From 7c9d7ce9a36afa89d2e4d93bdb2ab44353ca100d Mon Sep 17 00:00:00 2001
From: 9pfs <9pfs@amcforum.wiki>
Date: Sat, 21 Dec 2024 22:41:16 -0800
Subject: [PATCH] Add zerotier and yggdrasil

---
 setup.yml                       |   4 +++
 yggdrasil.yml                   |  50 ++++++++++++++++++++++++++++++++
 yggdrasil/debian-list.txt       |   1 +
 yggdrasil/yggdrasil-keyring.gpg | Bin 0 -> 2729 bytes
 zerotier.yml                    |  13 +++++++++
 ztwfugvwdo.network.tmpl         |  14 +++++++++
 6 files changed, 82 insertions(+)
 create mode 100644 yggdrasil.yml
 create mode 100644 yggdrasil/debian-list.txt
 create mode 100644 yggdrasil/yggdrasil-keyring.gpg
 create mode 100644 zerotier.yml
 create mode 100644 ztwfugvwdo.network.tmpl

diff --git a/setup.yml b/setup.yml
index 20b7114..dfb1a7a 100644
--- a/setup.yml
+++ b/setup.yml
@@ -56,21 +56,25 @@
         src: dn42-roa.service
         dest: /etc/systemd/system/dn42-roa.service
         mode: '0644'
+      when: ansible_service_mgr == 'systemd'
     - name: Add dn42-roa.timer
       ansible.builtin.copy:
         src: dn42-roa.timer
         dest: /etc/systemd/system/dn42-roa.timer
         mode: '0644'
+      when: ansible_service_mgr == 'systemd'
     - name: Enable+start dn42-roa.timer
       ansible.builtin.systemd_service:
         name: dn42-roa.timer
         enabled: true
         state: started
+      when: ansible_service_mgr == 'systemd'
     - name: Start dn42-roa.service, but ignore failures
       ansible.builtin.systemd_service:
         name: dn42-roa.service
         state: started
       ignore_errors: true
+      when: ansible_service_mgr == 'systemd'
     - name: Reload bird
       ansible.builtin.systemd_service:
         name: bird.service
diff --git a/yggdrasil.yml b/yggdrasil.yml
new file mode 100644
index 0000000..095940d
--- /dev/null
+++ b/yggdrasil.yml
@@ -0,0 +1,50 @@
+- hosts: routers
+  remote_user: root
+  tasks:
+    - name: fetch gpg key locally
+      ansible.builtin.command: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
+      delegate_to: 127.0.0.1
+      run_once: true
+    - name: export gpg key
+      ansible.builtin.command: gpg --output yggdrasil/yggdrasil-keyring.gpg --export BC1BF63BD10B8F1A
+      delegate_to: 127.0.0.1
+      run_once: true
+    - name: See if it's possible to run yggdrasil
+      ansible.builtin.stat:
+        path: /dev/net/tun
+      register: can_use_tun
+    - name: Create /usr/local/apt-keys on debian hosts
+      ansible.builtin.file:
+        path: /usr/local/apt-keys
+        state: directory
+        mode: '0755'
+      when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+    - name: add dirmngr on debian hosts
+      ansible.builtin.apt:
+        name: dirmngr
+        state: latest
+      when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+    - name: Copy gpg keyring to debian hosts
+      ansible.builtin.copy:
+        src: yggdrasil/yggdrasil-keyring.gpg
+        dest: /usr/local/apt-keys/yggdrasil-keyring.gpg
+        mode: '0644'
+      when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+    - name: Copy yggdrasil sources list list to debian hosts
+      ansible.builtin.copy:
