Deploy Tor Snowflake proxy on ringtail #311

Merged
eblume merged 3 commits from deploy-snowflake-proxy into main 2026-03-24 20:51:41 -07:00
Summary

  • Add Snowflake proxy as a native systemd service on ringtail (NixOS)
  • Uses pkgs.snowflake from nixpkgs (v2.11.0)
  • Hardened systemd unit with DynamicUser, ProtectSystem=strict, 512MB memory limit
  • Prometheus metrics enabled on localhost:9999

What is Snowflake?

A Tor pluggable transport that helps censored users reach the Tor network via WebRTC. This is NOT a Tor exit node — traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted) and destination servers never see the proxy's IP.

Changes

  • nixos/ringtail/configuration.nix — new systemd service definition
  • docs/reference/services/snowflake-proxy.md — service reference card
  • docs/reference/infrastructure/ringtail.md — updated systemd services section
  • service-versions.yaml — added entry (type: nixos)

Deploy plan

After review, deploy via mise run provision-ringtail. Service starts automatically.

Test plan

  • mise run provision-ringtail succeeds
  • ssh ringtail 'systemctl status snowflake-proxy' shows active
  • ssh ringtail 'journalctl -u snowflake-proxy --no-pager -n 20' shows broker connections
  • ssh ringtail 'curl -s localhost:9999/metrics' returns Prometheus metrics
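For reference, an added illustration of how the hardening the summary lists (DynamicUser, ProtectSystem=strict, 512MB memory limit, metrics on localhost:9999) and the geoip fix from the third commit fit together in a NixOS unit; this is not the PR's actual `nixos/ringtail/configuration.nix`. The `proxy` binary name, the `-metrics*`/`-geoip*` flag names and the `pkgs.tor.geoip` output paths are assumptions.

```nix
# Added illustration, not the PR's own configuration.nix.
# Assumptions: pkgs.snowflake ships the proxy as bin/proxy; the flag
# names below match snowflake v2.11.0; pkgs.tor exposes a "geoip"
# output with share/tor/geoip and share/tor/geoip6.
{ pkgs, ... }:
{
  systemd.services.snowflake-proxy = {
    description = "Tor Snowflake proxy (bridge helper, not an exit node)";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];

    serviceConfig = {
      ExecStart = ''
        ${pkgs.snowflake}/bin/proxy \
          -metrics -metrics-address 127.0.0.1 -metrics-port 9999 \
          -geoip-db ${pkgs.tor.geoip}/share/tor/geoip \
          -geoip6-db ${pkgs.tor.geoip}/share/tor/geoip6
      '';

      # Unprivileged, throwaway UID/GID allocated at start; nothing on
      # disk is owned by the service, so nothing persists if it is abused.
      DynamicUser = true;

      # Whole filesystem read-only except /dev, /proc, /sys; the proxy
      # keeps no state and needs no writable paths.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

      # Cap memory so a flood of WebRTC sessions degrades only the proxy,
      # not the host; systemd's OOM killer reaps it and Restart brings
      # it back.
      MemoryMax = "512M";
      Restart = "on-failure";
      RestartSec = "10s";
    };
  };

  # Metrics stay on loopback. If a remote scraper needs them (the second
  # commit rebinds to 0.0.0.0 for Alloy), restrict port 9999 at the
  # firewall to the scraper's source rather than opening it broadly.
  networking.firewall.allowedTCPPorts = [ ];
}
```

Once deployed, `systemd-analyze security snowflake-proxy` on ringtail scores the sandbox directives in effect and lists the ones still unset.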
Add snowflake-proxy as a native systemd service on ringtail to help
censored users reach the Tor network. This is a bridge proxy, not an
exit node — traffic exits through Tor exit nodes elsewhere.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bind metrics to 0.0.0.0 so Alloy can scrape from k8s, add HOST_IP
downward API env var to alloy-ringtail DaemonSet, and add a dashboard
with connection rate, traffic rate, country breakdown, and process memory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
NixOS doesn't have /usr/share/tor/geoip — point the proxy at
pkgs.tor.geoip derivation paths instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit b97e37543f into main 2026-03-24 20:51:41 -07:00
Reference
eblume/blumeops!311