Adding a homelab machine (behind NAT, no public IP)

[jabr]

I have a cluster, currently with two public machines:

• thebe (IP: 93.xxx)
• amalthea (IP: 65.xxx)

I've just set up a server at home, behind a NAT, and want to add it:

• himalia (external IP: 174.xxx, internal IP: 168.xxx)

(Note, I've worked through some of these issues last night, and I'm trying to document my steps from here as best as I can from notes. So some details might be slightly off of what I actually did.)

I added himalia with:

uc machine add -n himalia admin@192.xxx -i ~/.ssh/key --no-caddy

In case it's relevant, I had manually installed docker (apt install docker.io) on himalia before adding it to uncloud.

That ran without issues. I noticed in uc machine ls the state was listed as down and it had a mix of internal and external (the NAT) IPs, both v4 and v6 in its wireguard endpoints. It looked roughly like this:

himalia    Down    10.210.2.1/24   174.xxx  192.xxx:51820, [fdc3:xxx]:51820, [2600:xxx]:51820, [2600:xxx:yyy]:51820, 174.xxx:51820   4665xxx

I then tried doing something with it (uc volume create iirc) which failed. uc connected through one of the public servers and some error about not being able to connect to himalia, I think.

I then starting debugging on the instances, looking at the data under /var/lib/uncloud on various machines. In corrosion/store.db I believe thebe/amalthea had an entry for himalia in their machines table, but himalia's table only had itself.

I then started looking at the wireguard network, and it was similar:

thebe:

interface: uncloud
  public key: 1Wgi...
  private key: (hidden)
  listening port: 51820

peer: 9dKc...
  endpoint: 65.xxx:51820
  allowed ips: fdcc:...:c8b1/128, 10.210.1.0/24
  latest handshake: 1 minute, 7 seconds ago
  transfer: 964.68 MiB received, 948.41 MiB sent
  persistent keepalive: every 25 seconds

peer: FvIQ...
  endpoint: [2600:...:3eb4]:51820
  allowed ips: fdcc:...:452d/128, 10.210.2.0/24
  latest handshake: 2 hours, 46 minutes, 9 seconds ago
  transfer: 33.36 KiB received, 209.48 KiB sent
  persistent keepalive: every 25 seconds

amalthea:

interface: uncloud
  public key: 9dKc...
  private key: (hidden)
  listening port: 51820

peer: 1Wgi...
  endpoint: 93.xxx:51820
  allowed ips: fdcc:...:9275/128, 10.210.0.0/24
  latest handshake: 1 minute, 29 seconds ago
  transfer: 948.63 MiB received, 966.63 MiB sent
  persistent keepalive: every 25 seconds

peer: FvIQ...
  endpoint: [2600:...:fef9]:51820
  allowed ips: fdcc:...:452d/128, 10.210.2.0/24
  latest handshake: 2 hours, 48 minutes, 33 seconds ago
  transfer: 21.02 KiB received, 220.53 KiB sent
  persistent keepalive: every 25 seconds

himalia:

interface: uncloud
  public key: FvIQ...
  private key: (hidden)
  listening port: 51820

So thebe/amalthea knew about himalia, but himalia didn't know about them or something? I also saw the endpoint for himalia that thebe/amalthea were reporting in wireguard was cycling through the various endpoints I saw in uc machine ls.

I looked at my router and realized it did not have port triggering enabled by default, so I added a fixed port UDP port forward for 51820 to the (assigned) internal 192.xxx IP for himalia.

It didn't recover on its on, so I then did a uc machine rm and re-added it. This second time, I also added a --public-ip none option:

uc machine add -n himalia admin@192.xxx -i ~/.ssh/key --no-caddy --public-ip none

But everything looked pretty much the same after that. I also tried it again, but deleting the /var/lib/uncloud directory after removing it before adding it again, but kept getting the same result.

Then I started digging into the networking more. To confirm the port forwarding, I disabled himalia's wireguard interface and listened on 51820 directly:

nc -luv -p 51820
Bound on 0.0.0.0 51820

Connection received on 65.xxx 51820
��r��;�ı��"P"��,���K���X��N��N;+����u�V��%�u�K{��7�...

