeShellApplication {
+          name = "update.sh";
+          runtimeInputs = with pkgs; [
+            coreutils
+            curl
+          ];
+          text = ''
+            mkdir -p /etc/proxy.d
+            if [ -z "$(ls -A /etc/dae/proxy.d 2>/dev/null)" ]; then
+              echo "No subscription file found in /etc/dae/proxy.d. Update now..."
+              ${update}
+            else
+              echo "Found existing subscription files. Skipping immediate update."
+            fi
+          '';
+        };
+        updateForceScript = pkgs.writeShellApplication {
+          name = "update-force.sh";
+          runtimeInputs = with pkgs; [
+            coreutils
+            curl
+          ];
+          text = ''
+            ${update}
+          '';
+        };
+      in
+      {
+        "update-dae-subscription-immediate" = {
+          after = [ "network-online.target" ];
+          wants = [ "network-online.target" ];
+          before = [ "dae.service" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "root";
+            ExecStart = [
+              "${updateScript}/bin/update.sh"
+            ];
+          };
+          wantedBy = [ "multi-user.target" ];
+        };
+        "update-dae-subscription-force" = {
+          serviceConfig = {
+            Type = "oneshot";
+            User = "root";
+            ExecStartPre = [
+              "-${pkgs.systemd}/bin/systemctl stop dae.service"
+            ];
+            ExecStartPost = [
+              "-${pkgs.systemd}/bin/systemctl start dae.service"
+            ];
+            ExecStart = [
+              "${updateForceScript}/bin/update-force.sh"
+            ];
+          };
+        };
+      };
+  };
+}

nixos/modules/default.nix

@@ -17,6 +17,7 @@
       ./nix.nix
       ./home.nix
       ./sops.nix
+      ./dae
     ];
 
   config = {