Deploy Tor Snowflake proxy on ringtail (#311)

## Summary - Add Snowflake proxy as a native systemd service on ringtail (NixOS) - Uses `pkgs.snowflake` from nixpkgs (v2.11.0) - Hardened systemd unit with DynamicUser, ProtectSystem=strict, 512MB memory limit - Prometheus metrics enabled on localhost:9999 ## What is Snowflake? A Tor pluggable transport that helps censored users reach the Tor network via WebRTC. **This is NOT a Tor exit node** — traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted) and destination servers never see the proxy's IP. ## Changes - `nixos/ringtail/configuration.nix` — new systemd service definition - `docs/reference/services/snowflake-proxy.md` — service reference card - `docs/reference/infrastructure/ringtail.md` — updated systemd services section - `service-versions.yaml` — added entry (type: nixos) ## Deploy plan After review, deploy via `mise run provision-ringtail`. Service starts automatically. ## Test plan - [ ] `mise run provision-ringtail` succeeds - [ ] `ssh ringtail 'systemctl status snowflake-proxy'` shows active - [ ] `ssh ringtail 'journalctl -u snowflake-proxy --no-pager -n 20'` shows broker connections - [ ] `ssh ringtail 'curl -s localhost:9999/metrics'` returns Prometheus metrics Reviewed-on: #311
2026-03-24 20:51:40 -07:00 · 2026-03-24 20:51:40 -07:00 · b97e37543f
commit b97e37543f
parent 243a862901
9 changed files with 460 additions and 0 deletions
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@ -492,6 +492,37 @@ in
    unqualified-search-registries = ["registry.ops.eblu.me", "docker.io", "ghcr.io", "quay.io"]
  '';

+  # Tor Snowflake proxy (anti-censorship bridge, not an exit node)
+  systemd.services.snowflake-proxy = {
+    description = "Tor Snowflake Proxy";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = toString [
+        "${pkgs.snowflake}/bin/proxy"
+        "-metrics" "-metrics-address" "0.0.0.0"
+        "-geoipdb" "${pkgs.tor.geoip}/share/tor/geoip"
+        "-geoip6db" "${pkgs.tor.geoip}/share/tor/geoip6"
+      ];
+      DynamicUser = true;
+      Restart = "always";
+      RestartSec = 10;
+      # Hardening
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      MemoryDenyWriteExecute = true;
+      MemoryMax = "512M";
+    };
+  };
+
  # Forgejo Actions runner (nix container builder)
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;