That was amalthea. I ran that a couple times and also saw connections and data from thebe (93.xxx). So it was sending/receiving correctly.

I think started trying to modify himali's /var/lib/uncloud/machine.json directly. It initially looked like this:

{
  "ID": "4665...",
  "Name": "himalia",
  "Network": {
    "Subnet": "10.210.2.0/24",
    "ManagementIP": "fdcc:...:a5f",
    "PrivateKey": "...",
    "PublicKey": "..."
  }

While thebe/amalthea had a "Peers" section with the other plus himalia, like this:

"Peers": [
    {
      "Subnet": "10.210.1.0/24",
      "ManagementIP": "fdcc:...:c8b1",
      "Endpoint": "65....:51820",
      "AllEndpoints": [
        "65....:51820"
      ],
      "PublicKey": "..."
    },
    {
      "Subnet": "10.210.2.0/24",
      "ManagementIP": "fdcc:...:a5f",
      "Endpoint": "[fdc3:...:3eb4]:51820",
      "AllEndpoints": [
        "192.xxx:51820",
        "[fdc3:...:b94e:...:3eb4]:51820",
        "[2600:...::fef9]:51820",
        "[2600:...:429c:...:3eb4]:51820",
        "174.xxx:51820"
      ],
      "PublicKey": "..."
    }
  ]

So I shutdown the uncloud daemon (systemctl stop uncloud) and then edited himalia's machine.json to add a "Peers" section with the entries for thebe/amalthea that I copied from those servers.

Then restarted the daemon and it immediately overwrote that file back to the original (peer-less) version.

Thinking maybe it was actually getting that from corrosion/store.db not the json file, I then tried the same thing but also copied the store.db from the thebe server (using sqlite3_rsync). But it had no visible effect. The store.db kept the entries, though, but wiped the machine.json and wireguard network still had no peers.

This was a snippet from the uncloud.service logs around that time:

Oct 25 06:28:55 himalia uncloudd[7738]: INFO Configured WireGuard interface. name=uncloud Oct 25 06:28:55 himalia uncloudd[7738]: INFO Updated addresses of the WireGuard interface. name=uncloud add> Oct 25 06:28:55 himalia uncloudd[7738]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud> Oct 25 06:28:55 himalia uncloudd[7738]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud> Oct 25 06:28:55 himalia uncloudd[7738]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud> Oct 25 06:28:55 himalia uncloudd[7738]: INFO Updated routes to peers via the WireGuard interface. name=uncl> Oct 25 06:28:55 himalia uncloudd[7738]: INFO Subscribed to container changes in the cluster to keep DNS rec> Oct 25 06:28:55 himalia uncloudd[7738]: INFO Subscribed to container changes in the cluster to generate Cad> Oct 25 06:28:55 himalia uncloudd[7738]: DEBUG DNS records updated. component=dns-resolver services=4 contain> Oct 25 06:28:55 himalia uncloudd[7738]: DEBUG Caddy is not running on this machine, skipping configuration l> ~

The "Removed route to peer" bit made me think it might be using the wireguard interface itself as the canonical source at that point, so I then removed the uncloud interface and created a new one manually with the proper peer configuration.

[Interface]
PrivateKey = <hidden>
ListenPort = 51820

[Peer]
# thebe
PublicKey = 1Wgi...
AllowedIPs = 10.210.0.0/24, fdcc:...:9275/128
Endpoint = 93.xxx:51820
PersistentKeepalive = 25

[Peer]
# amalthea
PublicKey = 9dKc...
AllowedIPs = 10.210.1.0/24, fdcc:...:c8b1/128
Endpoint = 65.xxx:51820
PersistentKeepalive = 25

