Conversation
- 050-api: remove duplicate "stats":{} — already defined in 010-stats.json.j2,
duplicate top-level key causes Xray to reject split config
- 400-routing: move blocked domains rule before freedom catch-all — previously
all inbound traffic matched the first rule (freedom) so ad blocking never fired;
correct order: blocked → api → freedom
- 210-in-xhttp: add routeOnly:true to sniffing, consistent with VLESS-reality inbound
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
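The two defects fixed in the commit above (a top-level key defined in two split-config fragments, and a catch-all routing rule placed ahead of the block rule) can both be caught before a config is deployed. The following is an added example, not code from the role or from Xray: it lints a set of rendered fragments for duplicate top-level keys and then simulates Xray's first-match rule evaluation over constructed connections to show why rule order matters. The fragment contents, rules and connection records are constructed; the catch-all is modelled as a network-only rule (an assumption about the role's template), and domain matching is a simplification of Xray's (substring by default, `domain:`/`full:` prefixes, no geosite lookups).

```python
"""Added example (not the role's or Xray's code): lint a split Xray config
for duplicate top-level keys and check routing rule order by simulating
Xray's first-match rule evaluation.  Fragments, rules and sample
connections are constructed for the example."""
import json

# Constructed rendered fragments as a confdir would hold them
# (file name -> JSON text).  050-api.json repeats "stats" from 010-stats.json.
FRAGMENTS = {
    "010-stats.json": '{"stats": {}}',
    "050-api.json": '{"api": {"tag": "api", "services": ["StatsService"]}, "stats": {}}',
}


def duplicate_top_level_keys(fragments):
    """Map each top-level key defined in more than one fragment to its files."""
    seen = {}
    for name, text in fragments.items():
        for key in json.loads(text):
            seen.setdefault(key, []).append(name)
    return {k: files for k, files in seen.items() if len(files) > 1}


def domain_matches(pattern, host):
    """Simplified Xray domain matching: plain patterns are substrings,
    'domain:' covers the domain and its subdomains, 'full:' is exact."""
    if pattern.startswith("full:"):
        return host == pattern[len("full:"):]
    if pattern.startswith("domain:"):
        suffix = pattern[len("domain:"):]
        return host == suffix or host.endswith("." + suffix)
    if pattern.startswith("geosite:"):
        raise ValueError("geosite:* needs geosite.dat; not modelled here")
    return pattern in host


def rule_matches(rule, conn):
    """A rule matches when every condition it carries holds for the connection."""
    if "domain" in rule and not any(domain_matches(p, conn.get("domain", ""))
                                    for p in rule["domain"]):
        return False
    if "inboundTag" in rule and conn.get("inboundTag") not in rule["inboundTag"]:
        return False
    if "network" in rule and conn.get("network") not in rule["network"].split(","):
        return False
    return True


def route(rules, conn):
    """First-match semantics: the first rule whose conditions hold decides."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["outboundTag"]
    return None  # Xray would fall back to the first configured outbound


BLOCK = {"type": "field", "domain": ["domain:ads.example"], "outboundTag": "block"}
API = {"type": "field", "inboundTag": ["api"], "outboundTag": "api"}
# Catch-all modelled as a network-only rule (assumption about the role's template).
FREEDOM = {"type": "field", "network": "tcp,udp", "outboundTag": "freedom"}

WRONG_ORDER = [FREEDOM, BLOCK, API]  # catch-all first: nothing below it ever fires
RIGHT_ORDER = [BLOCK, API, FREEDOM]  # blocked -> api -> freedom

AD_CONN = {"inboundTag": "vless-reality", "network": "tcp", "domain": "tracker.ads.example"}
API_CONN = {"inboundTag": "api", "network": "tcp"}
PLAIN_CONN = {"inboundTag": "vless-reality", "network": "tcp", "domain": "example.org"}


def check_order(rules, conns=(AD_CONN, API_CONN, PLAIN_CONN)):
    """Outbound chosen for each sample connection under the given rule order."""
    return [route(rules, c) for c in conns]


if __name__ == "__main__":
    print(duplicate_top_level_keys(FRAGMENTS))
    print(check_order(WRONG_ORDER))
    print(check_order(RIGHT_ORDER))
```

With the catch-all first, the ad-domain connection and even the API inbound both land on `freedom`; with the corrected order the same three connections go to `block`, `api` and `freedom` respectively. Running the duplicate-key lint over the rendered confdir in CI catches the `stats` collision without having to start Xray.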

- defaults: add xray_vless_decryption variable ("none" by default);
  supports post-quantum cipher string (mlkem768x25519plus.native.0rtt.*)
- defaults: document xray_reality.mldsa65_seed and mldsa65_verify
  in secrets.yml example with generation command (xray mldsa65)
- 200-in-vless-reality, 210-in-xhttp: dynamic decryption field via
  xray_vless_decryption; conditional mldsa65Seed/mldsa65Verify in
  realitySettings when variables are defined
- 240-in-vless-users: fix hardcoded flow "" -> user.flow with default
  fallback; fix decryption to use xray_vless_decryption; remove
  incorrect "security" field from settings block
- 230-in-xhttp-users: dynamic decryption field
- README: document MLDSA65 + new encryption setup, key variables table
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- defaults: trim MLDSA65 comment block and vless_decryption
  comments to < 80 chars per line
- templates: replace long {% if ... is defined and ... %} conditions
  with {% set _seed / _verify %} + {% if %} (max 72 chars per line)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

When xray_vless_decryption is set to a non-none cipher string, xtls-rprx-vision is required. All four inbound/user templates now auto-set flow to xtls-rprx-vision if _pq is true. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds xray_vless_encryption default variable (default: "none"). Each client entry now includes an encryption field that auto-syncs with xray_vless_decryption when PQ mode is active, or falls back to per-user user.encryption / xray_vless_encryption otherwise. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Xray rejects "encryption" in inbound settings — it is only valid in outbound (client-side) configs. Removed from all 4 templates and cleaned up the unused xray_vless_encryption default var. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New validate.yml runs before any config is deployed (tags: always). Fails immediately with a clear message if xray_vless_decryption is not "none", xray_users is empty, or xray_reality keys are missing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DoH servers (https://) route through the Xray proxy chain and fail with "io: read/write on closed pipe" when the connection is reused after being closed. Switch to tcp+local://8.8.8.8 and tcp+local://1.1.1.1 which bypass the proxy. Added validation assert to catch DoH in user vars. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Templates 210 and 230 were ignoring user.flow and always outputting "". Now they read user.flow (default '') so xtls-rprx-vision is set when defined per user, consistent with templates 200 and 240. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
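The commits above describe a set of pre-deploy assertions: a non-empty user list, REALITY keys present, a well-formed decryption string, the Vision flow once post-quantum decryption is on, and no DoH upstreams. The following is an added example, not the role's validate.yml, that expresses those checks as one Python function returning every failure at once. The variable name `xray_dns_servers` and the key names under `xray_reality` are assumptions; the cipher-string pattern is a loose reading of the page's `mlkem768x25519plus.native.0rtt.*` form (the later commit relaxes the original "must be none" check to a format check, which is what is modelled here); both sample variable sets are constructed.

```python
"""Added example (not the role's validate.yml): pre-deploy checks on the
role's variables, mirroring the asserts the commits describe.  Variable
name xray_dns_servers and the key names under xray_reality are
assumptions; the cipher-string grammar is a loose reading of the page's
"mlkem768x25519plus.native.0rtt.*" pattern."""
import re

# Assumed shape: "mlkem768x25519plus.native.<mode>.<key>[.<key>...]" or "none".
PQ_CIPHER = re.compile(r"^mlkem768x25519plus\.native\.[^.]+(\.[^.]+)+$")
VISION = "xtls-rprx-vision"


def validate_role_vars(v):
    """Return a list of human-readable failures; an empty list means deployable."""
    errors = []
    users = v.get("xray_users") or []
    if not users:
        errors.append("xray_users is empty")

    reality = v.get("xray_reality") or {}
    for key in ("private_key", "public_key", "short_ids"):  # assumed key names
        if not reality.get(key):
            errors.append(f"xray_reality.{key} is missing")

    dec = v.get("xray_vless_decryption", "none")
    pq = dec != "none"
    if pq and not PQ_CIPHER.match(dec):
        errors.append(f"xray_vless_decryption has unexpected format: {dec!r}")

    # VLESS Encryption requires the Vision flow on every user.
    if pq:
        for u in users:
            flow = u.get("flow", "")
            if flow and flow != VISION:
                errors.append(f"user {u.get('name', '?')}: flow {flow!r} "
                              f"incompatible with PQ decryption")

    # Client side must agree: "none" on both or a cipher string on both.
    enc = v.get("xray_vless_client_encryption", "none")
    if (enc == "none") != (dec == "none"):
        errors.append("xray_vless_client_encryption and xray_vless_decryption disagree")

    # DoH upstreams would go through the proxy chain; require a local transport.
    for s in v.get("xray_dns_servers", []):
        if str(s).startswith("https://"):
            errors.append(f"DNS server {s} uses DoH; use tcp+local:// instead")
    return errors


# Constructed variable sets (placeholder key material, not real keys).
GOOD_VARS = {
    "xray_users": [{"name": "alice",
                    "id": "00000000-0000-4000-8000-000000000001",
                    "flow": VISION}],
    "xray_reality": {"private_key": "PRIV", "public_key": "PUB",
                     "short_ids": ["0123abcd"]},
    "xray_vless_decryption": "mlkem768x25519plus.native.0rtt.U0VSVkVS",
    "xray_vless_client_encryption": "mlkem768x25519plus.native.0rtt.Q0xJRU5U",
    "xray_dns_servers": ["tcp+local://8.8.8.8", "tcp+local://1.1.1.1"],
}

BAD_VARS = {
    "xray_users": [{"name": "bob",
                    "id": "00000000-0000-4000-8000-000000000002",
                    "flow": "xtls-rprx-direct"}],
    "xray_reality": {"private_key": "PRIV", "short_ids": ["0123abcd"]},
    "xray_vless_decryption": "mlkem768x25519plus.native.0rtt.U0VSVkVS",
    "xray_vless_client_encryption": "none",
    "xray_dns_servers": ["https://dns.google/dns-query"],
}


if __name__ == "__main__":
    for label, vars_ in (("good", GOOD_VARS), ("bad", BAD_VARS)):
        print(label, validate_role_vars(vars_) or "ok")
```

Collecting every failure rather than stopping at the first mirrors what an `assert` with multiple `that:` entries gives an operator: one run reports the missing REALITY key, the incompatible flow, the client/server mismatch and the DoH upstream together, so the fix is one edit to the vars file instead of four deploy attempts.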
…ncryption

Xray role:
- defaults/main.yml: add xray_vless_decryption/xray_vless_client_encryption vars, full raven_subscribe_* vars block, remove mldsa65 references
- validate.yml: assert xray_vless_decryption format and client encryption consistency
- inbounds: remove mldsa65 blocks, use decryption/flow logic for VLESS Encryption
- handlers/main.yml: fix handler order (Validate before Restart to catch invalid configs)
- tasks/main.yml: import raven_subscribe.yml task

Raven-subscribe deploy (new):
- tasks/raven_subscribe.yml: download binary, deploy config, install systemd service
- templates/raven-subscribe/config.json.j2: config template with vless_client_encryption
- templates/raven-subscribe/xray-subscription.service.j2: hardened systemd unit

Cleanup:
- Remove obsolete config.json.j2 and main.yml.bak

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…_domains

- render_overrides.yml: xray_blocked_domains: [] to avoid geosite.dat lookup in CI
- 400-routing.json.j2: wrap blocked domains rule in length > 0 guard to prevent invalid empty domain array; clean up comma handling with inline trailing commas
findias added a commit that referenced this pull request on Apr 4, 2026.
No description provided.