
feat: restructure Surge client config with SukkaW ruleset conventions

Adopt skk.moe's standard Proxy/Native group naming and expand [General]
settings with DNS, IPv6, and connectivity options. Replace minimal rule
set with comprehensive service-based routing (streaming, Telegram, Apple,
Microsoft, AI, etc.).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kotoyuuko 3 週間 前
コミット
4b7f026907
1 ファイル変更71 行追加27 行削除
  1. 71 27
      templates/surge-client.conf.j2

+ 71 - 27
templates/surge-client.conf.j2

@@ -1,42 +1,86 @@
 [General]
+skip-proxy = 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, 162.14.0.0/16, 211.99.96.0/19, 162.159.192.0/24, 162.159.193.0/24, 162.159.195.0/24, fc00::/7, fe80::/10, localhost, *.local, captive.apple.com, passenger.t3go.cn, *.ccb.com, wxh.wo.cn, *.abcchina.com, *.abcchina.com.cn
+exclude-simple-hostnames = true
+internet-test-url = http://connectivitycheck.platform.hicloud.com/generate_204
+proxy-test-url = http://www.apple.com/
+proxy-test-udp = www.apple.com@64.6.64.6
+test-timeout = 2
+dns-server = 223.5.5.5, 114.114.114.114
+hijack-dns = 8.8.8.8:53, 8.8.4.4:53
+wifi-assist = true
+vif-mode = v3
+ipv6 = false
+ipv6-vif = off
 loglevel = notify
+show-error-page-for-reject = true
+read-etc-hosts = true
+udp-policy-not-supported-behaviour = REJECT
 
 [Proxy]
-# Relay server - Shadowsocks (中转机)
-Relay-SS = ss, {{ hostvars[groups['relay'][0]]['relay_domain'] }}, {{ hostvars[groups['relay'][0]]['ss_port'] }}, encrypt-method={{ hostvars[groups['relay'][0]]['ss_cipher'] }}, password={{ hostvars[groups['relay'][0]]['ss_password'] }}
-
-# Landing server - Trojan direct (落地机直连)
-Landing-Trojan = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}
-
-# Landing server - chained through relay (落地机经中转)
-Landing-Chain = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}, underlying-proxy=Relay-SS
+Relay = ss, {{ hostvars[groups['relay'][0]]['relay_domain'] }}, {{ hostvars[groups['relay'][0]]['ss_port'] }}, encrypt-method={{ hostvars[groups['relay'][0]]['ss_cipher'] }}, password={{ hostvars[groups['relay'][0]]['ss_password'] }}
+Landing = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}, underlying-proxy=Relay
 
 [Proxy Group]
-# For services needing landing server's local IP (AI, streaming)
-Chain = select, Landing-Chain
-# For direct access to landing server
-Direct-Landing = select, Landing-Trojan
+Proxy = select, Relay
+Native = select, Landing
 
 [Rule]
-# Sukka's Rulesets (https://github.com/SukkaW/Surge)
-# DOMAIN-SET and non_ip rules MUST come before ip rules
+# Block: SougouInput
+RULE-SET,https://ruleset.skk.moe/List/non_ip/sogouinput.conf,REJECT-DROP
+
+# Block: AD
+DOMAIN-SET,https://ruleset.skk.moe/List/domainset/reject.conf,REJECT
+RULE-SET,https://ruleset.skk.moe/List/non_ip/reject.conf,REJECT,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/ip/reject.conf,REJECT-DROP
+
+# Block: Append
+RULE-SET,https://ruleset.skk.moe/List/non_ip/reject-no-drop.conf,REJECT-NO-DROP,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/non_ip/reject-drop.conf,REJECT-DROP,extended-matching
+
+# Service: Streaming
+RULE-SET,https://ruleset.skk.moe/List/non_ip/stream.conf,Native,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/ip/stream.conf,Native
 
-# --- AI Services → Chain (exit from landing IP) ---
-DOMAIN-SET,https://ruleset.skk.moe/List/domainset/ai.conf,Chain
-RULE-SET,https://ruleset.skk.moe/List/non_ip/ai.conf,Chain
+# Service: Telegram
+RULE-SET,https://ruleset.skk.moe/List/non_ip/telegram.conf,Native,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/ip/telegram.conf,Native
+PROCESS-NAME,Telegram,REJECT-DROP
 
-# --- Streaming Services → Chain (exit from landing IP) ---
-RULE-SET,https://ruleset.skk.moe/List/non_ip/stream_us.conf,Chain
+# Service: Apple & Microsoft Local CDN
+RULE-SET,https://ruleset.skk.moe/List/non_ip/apple_cdn.conf,DIRECT
+RULE-SET,https://ruleset.skk.moe/List/non_ip/microsoft_cdn.conf,DIRECT
 
-# --- China Direct (domain rules) ---
-DOMAIN-SET,https://ruleset.skk.moe/List/domainset/cn.conf,DIRECT
-RULE-SET,https://ruleset.skk.moe/List/non_ip/domestic.conf,DIRECT
+# Service: Download
+DOMAIN-SET,https://ruleset.skk.moe/List/domainset/download.conf,DIRECT,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/non_ip/download.conf,DIRECT,extended-matching
 
-# --- IP-based rules (must come after domain rules) ---
-RULE-SET,https://ruleset.skk.moe/List/ip/stream_us.conf,Chain
+# Service: Apple CN
+RULE-SET,https://ruleset.skk.moe/List/non_ip/apple_cn.conf,DIRECT
 
-# --- China Direct (IP rules) ---
+# Service: Apple
+RULE-SET,https://ruleset.skk.moe/List/non_ip/apple_services.conf,Proxy,extended-matching
+RULE-SET,https://ruleset.skk.moe/List/non_ip/microsoft.conf,Proxy,extended-matching
+DOMAIN-SET,https://ruleset.skk.moe/List/domainset/icloud_private_relay.conf,Proxy
+
+# Service: AI
+RULE-SET,https://ruleset.skk.moe/List/non_ip/ai.conf,Native,extended-matching
+
+# Service: Global
+RULE-SET,https://ruleset.skk.moe/List/non_ip/global.conf,Proxy,extended-matching
+
+# Service: Netease Music
+RULE-SET,https://ruleset.skk.moe/List/non_ip/neteasemusic.conf,DIRECT,extended-matching
+
+# Location: CN
+RULE-SET,https://ruleset.skk.moe/List/non_ip/domestic.conf,DIRECT,extended-matching
 RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf,DIRECT
+RULE-SET,https://ruleset.skk.moe/List/ip/china_ip.conf,DIRECT
+
+# LAN
+RULE-SET,https://ruleset.skk.moe/List/non_ip/lan.conf,DIRECT
+RULE-SET,https://ruleset.skk.moe/List/ip/lan.conf,DIRECT
 
-# --- Default: all other traffic through relay ---
-FINAL,Relay-SS
+# Default
+RULE-SET,LAN,DIRECT
+GEOIP,CN,DIRECT
+FINAL,Proxy,dns-failed
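Review bot: The IP rule sets `ip/reject.conf`, `ip/stream.conf` and `ip/telegram.conf` now sit above the non_ip sets for Apple, Microsoft, AI and global, and the commit also removes the comment saying DOMAIN-SET and non_ip rules must come before ip rules. Unless the remote entries carry `no-resolve` (not visible here), a hostname that reaches an IP rule is resolved locally first. Names later routed to `Native` or `Proxy` would then be looked up through `dns-server = 223.5.5.5, 114.114.114.114` before the routing decision is made. Consider moving those three lines down beside `RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf,DIRECT`, with `PROCESS-NAME,Telegram,REJECT-DROP` kept after `ip/telegram.conf` so Telegram's IP connections still match first. Restoring a comment such as `# non_ip and DOMAIN-SET rules must come before ip rules` would keep the invariant visible to the next editor.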