mirror of
https://github.com/SagerNet/sing-box.git
synced 2024-11-25 10:01:30 +00:00
fbc475ce6b
- Add Systemd user unit files - Security improvements to system unit files - Update the refrence config.json according to the manual
38 lines
1 KiB
Desktop File
38 lines
1 KiB
Desktop File
[Unit]
|
|
Description=sing-box service
|
|
Documentation=https://sing-box.sagernet.org
|
|
After=network.target nss-lookup.target network-online.target
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
|
|
ConfigurationDirectory=sing-box
|
|
DynamicUser=true
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
|
|
LimitNOFILE=infinity
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectProc=noaccess
|
|
ProtectSystem=full
|
|
Restart=on-failure
|
|
RestartSec=10s
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
StateDirectory=sing-box
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|