增加重启机制

vps-xray/deploy.sh

@@ -310,7 +310,7 @@ net.ipv4.tcp_fin_timeout=15
 net.ipv4.tcp_keepalive_time=300
 net.ipv4.tcp_keepalive_intvl=30
 net.ipv4.tcp_keepalive_probes=5
-net.ipv4.tcp_max_tw_buckets=5000
+net.ipv4.tcp_max_tw_buckets=262144
 net.ipv4.tcp_max_syn_backlog=8192
 net.core.somaxconn=8192
 net.core.netdev_max_backlog=8192
@@ -320,11 +320,61 @@ SYSEOF
     log "BBR 已启用，网络参数已优化"
 }
 
+# ===== 新增：系统与服务加固 =====
+harden_system() {
+    step "加固系统与服务"
+
+    # 文件描述符上限
+    if ! grep -q '99-xray-nofile' /etc/security/limits.conf 2>/dev/null; then
+        cat >> /etc/security/limits.conf << 'EOF'
+# 99-xray-nofile
+* soft nofile 1000000
+* hard nofile 1000000
+root soft nofile 1000000
+root hard nofile 1000000
+EOF
+    fi
+
+    # systemd 服务加固
+    mkdir -p /etc/systemd/system/xray.service.d
+    cat > /etc/systemd/system/xray.service.d/override.conf << 'EOF'
+[Service]
+LimitNOFILE=1000000
+Restart=always
+RestartSec=3
+EOF
+
+    # 定时重启 timer（每日凌晨 4 点）
+    cat > /etc/systemd/system/xray-restart.service << 'EOF'
+[Unit]
+Description=Daily restart of Xray
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl restart xray
+EOF
+
+    cat > /etc/systemd/system/xray-restart.timer << 'EOF'
+[Unit]
+Description=Daily restart Xray at 04:00 CST
+
+[Timer]
+OnCalendar=*-*-* 04:00:00
+TimeZone=Asia/Shanghai
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+}
+
 # ===== 7. 启动服务 =====
 start_service() {
     systemctl daemon-reload
     systemctl restart xray
     systemctl enable xray
+    systemctl enable --now xray-restart.timer
 
     sleep 2
     if systemctl is-active --quiet xray; then
@@ -425,6 +475,7 @@ main() {
     write_config
     configure_firewall
     tune_network
+    harden_system
     start_service
     save_env
     print_result