build our own libvirt bridge
diff --git a/roles/config-virt/defaults/main.yml b/roles/config-virt/defaults/main.yml
index 8a1faf1..a134d20 100644
--- a/roles/config-virt/defaults/main.yml
+++ b/roles/config-virt/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
 # roles/config-virt/defaults/main.yml
 
-mgmtbr_name: virbr0
+virt_nets:
+  - mgmtbr
+
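Review bot: The new default `virt_nets` entry is a bare string (`- mgmtbr`), but the tasks and templates in this commit read `item.name`, `item.ipv4_prefix` and `item.head_vms`. The role therefore fails with its own defaults unless inventory overrides the list. Make the default a mapping, e.g. `- name: mgmtbr` followed by `ipv4_prefix: <PREFIX_PLACEHOLDER>` and `head_vms: true`, or add a comment above the variable stating that every entry must carry those keys.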
diff --git a/roles/config-virt/tasks/main.yml b/roles/config-virt/tasks/main.yml
index d74d4f3..fb748fa 100644
--- a/roles/config-virt/tasks/main.yml
+++ b/roles/config-virt/tasks/main.yml
@@ -1,9 +1,40 @@
 ---
 # roles/config-virt/tasks/main.yml
 
-- name: Get ubuntu image for uvtool
-  command: uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily \
-    release={{ ansible_distribution_release }} arch=amd64
+- name: collect libvirt network facts
+  virt_net:
+    command=facts
+
+- name: Tear down libvirt's default network
+  when: ansible_libvirt_networks["default"] is defined
+  virt_net:
+    command={{ item }}
+    name=default
+  with_items:
+    - destroy
+    - undefine
+
+# note, this isn't idempotent, so may need manual fixing if it changes
+- name: define libvirt networks IP/DHCP/DNS settings
+  virt_net:
+    name=xos-{{ item.name }}
+    command=define
+    xml='{{ lookup("template", "virt_net.xml.j2") }}'
+  with_items: '{{ virt_nets }}'
+
+- name: start libvirt networks
+  when: ansible_libvirt_networks["xos-{{ item.name }}"].state != "active"
+  virt_net:
+    name=xos-{{ item.name }}
+    command=create
+  with_items: '{{ virt_nets }}'
+
+- name: have libvirt networks autostart
+  when: ansible_libvirt_networks["xos-{{ item.name }}"].autostart != "yes"
+  virt_net:
+    name=xos-{{ item.name }}
+    autostart=yes
+  with_items: '{{ virt_nets }}'
 
 - name: Have libvirt enable port forwarding to VM's
   become: yes
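Review bot: The `when:` conditions on "start libvirt networks" and "have libvirt networks autostart" index `ansible_libvirt_networks` by the `xos-` network name, but the only `command=facts` task runs before those networks are defined. On a first run the key is presumably absent, so the `.state` and `.autostart` lookups error out instead of evaluating to true. Repeat the facts task after the define step and build the key without nested `{{ }}` inside `when`: `when: ansible_libvirt_networks["xos-" ~ item.name].state != "active"`, and likewise for the autostart condition. The final task in this hunk ("Have libvirt enable port forwarding to VM's") continues outside it.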
@@ -18,11 +49,4 @@
     - reload libvirt-bin
     - run qemu hook
 
-- name: configure libvirt mgmtbr network DHCP range and IP assignments
-  virt_net:
-    command=define
-    name=default
-    xml='{{ lookup("template", "default.xml.j2") }}'
-    autostart=yes
-    state=active
 
diff --git a/roles/config-virt/templates/daemon.j2 b/roles/config-virt/templates/daemon.j2
index c79bf4a..852aef6 100644
--- a/roles/config-virt/templates/daemon.j2
+++ b/roles/config-virt/templates/daemon.j2
@@ -27,8 +27,9 @@
 
 {% for vm in head_vm_list -%}
 {% if vm.forwarded_ports is defined -%}
+{% set vm_net = ( virt_nets | selectattr("head_vms", "defined") | first ) %}
 {% for port in vm.forwarded_ports -%}
-    add_port_fwd_rule {{ port.ext }} "{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}" {{ port.int }}
+    add_port_fwd_rule {{ port.ext }} "{{ vm_net.ipv4_prefix }}.{{ vm.ipv4_last_octet }}" {{ port.int }}
 {% endfor -%}
 {% endif -%}
 {% endfor -%}
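Review bot: `selectattr("head_vms", "defined") | first` picks the first network that merely has a `head_vms` key, even when its value is false, while virt_net.xml.j2 writes the DHCP host entries only when `item.head_vms` is truthy. The two can disagree, in which case the port-forward rules point at addresses on a network that never assigns them. If no entry has the key, `first` yields an undefined value and `vm_net.ipv4_prefix` either fails or renders an empty prefix into `add_port_fwd_rule`. Select on truthiness and move the `set` above the per-VM loop, e.g. `{% set vm_net = virt_nets | selectattr("head_vms", "defined") | selectattr("head_vms") | first -%}`, and make the template fail clearly when nothing matches. The same expression appears in qemu.j2, and the script around this loop lies outside the hunk.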
diff --git a/roles/config-virt/templates/default.xml.j2 b/roles/config-virt/templates/default.xml.j2
deleted file mode 100644
index 7914a2e..0000000
--- a/roles/config-virt/templates/default.xml.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-<network>
-  <name>default</name>
-  <bridge name="{{ mgmtbr_name }}"/>
-  <forward/>
-  <domain name="{{ site_suffix }}" localonly="no"/>
-  <dns>
-{% for ns in dns_servers %}
-  <forwarder addr="{{ ns }}"/>
-{% endfor %}
-  </dns>
-  <ip address="{{ mgmtbr_prefix }}.1" netmask="255.255.255.0">
-    <dhcp>
-      <range start="{{ mgmtbr_prefix }}.2" end="{{ mgmtbr_prefix }}.254"/>
-{% for vm in head_vm_list %}
-      <host name='{{ vm.name }}' ip='{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}'/>
-{% endfor %}
-    </dhcp>
-  </ip>
-</network>
diff --git a/roles/config-virt/templates/qemu.j2 b/roles/config-virt/templates/qemu.j2
index 1c947f9..9d20379 100644
--- a/roles/config-virt/templates/qemu.j2
+++ b/roles/config-virt/templates/qemu.j2
@@ -5,6 +5,10 @@
 NIC=$( route|grep default|awk '{print $NF}' )
 PORTAL=$( dig +short portal.opencloud.us | tail -1 )
 
+SUBNET=$( ip addr show $NIC|grep "inet "|awk '{print $2}' )
+{% set vm_net = ( virt_nets | selectattr("head_vms", "defined") | first ) %}
+PRIVATENET=$( ip addr show {{ vm_net.name }} |grep "inet "|awk '{print $2}' )
+
 NAME="${1}"
 OP="${2}"
 SUBOP="${3}"
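Review bot: `{{ vm_net.name }}` and `$NIC` are expanded unquoted inside command substitutions in a hook that libvirt presumably runs as root, so a bridge name from inventory containing whitespace or shell metacharacters would change the command that executes. Quote both, e.g. `PRIVATENET=$( ip addr show "{{ vm_net.name }}" | grep "inet " | awk '{print $2}' )`. Because the two assignments now run at script load on every hook invocation, PRIVATENET is empty whenever the bridge does not exist yet or has no IPv4 address. Since `add_local_access_rules` interpolates it into an iptables rule, add a comment above the assignments noting this, or return early when the value is empty.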
@@ -21,8 +25,6 @@
 }
 
 add_local_access_rules() {
-    SUBNET=$( ip addr show $NIC|grep "inet "|awk '{print $2}' )
-    PRIVATENET=$( ip addr show virbr0|grep "inet "|awk '{print $2}' )
     add_rule "FORWARD" "-s $SUBNET -j ACCEPT"
     # Don't NAT traffic from service VMs destined to the local subnet
     add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
diff --git a/roles/config-virt/templates/virt_net.xml.j2 b/roles/config-virt/templates/virt_net.xml.j2
new file mode 100644
index 0000000..ad043e9
--- /dev/null
+++ b/roles/config-virt/templates/virt_net.xml.j2
@@ -0,0 +1,28 @@
+<network>
+  <name>xos-{{ item.name }}</name>
+  <bridge name="{{ item.name }}"/>
+  <forward/>
+  <domain name="{{ site_suffix }}" localonly="no"/>
+  <dns>
+{% if unbound_listen_on_default %}
+{% for host in groups['head'] %}
+  <forwarder addr="{{ hostvars[host].ansible_default_ipv4.address }}"/>
+{% endfor %}
+{% endif %}
+{% if dns_servers is defined %}
+{% for ns in dns_servers %}
+  <forwarder addr="{{ ns }}"/>
+{% endfor %}
+{% endif %}
+  </dns>
+  <ip address="{{ item.ipv4_prefix }}.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="{{ item.ipv4_prefix }}.2" end="{{ item.ipv4_prefix }}.254"/>
+{% if item.head_vms %}
+{% for vm in head_vm_list %}
+      <host name='{{ vm.name }}' ip='{{ item.ipv4_prefix }}.{{ vm.ipv4_last_octet }}'/>
+{% endfor %}
+{% endif %}
+    </dhcp>
+  </ip>
+</network>
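Review bot: `{% if unbound_listen_on_default %}` and `{% if item.head_vms %}` test values that may not be set, whereas `dns_servers` a few lines below is guarded with `is defined`. With Ansible's strict undefined handling, a `virt_nets` entry without `head_vms` would presumably abort the define task. Use `{% if unbound_listen_on_default | default(false) %}` and `{% if item.head_vms | default(false) %}`. A header comment listing the keys each entry needs (`name`, `ipv4_prefix` as the first three octets, optional `head_vms`) would also help, since the netmask is fixed at 255.255.255.0 and the addresses are built by string concatenation.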