# Avahi (mDNS) defaults plus the nftables rules that let mDNS traffic through.
{ config, lib, ... }:
let
  inherit (lib) mkDefault mkIf optionalString;

  avahiCfg = config.services.avahi;

  # Egress rule: accepts only packets from sockets owned by the avahi user
  # (skuid) whose UDP source and destination ports are both mdns, so other
  # local processes do not get mDNS egress through this rule.
  # NOTE(review): the `output-lan` chain is not declared in this file;
  # presumably it is defined in another module — confirm it exists and how
  # it is reached from the output hook.
  mdnsEgressRules = ''
    table inet filter {
      chain output-lan {
        skuid ${config.users.users.avahi.name} udp sport mdns udp dport mdns counter accept comment "Avahi: MulticastDNS"
      }
    }
  '';

  # Ingress rule: accepts any UDP packet with destination port mdns. The rule
  # itself has no source-address or interface match, so its exposure is
  # decided entirely by which traffic is dispatched to `input-lan`.
  # NOTE(review): `input-lan` is not declared in this file — verify that only
  # trusted LAN traffic is routed into it.
  mdnsIngressRules = ''
    table inet filter {
      chain input-lan {
        udp dport mdns counter accept comment "Avahi: MulticastDNS"
      }
    }
  '';
in
{
  # Every value is set with mkDefault, so a plain assignment in another
  # module overrides it without needing mkForce.
  services.avahi = {
    enable = mkDefault true;

    # Resolve mDNS names through NSS for both IPv4 and IPv6.
    nssmdns4 = mkDefault true;
    nssmdns6 = mkDefault true;

    # Turning this off also turns off discovery of network devices.
    # Besides the upstream option's own effect, it gates the ingress rule
    # appended to the nftables ruleset below.
    openFirewall = mkDefault true;

    # Publishing is off by default.
    publish.enable = mkDefault false;
  };

  # Rules are emitted only while Avahi is enabled: the egress rule always,
  # the ingress rule only when openFirewall is set.
  networking.nftables.ruleset = mkIf avahiCfg.enable (
    mdnsEgressRules + optionalString avahiCfg.openFirewall mdnsIngressRules
  );
}