Update release directory

- Add Systemd user unit files
- Security improvements to system unit files
- Update the reference config.json according to the manual
demarcush 2024-07-21 06:27:06 +03:30
parent 8a2d3fbb28
commit fbc475ce6b
7 changed files with 138 additions and 33 deletions


@ -14,10 +14,15 @@
"type": "shadowsocks",
"listen": "::",
"listen_port": 8080,
"tcp_fast_open": true,
"tcp_multi_path": true,
"sniff": true,
"network": "tcp",
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg=="
"password": "8JCsPssfgS8tiRwiMlhARg==",
"multiplex": {
"enabled": true
}
}
],
"outbounds": [
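Review bot: The `"password"` line keeps a concrete `2022-blake3-aes-128-gcm` key in a reference config, so any deployment that copies the file unchanged runs with a pre-shared key that is public in this repository. Replace it with a value that cannot be used by accident, for example `"password": "<BASE64_16_BYTE_KEY>"` (placeholder), and have the accompanying documentation point at `sing-box generate rand --base64 16` for producing a fresh one. The inbound object starts above this hunk, so its other fields were not reviewed.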


@ -1,16 +0,0 @@
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target network-online.target
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
ExecStart=/usr/bin/sing-box -D /var/lib/sing-box -C /etc/sing-box run
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=10s
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target


@ -1,16 +0,0 @@
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target network-online.target
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
ExecStart=/usr/bin/sing-box -D /var/lib/sing-box-%i -c /etc/sing-box/%i.json run
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=10s
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target


@ -0,0 +1,37 @@
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target network-online.target
[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
ConfigurationDirectory=sing-box
DynamicUser=true
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
LimitNOFILE=infinity
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=full
Restart=on-failure
RestartSec=10s
RestrictNamespaces=true
RestrictRealtime=true
StateDirectory=sing-box
SystemCallArchitectures=native
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
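Review bot: `AmbientCapabilities=` and `CapabilityBoundingSet=` still grant CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH, which undercut much of the sandboxing added below them: CAP_DAC_READ_SEARCH bypasses read-permission checks on every file still visible to the service, and a process holding CAP_SYS_PTRACE is, as far as I can tell, exempt from the hidepid restriction that `ProtectProc=noaccess` relies on. If the two capabilities are only there for process-matching rules (an inference, nothing in the unit says so), reduce both lines to `CAP_NET_ADMIN CAP_NET_BIND_SERVICE` by default, or add a comment stating why they stay. Separately, an explicit `ProtectSystem=full` appears to be weaker than the `strict` that `DynamicUser=true` implies when the setting is left out; since writes already go through `StateDirectory=`, `ProtectSystem=strict` is worth confirming. The same lines appear in the templated system unit in the next file section.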


@ -0,0 +1,38 @@
[Unit]
Description=sing-box service (%i)
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target network-online.target
[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
ConfigurationDirectory=sing-box
DynamicUser=true
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
LimitNOFILE=infinity
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=full
Restart=on-failure
RestartSec=10s
RestrictNamespaces=true
RestrictRealtime=true
StateDirectory=sing-box-%i
SystemCallArchitectures=native
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
DefaultInstance=sing-box.service
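Review bot: `DefaultInstance=sing-box.service` names a unit rather than an instance, so enabling the template without an instance would, as I read it, create an instance literally called `sing-box.service`; `%i` would then expand to the config path `${CONFIGURATION_DIRECTORY}/sing-box.service.json` and the state directory `sing-box-sing-box.service`. Use a bare instance name such as `DefaultInstance=default` (constructed example) or drop the line so an instance always has to be given explicitly. The user template unit in the last file section carries the same `[Install]` line. Note also that every instance shares `ConfigurationDirectory=sing-box` while state is per instance, so each instance can read the other instances' JSON configs and the keys stored in them.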


@ -0,0 +1,28 @@
[Unit]
Description=sing-box user service
Documentation=https://sing-box.sagernet.org
After=basic.target
[Service]
ConfigurationDirectory=sing-box
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
LimitNOFILE=infinity
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectProc=noaccess
Restart=on-failure
RestartSec=10s
RestrictNamespaces=true
RestrictRealtime=true
StateDirectory=sing-box
SystemCallArchitectures=native
SystemCallFilter=@system-service
[Install]
WantedBy=default.target
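Review bot: The user unit carries no comment on what its sandboxing depends on or what it rules out, and both matter to whoever deploys it. I would add a header comment such as `# Sandboxing below relies on unprivileged user namespaces (PrivateUsers=true)` and, above `PrivateDevices=true`, `# hides /dev/net/tun, so TUN inbounds cannot be used from this unit`. How a per-user service manager behaves when it cannot set up those namespaces is not visible here, so the header should tell the operator to verify that the directives are actually applied on the target host. The same comments apply to the user template unit in the last file section.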


@ -0,0 +1,29 @@
[Unit]
Description=sing-box user service (%i)
Documentation=https://sing-box.sagernet.org
After=basic.target
[Service]
ConfigurationDirectory=sing-box
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
LimitNOFILE=infinity
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectProc=noaccess
Restart=on-failure
RestartSec=10s
RestrictNamespaces=true
RestrictRealtime=true
StateDirectory=sing-box-%i
SystemCallArchitectures=native
SystemCallFilter=@system-service
[Install]
WantedBy=default.target
DefaultInstance=sing-box.service