+        src: yggdrasil/debian-list.txt
+        dest: /etc/apt/sources.list.d/yggdrasil.list
+        mode: '0644'
+      when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+    - name: add yggdrasil on arch systems
+      ansible.builtin.pacman:
+        name: yggdrasil
+        state: present
+      when: ansible_distribution == 'Archlinux' and can_use_tun.stat.exists == True
+    - name: add yggdrasil on debian systems
+      ansible.builtin.apt:
+        update_cache: yes
+        cache_valid_time: 1
+        name: yggdrasil
+        state: present
+      when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
diff --git a/yggdrasil/debian-list.txt b/yggdrasil/debian-list.txt
new file mode 100644
index 0000000..4325ef1
--- /dev/null
+++ b/yggdrasil/debian-list.txt
@@ -0,0 +1 @@
+deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil
diff --git a/yggdrasil/yggdrasil-keyring.gpg b/yggdrasil/yggdrasil-keyring.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..89e82190ac21a686dfa29d2b69626957887c7109
GIT binary patch
literal 2729
zcmV;a3Rd-*0u2OOlnoaF5CGZAh`ZXsb7*1ArUB7U_2#riStl#Q+sF(oqUNz6qZ45S
zg9tjo*X3G;^Hg^}eDy9l(5hZGT$jtyb2$>E%P{Lmj1J<=2?5tp3vj?%Y4lqYqP_!r
zvu+83BK@VDnBy1gm;lxJz+iJ4mO(<n(UdW}Rb$2ZRv<CrH|-bqx?pHw98XI~K=z&v
zNlp;j2D-}j_w3N`pGNZmi|DtvKi>#FzK#7v8Y^_=#n-BjEt^cfL{ZER=!n=T<?j}{
z<A5Ftpk%3&!HoaWy<}GDP=Sc7WFFH0ih{Y~O~}5dW$5VTh)4se_4l{6MpHQt?p_;c
zp=<qejrj5R7=DpEh&gSg8**{gdCZ4;V*XRV+xBN+f8@lZ|91DebeuZ$U;N4jC_$Fn
zwWt!UyMJu;67f5IM~k>xk3`f?2;8MV>@bn}MYH`%eIhH{dlfxL?^-}^kSAKsDSI9(
z1-5vKV-`AB+gI=L+AyPVC%*HmJpaEi9<L6(Y<hfdVY1kW&bj6xfK*IQ({_>N7TV$6
z8t&ffhu`ZDSqwKJM(ldheD5!pSEHua#F(>6XGFsTmWq+>3?LB7070!1vpfKY-scqw
zYZQKL!5_}@z+;*F0t^UBcnB`zn-<R^7vualgCI@6uv;(TG}g`(Sz-GPmk)`UZzGpR
zt<(Macl{2d6@vf~0RREC3uI+tE@&-jV=iTNi2^tT69EDMA_W3klnoaG8v_Ol2?z%R
z0tOWb0tpHW1Qr4V0RkQY0vCV)3JDNcm`4hBOESs%e-Hm=O7)Z&$+42KPY2(|C}MHf
z=kK}!<h5kEKr7vQ6z>ZruLXEeTWlTX_NFX3$$#rQEk!eVbqwb|UHbk;0@og&*+AdJ
z{<uzh6ZTa0ap8;Z7^@#s>0y4+ds_0k#sfNabBe{th2T5pRM=In(AIGUlam3V2~y>N
zu}a*$u#K$hi1PHo?H2So$wx#nF>cQjGW-)7Ia06nIG6R$_P?0B^OVrb97X=XnCcIy
z*#`v;vDwXtpl<ygN9y3!gO4_w{k_cTsq0sG5to(HozmS_K_qrm$ml-nm(l19c3hD`
zW1js&SR0A^T-T6iVcJCjXqnswu``0LFX0WkCkn(`CcFQcdysABRrl!}U>LM?_Pv{e
z?*mzmOu9FoHHFRYo{R)>EVC6Pk&lTU>O^9jpGiJHRH%8!KDu{x`+ao~Oj>Ycnr|Y^
zY8DG4*Jjit5NA~ddoRt-cTFKNKKHQ1Ca{*oOey=b{E7C^uhGx15_kg2ER}9ak#gGp
zzQ}}fkj%zxV_62koKDO;v&Ie|RfSau!md~70<PAzX#`KgnF1@^*XvgtIJwh$0gCh2
z+4hPo;74xyk~)#4-oDl#imzme;3S99>$fsRzlW5mUh;L46Edii7&DlNgTg-LEvt>p
zn*Z#E-_8X?!F9?#Mw5bgV1*KR#KsdQ(_yE%0u2OOlnr+Q5CFlyjCtRoz=(SL6qIS)
z(B?<haJStxiFu}(3bzdI-D8&vJqb_-IoL<6T{xy>OV`a3+589RR@&K=U5V&=SqPyO
z$1{$}**!plKV{&~c|<J&;I}F|>K^h-X|*iZrsng6IK;EF^ln=VZ;=U$ACz}naT8ya
z8l>mMoOiYq+hlg{$Ee)@cDIQ(etr|Sc(Gl)4z&qqo^mL3IN1Id4RJO-nibA^RZ4W<
z**kM?k~w{u!#|dp_vu|nkBjtpujSN&OFDCXhh0PG{AM<vWad%{vpJs1Wbs<NF#prk
z%%)?~jiCOP>ZM!z(<ITh)(>Aw_MhoheU|2<0GEBC3~ucv!BJbLuvfPtNWKU*=pagd
z!dWtceANk^61v0=VHOa07jXA@^fgNHXHfhYFR{}DW9A%hR!x4jp0^ue7@U`ed%pli
zd*K5+e_>y^k-kt7hoJJaijs*bx+K68^gr-Db-h_uWj&z0Ck0`s&?|i!KI%`eXeo(a
z%3L;6_VeDpX*^4FmX<|pC1mykh%GHf6&4fjQluR&sullwWeDmxr12Rn_vR>?DXvOf
zmcIm3YUPmqQ@G=gJT%>T>+9}(2w}MK5ZitGVa)!Y>}q@tzRI@ij9sC{zR~S0b57sG
zBW4#W6iE*se%x&Gf-XkCirtLRr;}yvd!PYygW&)X0RRDs1U>{90RjLC1p-=>4R-<?
