# —————————————————————————————————— local proxy —————————————————————————————————
port: 7890
socks-port: 7891
redir-port: 7892
tproxy-port: 7893
mixed-port: 7893
allow-lan: true
bind-address: "*"
# authentication of local SOCKS5/HTTP(S) server
# authentication:
#  - "user1:pass1"
#  - "user2:pass2"

# —————————————————————————————— external controller —————————————————————————————
external-controller: 127.0.0.1:9090
secret: '314159271828'
external-ui: "/usr/share/openclash/ui"
authentication:
- dts-pontifex-clash:314159271828

# ———————————————————————————————————— general ———————————————————————————————————
mode: rule
ipv6: false
unified-delay: true
log-level: info
disable-keep-alive: true
# interface-name: en0 # Outbound interface name

# ————————————————————————————————————— hosts ————————————————————————————————————
hosts:

# ———————————————————————————————————— profile ———————————————————————————————————
profile:
  store-selected: true
  store-fake-ip: true

# ———————————————————————————————————— sniffer ———————————————————————————————————
sniffer:
  enable: true
  parse-pure-ip: true

# —————————————————————————————————————— dns —————————————————————————————————————
dns:
  enable: true
  listen: 0.0.0.0:53
  default-nameserver:
  - 114.114.114.114
  - 8.8.8.8
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter-mode: blacklist
  fake-ip-filter:
     # ———————————————————— self-hosted domains ———————————————————
     - '*.lan'
     - '*.dts'
     - '*.webway.dts'
     - '*.netbird.selfhosted'
     - '*.shamanlanding.org'
     - '*.retreat.shamanlanding.org'
     - '*.hq.shamanlanding.org'
  nameserver:
  - https://purpose.shamanlanding.org/dns-query/dts-pontifex

  # If IP addresses resolved with servers in `nameservers` are in the specified
  # subnets below, they are considered invalid and results from `fallback`
  # servers are used instead.
  #
  # IP address resolved with servers in `nameserver` is used when
  # `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`.
  #
  # If `fallback-filter.geoip` is false, results from `nameserver` nameservers
  # are always used if not match `fallback-filter.ipcidr`.
  #
  # This is a countermeasure against DNS pollution attacks.
  # fallback-filter:
  #   geoip: true
  #   geoip-code: CN
  #   ipcidr:
  #     - 240.0.0.0/4
  #   domain:
  #     - '+.google.com'
  #     - '+.facebook.com'
  #     - '+.youtube.com'
    # Lookup domains via specific nameservers
  # nameserver-policy:
  #   'www.baidu.com': '114.114.114.114'
  #   '+.internal.crop.com': '10.0.0.1'

# ————————————————————————————————————— macro ————————————————————————————————————
  health-check-1min-gstatic: &health_check_1min_gstatic
    enable: true
    interval: 600
    url: http://www.gstatic.com/generate_204
  
  default-rule-provider-config: &default_rule_provider_config
    type: http
    behavior: classical
    interval: 86400


# ————————————————————————————————— proxies list —————————————————————————————————
proxies:
  # ————————————————————— direct wan routes ————————————————————
  - name: "Direct WAN A [Мегафон]"
    type: direct
    udp: true
    ip-version: ipv4
    interface-name: eth2
  - name: "Direct WAN B [РосТелеКом]"
    type: direct
    udp: true
    ip-version: ipv4
    interface-name: eth2
  - name: "Direct WAN C [Мобильная сеть]"
    type: direct
    udp: true
    ip-version: ipv4
    interface-name: eth2

  # ——————————————————— private vpn services ———————————————————
  - name: vless-serbia
    type: vless
    server: 38.180.101.70
    port: 443
    uuid: e31308a8-f7d3-4007-b077-6fd21e9c7310
    udp: false
    tls: true
    client-fingerprint: chrome
    servername: kingnews.rs
    network: tcp
    flow: xtls-rprx-vision
    reality-opts:
      public-key: xBnrKijFwmka88VI1xWYzUS9jT1SyA5UdJQ8vg5BZzw
      short-id: a9a07155
  
  - name: vless-estonia
    type: vless
    server: 37.252.4.126
    port: 443
    uuid: '028c65fd-9192-4adc-af68-e01fe5881cdd'
    udp: false
    tls: true
    client-fingerprint: chrome
    servername: yahoo.com
    network: tcp
    flow: xtls-rprx-vision
    reality-opts:
      public-key: HwuNN-BUkUm1acVf0POkJHyfSj9puyATJDIxcR_OfE4
      short-id: '58024220'


# ———————————————————————————————— proxy providers ———————————————————————————————
proxy-providers:
  # ——————————————————— private vpn services ———————————————————

  
  # ——————————————————— non-personal services ——————————————————
  full-xfinn-test:
    type: http
    url: "https://gitea.shamanlanding.org/DaTekShaman/arcadia/raw/branch/main/CLASH%20RULES/proxy-providers/gofinn-test-account-full"
    interval: 3600
    proxy: DIRECT
    path: "./proxy_provider/gofinn-test-acoount-full.txt"
    health-check:
      <<: *health_check_1min_gstatic

