# Ansible Proxy Chain

Ansible playbook for provisioning a two-server chained proxy setup:

- **Relay server (中转机)**: Shadowsocks-rust — handles general traffic
- **Landing server (落地机)**: Trojan-Go — handles AI/streaming services requiring local IP

Client-side Surge uses `underlying-proxy` to chain connections:

```
Client → Relay (SS) → Landing (Trojan) → Internet   # chained
Client → Landing (Trojan) → Internet                # direct
Client → Relay (SS) → Internet                      # relay only
```

## Prerequisites

- Two servers running Ubuntu/Debian
- A domain name pointing to the landing server (for Trojan TLS)
- Ansible 2.12+ on your local machine
- `community.general` Ansible collection: `ansible-galaxy collection install community.general`

## Setup

### 1. Configure inventory

Edit `inventory/hosts.yml` with your server IPs:

```yaml
all:
  children:
    relay:
      hosts:
        relay-server:
          ansible_host: "1.2.3.4"
    landing:
      hosts:
        landing-server:
          ansible_host: "5.6.7.8"
```

### 2. Configure secrets

```bash
cp group_vars/vault.yml.example group_vars/vault.yml
# Edit vault.yml with your passwords
ansible-vault encrypt group_vars/vault.yml
```

### 3. Configure variables

Edit `group_vars/relay.yml`:

- `ss_port`: Shadowsocks listen port (default: 8388)
- `ss_cipher`: Encryption method (default: aes-256-gcm)

Edit `group_vars/landing.yml`:

- `trojan_domain`: Your domain name
- `certbot_email`: Email for Let's Encrypt notifications

### 4. Run the playbook

```bash
ansible-playbook site.yml --ask-vault-pass
```

## Client Configuration

See `docs/surge-client.conf` for a reference Surge client configuration with:

- Proxy definitions (Relay-SS, Landing-Trojan, Landing-Chain)
- Routing rules using [Sukka's rulesets](https://github.com/SukkaW/Surge)
- AI and streaming traffic → chained through landing server
- Default traffic → relay server

## Project Structure

```
├── ansible.cfg
├── inventory/
│   └── hosts.yml
├── group_vars/
│   ├── all.yml
│   ├── relay.yml
│   ├── landing.yml
│   └── vault.yml.example
├── roles/
│   ├── base/           # SSH hardening, UFW, fail2ban
│   ├── shadowsocks/    # shadowsocks-rust (relay)
│   └── trojan/         # trojan-go + certbot (landing)
├── docs/
│   └── surge-client.conf
└── site.yml
```

## Variables Reference

| Variable | Default | Description |
|---|---|---|
| `ss_port` | 8388 | Shadowsocks listen port |
| `ss_cipher` | aes-256-gcm | Shadowsocks encryption method |
| `ss_version` | 1.21.2 | shadowsocks-rust release version |
| `trojan_port` | 443 | Trojan listen port |
| `trojan_domain` | — | Domain name for TLS certificate |
| `trojan_fallback_port` | 8080 | Fallback port for non-Trojan traffic |
| `trojan_version` | 0.10.6 | trojan-go release version |
| `certbot_email` | — | Email for Let's Encrypt |
| `ssh_port` | 22 | SSH listen port |
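Step 2 above relies on `ansible-vault encrypt` having been run before `group_vars/vault.yml` is committed; the file is on the same path as `vault.yml.example`, so a plaintext copy is easy to push by accident. The following pre-commit style check is an added example for this README, not part of the playbook: it inspects the `$ANSIBLE_VAULT` envelope (header plus hex payload) rather than trusting the file name. The sample strings inside it are constructed, not real vault output.

```python
# Added example (not part of the playbook): refuse to commit a vault file
# unless it is really ansible-vault encrypted, judged by its envelope.
import re
import sys
from pathlib import Path

# Envelope: "$ANSIBLE_VAULT;<version>;AES256[;<vault-id>]" then hex lines; 1.2 carries a vault-id.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;([\w.-]+))?$")
HEX_LINE_RE = re.compile(r"^[0-9a-f]+$")

# Constructed samples (not real vault output) for the demo in __main__.
SAMPLE_PLAINTEXT = "ss_password: hunter2\ntrojan_password: hunter3\n"
SAMPLE_ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n3439636266\n6638316532\n"


def vault_status(text):
    """Return (is_encrypted, reason) for the contents of a vault file."""
    lines = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip()]
    if not lines:
        return False, "empty file"
    m = HEADER_RE.match(lines[0])
    if not m:
        return False, "no $ANSIBLE_VAULT header: secrets are in plaintext"
    version, vault_id = m.group(1), m.group(2)
    if version == "1.2" and not vault_id:
        return False, "format 1.2 header is missing its vault-id label"
    if len(lines) == 1:
        return False, "header without encrypted payload"
    for n, ln in enumerate(lines[1:], start=2):
        if not HEX_LINE_RE.match(ln):
            return False, f"line {n} is not hex payload"
    return True, f"encrypted (format {version}, id={vault_id or 'default'})"


def check_files(paths):
    """Return failure messages; an empty list means every file passed."""
    failures = []
    for p in paths:
        path = Path(p)
        ok, why = (False, "missing") if not path.is_file() else vault_status(path.read_text())
        if not ok:
            failures.append(f"{path}: {why}")
    return failures


if __name__ == "__main__":
    print("demo:", vault_status(SAMPLE_PLAINTEXT)[1], "|", vault_status(SAMPLE_ENCRYPTED)[1])
    problems = check_files(sys.argv[1:] or ["group_vars/vault.yml"])
    for msg in problems:
        print("REFUSE COMMIT:", msg)
    sys.exit(1 if problems else 0)
```

Wire it into a git `pre-commit` hook with the vault path as argument; a non-zero exit blocks the commit.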