After that, the wireguard network started working properly both ways:

himalia:

interface: uncloud 
  public key: LnHx... 
  private key: (hidden) 
  listening port: 51820

peer: 1Wgi...
  endpoint: 93.xxx:51820 
  allowed ips: 10.210.0.0/24, fdcc:...:9275/128 
  latest handshake: 1 minute, 26 seconds ago 
  transfer: 156 B received, 276 B sent 
  persistent keepalive: every 25 seconds

peer: 9dKc...
  endpoint: 65.xxx:51820 
  allowed ips: 10.210.1.0/24, fdcc:...:c8b1/128 
  latest handshake: 1 minute, 26 seconds ago 
  transfer: 124 B received, 276 B sent 
  persistent keepalive: every 25 seconds

I restarted the uncloud service, and I was then able to create the volume I'd initially started with. I was also able to pussh (unregistry) a image to himalia (via a thebe connection from the cli).

However, then I started seeing other issues:

1. uc machine ls still shows it as "Down"
2. a "global deploy" service did not "see" himalia

I was able to deploy the global service after adding a x-machines setting with all three listed, though, and it then deployed it to himalia as well.

I think used docker exec ... sh on the thebe instance of the service and ran nslookup and it only returned results for itself and amalthea. I knew the service IP for the himalia instance, so I pinged it and it worked and I was able to connect to a daemon running on it, so the network was working, just the thebe (and amalthea) internal DNS servers didn't know about it?

I then docker exec'd into the himalia container and was able to connect to the thebe/amalthea instances, and its DNS listed all three IPs like I would expect.

So I think the problem I have now is some internal state in uncloud that is a bit out of sync, making it think it is down, not including it in some machine iterators for global or for event listener in internal DNS, etc.

[jabr]

Short summary of above:

I think it started with the NAT server not adding wireguard peers for the public servers. I suspect that was because I had no port forwarding enabled for 51820 to the NAT instance on my first attempt.

And then everything after that is probably because my "fixes" for that problem have likely left some other things in an incomplete or corrupt state.

[jabr]

After taking another look and verifying everything is fine on the network layer, it seemed to be some sort of corruption in the corrosion database on the new node.

I stopped the himalia corrosion service, deleted the /var/lib/uncloud/corrosion/store.db, then restarted.

After that, all nodes started seeing each other as all up, a global service deploy worked fine (it also saw all nodes), and then the internal DNS in each of those services was correctly reporting all nodes' instances.

So it all appears to be fine now.

Again, I suspect the initial issue was the port forwarding setup (my router had even the automatic hole punching disabled), and then I never reset the state "enough" when removing and re-adding the machine and other debugging work following that.

[psviderski]

Thank you so much for such a detailed description of what you did and observed 🙏

I stopped the himalia corrosion service, deleted the /var/lib/uncloud/corrosion/store.db, then restarted.
After that, all nodes started seeing each other as all up, a global service deploy worked fine (it also saw all nodes), and then the internal DNS in each of those services was correctly reporting all nodes' instances.

This makes sense as several components in the cluster use the state from Corrossion. If it gets out of sync or doesn't receive any updates, they may continue serving the outdated data.

So thebe/amalthea knew about himalia, but himalia didn't know about them or something?

This is what looks suspicious to me as I would expect that himalia gets the configuration for all existing peers in the cluster. Then even without port forwarding it should have started connecting to the public peers.

When adding a new machine, we list all current machines and include them in the join request:

uncloud/internal/cli/cli.go

Lines 373 to 392 in f8fe3c7

	// Get the most up-to-date list of other machines in the cluster to include them in the join request.
	machines, err := c.ListMachines(ctx, nil)
	if err != nil {
	return nil, nil, fmt.Errorf("list cluster machines: %w", err)
	}
	otherMachines := make([]*pb.MachineInfo, 0, len(machines)-1)
	for _, m := range machines {
	if m.Machine.Id != addResp.Machine.Id {
	otherMachines = append(otherMachines, m.Machine)
	}
	}
	// Configure the remote machine to join the cluster.
	joinReq := &pb.JoinClusterRequest{
	Machine: addResp.Machine,
	OtherMachines: otherMachines,
	}
	if _, err = machineClient.JoinCluster(ctx, joinReq); err != nil {
	return nil, nil, fmt.Errorf("join cluster: %w", err)
	}