# ————————————————————————————————— proxy groups —————————————————————————————————
proxy-groups:
  # ————————————————————————— fallback —————————————————————————
  - name: "Automatic Fallback Route"
    type: fallback
    proxies:
      - DIRECT
    url: 'https://cp.cloudflare.com/generate_204'
    interval: 300
  
  # ————————————————————— direct wan routes ————————————————————
  - name: Direct Multi-WAN Load Balancer [AB]
    type: load-balancer
    disable-udp: false
    proxies:
      - Direct WAN A [Мегафон]
      - Direct WAN B [РосТелеКом]

  - name: Direct Route for Unprivileged Webway Clients
    type: select
    disable-udp: false
    proxies:
      - Direct WAN A [Мегафон]
      - Direct WAN B [РосТелеКом]

  - name: Direct Route for Privileged Webway Clients
    type: select
    disable-udp: false
    proxies:
      - Direct WAN A [Мегафон]
      - Direct WAN B [РосТелеКом]

  - name: Direct Route for LAN Clients
    type: select
    disable-udp: false
    proxies:
      - Direct Multi-WAN Load Balancer [AB]
      - Direct WAN A [Мегафон]
      - Direct WAN B [РосТелеКом]
      - Direct WAN C [Мобильная сеть]

  - name: Direct Route for IOT Clients
    type: select
    disable-udp: false
    proxies:
      - Direct Multi-WAN Load Balancer [AB]
      - Direct WAN A [Мегафон]
      - Direct WAN B [РосТелеКом]
      - Direct WAN C [Мобильная сеть]

  # ————————————————————————— selectors ————————————————————————
  
  - name: YouTube for LAN Clients
    type: select
    use:
      - full-xfinn-test
    proxies:
      - vless-estonia
      - vless-serbia
    url: https://cp.cloudflare.com/generate_204
    interval: 300

  - name: Testzone A
    type: select
    use:
      - full-xfinn-test
    proxies:
      - vless-estonia
      - vless-serbia
    url: https://cp.cloudflare.com/generate_204
    interval: 300

# ———————————————————————————————— rule providers ————————————————————————————————
rule-providers:
  
  # ———————————————————— external providers ————————————————————
  AI Stuff:
    url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/AI%20Suite.yaml                                # AI Stuff
    path: "./rule_provider/ai-stuff.yaml"                                                                                 
    <<: *default_rule_provider_config

  Notion:
    url: https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/refs/heads/master/rule/Clash/Notion/Notion.yaml     # Notion
    path: "./rule_provider/notion.yaml"
    <<: *default_rule_provider_config
  
  Youtube:
    url: https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/refs/heads/master/rule/Clash/Notion/Notion.yaml     # Youtube
    path: "./rule_provider/youtube.yaml"
    <<: *default_rule_provider_config
  
  # ———————————————————— internal providers ————————————————————
  Testzone A:
    url: https://gitea.shamanlanding.org/DaTekShaman/arcadia/raw/branch/main/CLASH%20RULES/rule-providers/ip-test.yaml
    path: "./rule_provider/0000-lpx-testzone-a.yaml"
    <<: *default_rule_provider_config
  General Direct Domain List:
    url: http://purpose.shamanlanding.org:9999/direct-domain.yaml
    path: "./ruleset/direct-domain.yaml"
    <<: *default_rule_provider_config
  General Direct IP List:
    url: http://purpose.shamanlanding.org:9999/direct-ip.yaml
    path: "./ruleset/direct-ip.yaml"
    <<: *default_rule_provider_config
  General Proxy Domain List:
    url: http://purpose.shamanlanding.org:9999/proxy-domain.yaml
    path: "./ruleset/proxy-domain.yaml"
    <<: *default_rule_provider_config
  General Proxy IP List:
    url: http://purpose.shamanlanding.org:9999/proxy-ip.yaml
    path: "./ruleset/proxy-ip.yaml"
    <<: *default_rule_provider_config
  
  # ————————————————— antifilter community list ————————————————
  Antifilter IP List:
    url: http://purpose.shamanlanding.org:9999/antifilter-ip.yaml
    path: "./ruleset/antifilter-ip.yaml"
    <<: *default_rule_provider_config
  Antifilter Community IP List:
    url: http://purpose.shamanlanding.org:9999/antifilter-community-ip.yaml
    path: "./ruleset/antifilter-community-ip.yaml"
    <<: *default_rule_provider_config
  Antifilter Community Domain List:
    url: http://purpose.shamanlanding.org:9999/antifilter-community-domain.yaml
    path: "./ruleset/antifilter-community-domain.yaml"
    <<: *default_rule_provider_config

# ————————————————————————————————————— rules ————————————————————————————————————
rules:

- RULE-SET,Youtube,YouTube for LAN Clients
- RULE-SET,Testzone A,Testzone A

- RULE-SET,General Direct Domain List,Direct Route for LAN Clients
- RULE-SET,General Direct IP List,Direct Route for LAN Clients
- RULE-SET,General Proxy Domain List,Testzone A
- RULE-SET,General Proxy IP List,Testzone A

- RULE-SET,Antifilter IP List,Testzone A
- RULE-SET,Antifilter Community IP List,Testzone A
- RULE-SET,Antifilter Community Domain List,Testzone A

- MATCH,Direct Route for LAN Clients