diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 35b59e3..29aae0f 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -5,6 +5,15 @@
 ansible_pull_repo: "https://git.9iron.club/salt/ansible"
 ansible_pull_commit: rewrite
 common_ansible_pubkey: "ssh-rsa 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 ansible"
+# For zerotier
+zerotier_network_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35646131343239623265663562343333383362366633386462646465643163353866643633636135
+ 6238643231313536323337343663313865323430323437630a353462393830376431376363373232
+ 30656433343263653035333637336165323931363966376264353164326135336131646362623734
+ 3339633961393864330a616437613534643231366634643362383438316233376334636264303361
+ 65313231393433396538663463383731303661633663343066333264303330313133
+
 # For geerlingguy.apache
 apache_remove_default_vhost: yes
 apache_ssl_cipher_suite: AES256+EECDH:AES256+EDH
diff --git a/roles/zerotier/handlers/main.yml b/roles/zerotier/handlers/main.yml
new file mode 100644
index 0000000..4b015ef
--- /dev/null
+++ b/roles/zerotier/handlers/main.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart zerotier
+ systemd:
+ daemon_reload: yes
+ name: zerotier-one.service
+ state: restarted
+ become: yes
diff --git a/roles/zerotier/tasks/main.yml b/roles/zerotier/tasks/main.yml
new file mode 100644
index 0000000..b670881
--- /dev/null
+++ b/roles/zerotier/tasks/main.yml
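Review bot: `zerotier_network_id` is defined in `group_vars/all.yml`, so every host in the inventory carries it, while the only consumer visible in this commit is the `zerotier` role that `site.yml` attaches with the `desktop` tag. Moving the variable to the group_vars file of the hosts that run the role would keep it scoped to them. Vaulting the ID is reasonable, but it should not be the only gate: the ID is readable on every joined host, so the network should still require per-member authorization on its controller. The comment `# For zerotier` could say as much, e.g. `# ZeroTier network to join; members must still be authorized on the controller`.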
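Review bot: The handler file opens with `#!/usr/bin/ansible-playbook`, while `roles/zerotier/tasks/main.yml` in the same commit uses `#!/usr/bin/env ansible-playbook`. Neither file is a playbook that can be run on its own, so the shebang is better dropped from both, or at least made identical. The truthy values `daemon_reload: yes` and `become: yes` would read more predictably as `true`.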
@@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- name: ensure zerotier repo key
+ apt_key: url=https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg
+- name: ensure zerotier repo
+ apt_repository: repo="deb http://download.zerotier.com/debian/buster buster main"
+- name: update apt cache
+ apt: update_cache=yes cache_valid_time=86400
+- name: ensure packages
+ apt: name=zerotier-one
+- name: template unit file
+ template: src=zerotier-one.service dest=/etc/systemd/system/zerotier-one.service
+ notify: restart zerotier
+- name: join network
+ command:
+ argv: [ zerotier-cli, join, "{{ zerotier_network_id }}" ]
+ changed_when: no
diff --git a/roles/zerotier/templates/zerotier-one.service b/roles/zerotier/templates/zerotier-one.service
new file mode 100644
index 0000000..be6154d
--- /dev/null
+++ b/roles/zerotier/templates/zerotier-one.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ZeroTier One
+After=network.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/sbin/zerotier-one
+Restart=always
+KillMode=process
+# Issue 738
+TimeoutStopSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site.yml b/site.yml
index 43915e3..9f534cf 100755
--- a/site.yml
+++ b/site.yml
@@ -23,6 +23,9 @@
 - SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
 become: yes
 tags: [ desktop, udev ]
+ - role: zerotier
+ become: yes
+ tags: [ desktop, zerotier ]
 # Database servers
 - hosts: db1.test.desu.ltd
 roles:
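Review bot: The repository signing key in `ensure zerotier repo key` is fetched from the `master` branch of a GitHub repository with no fingerprint pinned, and `ensure zerotier repo` adds the repository over `http://`, so the first run trusts whatever those two URLs return at that moment. Pinning the key with `id:` (fingerprint verified out of band) and switching the repo line to `https://`, if the mirror serves it, narrows that window. Note that `apt_key` adds the key to apt's global trusted set rather than binding it to this one repository. The `join network` task passes the vaulted `zerotier_network_id` on the command line and, with `changed_when: no`, runs on every play, so the decrypted value can appear in verbose output; adding `no_log: true` to that task avoids this. The fence also moves the two tasks from `key=value` strings to native YAML arguments.

```yaml
- name: ensure zerotier repo key
  apt_key:
    url: https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg
    # placeholder: replace with the fingerprint verified out of band
    id: "<ZEROTIER_SIGNING_KEY_FINGERPRINT>"
- name: ensure zerotier repo
  apt_repository:
    repo: "deb https://download.zerotier.com/debian/buster buster main"
# … unchanged: apt cache update, package install, unit template, join network …
```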
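Review bot: `Wants=network-online.target` is declared without a matching `After=`, so the unit is only ordered after `network.target` and may start before the network is actually up; systemd needs both directives, e.g. `After=network-online.target network.target`. The comment `# Issue 738` does not say which tracker it refers to; something like `# Stop-timeout workaround, see <TRACKER_URL>/738` would let the next reader find it. The file is also shipped through `template` although it contains no Jinja expressions, so nothing in it is actually templated.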