Maybe the other machine addresses were skipped here for some reason:

uncloud/internal/machine/machine.go

Lines 791 to 814 in 521ccf2

	// Build a peers config from other cluster machines.
	m.state.Network.Peers = make([]network.PeerConfig, 0, len(req.OtherMachines))
	for _, om := range req.OtherMachines {
	if err := om.Network.Validate(); err != nil {
	continue
	}
	omSubnet, _ := om.Network.Subnet.ToPrefix()
	omManageIP, _ := om.Network.ManagementIp.ToAddr()
	omEndpoints := make([]netip.AddrPort, len(om.Network.Endpoints))
	for i, ep := range om.Network.Endpoints {
	addrPort, _ := ep.ToAddrPort()
	omEndpoints[i] = addrPort
	}
	peer := network.PeerConfig{
	Subnet: &omSubnet,
	ManagementIP: omManageIP,
	AllEndpoints: omEndpoints,
	PublicKey: om.Network.PublicKey,
	}
	if len(omEndpoints) > 0 {
	peer.Endpoint = &omEndpoints[0]
	}
	m.state.Network.Peers = append(m.state.Network.Peers, peer)
	}

Are you still able to experiment with the himalia machine? If would be helpful if you can remove it from your cluster:

uc m rm himalia

and then fully uninstall uncloud on himalia machine with

uncloud-uninstall

Removing the port forwarding will also be helpful. Then try adding himalia to the cluster again.

An expected behaviour is the new machine gets the info about existing peers, configures WG interface, successfully connects to both machines and appears as Up in the cluster. Without port forwarding or any manual intervention.

[jabr]

This is what looks suspicious to me as I would expect that himalia gets the configuration for all existing peers in the cluster. Then even without port forwarding it should have started connecting to the public peers.

I think himalia did get the info about the other nodes and was sending them messages ... for a while ... but then removed them after it never received a message back.

From this wg output on amalthea when I first started looking at the problem:

peer: FvIQ...
  ...
  transfer: 21.02 KiB received, 220.53 KiB sent

Amalthea had received data from himalia at some point, but I think it was no longer sending it data. This was from another wg run a bit later:

peer: FvIQ...
  ...
  transfer: 21.02 KiB received, 221.54 KiB sent

I don't have any more captures from that in my notes, so I don't recall if that received count ever went up past that.

But by that point, himalia had no knowledge of the peers that I could find. No peers in wg or machine.json. I'm almost certain that corroson/store.db had only one row in its machines table, too.

Does uncloud prune peers after some time of not receiving data?

Without port forwarding or any manual intervention.

How would that be possible? Do you mean it normally works without any setup due to port triggering automatically setting up a temporary forward? My router has port triggering disabled (I didn't realize that until later), so unless it has UPnP support, I don't see how it could have worked without the port forward.

Are you still able to experiment with the himalia machine?

Unfortunately, no. At least for now. I'll see if I can get my hands on another mini PC sometime soon to try it again, but I don't have a spare machine at the moment.

[psviderski]

Does uncloud prune peers after some time of not receiving data?

No, it shouldn't. It configures the uncloud WG interface peers according to the machines listed in the machines table in corrosion. However, if the machines table is updated (e.g. entries are removed) for some reason, then the WG peers are updated accordingly.

How would that be possible? Do you mean it normally works without any setup due to port triggering automatically setting up a temporary forward?

Yes, it normally should work without any manual set up if one of the machines in each pair has a reachable IP, for example, a public one. Uncloud doesn't do any UPnP shenanigans, it simply relies on the WireGuard capability of establishing a tunnel where either of the peers in each pair can initiate a connection.

In your case, the machine behind NAT (himalia) should initiate a connection to another machine with a public IP. The machine with a public IP will see the IP address and port of the peer's gateway it can send the reply packets to. This is called NAT traversal. Some CGNATs from consumer ISPs could be aggressive and not allow the communication back to the peer behind nat through the mapped ip/port on the gateway. But generally it works. See

• https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
• https://tailscale.com/blog/how-nat-traversal-works

Unfortunately, no. At least for now. I'll see if I can get my hands on another mini PC sometime soon to try it again, but I don't have a spare machine at the moment.

