diff --git a/docs/changelog.d/deploy-snowflake-proxy.feature.md b/docs/changelog.d/deploy-snowflake-proxy.feature.md new file mode 100644 index 0000000..e34af2b --- /dev/null +++ b/docs/changelog.d/deploy-snowflake-proxy.feature.md @@ -0,0 +1 @@ +Add Tor Snowflake proxy on ringtail as a systemd service to support anti-censorship efforts. diff --git a/docs/reference/infrastructure/ringtail.md b/docs/reference/infrastructure/ringtail.md index 95d6ee2..d5bbd91 100644 --- a/docs/reference/infrastructure/ringtail.md +++ b/docs/reference/infrastructure/ringtail.md @@ -86,6 +86,15 @@ argocd cluster add default --name k3s-ringtail ## Systemd Services +### Snowflake Proxy + +A Tor [[snowflake-proxy]] that helps censored users reach the Tor network. Runs as a simple systemd service using the `snowflake` nixpkgs package. The proxy is not a Tor exit node — it only bridges encrypted WebRTC connections to Tor relays. + +| Property | Value | +|----------|-------| +| **Service unit** | `snowflake-proxy.service` | +| **Metrics** | `localhost:9999/metrics` (Prometheus) | + ### Forgejo Actions Runner A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix-build` and pushes them to Zot via `skopeo`. diff --git a/docs/reference/services/snowflake-proxy.md b/docs/reference/services/snowflake-proxy.md new file mode 100644 index 0000000..2322c5f --- /dev/null +++ b/docs/reference/services/snowflake-proxy.md @@ -0,0 +1,74 @@ +--- +title: Snowflake Proxy +modified: 2026-03-24 +tags: + - service + - privacy + - anti-censorship +--- + +# Snowflake Proxy + +Tor Snowflake proxy that helps censored users reach the Tor network. Runs as a native systemd service on [[ringtail]]. + +## Quick Reference + +| Property | Value | +|----------|-------| +| **Host** | ringtail | +| **Type** | NixOS systemd service | +| **Package** | `pkgs.snowflake` (nixpkgs) | +| **Binary** | `proxy` | +| **Upstream** | https://snowflake.torproject.org/ | +| **Source** | https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake | +| **Metrics** | `localhost:9999/metrics` (Prometheus) | + +## Architecture + +Snowflake is a pluggable transport for Tor that uses WebRTC to provide short-lived proxies. The proxy: + +1. Polls the Tor broker for censored clients needing a bridge +2. Establishes a WebRTC connection with the client +3. Forwards the encrypted traffic to a Tor bridge (relay) + +**This proxy is NOT a Tor exit node.** Traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted: WebRTC DTLS + Tor onion routing) and destination servers never see the proxy's IP. + +``` +Censored user ──[WebRTC/DTLS]──▶ THIS PROXY ──[encrypted]──▶ Tor bridge ──▶ Tor network ──▶ Exit node +``` + +## Configuration + +The service runs with default settings — no special configuration needed. Key defaults: + +| Setting | Value | +|---------|-------| +| **Broker** | `https://snowflake-broker.torproject.net/` | +| **Relay** | `wss://snowflake.torproject.net/` | +| **STUN** | Google + BlackBerry STUN servers | +| **Capacity** | Unlimited concurrent clients | +| **Summary interval** | 1 hour | +| **Metrics port** | 9999 (Prometheus format) | + +## Resource Usage + +Based on community reports, a Snowflake proxy typically uses: + +- **Bandwidth:** ~5-10 GB/day (varies with client demand) +- **Memory:** Under 100 MB +- **CPU:** Negligible + +## Legal Considerations + +Running a Snowflake proxy carries very low legal risk in the US: + +- Traffic does not exit from the proxy's IP (exit nodes are elsewhere) +- Content is not visible to the proxy operator (end-to-end encrypted) +- No known legal cases against Snowflake proxy operators worldwide +- EFF and Tor Project both classify this as minimal-risk activity +- US intermediary protections (Section 230, ECPA) apply + +## Related + +- [[ringtail]] - Host machine +- [[architecture]] - Overall system design diff --git a/nixos/ringtail/configuration.nix b/nixos/ringtail/configuration.nix index db682f6..c4b8919 100644 --- a/nixos/ringtail/configuration.nix +++ b/nixos/ringtail/configuration.nix @@ -492,6 +492,32 @@ in unqualified-search-registries = ["registry.ops.eblu.me", "docker.io", "ghcr.io", "quay.io"] ''; + # Tor Snowflake proxy (anti-censorship bridge, not an exit node) + systemd.services.snowflake-proxy = { + description = "Tor Snowflake Proxy"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.snowflake}/bin/proxy -metrics"; + DynamicUser = true; + Restart = "always"; + RestartSec = 10; + # Hardening + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + MemoryMax = "512M"; + }; + }; + # Forgejo Actions runner (nix container builder) services.gitea-actions-runner = { package = pkgs.forgejo-runner; diff --git a/service-versions.yaml b/service-versions.yaml index 321efe8..26c1d08 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -257,6 +257,13 @@ services: upstream-source: https://code.forgejo.org/forgejo/runner/releases notes: Forgejo runner on ringtail via nixpkgs; version tracks flake.lock + - name: snowflake-proxy + type: nixos + last-reviewed: 2026-03-24 + current-version: "2.11.0" + upstream-source: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases + notes: Tor Snowflake proxy on ringtail; anti-censorship bridge, not an exit node + - name: mealie type: argocd last-reviewed: 2026-03-16