z0s<)s5LlQ;3U*5}$-!M91Q`JW00spDT9gfU0162Zyc_mA(F>0n+4T?pH8A!zm>|w!
z;eHr1SDY>q%lNj=8bb30eiz-!dDH;B!39fv^gS|c^Fb#dZTBJ_^3r_0vi?3U7!T}e
zi1nd&sHC-j0IM>VFhSZ-Uo2Yri;l>g6Uj1I?QV~U*==z_%yc4hLJmfFGLG0$<c~CJ
z?ET1>zx5X3eIAsggZrZMiL+PD8yUFq5ijlV=XHJ?5(jp6S!*Uyzh=7%9Yp{I%L4Sl
zxAb>Se;5;|fgcCD7IAU{@)9S3)IU}bNr4%IlLZa9B~ucR{&%Zp)&f>(Ur#YYZ%R{)
zehgQX;JOC3Xw&~xLOsEi-NhD*`v}}B*Np6PazRtZVIM%~8*56SF_)}@fjPa2{L=k;
z_f3>1XS9*ZQP6piN9MDD^l=e*jw&1(?vO=^YJ1f`g~0X&$XGf}aRQOvTjI#ndJO;k
zOl71ne>^0FhDQw>d&)_^@h6~B-Req6`YydzSr~H`u;h63yPD-~(T_(;o;Hr#@GN`V
zC<$=93MGW@Rwv}e7+3Qyb*Hr3Z~@&F*)(OvAWmoUEtN@K)#urG9kUPD;@kNDi;o9P
zz+osYHp{JhcLK`;V!nrKxW&eChaXA)bD+nTn0FTZ9K<*w@LPGEf~IjAH*-?#;ZcL0
zStJ@6?AY+CyeXcaQw>s?AjO|m>~4Mb3TXK_AtwS=lkX)C*wPRGTeL~rU6!bY>hiB4
z`glmrbs3s({fj=%zD>W#!B>EKZ-f@xK-&BK6WtBV6@29(#l2UZ@M+#hCZ=~jhz6_>
z#?OS<Db?(e_bmXZ?cKF}-NxSp?&W?f_&csD3>Lw-Ctz!Zh9hivbWXr4zjhn%3ifQ9
zV!<mqY1V=r5wqp9O;SAFlo5*gSso;?hc|&RIJXClq)Si5LDzjD7$=YCBWu8{P561l
z?q69{|3rIf*y?Kx-kdrwPikiiWu!;&YXC2Es>|Z02vT!E=)R`II?QNwrpx4iyiyrQ
z7X?;nxwH6B3Y7$oY=|ol4wODs)JU9VfWzG7=ojflxAbl|6ki|#+%JjXqY=a=DIjdy
z+%>?bUNHw|y0ZHs0Q)bz^7kGoWh||E@~b@`?GCp`^9b`#HOIaV5?<*Z&m$^fVD6zj
zem7EM=JLMcJGms$`k-)aS_KhJ7$gmC$n2D?Yh}n(^GpigIvV<(W;4_f>0s6KA_=vj
zEOsMV*een~RT%<HB1WUjb_r&#)QXTgM6aq?U0{V{hB8)~A|qkZuZ1h_^=8zDcF;;_
zC?N&7qBGxbU)ZC}shv8UOU0j62nQMpS++#2JXDPlwH27wWQJl^ir09JJqCs)B-@9~
jAlz{=W`E5*BB)(tKh~3BlknU@k`W+DpLUp_0Yi9~O7kdi

literal 0
HcmV?d00001

diff --git a/zerotier.yml b/zerotier.yml
new file mode 100644
index 0000000..21bac16
--- /dev/null
+++ b/zerotier.yml
@@ -0,0 +1,13 @@
+- name: Configure zerotier on routers
+  hosts: routers
+  remote_user: root
+  tasks:
+    - name: copy zerotier .network file
+      ansible.builtin.template:
+        src: ztwfugvwdo.network.tmpl
+        dest: /etc/systemd/network/ztwfugvwdo.network
+        mode: '0644'
+      when: ansible_service_mgr == 'systemd'
+    - name: reload systemd-networkd
+      command: networkctl reload
+      when: ansible_service_mgr == 'systemd'
diff --git a/ztwfugvwdo.network.tmpl b/ztwfugvwdo.network.tmpl
new file mode 100644
index 0000000..b16c658
--- /dev/null
+++ b/ztwfugvwdo.network.tmpl
@@ -0,0 +1,14 @@
+[Match]
+Name=ztwfugvwdo
+
+[Network]
+DHCP=false
+IPv6AcceptRA=false
+IPv4Forwarding=true
+IPv6Forwarding=true
+LLDP=true
+EmitLLDP=customer-bridge
+LinkLocalAddressing=false
+
+[Address]
+Address={{ llv6 }}/64