yggdrasil inside podman
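---
# defaults file for yggdrasil
#
# Every value here is rendered into /etc/yggdrasil.conf by yggdrasil.conf.j2
# and can be overridden per host or group in the inventory.

# Admin socket that yggdrasilctl talks to (rendered as AdminListen).
yggdrasil_admin_listen_address: "unix:///var/run/yggdrasil.sock"

# Peer listener (rendered as Listen); "[::]" binds every interface over
# IPv4 and IPv6.
yggdrasil_config_listen_address: "tcp://[::]:46727"

# Session firewall switch (rendered as SessionFirewall.Enable). Written as
# a real boolean: `yes` is a YAML 1.1-only truthy spelling that yamllint
# rejects and that YAML 1.2 loaders read as the string "yes".
yggdrasil_sessionfirewall_on: true

# NodeInfo map published to the whole network on request; leave it empty
# unless the data is meant to be public.
yggdrasil_node_info: {}

# Static peers; only entries that define `listen_uri` are rendered.
yggdrasil_peers:
  - name: "Malha São Paulo"
    listen_uri: "tcp://45.231.133.188:58301"
  - name: "Malha São Paulo IPv6"
    listen_uri: "tcp://[2804:49fc::ffff:ffff:5b5:e8be]:58301"

# Public keys whose traffic is always accepted regardless of the
# direct/remote rules; only entries that define `public_key` are rendered.
# Quoted so an all-digit key can never be parsed as an integer.
yggdrasil_whitelist_peers:
  - name: "Yan's MacBook"
    public_key: "d61bfd196889a8e519522b08d83a8ada40ef5f57274fd6bc3e24955a97c72321"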
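---
# tasks file for yggdrasil
#
# Installs the podman wrapper scripts, renders /etc/yggdrasil.conf from the
# role defaults on first run, installs the systemd unit, runs the post-install
# script and finally makes sure the service is enabled and running. Every
# task that touches the host runs as root (become).

- name: add yggdrasil scripts
  become: true
  copy:
    dest: "/usr/bin/{{ item }}"
    src: "{{ item }}"
    # Quoted so the mode means the same under YAML 1.1 (octal) and YAML 1.2
    # (decimal) loaders; Ansible accepts the string form as octal.
    mode: "0755"
  loop:
    - yggdrasil-podman
    - yggdrasil-post

# Both names resolve to the same wrapper; it picks the entrypoint from $0.
- name: create yggdrasil symlinks
  become: true
  file:
    src: /usr/bin/yggdrasil-podman
    dest: "/usr/bin/{{ item }}"
    state: link
  loop:
    - yggdrasil
    - yggdrasilctl

# TODO: implement updating existing config files
- name: check if yggdrasil config exists
  become: true
  stat:
    path: /etc/yggdrasil.conf
  register: this

- name: add yggdrasil config
  become: true
  template:
    dest: /etc/yggdrasil.conf
    src: yggdrasil.conf.j2
    # yggdrasil-post rewrites this file in place with the daemon's normalised
    # config, which presumably includes the node's key material, so keep it
    # readable by root only.
    mode: "0600"
  when: not this.stat.exists

# Installed before the post-install script because that script runs
# `systemctl daemon-reload/enable/start` itself (errors swallowed), which
# is only meaningful once the unit file exists.
- name: add yggdrasil service
  become: true
  copy:
    dest: /etc/systemd/system/yggdrasil.service
    src: yggdrasil.service

# Not idempotent: the script backs up and rewrites /etc/yggdrasil.conf on
# every run, so it always reports changed.
- name: run yggdrasil post-install
  become: true
  command: "bash /usr/bin/yggdrasil-post"

- name: ensure yggdrasil service is enabled
  become: true
  systemd:
    name: yggdrasil.service
    # Pick up the unit file copied above; a freshly copied unit is unknown
    # to systemd until daemon-reload has run.
    daemon_reload: true
    state: started
    enabled: true
    masked: false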
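#!/bin/sh
#
# Run yggdrasil in a container
#
# This script will attempt to mirror the host paths by using volumes for the
# following paths:
# * /etc
# * /var/run
#
# You can add additional volumes (or any docker run options) using
# the $DOCKER_RUN_OPTIONS or $VOLUMES environment variables.
#
# Invoked as "yggdrasil" or "yggdrasilctl" (symlinks to this file); the
# basename selects the container entrypoint and every argument is passed
# through unchanged.
#
set -e

# Image tag; override with VERSION=<tag>. "latest" is a mutable tag, so a
# production host should pin a release tag here.
VERSION="${VERSION:-latest}"
IMAGE="yangm97/yggdrasil-go:$VERSION"

# Setup volume mounts for yggdrasil config/runtime.
# NOTE(review): /etc is mounted read-write, so the container can alter any
# host config file; the daemon only needs to read /etc/yggdrasil.conf.
VOLUMES="$VOLUMES -v /etc:/etc"
VOLUMES="$VOLUMES -v /var/run:/var/run"
# if [ "$(pwd)" != '/' ]; then
# VOLUMES="$VOLUMES -v $(pwd):$(pwd)"
# fi

DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --rm"
# TUN device plus NET_ADMIN in the host network namespace: the container
# creates its interface directly on the host.
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --device=/dev/net/tun"
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --net=host"
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --cap-add=NET_ADMIN"
# Unique name per invocation. The timestamp alone is second-granular, so two
# yggdrasilctl calls in the same second would collide; add the PID.
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --name=yggdrasil.$(date +%s).$$"

# Always set -i to support piped and terminal input in run/exec
DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --interactive"
# Only allocate tty if we detect one (two tests: -a inside [ ] is
# obsolescent in POSIX).
if [ -t 0 ] && [ -t 1 ]; then
  DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --tty"
fi

# yggdrasil or yggdrasilctl
if [ "${0##*/}" = "yggdrasilctl" ]; then
  DOCKER_RUN_OPTIONS="$DOCKER_RUN_OPTIONS --entrypoint=/yggdrasilctl"
fi

# Deliberately unquoted: $DOCKER_RUN_OPTIONS and $VOLUMES are
# space-separated option lists that must word-split.
exec podman run $DOCKER_RUN_OPTIONS $VOLUMES $IMAGE "$@"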
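#!/bin/sh
#
# Post-install for yggdrasil: if /etc/yggdrasil.conf already exists, back it
# up and rewrite it normalised; otherwise generate a fresh one.
#
# /usr/bin/yggdrasil is the podman wrapper, so both yggdrasil invocations
# run inside the container with the host /etc mounted.
#
set -e
CONF=/etc/yggdrasil.conf
BACKUP_DIR=/var/backups
BACKUP="$BACKUP_DIR/yggdrasil.conf.$(date +%Y%m%d)"

# A generated yggdrasil config normally holds the node's private keys, so
# every file written below (backup and config) is created owner-only.
umask 077
# Never leave a half-written temp file behind.
trap 'rm -f "$CONF.tmp"' EXIT

if [ -f "$CONF" ]; then
  # Explicit mode so the backup directory keeps its conventional 0755
  # despite the restrictive umask above.
  mkdir -p -m 0755 "$BACKUP_DIR"
  echo "Backing up configuration file to $BACKUP"
  cp "$CONF" "$BACKUP"
  echo "Normalising and updating $CONF"
  # Write to a temp file first: a plain `> $CONF` truncates the config before
  # yggdrasil runs, leaving it empty if normalisation fails.
  /usr/bin/yggdrasil -useconf -normaliseconf < "$BACKUP" > "$CONF.tmp"
  mv "$CONF.tmp" "$CONF"
  # mv keeps the temp file's 0600; chmod covers a pre-existing looser mode
  # on hosts where the config was created by other means.
  chmod 600 "$CONF"
  if command -v systemctl >/dev/null; then
    systemctl daemon-reload >/dev/null || true
    systemctl enable yggdrasil || true
    systemctl start yggdrasil || true
  fi
  exit 0
fi

echo "Generating initial configuration file $CONF"
echo "Please familiarise yourself with this file before starting Yggdrasil"
/usr/bin/yggdrasil -genconf > "$CONF.tmp"
mv "$CONF.tmp" "$CONF"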
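{
  # Listen address for peer connections. Default is to listen for all
  # TCP connections over IPv4 and IPv6 with a random port.
  Listen: "{{ yggdrasil_config_listen_address }}"

  # Listen address for admin connections. Default is to listen for local
  # connections either on TCP/9001 or a UNIX socket depending on your
  # platform. Use this value for yggdrasilctl -endpoint=X. To disable
  # the admin socket, use the value "none" instead.
  AdminListen: "{{ yggdrasil_admin_listen_address }}"

  # List of connection strings for static peers in URI format, e.g.
  # tcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j.
  # Entries without a listen_uri are skipped by the loop filter.
  Peers: [
{% for peer in yggdrasil_peers if peer.listen_uri is defined %}
    "{{ peer.listen_uri }}",
{% endfor %}
  ]

  # Local network interface name for TUN/TAP adapter, or "auto" to select
  # an interface automatically, or "none" to run without TUN/TAP.
  # Overridable through yggdrasil_ifname; the default is the previous fixed
  # value.
  IfName: "{{ yggdrasil_ifname | default('ygg0') }}"

  # Maximum Transmission Unit (MTU) size for your local TUN/TAP interface.
  # Default is the largest supported size for your platform. The lowest
  # possible value is 1280.
  # Overridable through yggdrasil_ifmtu; the default is the previous fixed
  # value.
  IfMTU: {{ yggdrasil_ifmtu | default(65535) }}

  # The session firewall controls who can send/receive network traffic
  # to/from. This is useful if you want to protect this node without
  # resorting to using a real firewall. This does not affect traffic
  # being routed via this node to somewhere else. Rules are prioritised as
  # follows: blacklist, whitelist, always allow outgoing, direct, remote.
  SessionFirewall:
  {
    # Enable or disable the session firewall. If disabled, network traffic
    # from any node will be allowed. If enabled, the below rules apply.
    # `bool` so a string value such as "false" is not treated as truthy
    # (a bare Jinja `if` would be); `tojson` renders a lowercase boolean.
    Enable: {{ yggdrasil_sessionfirewall_on | bool | tojson }}

    # Allow network traffic from directly connected peers.
    AllowFromDirect: true

    # Allow network traffic from remote nodes on the network that you are
    # not directly peered with.
    AllowFromRemote: false

    # Allow outbound network traffic regardless of AllowFromDirect or
    # AllowFromRemote. This does allow a remote node to send unsolicited
    # traffic back to you for the length of the session.
    AlwaysAllowOutbound: true

    # List of public keys from which network traffic is always accepted,
    # regardless of AllowFromDirect or AllowFromRemote.
    # Entries without a public_key are skipped by the loop filter.
    WhitelistEncryptionPublicKeys:
    [
{% for peer in yggdrasil_whitelist_peers if peer.public_key is defined %}
      "{{ peer.public_key }}",
{% endfor %}
    ]

    # List of public keys from which network traffic is always rejected,
    # regardless of the whitelist, AllowFromDirect or AllowFromRemote.
    BlacklistEncryptionPublicKeys: []
  }

  # Optional node info. This must be a { "key": "value", ... } map
  # or set as null. This is entirely optional but, if set, is visible
  # to the whole network on request.
  NodeInfo: {{ yggdrasil_node_info | tojson }}

  # NOTE(review): this template carries no key material; whether the
  # post-install normalise step persists generated keys into the rendered
  # file is not visible from this role — confirm the node keeps a stable
  # identity across restarts and re-templating.
}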
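# yggdrasil.service — copied to /etc/systemd/system by the Ansible role.
[Unit]
Description=yggdrasil
# The rendered config lists static peers, which can only be reached once
# the network is up: Wants= pulls the target in, After= orders behind it.
Wants=network-online.target
After=network-online.target

[Service]
# /usr/bin/yggdrasil is the podman wrapper (symlink to yggdrasil-podman);
# it execs `podman run` in the foreground, so this unit tracks the
# container's lifetime directly.
ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
# The wrapper passes --rm and a fresh container name on every start, so a
# restart always launches a clean container.
Restart=always
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target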