From fbc475ce6b07775351e42856443d06c460e525dc Mon Sep 17 00:00:00 2001
From: demarcush <146051763+demarcush@users.noreply.github.com>
Date: Sun, 21 Jul 2024 06:27:06 +0330
Subject: [PATCH] Update release directory
- Add Systemd user unit files
- Security improvements to system unit files
- Update the refrence config.json according to the manual
---
 release/config/config.json | 7 ++++-
 release/config/sing-box.service | 16 ----------
 release/config/sing-box@.service | 16 ----------
 release/config/system/sing-box.service | 37 ++++++++++++++++++++++++
 release/config/system/sing-box@.service | 38 +++++++++++++++++++++++++
 release/config/user/sing-box.service | 28 ++++++++++++++++++
 release/config/user/sing-box@.service | 29 +++++++++++++++++++
 7 files changed, 138 insertions(+), 33 deletions(-)
 delete mode 100644 release/config/sing-box.service
 delete mode 100644 release/config/sing-box@.service
 create mode 100644 release/config/system/sing-box.service
 create mode 100644 release/config/system/sing-box@.service
 create mode 100644 release/config/user/sing-box.service
 create mode 100644 release/config/user/sing-box@.service
diff --git a/release/config/config.json b/release/config/config.json
index c518d18b..c057a97c 100644
--- a/release/config/config.json
+++ b/release/config/config.json
@@ -14,10 +14,15 @@
 "type": "shadowsocks",
 "listen": "::",
 "listen_port": 8080,
+ "tcp_fast_open": true,
+ "tcp_multi_path": true,
 "sniff": true,
 "network": "tcp",
 "method": "2022-blake3-aes-128-gcm",
- "password": "8JCsPssfgS8tiRwiMlhARg=="
+ "password": "8JCsPssfgS8tiRwiMlhARg==",
+ "multiplex": {
+ "enabled": true
+ }
 }
 ],
 "outbounds": [
diff --git a/release/config/sing-box.service b/release/config/sing-box.service
deleted file mode 100644
index 7b7a13a8..00000000
--- a/release/config/sing-box.service
+++ /dev/null
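Review bot: The re-emitted `"password": "8JCsPssfgS8tiRwiMlhARg==",` line keeps a fixed Shadowsocks 2022 PSK in a reference config that listens on `::`, so anyone who deploys this file unchanged exposes an inbound whose key is public in this repository. Since the commit already touches that line, it is the moment to replace the value with an obvious placeholder and state in the manual or release README (strict JSON has no comment syntax) that `2022-blake3-aes-128-gcm` needs a freshly generated 16-byte base64 key, e.g. from `openssl rand -base64 16`. The newly enabled `tcp_fast_open` and `tcp_multi_path` are kernel-dependent (MPTCP in particular needs kernel support), so the same documentation should say what happens on hosts without them — presumably a startup error or a silent fallback, which cannot be told from this hunk.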
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box -C /etc/sing-box run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
deleted file mode 100644
index 578ebd1c..00000000
--- a/release/config/sing-box@.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box-%i -c /etc/sing-box/%i.json run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/system/sing-box.service b/release/config/system/sing-box.service
new file mode 100644
index 00000000..28b837f5
--- /dev/null
+++ b/release/config/system/sing-box.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=sing-box service
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/release/config/system/sing-box@.service b/release/config/system/sing-box@.service
new file mode 100644
index 00000000..83cdf302
--- /dev/null
+++ b/release/config/system/sing-box@.service
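Review bot: The `AmbientCapabilities=`/`CapabilityBoundingSet=` lines still hand the dynamic user CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH, which undo much of the hardening added below them: CAP_DAC_READ_SEARCH bypasses read/search permission checks on every file the mount sandbox leaves visible (with `ProtectSystem=full` that is all of /etc and /var, e.g. /etc/shadow or other services' private keys), and CAP_SYS_PTRACE permits reading other processes' memory through /proc/<pid>/mem (subject to Yama) and defeats `ProtectProc=noaccess`. The deleted unit carried the same two capabilities, so they presumably exist only for process-name matching; at minimum say so in the file, e.g. `# CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH are only needed for process matching; remove them via a drop-in if unused`. Separately, systemd.exec(5) states that `DynamicUser=true` implies `ProtectSystem=strict`, so the explicit `ProtectSystem=full` is either overridden or misstates the effective policy; `ProtectSystem=strict` is the honest setting and works with `StateDirectory=` as written. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` is the usual companion of CAP_NET_ADMIN for a proxy and is absent here, though whether sing-box needs further families cannot be told from this hunk.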
@@ -0,0 +1,38 @@
+[Unit]
+Description=sing-box service (%i)
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
+DefaultInstance=sing-box.service
diff --git a/release/config/user/sing-box.service b/release/config/user/sing-box.service
new file mode 100644
index 00000000..9d9e4553
--- /dev/null
+++ b/release/config/user/sing-box.service
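Review bot: `DefaultInstance=sing-box.service` in `[Install]` looks wrong: the value is the instance string inserted between `@` and the `.service` suffix, so `systemctl enable sing-box@.service` would enable `sing-box@sing-box.service.service` and, through the `%i` expansions in `ExecStart=` and `StateDirectory=`, look for `/etc/sing-box/sing-box.service.json` and create `/var/lib/sing-box-sing-box.service`. A bare instance name such as `DefaultInstance=config` (pairing with a shipped `config.json`), or dropping the line so the template must always be enabled with an explicit instance, avoids that; which name the release intends cannot be told from the hunk. The rest of the file mirrors the non-template unit, including the broad CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH ambient capabilities granted to the dynamic user, which deserve a comment naming the feature that needs them.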
@@ -0,0 +1,28 @@
+[Unit]
+Description=sing-box user service
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
diff --git a/release/config/user/sing-box@.service b/release/config/user/sing-box@.service
new file mode 100644
index 00000000..5b30147c
--- /dev/null
+++ b/release/config/user/sing-box@.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=sing-box user service (%i)
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
+DefaultInstance=sing-box.service
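Review bot: This user unit runs with no capabilities and `PrivateDevices=true` hides /dev/net/tun, so a config copied from the system setup with a TUN inbound or a `listen_port` below 1024 will fail at start — worth stating at the top of the file, e.g. `# Unprivileged: TUN inbounds and ports below 1024 are not available in the user instance`. `LimitNOFILE=infinity` can only raise the soft limit up to the session's hard limit for an unprivileged manager, so it presumably produces a warning rather than the unlimited value the system unit gets; confirm and either lower it or document the expectation. The config is read from `ConfigurationDirectory=sing-box`, which under the user manager resolves beneath `$XDG_CONFIG_HOME` rather than /etc/sing-box, and the manual should point users there.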
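Review bot: `DefaultInstance=sing-box.service` has the same shape problem as the system template: the value becomes the `%i` instance string, so enabling the template without an explicit instance yields `sing-box@sing-box.service.service`, which reads `sing-box.service.json` from the configuration directory and creates a state directory named `sing-box-sing-box.service`. Use a plain instance name (`DefaultInstance=config` if the intent is to pair with a shipped `config.json`) or drop the line. Because `%i` is the escaped instance name, a `/` cannot reach the `${CONFIGURATION_DIRECTORY}/%i.json` expansion as a path separator, so an instance name should not be able to escape the directory; a one-line comment saying so would save the next reviewer the check.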