yggdrasil inside podman
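---
# defaults file for yggdrasil
#
# These values are rendered into /etc/yggdrasil.conf by yggdrasil.conf.j2;
# the hjson key each one feeds is named in the comment.

# AdminListen: endpoint the admin socket is served on. yggdrasilctl connects
# here, so it must be reachable from where yggdrasilctl is run (the wrapper
# script mounts /var/run into the container for that reason).
yggdrasil_admin_listen_address: unix:///var/run/yggdrasil.sock

# Listen: peer listener. "[::]" binds every interface; the port is exposed
# directly on the host because the container runs with --net=host.
yggdrasil_config_listen_address: tcp://[::]:46727

# SessionFirewall.Enable. Booleans are written as true/false (YAML 1.2 style)
# rather than yes/no so they survive stricter YAML parsers and linters.
yggdrasil_sessionfirewall_on: true

# NodeInfo: optional key/value map; if set it is visible to the whole network
# on request, so keep anything sensitive out of it.
yggdrasil_node_info: {}

# Peers: static peers. Only entries with a listen_uri are rendered; name is
# documentation for humans.
yggdrasil_peers:
  - name: Malha São Paulo
    listen_uri: tcp://45.231.133.188:58301
  - name: Malha São Paulo IPv6
    listen_uri: tcp://[2804:49fc::ffff:ffff:5b5:e8be]:58301

# WhitelistEncryptionPublicKeys: nodes whose traffic the session firewall
# always accepts. Only entries with a public_key are rendered.
yggdrasil_whitelist_peers:
  - name: Yan's MacBook
    public_key: d61bfd196889a8e519522b08d83a8ada40ef5f57274fd6bc3e24955a97c72321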
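---
# tasks file for yggdrasil
#
# Order matters: the systemd unit is installed *before* the post-install
# script runs, because that script calls "systemctl enable/start yggdrasil"
# (best effort) and would silently do nothing on a fresh host if the unit
# were copied afterwards.

- name: add yggdrasil scripts
  become: true
  copy:
    dest: "/usr/bin/{{ item }}"
    src: "{{ item }}"
    # quoted: an unquoted 0755 is parsed by YAML 1.1 as an octal integer
    mode: "0755"
  loop:
    - yggdrasil-podman
    - yggdrasil-post

# Both names point at the same wrapper; it picks its entrypoint from $0.
- name: create yggdrasil symlinks
  become: true
  file:
    src: /usr/bin/yggdrasil-podman
    dest: "/usr/bin/{{ item }}"
    state: link
  loop:
    - yggdrasil
    - yggdrasilctl

# TODO: implement updating existing config files
- name: check if yggdrasil config exists
  stat:
    path: /etc/yggdrasil.conf
  register: yggdrasil_conf

- name: add yggdrasil config
  become: true
  template:
    dest: /etc/yggdrasil.conf
    src: yggdrasil.conf.j2
    # yggdrasil-post rewrites this file in normalised form, which includes
    # the node's private key material; keep it root-only from the start.
    mode: "0600"
  when: not yggdrasil_conf.stat.exists

- name: add yggdrasil service
  become: true
  copy:
    dest: /etc/systemd/system/yggdrasil.service
    src: yggdrasil.service

# Not idempotent by design: the script backs up and re-normalises the config
# on every run, so this task always reports "changed".
- name: run yggdrasil post-install
  become: true
  command: "bash /usr/bin/yggdrasil-post"

- name: ensure yggdrasil service is enabled
  become: true
  systemd:
    name: yggdrasil.service
    state: started
    enabled: true
    masked: false
    # the unit file was just copied; make sure systemd has re-read it
    daemon_reload: true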
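#!/bin/sh
#
# Run yggdrasil in a container
#
# Invoked as "yggdrasil" it starts the node; invoked as "yggdrasilctl" (via a
# symlink) it runs the admin client from the same image, see the $0 check
# below.
#
# This script will attempt to mirror the host paths by using volumes for the
# following paths:
# * /etc
# * /var/run
#
# You can add additional volumes (or any podman run options) using
# the $DOCKER_RUN_OPTIONS or $VOLUMES environment variables. Both are
# word-split on purpose, so individual values must not contain spaces.
#
# Privilege note: the container shares the host network namespace, gets
# NET_ADMIN and /dev/net/tun, and the whole host /etc is mounted read-write.
# yggdrasil itself only needs /etc/yggdrasil.conf; narrowing that mount (or
# adding :ro) is worth testing before running this on a shared host.
#
set -e

# "latest" is a mutable tag; pin a release tag (or an @sha256 digest) for
# reproducible deployments. Override with YGGDRASIL_VERSION.
VERSION="${YGGDRASIL_VERSION:-latest}"
IMAGE="yangm97/yggdrasil-go:$VERSION"

# Setup volume mounts for yggdrasil config/runtime
VOLUMES="$VOLUMES -v /etc:/etc"
VOLUMES="$VOLUMES -v /var/run:/var/run"
# if [ "$(pwd)" != '/' ]; then
#   VOLUMES="$VOLUMES -v $(pwd):$(pwd)"
# fi

DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --rm"
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --device=/dev/net/tun"
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --net=host"
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --cap-add=NET_ADMIN"
# The PID is appended so two invocations in the same second (the daemon plus a
# yggdrasilctl call, for instance) cannot collide on the container name.
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --name=yggdrasil.$(date +%s).$$"
# Always set -i to support piped and terminal input in run/exec
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --interactive"
# Only allocate tty if we detect one on both stdin and stdout
# ([ -a ] is deprecated; two tests joined with && are the portable form)
if [ -t 0 ] && [ -t 1 ]; then
  DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --tty"
fi
# yggdrasil or yggdrasilctl: chosen by the name this script was invoked as
if [ "${0##*/}" = "yggdrasilctl" ]; then
  DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --entrypoint=/yggdrasilctl"
fi

# $DOCKER_RUN_OPTIONS and $VOLUMES are intentionally unquoted: they are
# space-separated option lists (POSIX sh has no arrays). User arguments are
# passed through verbatim with "$@".
# shellcheck disable=SC2086
exec podman run $DOCKER_RUN_OPTIONS $VOLUMES "$IMAGE" "$@"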
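#!/bin/sh
#
# Post-install step for yggdrasil.
#
# If /etc/yggdrasil.conf exists: back it up under /var/backups, rewrite it in
# normalised form and (best effort) enable and start the systemd unit.
# Otherwise generate an initial configuration.
#
# Either way the new config is written to a temporary file first and moved
# into place only when yggdrasil succeeded, so a failing run (for example an
# image that cannot be pulled when /usr/bin/yggdrasil is the podman wrapper)
# never leaves a truncated /etc/yggdrasil.conf behind.
#
set -e

conf=/etc/yggdrasil.conf
backup="/var/backups/yggdrasil.conf.$(date +%Y%m%d)"
tmp=

# The normalised config carries the node's private key material, so every
# file created below (temp file, backup) is created readable by root only.
umask 077

# Remove a leftover temp file on any exit path (a no-op after a successful mv).
trap '[ -z "$tmp" ] || rm -f -- "$tmp"' EXIT

# write_conf CMD [ARG...]
#   Run CMD with stdout captured into a temp file next to $conf and replace
#   $conf with it. Under set -e a failing CMD aborts before the mv.
write_conf() {
  tmp=$(mktemp "$conf.XXXXXX")
  "$@" > "$tmp"
  mv -f -- "$tmp" "$conf"
}

if [ -f "$conf" ]; then
  # explicit mode: the umask above would otherwise create the directory 0700
  mkdir -p -m 0755 /var/backups
  echo "Backing up configuration file to $backup"
  cp -- "$conf" "$backup"
  echo "Normalising and updating $conf"
  write_conf /usr/bin/yggdrasil -useconf -normaliseconf < "$backup"
  if command -v systemctl >/dev/null; then
    # Best effort on purpose: on a fresh host the unit may not exist yet.
    systemctl daemon-reload >/dev/null || true
    systemctl enable yggdrasil || true
    systemctl start yggdrasil || true
  fi
  exit 0
fi

echo "Generating initial configuration file $conf"
echo "Please familiarise yourself with this file before starting Yggdrasil"
write_conf /usr/bin/yggdrasil -genconf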
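{# Rendered by Ansible into /etc/yggdrasil.conf (hjson). Every value taken
   from a variable goes through tojson so a quote or backslash in a variable
   cannot break out of the string it is written into. #}
{
  # Listen address for peer connections. Default is to listen for all
  # TCP connections over IPv4 and IPv6 with a random port.
  Listen: {{ yggdrasil_config_listen_address | tojson }}
  # Listen address for admin connections. Default is to listen for local
  # connections either on TCP/9001 or a UNIX socket depending on your
  # platform. Use this value for yggdrasilctl -endpoint=X. To disable
  # the admin socket, use the value "none" instead.
  AdminListen: {{ yggdrasil_admin_listen_address | tojson }}
  # List of connection strings for static peers in URI format, e.g.
  # tcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j.
  # Entries of yggdrasil_peers without a listen_uri are skipped.
  Peers: [
  {% for peer in yggdrasil_peers %}
  {% if peer.listen_uri is defined %}
    {{ peer.listen_uri | tojson }},
  {% endif %}
  {% endfor %}
  ]
  # Local network interface name for TUN/TAP adapter, or "auto" to select
  # an interface automatically, or "none" to run without TUN/TAP.
  IfName: ygg0
  # Maximum Transmission Unit (MTU) size for your local TUN/TAP interface.
  # Default is the largest supported size for your platform. The lowest
  # possible value is 1280.
  IfMTU: 65535
  # The session firewall controls who can send/receive network traffic
  # to/from. This is useful if you want to protect this node without
  # resorting to using a real firewall. This does not affect traffic
  # being routed via this node to somewhere else. Rules are prioritised as
  # follows: blacklist, whitelist, always allow outgoing, direct, remote.
  SessionFirewall:
  {
    # Enable or disable the session firewall. If disabled, network traffic
    # from any node will be allowed. If enabled, the below rules apply.
    # "| bool" accepts yes/no, true/false and strings; tojson emits true/false.
    Enable: {{ yggdrasil_sessionfirewall_on | bool | tojson }}
    # Allow network traffic from directly connected peers.
    AllowFromDirect: true
    # Allow network traffic from remote nodes on the network that you are
    # not directly peered with.
    AllowFromRemote: false
    # Allow outbound network traffic regardless of AllowFromDirect or
    # AllowFromRemote. This does allow a remote node to send unsolicited
    # traffic back to you for the length of the session.
    AlwaysAllowOutbound: true
    # List of public keys from which network traffic is always accepted,
    # regardless of AllowFromDirect or AllowFromRemote.
    # Entries of yggdrasil_whitelist_peers without a public_key are skipped.
    WhitelistEncryptionPublicKeys:
    [
    {% for peer in yggdrasil_whitelist_peers %}
    {% if peer.public_key is defined %}
      {{ peer.public_key | tojson }},
    {% endif %}
    {% endfor %}
    ]
    # List of public keys from which network traffic is always rejected,
    # regardless of the whitelist, AllowFromDirect or AllowFromRemote.
    BlacklistEncryptionPublicKeys: []
  }
  # Optional node info. This must be a { "key": "value", ... } map
  # or set as null. This is entirely optional but, if set, is visible
  # to the whole network on request.
  NodeInfo: {{ yggdrasil_node_info | tojson }}
}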
# systemd unit for yggdrasil running inside podman via /usr/bin/yggdrasil
# (the wrapper script execs "podman run" in the foreground, so this is a
# plain simple service from systemd's point of view).
# NOTE(review): there is no After=/Wants= on a network target; the peer
# listener and static peers presumably want the network up first — confirm.
[Unit]
Description=yggdrasil

[Service]
# No User= line: this runs as root, which the wrapper needs for --net=host,
# NET_ADMIN and /dev/net/tun.
ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
Restart=always
# Start timeout disabled; presumably so an image pull on first start does
# not count against the timeout — confirm.
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target