diff --git a/release/config/config.json b/release/config/config.json
index c518d18bd9..c057a97c4f 100644
--- a/release/config/config.json
+++ b/release/config/config.json
@@ -14,10 +14,15 @@
 "type": "shadowsocks",
 "listen": "::",
 "listen_port": 8080,
+ "tcp_fast_open": true,
+ "tcp_multi_path": true,
 "sniff": true,
 "network": "tcp",
 "method": "2022-blake3-aes-128-gcm",
- "password": "8JCsPssfgS8tiRwiMlhARg=="
+ "password": "8JCsPssfgS8tiRwiMlhARg==",
+ "multiplex": {
+ "enabled": true
+ }
 }
 ],
 "outbounds": [
diff --git a/release/config/sing-box.service b/release/config/sing-box.service
deleted file mode 100644
index 7b7a13a855..0000000000
--- a/release/config/sing-box.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box -C /etc/sing-box run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
deleted file mode 100644
index 578ebd1cb5..0000000000
--- a/release/config/sing-box@.service
+++ /dev/null
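Review bot: The `+ "password": "8JCsPssfgS8tiRwiMlhARg==",` line carries a fixed pre-shared key into a config that ships in the release tree and, per the surrounding context, binds on `::`, so every install that runs the file unmodified shares a published key. A placeholder the packager or user must replace (e.g. `"password": "<REPLACE-WITH-16-BYTE-BASE64-KEY>"`) plus a README sentence on generating a fresh 16-byte base64 key for `2022-blake3-aes-128-gcm` would avoid that. The new `multiplex` block and the `tcp_fast_open`/`tcp_multi_path` flags are syntactically fine; the inbound object they belong to starts before this hunk.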
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box-%i -c /etc/sing-box/%i.json run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/system/sing-box.service b/release/config/system/sing-box.service
new file mode 100644
index 0000000000..28b837f589
--- /dev/null
+++ b/release/config/system/sing-box.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=sing-box service
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
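Review bot: `CAP_SYS_PTRACE` and `CAP_DAC_READ_SEARCH` are kept in both `AmbientCapabilities=` and `CapabilityBoundingSet=` of the new system/sing-box.service (and likewise in system/sing-box@.service), which is a lot of reach for a unit that otherwise sandboxes hard: ptrace-any-process and bypass-read-permission-checks outweigh most of the Protect*/Restrict* lines below them, and they sit oddly next to `ProtectProc=noaccess`, which hides other processes' /proc entries. If they exist only for an optional feature, a comment naming it (`# CAP_SYS_PTRACE/CAP_DAC_READ_SEARCH: needed only for <feature> — drop if unused`) and a default without them would be safer. Separately, `ProtectSystem=full` reads weaker than the `ProtectSystem=strict` that `DynamicUser=true` implies per the systemd.exec documentation; stating `ProtectSystem=strict` explicitly would remove the ambiguity, assuming the service writes only under `${STATE_DIRECTORY}`.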
diff --git a/release/config/system/sing-box@.service b/release/config/system/sing-box@.service
new file mode 100644
index 0000000000..83cdf302bd
--- /dev/null
+++ b/release/config/system/sing-box@.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=sing-box service (%i)
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
+DefaultInstance=sing-box.service
diff --git a/release/config/user/sing-box.service b/release/config/user/sing-box.service
new file mode 100644
index 0000000000..9d9e455354
--- /dev/null
+++ b/release/config/user/sing-box.service
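Review bot: `DefaultInstance=sing-box.service` in the [Install] section of system/sing-box@.service (and the same line in user/sing-box@.service) makes an instance-less `enable` create `sing-box@sing-box.service.service`, whose `%i` expands the `ExecStart=` path to `${CONFIGURATION_DIRECTORY}/sing-box.service.json`, a file name that looks unintended. If the default instance is meant to select a config, the value should be the bare config stem, e.g. `DefaultInstance=config`; if no default is wanted, the line should be dropped. The remaining [Service] lines mirror the non-template unit, so the capability and `ProtectSystem=` remarks made on that unit apply here as well.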
@@ -0,0 +1,28 @@
+[Unit]
+Description=sing-box user service
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
diff --git a/release/config/user/sing-box@.service b/release/config/user/sing-box@.service
new file mode 100644
index 0000000000..5b30147c07
--- /dev/null
+++ b/release/config/user/sing-box@.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=sing-box user service (%i)
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
+DefaultInstance=sing-box.service
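Review bot: The user units give no hint where their input lives: in a user manager `ConfigurationDirectory=sing-box` resolves under `$XDG_CONFIG_HOME`, not `/etc/sing-box` as in the system units, and `${STATE_DIRECTORY}` likewise lands under the user's state root, so a first-time user will not know where to put config.json. A comment at the top of user/sing-box.service, and the equivalent in user/sing-box@.service, would settle it: `# Reads ${XDG_CONFIG_HOME:-~/.config}/sing-box; state is kept in the user manager's StateDirectory root (XDG_STATE_HOME on current systemd)`. It is also worth a comment that a user-manager unit runs without `CAP_NET_ADMIN`/`CAP_NET_BIND_SERVICE`, so configs relying on TUN inbounds or ports below 1024 need the system unit instead.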