From 208305f3966a4b687654bb22886dd97793454f18 Mon Sep 17 00:00:00 2001
From: Mazunki Hoksaas
Date: Fri, 17 Oct 2025 19:14:35 +0200
Subject: [PATCH 1/5] add module for qemu
---
 nixos-module.nix | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 nixos-module.nix
diff --git a/nixos-module.nix b/nixos-module.nix
new file mode 100644
index 000000000..caab1e798
--- /dev/null
+++ b/nixos-module.nix
@@ -0,0 +1,34 @@
+# nixos-module.nix
+{ config, lib, pkgs, ... }:
+let
+ qemuPkg = config.services.vmrunner.qemuPackage or pkgs.qemu;
+in
+{
+ options.services.vmrunner.qemuPackage = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.qemu;
+ description = "QEMU with capabilities enabled for IncludeOS unikernels";
+ };
+
+ config.security.wrappers = {
+ # https://wiki.qemu.org/Features/HelperNetworking
+ qemu-bridge-helper = {
+ source = "${qemuPkg}/libexec/qemu-bridge-helper";
+ owner = "root";
+ group = "root";
+ capabilities = "cap_net_admin+ep"; # required for attaching TAP devices to bridges
+ };
+
+ ping = {
+ source = "${pkgs.iputils}/bin/ping";
+ owner = "root";
+ group = "root";
+ capabilities = "cap_net_raw+ep"; # required to send ICMP packets
+ };
+ };
+
+ config.environment.etc."qemu/bridge.conf".text = ''
+ allow bridge43
+ '';
+}
+
From 93728abe49c6bafae5c9abedcdc219496f9785bd Mon Sep 17 00:00:00 2001
From: Mazunki Hoksaas
Date: Fri, 17 Oct 2025 20:11:32 +0200
Subject: [PATCH 2/5] permit overriding helper through envvar or config
---
 vmrunner/vmrunner.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/vmrunner/vmrunner.py b/vmrunner/vmrunner.py
index 27237cc1c..04bce9223 100755
--- a/vmrunner/vmrunner.py
+++ b/vmrunner/vmrunner.py
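Review bot: The `qemu-bridge-helper` wrapper in this hunk is installed with the default wrapper permissions, so every local account on the host can run it, and the `allow bridge43` line in `qemu/bridge.conf` then lets each of them attach a TAP interface to that bridge. That is the helper's intended model, but on a shared host it deserves either a dedicated `group` plus `permissions = "u+rx,g+rx";` on the wrapper or at least a comment making the exposure explicit, e.g. `# any local user may attach TAPs to bridge43 through this wrapper; restrict via group/permissions on multi-user hosts`. The `ping` wrapper may be redundant on recent NixOS releases, where unprivileged ping is enabled through a sysctl rather than a capability wrapper; worth confirming before merging. The `or pkgs.qemu` fallback on `qemuPkg` never fires, because the option is declared with that same default.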
@@ -471,7 +471,7 @@ def mod_args(self, mods): for mod in mods]) return ["-initrd", mods_list] - def net_arg(self, backend, device, if_name = "net0", mac = None, bridge = None, scripts = None): + def net_arg(self, backend, device, if_name = "net0", mac = None, bridge = None, scripts = None, helper = None): """ creates network argument for hypervisor """ if scripts: qemu_ifup = scripts + "qemu-ifup" @@ -503,6 +503,8 @@ def net_arg(self, backend, device, if_name = "net0", mac = None, bridge = None, if bridge: netdev = "bridge,id=" + if_name + ",br=" + bridge + if helper: + netdev += ",helper=" + helper # Device - e.g. guest side of nic @@ -655,7 +657,8 @@ def boot_in_hypervisor(self, multiboot=True, debug = False, kernel_args = "", im mac = net["mac"] if "mac" in net else None bridge = net["bridge"] if "bridge" in net else None scripts = net["scripts"] if "scripts" in net else None - net_args += self.net_arg(net["backend"], net["device"], "net"+str(i), mac, bridge, scripts) + helper = net.get("helper", os.environ.get("QEMU_BRIDGE_HELPER")) + net_args += self.net_arg(net["backend"], net["device"], "net"+str(i), mac, bridge, scripts, helper) i+=1 mem_arg = [] From 342e27d37dbec03f7bebf51336459e12cca7ff63 Mon Sep 17 00:00:00 2001 From: Mazunki Hoksaas Date: Fri, 17 Oct 2025 20:18:27 +0200 Subject: [PATCH 3/5] enable host qemu-bridge-helper by exporting path --- nixos-module.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos-module.nix b/nixos-module.nix index caab1e798..8e4a03003 100644 --- a/nixos-module.nix +++ b/nixos-module.nix @@ -2,6 +2,7 @@ { config, lib, pkgs, ... }: let qemuPkg = config.services.vmrunner.qemuPackage or pkgs.qemu; + qemuBridgeHelperPath = "/run/wrappers/bin/qemu-bridge-helper"; in { options.services.vmrunner.qemuPackage = lib.mkOption { @@ -30,5 +31,7 @@ in config.environment.etc."qemu/bridge.conf".text = '' allow bridge43 ''; + + config.environment.variables.QEMU_BRIDGE_HELPER = qemuBridgeHelperPath; } 
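Review bot: The new `helper` parameter on `net_arg` is not mentioned in the docstring, which still reads `""" creates network argument for hypervisor """`. From the following hunk it appears to be honoured only when `bridge` is set, and that relationship belongs in the doc, e.g. `""" creates network argument for hypervisor; helper is the qemu-bridge-helper path used with the bridge backend and ignored otherwise """`. The rest of `net_arg` lies outside this hunk.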
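Review bot: `netdev += ",helper=" + helper` hands the path to QEMU's comma-separated option parser unescaped, so a helper path containing a comma is split into extra `-netdev` keys and the command line fails or means something else. QEMU escapes a literal comma by doubling it, so `netdev += ",helper=" + helper.replace(",", ",,")` keeps the value intact; the `bridge` and `if_name` values on the preceding line have the same exposure, although they predate this change. `net_arg` continues outside the hunk.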
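Review bot: `net.get("helper", os.environ.get("QEMU_BRIDGE_HELPER"))` gives a `helper` key in the network config precedence over the environment variable, and a key that is present with a null value also suppresses the variable; that is what the commit message describes, but it is worth a comment on the line, e.g. `# config key wins over QEMU_BRIDGE_HELPER; an explicit null disables the env fallback`. The line also relies on `os` already being imported at module level, which the hunk does not show. The neighbouring lines use the `x if "x" in net else None` form, so `net.get` is a style departure here, albeit the clearer one; `boot_in_hypervisor` starts and ends outside the hunk.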
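Review bot: `qemuBridgeHelperPath = "/run/wrappers/bin/qemu-bridge-helper"` hard-codes the wrapper directory, which NixOS exposes as `config.security.wrapperDir`; `qemuBridgeHelperPath = "${config.security.wrapperDir}/qemu-bridge-helper";` keeps the exported path correct if that directory is ever changed. The same literal is carried over unchanged by the nixos-module.nix hunk of PATCH 5/5. The second hunk of this patch only consumes the binding and needs no change of its own.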
From 2ee152c6cfea0d51f0ff1fa4bccd6400bba90cb7 Mon Sep 17 00:00:00 2001 From: Mazunki Hoksaas Date: Sat, 18 Oct 2025 01:11:40 +0200 Subject: [PATCH 4/5] allow inbound connections required for tests --- nixos-module.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nixos-module.nix b/nixos-module.nix index 8e4a03003..1978c3901 100644 --- a/nixos-module.nix +++ b/nixos-module.nix @@ -32,6 +32,10 @@ in allow bridge43 ''; + config.networking.firewall = { + trustedInterfaces = [ "bridge43" ]; + }; + config.environment.variables.QEMU_BRIDGE_HELPER = qemuBridgeHelperPath; } From 19e2dadf796ea88cdd712c9fd79a3b0120cc30a4 Mon Sep 17 00:00:00 2001 From: Mazunki Hoksaas Date: Sat, 18 Oct 2025 01:36:29 +0200 Subject: [PATCH 5/5] add includeos-create-bridge to system PATH + formatting --- default.nix | 4 ++++ nixos-module.nix | 53 ++++++++++++++++++++++++++++-------------------- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/default.nix b/default.nix index 2e3c73109..216bcd55b 100644 --- a/default.nix +++ b/default.nix @@ -29,6 +29,10 @@ pkgs.python3.pkgs.buildPythonPackage rec { license = pkgs.lib.licenses.asl20; }; + postInstall = '' + install -Dm755 ${create_bridge} $out/bin/${pname}-create-bridge + ''; + nativeCheckInputs = [ pkgs.shellcheck pkgs.pylint diff --git a/nixos-module.nix b/nixos-module.nix index 1978c3901..785b8a666 100644 --- a/nixos-module.nix +++ b/nixos-module.nix 
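Review bot: `trustedInterfaces = [ "bridge43" ]` disables the host firewall for everything arriving on that bridge, which, combined with the world-executable bridge helper from PATCH 1/5, means any VM that any local user attaches there reaches every listening service on the host. If the tests only need specific ports, `networking.firewall.interfaces.bridge43.allowedTCPPorts` (and the UDP counterpart) is the narrower form; if full trust is intentional, say so next to the line, e.g. `# test VMs on bridge43 must reach the host unfiltered; the bridge carries no external traffic`. Whether the bridge really is host-local is an assumption drawn from its name and should be confirmed.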
@@ -2,40 +2,49 @@ { config, lib, pkgs, ... }: let qemuPkg = config.services.vmrunner.qemuPackage or pkgs.qemu; + vmrunnerPkg = config.services.vmrunner.package or (pkgs.callPackage ./default.nix { }); + qemuBridgeHelperPath = "/run/wrappers/bin/qemu-bridge-helper"; + bridge = "bridge43"; in -{ + { options.services.vmrunner.qemuPackage = lib.mkOption { type = lib.types.package; default = pkgs.qemu; description = "QEMU with capabilities enabled for IncludeOS unikernels"; }; - config.security.wrappers = { - # https://wiki.qemu.org/Features/HelperNetworking - qemu-bridge-helper = { - source = "${qemuPkg}/libexec/qemu-bridge-helper"; - owner = "root"; - group = "root"; - capabilities = "cap_net_admin+ep"; # required for attaching TAP devices to bridges - }; + config = { + security.wrappers = { + # https://wiki.qemu.org/Features/HelperNetworking + qemu-bridge-helper = { + source = "${qemuPkg}/libexec/qemu-bridge-helper"; + owner = "root"; + group = "root"; + capabilities = "cap_net_admin+ep"; # required for attaching TAP devices to bridges + }; - ping = { - source = "${pkgs.iputils}/bin/ping"; - owner = "root"; - group = "root"; - capabilities = "cap_net_raw+ep"; # required to send ICMP packets + ping = { + source = "${pkgs.iputils}/bin/ping"; + owner = "root"; + group = "root"; + capabilities = "cap_net_raw+ep"; # required to send ICMP packets + }; }; - }; - config.environment.etc."qemu/bridge.conf".text = '' - allow bridge43 - ''; + environment = { + etc."qemu/bridge.conf".text = '' + allow ${bridge} + ''; - config.networking.firewall = { - trustedInterfaces = [ "bridge43" ]; - }; + systemPackages = [ vmrunnerPkg ]; - config.environment.variables.QEMU_BRIDGE_HELPER = qemuBridgeHelperPath; + variables.QEMU_BRIDGE_HELPER = qemuBridgeHelperPath; + }; + + networking.firewall = { + trustedInterfaces = [ bridge ]; + }; + }; }
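Review bot: `vmrunnerPkg = config.services.vmrunner.package or (pkgs.callPackage ./default.nix { })` reads an option that this module never declares, so the `or` branch is the only one that can ever run and a user who tries to set `services.vmrunner.package` gets an undeclared-option error rather than an override. Declaring the option like `qemuPackage` gives the override a real path and lets the binding drop the fallback; for the same reason the `or pkgs.qemu` on `qemuPkg` is dead code, since that option is declared with the same default. The module's opening brace also appears to have gained leading whitespace (`-{` / `+ {`) while `in` stays at column 0, which looks accidental in a formatting commit.
```nix
  # … unchanged: qemuPkg, qemuBridgeHelperPath, bridge bindings …
  vmrunnerPkg = config.services.vmrunner.package;
  # … unchanged: options.services.vmrunner.qemuPackage …
  options.services.vmrunner.package = lib.mkOption {
    type = lib.types.package;
    default = pkgs.callPackage ./default.nix { };
    description = "vmrunner package added to environment.systemPackages";
  };
  # … unchanged: config = { security.wrappers, environment, networking.firewall } …
```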