Loading nixos/modules/virtualisation/xen-dom0.nix +90 −11 Original line number Diff line number Diff line Loading @@ -47,15 +47,34 @@ in ''; }; virtualisation.xen.bridge = mkOption { virtualisation.xen.bridge = { name = mkOption { default = "xenbr0"; description = '' Create a bridge for the Xen domUs to connect to. description = '' Name of bridge the Xen domUs connect to. ''; }; address = mkOption { type = types.str; default = "172.16.0.1"; description = '' IPv4 address of the bridge. ''; }; prefixLength = mkOption { type = types.addCheck types.int (n: n >= 0 && n <= 32); default = 16; description = '' Subnet mask of the bridge interface, specified as the number of bits in the prefix (<literal>24</literal>). A DHCP server will provide IP addresses for the whole, remaining subnet. ''; }; }; virtualisation.xen.stored = mkOption { type = types.path; Loading Loading @@ -261,11 +280,71 @@ in description = "Xen bridge"; wantedBy = [ "multi-user.target" ]; before = [ "xen-domains.service" ]; serviceConfig.RemainAfterExit = "yes"; serviceConfig.ExecStart = "${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge}"; postStart = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} up"; serviceConfig.ExecStop = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} down"; postStop = "${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge}"; preStart = '' mkdir -p /var/run/xen touch /var/run/xen/dnsmasq.pid touch /var/run/xen/dnsmasq.etherfile touch /var/run/xen/dnsmasq.leasefile IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Usable\ range` export XEN_BRIDGE_IP_RANGE_START="${"\${data[1]//[[:blank:]]/}"}" export XEN_BRIDGE_IP_RANGE_END="${"\${data[2]//[[:blank:]]/}"}" IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Network\ address` export XEN_BRIDGE_NETWORK_ADDRESS="${"\${data[1]//[[:blank:]]/}"}" echo "${cfg.bridge.address} host gw dns" > /var/run/xen/dnsmasq.hostsfile cat <<EOF > /var/run/xen/dnsmasq.conf no-daemon pid-file=/var/run/xen/dnsmasq.pid interface=${cfg.bridge.name} except-interface=lo bind-interfaces auth-server=dns.xen.local,${cfg.bridge.name} auth-zone=xen.local,$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} domain=xen.local addn-hosts=/var/run/xen/dnsmasq.hostsfile expand-hosts strict-order no-hosts bogus-priv no-resolv no-poll filterwin2k clear-on-reload domain-needed dhcp-hostsfile=/var/run/xen/dnsmasq.etherfile dhcp-authoritative dhcp-range=$XEN_BRIDGE_IP_RANGE_START,$XEN_BRIDGE_IP_RANGE_END,$XEN_BRIDGE_NETWORK_ADDRESS dhcp-no-override no-ping dhcp-leasefile=/var/run/xen/dnsmasq.leasefile EOF # DHCP ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT # DNS ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge.name} ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} ${cfg.bridge.address} ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} up ''; serviceConfig.ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq --conf-file=/var/run/xen/dnsmasq.conf"; postStop = '' ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} down ${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge.name} # DNS ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT # DHCP ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp --sport 68 --dport 67 -j ACCEPT ''; }; Loading Loading
nixos/modules/virtualisation/xen-dom0.nix +90 −11 Original line number Diff line number Diff line Loading @@ -47,15 +47,34 @@ in ''; }; virtualisation.xen.bridge = mkOption { virtualisation.xen.bridge = { name = mkOption { default = "xenbr0"; description = '' Create a bridge for the Xen domUs to connect to. description = '' Name of bridge the Xen domUs connect to. ''; }; address = mkOption { type = types.str; default = "172.16.0.1"; description = '' IPv4 address of the bridge. ''; }; prefixLength = mkOption { type = types.addCheck types.int (n: n >= 0 && n <= 32); default = 16; description = '' Subnet mask of the bridge interface, specified as the number of bits in the prefix (<literal>24</literal>). A DHCP server will provide IP addresses for the whole, remaining subnet. ''; }; }; virtualisation.xen.stored = mkOption { type = types.path; Loading Loading @@ -261,11 +280,71 @@ in description = "Xen bridge"; wantedBy = [ "multi-user.target" ]; before = [ "xen-domains.service" ]; serviceConfig.RemainAfterExit = "yes"; serviceConfig.ExecStart = "${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge}"; postStart = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} up"; serviceConfig.ExecStop = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} down"; postStop = "${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge}"; preStart = '' mkdir -p /var/run/xen touch /var/run/xen/dnsmasq.pid touch /var/run/xen/dnsmasq.etherfile touch /var/run/xen/dnsmasq.leasefile IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Usable\ range` export XEN_BRIDGE_IP_RANGE_START="${"\${data[1]//[[:blank:]]/}"}" export XEN_BRIDGE_IP_RANGE_END="${"\${data[2]//[[:blank:]]/}"}" IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Network\ address` export XEN_BRIDGE_NETWORK_ADDRESS="${"\${data[1]//[[:blank:]]/}"}" echo "${cfg.bridge.address} host gw dns" > /var/run/xen/dnsmasq.hostsfile cat <<EOF > /var/run/xen/dnsmasq.conf no-daemon pid-file=/var/run/xen/dnsmasq.pid interface=${cfg.bridge.name} except-interface=lo bind-interfaces auth-server=dns.xen.local,${cfg.bridge.name} auth-zone=xen.local,$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} domain=xen.local addn-hosts=/var/run/xen/dnsmasq.hostsfile expand-hosts strict-order no-hosts bogus-priv no-resolv no-poll filterwin2k clear-on-reload domain-needed dhcp-hostsfile=/var/run/xen/dnsmasq.etherfile dhcp-authoritative dhcp-range=$XEN_BRIDGE_IP_RANGE_START,$XEN_BRIDGE_IP_RANGE_END,$XEN_BRIDGE_NETWORK_ADDRESS dhcp-no-override no-ping dhcp-leasefile=/var/run/xen/dnsmasq.leasefile EOF # DHCP ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT # DNS ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge.name} ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} ${cfg.bridge.address} ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} up ''; serviceConfig.ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq --conf-file=/var/run/xen/dnsmasq.conf"; postStop = '' ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} down ${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge.name} # DNS ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT # DHCP ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp --sport 68 --dport 67 -j ACCEPT ''; }; Loading
