{ config, lib, ... }:
{
  services.avahi = {
    enable = lib.mkDefault true;
    nssmdns4 = lib.mkDefault true;
    nssmdns6 = lib.mkDefault true;
    # Disabling this setting also disables discovering of network devices.
    openFirewall = lib.mkDefault true;
    publish.enable = lib.mkDefault false;
  };
  networking.nftables.ruleset = lib.mkIf config.services.avahi.enable (''
    table inet filter {
      chain output-lan {
        skuid ${config.users.users.avahi.name} udp sport mdns udp dport mdns counter accept comment "Avahi: MulticastDNS"
      }
    }
  '' + lib.optionalString config.services.avahi.openFirewall ''
    table inet filter {
      chain input-lan {
        udp dport mdns counter accept comment "Avahi: MulticastDNS"
      }
    }
  '');
}