Tor-Snowflake on NixOS

Snowflake is a tool that helps users circumvent censorship when Tor is blocked.

Running a snowflake proxy on NixOS is simple. It is already packaged and just needs to be setup as a service.

I decided to wrap it in a container as well – because I can and NixOS makes it incredibly simple.

Here's a section that you can just paste into your configuration.nix:

  containers.snowflake = {
    autoStart = true;
    ephemeral = true;
    config = { = {
        wantedBy = [ "" ];
        serviceConfig = {
          IPAccounting = "yes";
          ExecStart = "${pkgs.snowflake}/bin/proxy";
          DynamicUser = "yes";
          # Read-only filesystem
          ProtectSystem = "strict";
          PrivateDevices = "yes";
          ProtectKernelTunables = "yes";
          ProtectControlGroups = "yes";
          ProtectHome = "yes";
          # Deny access to as many things as possible
          NoNewPrivileges = "yes";
          PrivateUsers = "yes";
          LockPersonality = "yes";
          MemoryDenyWriteExecute = "yes";
          ProtectClock = "yes";
          ProtectHostname = "yes";
          ProtectKernelLogs = "yes";
          ProtectKernelModules = "yes";
          RestrictAddressFamilies = "AF_INET AF_INET6";
          RestrictNamespaces = "yes";
          RestrictRealtime = "yes";
          RestrictSUIDSGID = "yes";
          SystemCallArchitectures = "native";
          SystemCallFilter = "~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged @resources";
          CapabilityBoundingSet = "";
          ProtectProc = "invisible";
          ProcSubset = "pid";

You can get the snowflake logs with this command: machinectl shell snowflake $(which journalctl) -fu snowflake

Keep in mind that running the snowflake proxy causes some traffic, so this may be unsuitable for some metered connections. I had it running for nearly a day and saw roughly 5 GB of data logged by systemd in systemctl status container@snowflake.service, but your mileage may vary.

If you don't want the container overhead, you can just drop the contents of containers.snowflake.config into your configuration.nix, but I prefer the extra layer of isolation.