No worries, please let me know if you have a chance to try another machine. I'd love to help troubleshoot and try to fix why it didn't work in the first place.

[jabr]

Some CGNATs from consumer ISPs could be aggressive and not allow the communication back to the peer behind nat through the mapped ip/port on the gateway. But generally it works.

Yeah, that was disabled on my router, so I think that was the root cause for my problems. But I have himalia on a reserved IP with a configured port forward rule now, and I have had no problems with its connectivity since.

No, it shouldn't. It configures the uncloud WG interface peers according to the machines listed in the machines table in corrosion. However, if the machines table is updated (e.g. entries are removed) for some reason, then the WG peers are updated accordingly.

I think this bit is the outstanding mystery. Thebe/amalthea definitely knew about himalia (including its internal IPs on the wireguard endpoints for it).

And himalia knew enough about them to have sent some packets at some point.

But by the time I looked at it in detail, there was no trace of those peers.

Perhaps they were briefly in the wireguard peers but never made it into the machines table for some reason, and then later removed from wireguard based on the incomplete table?

Anyway, probably not much more we can do for now. If I get another chance to try replicating this, I'll follow up.

Also, we can close this issue for now, if you prefer.

[psviderski]

Also, we can close this issue for now, if you prefer.

I'm fine keeping it open. Feel free to share any updates if you have a chance to test with a new machine.

[psviderski]

I was able to reproduce this in two different clusters. Will investigate what we broke recently.

[psviderski]

Removing and retrying adding a new machine again succeeded in both clusters. Looks like a race condition we could have for a long time

[psviderski]

Initial peer configuration is handled correctly:

Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  Configured WireGuard interface. name=uncloud
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  Updated addresses of the WireGuard interface. name=uncloud addrs=[fdcc:e33f:d427:c5da:68a5:2099:ce8a:c455/128]
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  Brought WireGuard interface up. name=uncloud
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: DEBUG Added route to peer(s) via WireGuard interface. name=uncloud dst=10.210.0.0/23
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: DEBUG Added route to peer(s) via WireGuard interface. name=uncloud dst=fdcc:259e:b5d0:d11b:b9d:27f:fdc3:3a17/128
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: DEBUG Added route to peer(s) via WireGuard interface. name=uncloud dst=fdcc:cb1f:c554:916e:fae0:2ae:1c6e:1eb2/128
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud dst=fdcc:e33f:d427:c5da:68a5:2099:ce8a:c455/128
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  Updated routes to peers via the WireGuard interface. name=uncloud peers=2
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  WireGuard network configured.

corrosion is successfully restarted after configuring the WG network:

Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: INFO  Restarting corrosion service to apply new configuration with WireGuard network.
Nov 06 09:18:04 uc-prod-us2 uncloudd[1768]: DEBUG Retrying corrosion API request due to network error. error="dial tcp 127.0.0.1:51002: connect: connection refused"
Nov 06 09:18:05 uc-prod-us2 uncloudd[1768]: DEBUG Retrying corrosion API request due to network error. error="dial tcp 127.0.0.1:51002: connect: connection refused"
...
Nov 06 09:18:09 uc-prod-us2 uncloudd[1768]: DEBUG Corrosion systemd service restarted. unit=uncloud-corrosion.service
Nov 06 09:18:09 uc-prod-us2 uncloudd[1768]: DEBUG Waiting for corrosion service to be ready.
Nov 06 09:18:09 uc-prod-us2 uncloudd[1768]: DEBUG Corrosion service is ready.
Nov 06 09:18:09 uc-prod-us2 uncloudd[1768]: INFO  Corrosion service restarted.
Nov 06 09:18:09 uc-prod-us2 uncloudd[1768]: INFO  Subscribed to machine changes in the cluster to reconfigure network peers.

then WG successfully connects to peers:

