feat: switch to avahi for mdns and mdns reflection

2025-10-10 23:00:39 +02:00 · 2025-04-27 11:08:40 +02:00 · 2025-04-27 11:08:40 +02:00 · 3f3573a1e2
commit 3f3573a1e2
parent 919ce9fc6a
12 changed files with 30 additions and 195 deletions
--- a/config/net.nix
+++ b/config/net.nix
@ -7,6 +7,18 @@
  systemd.network.enable = true;
  systemd.network.wait-online.enable = false;

+  services.avahi = {
+    enable = true;
+    ipv4 = true;
+    ipv6 = true;
+    nssmdns4 = true;
+    nssmdns6 = true;
+    publish = {
+      enable = true;
+      addresses = true;
+    };
+  };
+
  networking = {
    useDHCP = lib.mkForce false;
    useNetworkd = true;
@ -16,5 +28,10 @@
    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
      config.repo.secrets.local.networking.interfaces or { }
    );
+
+    nftables.chains.input.mdns = {
+      after = [ "conntrack" ];
+      rules = [ "udp dport 5353 accept" ];
+    };
  };
 }
--- a/config/resolved.nix
+++ b/config/resolved.nix
@ -1,12 +1,7 @@
-{
-  config,
-  lib,
-  ...
-}:
 {
  services.resolved = {
    enable = true;
-    dnssec = "false"; # wake me up in 20 years when DNSSEC is at least partly working
+    dnssec = "false"; # NOTE: wake me up in 20 years when DNSSEC is at least partially working
    fallbackDns = [
      "1.1.1.1"
      "2606:4700:4700::1111"
@ -16,50 +11,6 @@
    llmnr = "false";
    extraConfig = ''
      Domains=~.
-      MulticastDNS=true
    '';
  };
-
-  system.nssDatabases.hosts = lib.mkMerge [
-    (lib.mkBefore [ "mdns_minimal [NOTFOUND=return]" ])
-    (lib.mkAfter [ "mdns" ])
-  ];
-
-  # Open port 5353 for any interfaces that have MulticastDNS enabled
-  networking.nftables.firewall =
-    let
-      # Determine all networks that have MulticastDNS enabled
-      networksWithMulticast = lib.filter (
-        n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false
-      ) (lib.attrNames config.systemd.network.networks);
-
-      # Determine all known mac addresses and the corresponding link name
-      # based on the renameInterfacesByMac option.
-      knownMacs = lib.mapAttrs' (k: v: lib.nameValuePair v k) config.networking.renameInterfacesByMac;
-      # A helper that returns the link name for the given mac address,
-      # or null if it doesn't exist or the given mac was null.
-      linkNameFor = mac: if mac == null then null else knownMacs.${mac} or null;
-
-      # Calls the given function for each network that has MulticastDNS enabled,
-      # and collects all non-null values.
-      mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
-
-      # All interfaces on which MulticastDNS is used
-      mdnsInterfaces = lib.unique (
-        # For each network that is matched by MAC, lookup the link name
-        # and if map the definition name to the link name.
-        mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
-        # For each network that is matched by name, map the definition
-        # name to the link name.
-        ++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
-      );
-    in
-    lib.mkIf (mdnsInterfaces != [ ]) {
-      zones.mdns.interfaces = mdnsInterfaces;
-      rules.mdns-to-local = {
-        from = [ "mdns" ];
-        to = [ "local" ];
-        allowedUDPPorts = [ 5353 ];
-      };
-    };
 }
--- a/config/users.nix
+++ b/config/users.nix
@ -45,5 +45,6 @@
      tss = uidGid 966;
      firefly-iii = uidGid 965;
      firefly-pico = uidGid 964;
+      avahi = uidGid 963;
    };
 }