Erich Blume
b97e37543f
## Summary - Add Snowflake proxy as a native systemd service on ringtail (NixOS) - Uses `pkgs.snowflake` from nixpkgs (v2.11.0) - Hardened systemd unit with DynamicUser, ProtectSystem=strict, 512MB memory limit - Prometheus metrics enabled on localhost:9999 ## What is Snowflake? A Tor pluggable transport that helps censored users reach the Tor network via WebRTC. **This is NOT a Tor exit node** — traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted) and destination servers never see the proxy's IP. ## Changes - `nixos/ringtail/configuration.nix` — new systemd service definition - `docs/reference/services/snowflake-proxy.md` — service reference card - `docs/reference/infrastructure/ringtail.md` — updated systemd services section - `service-versions.yaml` — added entry (type: nixos) ## Deploy plan After review, deploy via `mise run provision-ringtail`. Service starts automatically. ## Test plan - [ ] `mise run provision-ringtail` succeeds - [ ] `ssh ringtail 'systemctl status snowflake-proxy'` shows active - [ ] `ssh ringtail 'journalctl -u snowflake-proxy --no-pager -n 20'` shows broker connections - [ ] `ssh ringtail 'curl -s localhost:9999/metrics'` returns Prometheus metrics Reviewed-on: #311
2.4 KiB
2.4 KiB
| title | modified | tags | |||
|---|---|---|---|---|---|
| Snowflake Proxy | 2026-03-24 |
|
Snowflake Proxy
Tor Snowflake proxy that helps censored users reach the Tor network. Runs as a native systemd service on ringtail.
Quick Reference
| Property | Value |
|---|---|
| Host | ringtail |
| Type | NixOS systemd service |
| Package | pkgs.snowflake (nixpkgs) |
| Binary | proxy |
| Upstream | https://snowflake.torproject.org/ |
| Source | https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake |
| Metrics | localhost:9999/metrics (Prometheus) |
Architecture
Snowflake is a pluggable transport for Tor that uses WebRTC to provide short-lived proxies. The proxy:
- Polls the Tor broker for censored clients needing a bridge
- Establishes a WebRTC connection with the client
- Forwards the encrypted traffic to a Tor bridge (relay)
This proxy is NOT a Tor exit node. Traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted: WebRTC DTLS + Tor onion routing) and destination servers never see the proxy's IP.
Censored user ──[WebRTC/DTLS]──▶ THIS PROXY ──[encrypted]──▶ Tor bridge ──▶ Tor network ──▶ Exit node
Configuration
The service runs with default settings — no special configuration needed. Key defaults:
| Setting | Value |
|---|---|
| Broker | https://snowflake-broker.torproject.net/ |
| Relay | wss://snowflake.torproject.net/ |
| STUN | Google + BlackBerry STUN servers |
| Capacity | Unlimited concurrent clients |
| Summary interval | 1 hour |
| Metrics port | 9999 (Prometheus format) |
Resource Usage
Based on community reports, a Snowflake proxy typically uses:
- Bandwidth: ~5-10 GB/day (varies with client demand)
- Memory: Under 100 MB
- CPU: Negligible
Legal Considerations
Running a Snowflake proxy carries very low legal risk in the US:
- Traffic does not exit from the proxy's IP (exit nodes are elsewhere)
- Content is not visible to the proxy operator (end-to-end encrypted)
- No known legal cases against Snowflake proxy operators worldwide
- EFF and Tor Project both classify this as minimal-risk activity
- US intermediary protections (Section 230, ECPA) apply
Related
- ringtail - Host machine
- architecture - Overall system design