Nov 06 09:18:10 uc-prod-us2 uncloudd[1768]: INFO  Peer endpoint automatically updated on WireGuard interface by establishing a reverse connection to this machine. public_key=cb1fc55491>
Nov 06 09:18:10 uc-prod-us2 uncloudd[1768]: INFO  Peer status changed. public_key=cb1fc554916efae002ae1c6e1eb29c399b2fcd192b0bc968e287a6998a4acc4f status=up previous_status=unknown
Nov 06 09:18:10 uc-prod-us2 uncloudd[1768]: INFO  Peer status changed. public_key=259eb5d0d11b0b9d027ffdc33a17d25e26393f03a5de9e7feed82969155ed77a status=up previous_status=unknown
Nov 06 09:18:10 uc-prod-us2 uncloudd[1768]: DEBUG Preserved endpoint change in the machine state. public_key=cb1fc554916efae002ae1c6e1eb29c399b2fcd192b0bc968e287a6998a4acc4f

then it looks like corrosion establishes connections to its peers and receives updates for the machines table. But for some reason the table is still empty:

Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: INFO  Cluster machines changed, reconfiguring network peers.
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: INFO  Configured WireGuard interface. name=uncloud
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: INFO  Updated addresses of the WireGuard interface. name=uncloud addrs=[fdcc:e33f:d427:c5da:68a5:2099:ce8a:c455/128]
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: INFO  Brought WireGuard interface up. name=uncloud
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud dst=10.210.0.0/23
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud dst=fdcc:259e:b5d0:d11b:b9d:27f:fdc3:3a17/128
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: DEBUG Removed route to peer(s) via WireGuard interface. name=uncloud dst=fdcc:cb1f:c554:916e:fae0:2ae:1c6e:1eb2/128
Nov 06 09:18:11 uc-prod-us2 uncloudd[1768]: INFO  Updated routes to peers via the WireGuard interface. name=uncloud peers=0

Looks like corrosion may notify about the changes in the table when they are still on the way. Could be a bug/race condition in corrosion itself. Would be good to upgrade Corrosion to the latest upstream version.

We already have a check for empty machines when just subscribing to machines:

uncloud/internal/machine/cluster.go

Lines 341 to 348 in fa004d6

	// The machine store may be empty when a machine first joins the cluster, before store synchronization
	// completes. Skip configuration now and apply it when the store changes are received.
	if len(machines) > 0 {
	slog.Info("Reconfiguring network peers with the current machines.", "machines", len(machines))
	if err = cc.configurePeers(machines); err != nil {
	slog.Error("Failed to configure peers.", "err", err)
	}
	}

. I think we need to add a similar one for the listed machines on a change:

uncloud/internal/machine/cluster.go

Line 357 in fa004d6

if machines, err = cc.store.ListMachines(ctx); err != nil {

.
We need to reconfigure peers if there is at least one machine in the list to not accidentally lock ourself out of the cluster like it occasionally happens now.

[jabr]

That sounds like it fits what it seemed to be doing to me (just a wild hypothesis from the observed facts I had):

1. wireguard was initialized with peers correctly
2. there was some delay in adding the peers to the corrosion store for some unknown reason
3. the corrosion store then told wireguard it had no peers and it removed them from the initial setup

[psviderski]

Yep, that's exactly what happened on my machines and logs above prove this.

2. there was some delay in adding the peers to the corrosion store for some unknown reason

The delay is due to corrosion waiting for the DB sync from other peers after the wireguard was initialised with peers initially.

3. the corrosion store then told wireguard it had no peers and it removed them from the initial setup

Yes, the local machines table in corrosion wasn't fully synchronised with other peers but for some reason fired a trigger that the table changed. Then

uncloud/internal/machine/cluster.go

Lines 356 to 357 in fa004d6

	slog.Info("Cluster machines changed, reconfiguring network peers.")
	if machines, err = cc.store.ListMachines(ctx); err != nil {

returned an empty slice of machines. We used that empty slice to reconfigure the WG network. This removed the peers from WG device and disconnected the machine from the cluster, including corrosion. There is no way the machine is able to recover from this state on its own.

I'll push a fix to reconfigure the WG network only if ListMachines returns at least one machine.