diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix
index 7b5d714622c8..c750286a3970 100644
--- a/nixos/modules/virtualisation/xen-dom0.nix
+++ b/nixos/modules/virtualisation/xen-dom0.nix
@@ -47,13 +47,32 @@ in
'';
};
- virtualisation.xen.bridge =
- mkOption {
- default = "xenbr0";
- description =
- ''
- Create a bridge for the Xen domUs to connect to.
+ virtualisation.xen.bridge = {
+ name = mkOption {
+ default = "xenbr0";
+ description = ''
+ Name of bridge the Xen domUs connect to.
+ '';
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "172.16.0.1";
+ description = ''
+ IPv4 address of the bridge.
'';
+ };
+
+ prefixLength = mkOption {
+ type = types.addCheck types.int (n: n >= 0 && n <= 32);
+ default = 16;
+ description = ''
+ Subnet mask of the bridge interface, specified as the number of
+ bits in the prefix (24).
+ A DHCP server will provide IP addresses for the whole, remaining
+ subnet.
+ '';
+ };
};
virtualisation.xen.stored =
@@ -261,11 +280,71 @@ in
description = "Xen bridge";
wantedBy = [ "multi-user.target" ];
before = [ "xen-domains.service" ];
- serviceConfig.RemainAfterExit = "yes";
- serviceConfig.ExecStart = "${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge}";
- postStart = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} up";
- serviceConfig.ExecStop = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} down";
- postStop = "${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge}";
+ preStart = ''
+ mkdir -p /var/run/xen
+ touch /var/run/xen/dnsmasq.pid
+ touch /var/run/xen/dnsmasq.etherfile
+ touch /var/run/xen/dnsmasq.leasefile
+
+ IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Usable\ range`
+ export XEN_BRIDGE_IP_RANGE_START="${"\${data[1]//[[:blank:]]/}"}"
+ export XEN_BRIDGE_IP_RANGE_END="${"\${data[2]//[[:blank:]]/}"}"
+
+ IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Network\ address`
+ export XEN_BRIDGE_NETWORK_ADDRESS="${"\${data[1]//[[:blank:]]/}"}"
+
+ echo "${cfg.bridge.address} host gw dns" > /var/run/xen/dnsmasq.hostsfile
+
+ cat < /var/run/xen/dnsmasq.conf
+ no-daemon
+ pid-file=/var/run/xen/dnsmasq.pid
+ interface=${cfg.bridge.name}
+ except-interface=lo
+ bind-interfaces
+ auth-server=dns.xen.local,${cfg.bridge.name}
+ auth-zone=xen.local,$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength}
+ domain=xen.local
+ addn-hosts=/var/run/xen/dnsmasq.hostsfile
+ expand-hosts
+ strict-order
+ no-hosts
+ bogus-priv
+ no-resolv
+ no-poll
+ filterwin2k
+ clear-on-reload
+ domain-needed
+ dhcp-hostsfile=/var/run/xen/dnsmasq.etherfile
+ dhcp-authoritative
+ dhcp-range=$XEN_BRIDGE_IP_RANGE_START,$XEN_BRIDGE_IP_RANGE_END,$XEN_BRIDGE_NETWORK_ADDRESS
+ dhcp-no-override
+ no-ping
+ dhcp-leasefile=/var/run/xen/dnsmasq.leasefile
+ EOF
+
+ # DHCP
+ ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT
+ # DNS
+ ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+ ${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge.name}
+ ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} ${cfg.bridge.address}
+ ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} up
+ '';
+ serviceConfig.ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq --conf-file=/var/run/xen/dnsmasq.conf";
+ postStop = ''
+ ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} down
+ ${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge.name}
+
+ # DNS
+ ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ # DHCP
+ ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp --sport 68 --dport 67 -j ACCEPT
+ '';
};