Deploy Tor Snowflake proxy on ringtail

Add snowflake-proxy as a native systemd service on ringtail to help
censored users reach the Tor network. This is a bridge proxy, not an
exit node — traffic exits through Tor exit nodes elsewhere.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/changelog.d/deploy-snowflake-proxy.feature.md

@@ -0,0 +1 @@
+Add Tor Snowflake proxy on ringtail as a systemd service to support anti-censorship efforts.

docs/reference/infrastructure/ringtail.md

@@ -86,6 +86,15 @@ argocd cluster add default --name k3s-ringtail
 
 ## Systemd Services
 
+### Snowflake Proxy
+
+A Tor [[snowflake-proxy]] that helps censored users reach the Tor network. Runs as a simple systemd service using the `snowflake` nixpkgs package. The proxy is not a Tor exit node — it only bridges encrypted WebRTC connections to Tor relays.
+
+| Property | Value |
+|----------|-------|
+| **Service unit** | `snowflake-proxy.service` |
+| **Metrics** | `localhost:9999/metrics` (Prometheus) |
+
 ### Forgejo Actions Runner
 
 A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix-build` and pushes them to Zot via `skopeo`.

docs/reference/services/snowflake-proxy.md

@@ -0,0 +1,74 @@
+---
+title: Snowflake Proxy
+modified: 2026-03-24
+tags:
+  - service
+  - privacy
+  - anti-censorship
+---
+
+# Snowflake Proxy
+
+Tor Snowflake proxy that helps censored users reach the Tor network. Runs as a native systemd service on [[ringtail]].
+
+## Quick Reference
+
+| Property | Value |
+|----------|-------|
+| **Host** | ringtail |
+| **Type** | NixOS systemd service |
+| **Package** | `pkgs.snowflake` (nixpkgs) |
+| **Binary** | `proxy` |
+| **Upstream** | https://snowflake.torproject.org/ |
+| **Source** | https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake |
+| **Metrics** | `localhost:9999/metrics` (Prometheus) |
+
+## Architecture
+
+Snowflake is a pluggable transport for Tor that uses WebRTC to provide short-lived proxies. The proxy:
+
+1. Polls the Tor broker for censored clients needing a bridge
+2. Establishes a WebRTC connection with the client
+3. Forwards the encrypted traffic to a Tor bridge (relay)
+
+**This proxy is NOT a Tor exit node.** Traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted: WebRTC DTLS + Tor onion routing) and destination servers never see the proxy's IP.
+
+```
+Censored user ──[WebRTC/DTLS]──▶ THIS PROXY ──[encrypted]──▶ Tor bridge ──▶ Tor network ──▶ Exit node
+```
+
+## Configuration
+
+The service runs with default settings — no special configuration needed. Key defaults:
+
+| Setting | Value |
+|---------|-------|
+| **Broker** | `https://snowflake-broker.torproject.net/` |
+| **Relay** | `wss://snowflake.torproject.net/` |
+| **STUN** | Google + BlackBerry STUN servers |
+| **Capacity** | Unlimited concurrent clients |
+| **Summary interval** | 1 hour |
+| **Metrics port** | 9999 (Prometheus format) |
+
+## Resource Usage
+
+Based on community reports, a Snowflake proxy typically uses:
+
+- **Bandwidth:** ~5-10 GB/day (varies with client demand)
+- **Memory:** Under 100 MB
+- **CPU:** Negligible
+
+## Legal Considerations
+
+Running a Snowflake proxy carries very low legal risk in the US:
+
+- Traffic does not exit from the proxy's IP (exit nodes are elsewhere)
+- Content is not visible to the proxy operator (end-to-end encrypted)
+- No known legal cases against Snowflake proxy operators worldwide
+- EFF and Tor Project both classify this as minimal-risk activity
+- US intermediary protections (Section 230, ECPA) apply
+
+## Related
+
+- [[ringtail]] - Host machine
+- [[architecture]] - Overall system design

nixos/ringtail/configuration.nix

@@ -492,6 +492,32 @@ in
     unqualified-search-registries = ["registry.ops.eblu.me", "docker.io", "ghcr.io", "quay.io"]
   '';
 
+  # Tor Snowflake proxy (anti-censorship bridge, not an exit node)
+  systemd.services.snowflake-proxy = {
+    description = "Tor Snowflake Proxy";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.snowflake}/bin/proxy -metrics";
+      DynamicUser = true;
+      Restart = "always";
+      RestartSec = 10;
+      # Hardening
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      MemoryDenyWriteExecute = true;
+      MemoryMax = "512M";
+    };
+  };
+
   # Forgejo Actions runner (nix container builder)
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;

service-versions.yaml

@@ -257,6 +257,13 @@ services:
     upstream-source: https://code.forgejo.org/forgejo/runner/releases
     notes: Forgejo runner on ringtail via nixpkgs; version tracks flake.lock
 
+  - name: snowflake-proxy
+    type: nixos
+    last-reviewed: 2026-03-24
+    current-version: "2.11.0"
+    upstream-source: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases
+    notes: Tor Snowflake proxy on ringtail; anti-censorship bridge, not an exit node
+
   - name: mealie
     type: argocd
     last-reviewed: 2026-03-16