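# NixOS VM test: two lightscale servers joined by a mutually authenticated
# mesh (srv-a.mesh <-> srv-b.mesh), plus two clients that are each allowed to
# reach only one server's stream relay. The scenario checks that the clients
# can still reach each other over the tunnel, i.e. that traffic is carried
# across the server mesh.
#
# Security notes for anyone reusing this file as a template:
#   * The mesh CA, certificates and private keys are referenced as path
#     literals and interpolated into the server command lines, so Nix copies
#     them into the (world-readable) Nix store. They are test-only material;
#     do not point this at production keys.
#   * The NixOS firewall is disabled on every node and a fixed admin token is
#     used. The only network policy under test is the iptables egress policy
#     applied to node3/node4 inside testScript.
{ pkgs, serverPkg, clientPkg }:
let
  # Test-only mesh PKI (see the security notes above).
  meshCa = ./mesh-certs/ca.pem;
  meshCertA = ./mesh-certs/srv-a.pem;
  meshKeyA = ./mesh-certs/srv-a-key.pem;
  meshCertB = ./mesh-certs/srv-b.pem;
  meshKeyB = ./mesh-certs/srv-b-key.pem;

  # Configuration shared by every VM: one VLAN with a static address on eth1
  # and the WireGuard kernel module loaded for the tunnel interface.
  baseNode = hostName: address: {
    networking.hostName = hostName;
    networking.usePredictableInterfaceNames = false;
    virtualisation.vlans = [ 1 ];
    networking.interfaces.eth1.useDHCP = false;
    networking.interfaces.eth1.ipv4.addresses = [ { inherit address; prefixLength = 24; } ];
    # Reachability between nodes is controlled by iptables rules in testScript.
    networking.firewall.enable = false;
    boot.kernelModules = [ "wireguard" ];
  };

  # Diagnostic tools used by testScript on every node.
  netTools = [ pkgs.iproute2 pkgs.iputils pkgs.netcat-openbsd pkgs.curl ];

  # Server VM: lightscale-server is started from testScript, not as a module.
  mkServerNode = hostName: address: { ... }: baseNode hostName address // {
    environment.systemPackages = [ serverPkg ] ++ netTools;
  };

  # Client VM: lightscale-client plus iptables for the egress policy.
  mkClientNode = hostName: address: { ... }: baseNode hostName address // {
    environment.systemPackages = [ clientPkg ] ++ netTools ++ [ pkgs.iptables ];
  };
in
{
  name = "lightscale-lab-server-mesh-relay";

  nodes = {
    node1 = mkServerNode "node1" "10.0.0.1";
    node2 = mkServerNode "node2" "10.0.0.2";
    node3 = mkClientNode "node3" "10.0.0.3";
    node4 = mkClientNode "node4" "10.0.0.4";
  };

  testScript = ''
    import json

    start_all()

    addrs = {node1: "10.0.0.1", node2: "10.0.0.2", node3: "10.0.0.3", node4: "10.0.0.4"}
    for machine in addrs:
        machine.wait_for_unit("multi-user.target")
    for machine, addr in addrs.items():
        machine.wait_until_succeeds(f"ip -4 addr show dev eth1 | grep -q '{addr}/24'")

    # Common client command prefix; "--profile test" is what the tunnel
    # interface name ls-test (waited for below) appears to derive from.
    CLIENT = "lightscale-client --profile test --config /tmp/ls-config.json"


    def run_unit(node, unit, log, cmd, env=None):
        """Start `cmd` as a transient systemd service named `unit`.

        stdout/stderr are appended to `log`, which is also tailed to the VM
        console so the daemon output ends up in the test driver log. `env`
        is an optional NAME=VALUE passed via --setenv. Returns once systemd
        reports the unit active.
        """
        node.succeed(f"touch {log}")
        node.execute(f"sh -c 'tail -n +1 -f {log} >/dev/console 2>&1 &'")
        props = (
            f"systemd-run --no-block --unit={unit} --service-type=simple "
            "--property=Restart=on-failure --property=RestartSec=1 "
            "--property=TimeoutStartSec=30 "
            f"--property=StandardOutput=append:{log} "
            f"--property=StandardError=append:{log} "
        )
        if env:
            props += f"--setenv={env} "
        node.succeed(props + "-- " + cmd)
        node.wait_for_unit(f"{unit}.service")


    # Server A: API on 8080, relay on 8443, mesh on 7443. It lists both relay
    # endpoints; server B only hosts its own relay listener.
    run_unit(
        node1, "lightscale-server-a", "/tmp/lightscale-server-a.log",
        "lightscale-server --listen 10.0.0.1:8080 --state /tmp/lightscale-state-a.json "
        "--admin-token test-admin "
        "--stream-relay 10.0.0.1:8443,10.0.0.2:8443 "
        "--stream-relay-listen 10.0.0.1:8443 "
        "--mesh-server-id srv-a.mesh "
        "--mesh-listen 10.0.0.1:7443 "
        "--mesh-peer srv-b.mesh=10.0.0.2:7443 "
        "--mesh-ca-cert ${meshCa} "
        "--mesh-cert ${meshCertA} "
        "--mesh-key ${meshKeyA}",
        env="RUST_LOG=info",
    )
    # Server B: API on 8081 (never contacted by the clients), relay on 8443,
    # mesh on 7443, peered back to server A.
    run_unit(
        node2, "lightscale-server-b", "/tmp/lightscale-server-b.log",
        "lightscale-server --listen 10.0.0.2:8081 --state /tmp/lightscale-state-b.json "
        "--admin-token test-admin "
        "--stream-relay-listen 10.0.0.2:8443 "
        "--mesh-server-id srv-b.mesh "
        "--mesh-listen 10.0.0.2:7443 "
        "--mesh-peer srv-a.mesh=10.0.0.1:7443 "
        "--mesh-ca-cert ${meshCa} "
        "--mesh-cert ${meshCertB} "
        "--mesh-key ${meshKeyB}",
        env="RUST_LOG=info",
    )

    node1.wait_for_open_port(8080, addr="10.0.0.1", timeout=120)
    node1.wait_for_open_port(8443, addr="10.0.0.1", timeout=120)
    node1.wait_for_open_port(7443, addr="10.0.0.1", timeout=120)
    node2.wait_for_open_port(8443, addr="10.0.0.2", timeout=120)
    node2.wait_for_open_port(7443, addr="10.0.0.2", timeout=120)
    # Both servers must have finished mesh setup before clients register.
    node1.wait_until_succeeds("grep -q 'mesh enabled as srv-a.mesh' /tmp/lightscale-server-a.log", timeout=120)
    node2.wait_until_succeeds("grep -q 'mesh enabled as srv-b.mesh' /tmp/lightscale-server-b.log", timeout=120)

    # Create a network through server A's admin API and keep its bootstrap
    # token; both clients register with it.
    net = json.loads(node1.succeed(
        "curl -sSf -X POST http://10.0.0.1:8080/v1/networks "
        "-H 'authorization: Bearer test-admin' "
        "-H 'content-type: application/json' "
        "-d '{\"name\":\"mesh\",\"bootstrap_token_ttl_seconds\":600,"
        "\"bootstrap_token_uses\":10,\"bootstrap_token_tags\":[\"mesh\"]}'"
    ))
    token = net["bootstrap_token"]["token"]


    def enroll(node, name, ip, state_dir):
        """Initialise the client against server A, register `node` as `name`
        with the bootstrap token and send one heartbeat advertising ip:51820
        as its endpoint. The agent started later advertises a different
        (TEST-NET-3) endpoint."""
        node.succeed(f"{CLIENT} init http://10.0.0.1:8080")
        node.succeed(f"{CLIENT} --state-dir {state_dir} register --node-name {name} -- {token}")
        node.succeed(f"{CLIENT} --state-dir {state_dir} heartbeat --endpoint {ip}:51820")


    def start_agent(node, state_dir, endpoint, relay_server):
        """Run the client agent as a transient unit, pinned to `relay_server`
        as its stream relay, and wait for the tunnel interface to appear."""
        run_unit(
            node, "lightscale-agent", "/tmp/lightscale-agent.log",
            f"{CLIENT} --state-dir {state_dir} agent --listen-port 51820 "
            "--heartbeat-interval 5 --longpoll-timeout 5 "
            f"--endpoint {endpoint} --stream-relay "
            f"--stream-relay-server {relay_server} "
            "--endpoint-stale-after 5 --endpoint-max-rotations 1 "
            "--relay-reprobe-after 10",
        )
        node.wait_until_succeeds("ip link show ls-test", timeout=120)


    def restrict_egress(node, allowed):
        """Default-deny egress on `node`, allowing only loopback, replies to
        established flows, the tunnel interface and the (dst, ports) pairs in
        `allowed`. This models a client that can reach only some servers.
        The -o ls-test rule is installed before the interface exists, which
        iptables accepts."""
        node.succeed("iptables -F OUTPUT")
        node.succeed("iptables -P OUTPUT DROP")
        node.succeed("iptables -A OUTPUT -o lo -j ACCEPT")
        node.succeed("iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        node.succeed("iptables -A OUTPUT -o ls-test -j ACCEPT")
        for dst, ports in allowed:
            node.succeed(f"iptables -A OUTPUT -d {dst} -p tcp -m multiport --dports {ports} -j ACCEPT")


    enroll(node3, "node3", "10.0.0.3", "/tmp/ls-state-3")
    enroll(node4, "node4", "10.0.0.4", "/tmp/ls-state-4")

    # node3 may talk only to server A (API + relay); node4 may use server A's
    # API but only server B's relay. Neither can reach the other's relay.
    restrict_egress(node3, [("10.0.0.1", "8080,8443")])
    restrict_egress(node4, [("10.0.0.1", "8080"), ("10.0.0.2", "8443")])

    # 203.0.113.0/24 is the TEST-NET-3 documentation range, so the advertised
    # direct endpoints are never reachable and the relay path is the only one
    # available.
    start_agent(node3, "/tmp/ls-state-3", "203.0.113.3:51820", "10.0.0.1:8443")
    start_agent(node4, "/tmp/ls-state-4", "203.0.113.4:51820", "10.0.0.2:8443")

    # Negative control: the egress policy really blocks the other relay.
    node3.wait_until_fails("nc -z -w 1 10.0.0.2 8443")
    node4.wait_until_fails("nc -z -w 1 10.0.0.1 8443")

    node3.wait_until_succeeds("grep -q 'connected to 10.0.0.1:8443' /tmp/lightscale-agent.log", timeout=300)
    node4.wait_until_succeeds("grep -q 'connected to 10.0.0.2:8443' /tmp/lightscale-agent.log", timeout=300)

    data3 = json.loads(node3.succeed("cat /tmp/ls-state-3/state.json"))
    data4 = json.loads(node4.succeed("cat /tmp/ls-state-4/state.json"))
    ip3 = data3["ipv4"]
    ip4 = data4["ipv4"]
    # Sanity check on the assigned tunnel addresses before pinging; a shared
    # address would make the pings below meaningless.
    assert ip3 != ip4, f"both clients were assigned {ip3}"

    # End-to-end check: tunnel traffic crosses the relays and the server mesh.
    node3.wait_until_succeeds(f"ping -c 3 {ip4}", timeout=240)
    node4.wait_until_succeeds(f"ping -c 3 {ip3}", timeout=240)
  '';
}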