[General]
loglevel = notify

[Proxy]
# Relay server - Shadowsocks (中转机)
Relay-SS = ss, {{ hostvars[groups['relay'][0]]['ansible_host'] }}, {{ ss_port }}, encrypt-method={{ ss_cipher }}, password={{ ss_password }}

# Landing server - Trojan direct (落地机直连)
Landing-Trojan = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}

# Landing server - chained through relay (落地机经中转)
Landing-Chain = trojan, {{ trojan_domain }}, {{ trojan_port }}, password={{ trojan_password }}, underlying-proxy=Relay-SS

[Proxy Group]
# For services needing landing server's local IP (AI, streaming)
Chain = select, Landing-Chain
# For direct access to landing server
Direct-Landing = select, Landing-Trojan

[Rule]
# Sukka's Rulesets (https://github.com/SukkaW/Surge)
# DOMAIN-SET and non_ip rules MUST come before ip rules

# --- AI Services → Chain (exit from landing IP) ---
DOMAIN-SET,https://ruleset.skk.moe/List/domainset/ai.conf,Chain
RULE-SET,https://ruleset.skk.moe/List/non_ip/ai.conf,Chain

# --- Streaming Services → Chain (exit from landing IP) ---
RULE-SET,https://ruleset.skk.moe/List/non_ip/stream_us.conf,Chain

# --- China Direct (domain rules) ---
DOMAIN-SET,https://ruleset.skk.moe/List/domainset/cn.conf,DIRECT
RULE-SET,https://ruleset.skk.moe/List/non_ip/domestic.conf,DIRECT

# --- IP-based rules (must come after domain rules) ---
RULE-SET,https://ruleset.skk.moe/List/ip/stream_us.conf,Chain

# --- China Direct (IP rules) ---
RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf,DIRECT

# --- Default: all other traffic through relay ---
FINAL,Relay-SS