{ config, lib, ... }:
{
  services.avahi = {
    enable = lib.mkDefault true;
    nssmdns4 = lib.mkDefault true;
    # UsageWarning: Due to the fact that most mDNS responders only register local IPv4 addresses,
    # most user want to leave this option disabled to avoid long timeouts
    # when applications first resolve the none existing IPv6 address.
    nssmdns6 = lib.mkDefault false;
    # Disabling this setting also disables discovering of network devices.
    openFirewall = lib.mkDefault true;
    publish.enable = lib.mkDefault false;
  };
  environment.etc."mdns.allow".text = ''
    .local.
    .local
  '';
  networking.nftables.ruleset = lib.mkIf config.services.avahi.enable (
    ''
      table inet filter {
        chain output-lan {
          skuid ${config.users.users.avahi.name} udp sport mdns udp dport mdns counter accept comment "Avahi: MulticastDNS"
        }
      }
    ''
    + lib.optionalString config.services.avahi.openFirewall ''
      table inet filter {
        chain input-lan {
          udp dport mdns counter accept comment "Avahi: MulticastDNS"
        }
      }
    ''
  );
}