setup tor bridge on vps

machines/NixOS-VPS/default.nix

@@ -8,6 +8,7 @@
     ./network.nix
     ./nix.nix
     ./services/dns.nix
+    ./services/tor-bridge.nix
     ./services/wireguard.nix
     ./services/xtls.nix
 

machines/NixOS-VPS/network.nix

@@ -11,7 +11,6 @@ in {
     nftables.enable = true;
     domain = "wg.ataraxiadev.com";
   };
-  # enp0s18
   systemd.network = with interfaces.main'; {
     enable = true;
     wait-online.ignoredInterfaces = [ "lo" ];

machines/NixOS-VPS/services/tor-bridge.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (import ./hardware/networks.nix) interfaces;
+  bridgeName = interfaces.main'.bridgeName;
+  obfs4Port = 18371;
+in {
+  networking.firewall.interfaces.${bridgeName} = {
+    allowedTCPPorts = [ obfs4Port ];
+  };
+
+  # We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
+  # Fingerprint can be obtained from tor.service logs
+  services.tor = {
+    enable = true;
+    enableGeoIP = true;
+    client.enable = false;
+    relay.enable = true;
+    relay.role = "private-bridge";
+    settings = {
+      BridgeDistribution = "none";
+      BridgeRelay = true;
+      ContactInfo = "admin@ataraxiadev.com";
+      ORPort = [ 17429 ];
+      ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
+      Nickname = "Ataraxia";
+    };
+  };
+
+  services.networkd-dispatcher = {
+    enable = true;
+    rules."restart-tor" = {
+      onState = [ "routable" "off" ];
+      script = ''
+        #!${pkgs.runtimeShell}
+        if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
+          echo "Restarting Tor ..."
+          systemctl restart tor
+        fi
+        exit 0
+      '';
+    };
+  };
+}