diff --git a/setup.yml b/setup.yml
index 20b7114..dfb1a7a 100644
--- a/setup.yml
+++ b/setup.yml
@@ -56,21 +56,25 @@
 src: dn42-roa.service
 dest: /etc/systemd/system/dn42-roa.service
 mode: '0644'
+ when: ansible_service_mgr == 'systemd'
 - name: Add dn42-roa.timer
 ansible.builtin.copy:
 src: dn42-roa.timer
 dest: /etc/systemd/system/dn42-roa.timer
 mode: '0644'
+ when: ansible_service_mgr == 'systemd'
 - name: Enable+start dn42-roa.timer
 ansible.builtin.systemd_service:
 name: dn42-roa.timer
 enabled: true
 state: started
+ when: ansible_service_mgr == 'systemd'
 - name: Start dn42-roa.service, but ignore failures
 ansible.builtin.systemd_service:
 name: dn42-roa.service
 state: started
 ignore_errors: true
+ when: ansible_service_mgr == 'systemd'
 - name: Reload bird
 ansible.builtin.systemd_service:
 name: bird.service
diff --git a/yggdrasil.yml b/yggdrasil.yml
new file mode 100644
index 0000000..095940d
--- /dev/null
+++ b/yggdrasil.yml
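Review bot: The `Reload bird` task at the bottom of the hunk is also an `ansible.builtin.systemd_service` call but gets no `when: ansible_service_mgr == 'systemd'` guard like the four tasks above it; its body continues past the end of the hunk, so the guard may be there, but if it is not, the play still fails on non-systemd hosts at that task. Since every dn42-roa task now carries the identical condition, wrapping them in one `block:` with a single `when: ansible_service_mgr == 'systemd'` keeps the guard in one place and makes this kind of omission impossible. Adding the guard to the copy tasks as well as the service tasks is the right call, because the unit files under /etc/systemd/system are meaningless without systemd.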
@@ -0,0 +1,50 @@
+- hosts: routers
+ remote_user: root
+ tasks:
+ - name: fetch gpg key locally
+ ansible.builtin.command: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
+ delegate_to: 127.0.0.1
+ run_once: true
+ - name: export gpg key
+ ansible.builtin.command: gpg --output yggdrasil/yggdrasil-keyring.gpg --export BC1BF63BD10B8F1A
+ delegate_to: 127.0.0.1
+ run_once: true
+ - name: See if it's possible to run yggdrasil
+ ansible.builtin.stat:
+ path: /dev/net/tun
+ register: can_use_tun
+ - name: Create /usr/local/apt-keys on debian hosts
+ ansible.builtin.file:
+ path: /usr/local/apt-keys
+ state: directory
+ mode: '0755'
+ when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+ - name: add dirmngr on debian hosts
+ ansible.builtin.apt:
+ name: dirmngr
+ state: latest
+ when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+ - name: Copy gpg keyring to debian hosts
+ ansible.builtin.copy:
+ src: yggdrasil/yggdrasil-keyring.gpg
+ dest: /usr/local/apt-keys/yggdrasil-keyring.gpg
+ mode: '0644'
+ when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+ - name: Copy yggdrasil sources list list to debian hosts
+ ansible.builtin.copy:
+ src: yggdrasil/debian-list.txt
+ dest: /etc/apt/sources.list.d/yggdrasil.list
+ mode: '0644'
+ when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
+ - name: add yggdrasil on arch systems
+ ansible.builtin.pacman:
+ name: yggdrasil
+ state: present
+ when: ansible_distribution == 'Archlinux' and can_use_tun.stat.exists == True
+ - name: add yggdrasil on debian systems
+ ansible.builtin.apt:
+ update_cache: yes
+ cache_valid_time: 1
+ name: yggdrasil
+ state: present
+ when: ansible_distribution == 'Debian' and can_use_tun.stat.exists == True
diff --git a/yggdrasil/debian-list.txt b/yggdrasil/debian-list.txt
new file mode 100644
index 0000000..4325ef1
--- /dev/null
+++ b/yggdrasil/debian-list.txt
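Review bot: The apt trust root for the Debian repository is rebuilt on every run by `gpg --fetch-keys` over the network followed by `gpg --output yggdrasil/yggdrasil-keyring.gpg --export BC1BF63BD10B8F1A`, which selects by a 64-bit long key ID and never compares the fetched key against an expected fingerprint, so whatever the fetch returns (or whatever already matches that ID in the controller's keyring) becomes the `signed-by` keyring on every router and silently overwrites the `yggdrasil/yggdrasil-keyring.gpg` committed in this same commit. Either drop the two fetch/export tasks and ship only the committed keyring (reviewed once, diffable, no network dependency at deploy time), or keep them but pass the full 40-hex fingerprint to `--export` and add a task that fails unless `gpg --fingerprint` on the controller reports the expected value. Both `command` tasks also report `changed` on every run, so `changed_when: false` would keep the play idempotent. Style: `can_use_tun.stat.exists == True`, repeated in six `when:` lines, is just `can_use_tun.stat.exists` and belongs on one `block:`; `update_cache: yes` should be `true`; and `state: latest` for `dirmngr` makes the play non-deterministic across runs where `present` is enough.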
@@ -0,0 +1 @@
+deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil
diff --git a/yggdrasil/yggdrasil-keyring.gpg b/yggdrasil/yggdrasil-keyring.gpg
new file mode 100644
index 0000000..89e8219
Binary files /dev/null and b/yggdrasil/yggdrasil-keyring.gpg differ
diff --git a/zerotier.yml b/zerotier.yml
new file mode 100644
index 0000000..21bac16
--- /dev/null
+++ b/zerotier.yml
@@ -0,0 +1,13 @@
+- name: Configure zerotier on routers
+ hosts: routers
+ remote_user: root
+ tasks:
+ - name: copy zerotier .network file
+ ansible.builtin.template:
+ src: ztwfugvwdo.network.tmpl
+ dest: /etc/systemd/network/ztwfugvwdo.network
+ mode: '0644'
+ when: ansible_service_mgr == 'systemd'
+ - name: reload systemd-networkd
+ command: networkctl reload
+ when: ansible_service_mgr == 'systemd'
diff --git a/ztwfugvwdo.network.tmpl b/ztwfugvwdo.network.tmpl
new file mode 100644
index 0000000..b16c658
--- /dev/null
+++ b/ztwfugvwdo.network.tmpl
@@ -0,0 +1,14 @@
+[Match]
+Name=ztwfugvwdo
+
+[Network]
+DHCP=false
+IPv6AcceptRA=false
+IPv4Forwarding=true
+IPv6Forwarding=true
+LLDP=true
+EmitLLDP=customer-bridge
+LinkLocalAddressing=false
+
+[Address]
+Address={{ llv6 }}/64
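Review bot: The repository URL is plain `http://` although the same host and `/deb/` path prefix already serve the signing key over `https://` in yggdrasil.yml, so `deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil` should work unchanged. `signed-by` already gives apt signature verification, so package integrity does not rest on the transport; https only stops observers on the path from seeing which indexes and packages each router fetches. Scoping the key to this single repository with `signed-by` rather than a global trusted keyring is the right choice and should stay.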
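Review bot: The `reload systemd-networkd` task runs `networkctl reload` on every play and always reports `changed`, even when the template task wrote nothing; make the template task `notify` a handler so the reload happens only after the file actually changed and the play stays idempotent. The reload task also uses bare `command:` while every other task in this commit uses the FQCN `ansible.builtin.command`; keep it consistent. Because the handler is notified only by the guarded template task, it needs no `when:` of its own.

```yaml
      # … unchanged: template src/dest/mode …
      when: ansible_service_mgr == 'systemd'
      notify: reload systemd-networkd
  handlers:
    - name: reload systemd-networkd
      ansible.builtin.command: networkctl reload
```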
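Review bot: `IPv4Forwarding=` and `IPv6Forwarding=` in `[Network]` are, as far as I recall, understood only by systemd-networkd v256 and newer; an older networkd logs the unknown keys and ignores them, so a router on an older release would bring this interface up without forwarding and nothing in the play would notice. If any router runs an older systemd, the older `IPForward=` setting (or a sysctl managed elsewhere) is needed as well, and a comment at the top of the template naming the minimum networkd version would save the next reader a trip to the docs, e.g. `# IPv4Forwarding=/IPv6Forwarding= need systemd-networkd >= <minimum version — confirm>`. `LLDP=true` together with `EmitLLDP=customer-bridge` both receives and transmits LLDP on the ZeroTier interface, which advertises this host to every member of that virtual network; a comment confirming that is intended would help, since membership of the network is managed outside this repo.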