defaults/main.yml

# We download xray release Xray-{{ xray_os_arch }}-{{ xray_version }}.tar.gz
xray_os_arch: linux-64
xray_version: v24.9.30

#######################################
# Remote xray server related config.
#######################################
# uuid for local xray client itself.
# Run `uuidgen` to generate valid uuid.
xray_client_uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
# uuid for all clients on xray server.
xray_server_clients:
  - { uuid: "{{ xray_client_uuid }}", email: xray@router }
  # Specify other clients here.
  #- { uuid: yyyy-yyyy..., email: client@host }
# xray_server_* is used for specifying remote xray server information.
# dns_name is used for server certificate checking.
xray_server_dns_name: xray-server.domain
# Optional to specify server ip to avoid name resolve.
#xray_server_ip: 1.2.3.4
xray_server_port: 443

# Use fallback syntax of xray. Convert to json in the generated config file.
xray_server_fallbacks:
  - dest: 80
xray_server_certifacate_file: /etc/letsencrypt/live/{{ xray_server_dns_name }}/fullchain.pem
xray_server_key_file: /etc/letsencrypt/live/{{ xray_server_dns_name }}/privkey.pem

#######################################
# xray transport
#######################################

# Must choose only one transport method.

##### xtls
#xray_transport: xtls
xray_xtls_server_flow: xtls-rprx-direct
# Refer to https://github.com/XTLS/Xray-core/discussions/59 before using xtls-rprx-splice.
# Performance may drop due to enabling ip forwarding.
xray_xtls_client_flow: xtls-rprx-splice

# Or use XTLS Vision. Refer to [XTLS Vision, fixes TLS in TLS, to the star and beyond](https://github.com/XTLS/Xray-core/discussions/1295)
# Not tested yet.
#xray_xtls_server_flow: xtls-rprx-vision
#xray_xtls_client_flow: xtls-rprx-vision

##### websocket
xray_transport: websocket
# Please do not include slash in websocket path. Template will add slash.
xray_websocket_path: REPLACE_WITH_RANDOM_PATH_AND_SYNC_WITH_WEBSERVER

#######################################
# Local xray config.
#######################################
# For local http proxy server.
xray_local_address: 192.168.1.254
xray_http_port: 1984
# For local DNS server.
# If there are other DNS server running, change to use other port.
xray_dns_port: 53
# For local transparent proxy server.
xray_tproxy_port: 1812

xray_client_tls_fingerprint: chrome

# Transparent proxy for only selected source IPs (subnet or host).
# Traffic from other IPs are not affected.
# This is optional. If not defined, all forwarding traffic will be intercepted by transparent proxy.
#xray_tproxy_src_addresses:
#  lan0: # For lan host.
#    - 192.168.1.0/24
#  wg0: # For WireGuard peer.
#    - 192.168.3.2

# Config for locally generated traffic processing.
xray_tproxy_local_traffic:
  # Set this to true to intercept locally generated traffic with transparent proxy.
  enable: true
  # For local services
  direct_tcp_src_ports:
    - 22
  direct_udp_src_ports:
    - "{{ xray_dns_port }}"
    # For IPsec service.
    - 500
    - 4500
    # Also add wireguard port here if running wireguard and xray together.

# Use following DNS servers for domains that have to be resolved by remote xray server.
# Must specify at least one. Otherwise the generated config would be invalid json.
xray_proxy_dns_servers:
  - 1.1.1.1
  - 8.8.8.8
# Specify domains that must be resolved with remote xray server.
# These domains will also use proxy in routing.
xray_proxy_dns_domains:
  # Some domains may resolve to 127.0.0.1 by direct DNS servers. Direct them to use remote DNS servers.
  - domain:github.com
  - domain:raw.githubusercontent.com

# Use following DNS servers for domains that can be resolved without going through remote xray server.
xray_direct_dns_servers:
  - 223.5.5.5
  - 114.114.114.114

xray_direct_domains:
  # We can use xray's syntax for domain matching
  - geosite:cn
  - geosite:apple-cn
  - geosite:google-cn
  - geosite:tld-cn
  - geosite:category-games@cn
  - full:"{{ xray_server_dns_name }}"

xray_direct_ips:
  - geoip:cn

xray_block_domains:
  - geosite:category-ads-all

xray_block_ips:
  - geoip:private # prevent access to local service through xray

xray_server_block_domains:
  - geosite:private
  - geosite:category-ads-all
  - geosite:cn
  - geosite:apple-cn
  - geosite:google-cn
  - geosite:tld-cn
  - geosite:category-games@cn

xray_server_block_ips:
  - geoip:private
  - geoip:cn

xray_direct_protocols:
  - bittorrent

# Avoid UDP DNS requests using too much open fd.
xray_udp_dns_conn_idle: 5

xray_direct_firewall_marks:
  # The 1st item in the list is reuiqred.
  # For xray self generated traffic, add this as firewall mark to by-pass
  # tproxy firewall rules.
  - 255
  # Include other services which uses firewall mark and should by-pass
  # tproxy.
  # Example: strongswan IPsec VPN with xfrm interface.
  #- 254
  #- 253

xray_sysctl_params:
  net.ipv4.ip_forward: 1
  net.ipv6.conf.all.forwarding: 1
  net.ipv4.tcp_fastopen: 3
  net.ipv4.tcp_syncookies: 1
  # Host running xray may act as a side-gateway, so client should indeed send traffic to xray host
  # even if there's a shorter path in this local subnet.
  # We have to disable send_redicts on specific interfaces in order to make this work.
  net.ipv4.conf.all.send_redirects: 0
  # Refer [here](https://unix.stackexchange.com/a/666924) for the differences between "default" and "all".
  net.ipv4.conf.default.send_redirects: 0
  # Since we are using nftables to implement transparent proxy, we should
  # disable traffice passing to iptables.
  # Why they are enabled by default? Refer to this [excellent answer](https://unix.stackexchange.com/a/719143/).
  net.bridge.bridge-nf-call-ip6tables: 0
  net.bridge.bridge-nf-call-iptables: 0
  net.bridge.bridge-nf-call-arptables: 0

# xray re-route firewall mark.
# This is to handle traffic generated on the host which xray runs.
xray_route_firewall_mark: 1
xray_route_table_id: 100