avahi: integrate with nss

now i can resolve .local hosts, via glibc, e.g. 'getent hosts <host>.local'

hosts/common/net/dns.nix

@@ -20,7 +20,7 @@
 # - each namespace may use a different /etc/resolv.conf to specify different DNS servers
 # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
 #   - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 lib.mkMerge [
 {
   sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
@@ -59,15 +59,34 @@ lib.mkMerge [
   # in the netns and we query upstream DNS more often than needed. hm.
   # services.nscd.enableNsncd = true;
 
-  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
+  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf (er, did i mean /etc/nsswitch.conf?).
   # - dns: glibc-bultin
   # - files: glibc-builtin
   # - myhostname: systemd
   # - mymachines: systemd
   # - resolve: systemd
   # in practice, i see no difference with nscd disabled.
+  # - the exception is when the system dns resolver doesn't do everything.
+  #   for example, systemd-resolved does mDNS. hickory-dns does not. a hickory-dns system won't be mDNS-capable.
   # disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
   services.nscd.enable = false;
-  system.nssModules = lib.mkForce [];
+  # system.nssModules = lib.mkForce [];
+  sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
+  # add NSS modules into their own subdirectory.
+  # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
+  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
+  #   (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
+  environment.systemPackages = [(pkgs.symlinkJoin {
+    name = "nss-modules";
+    paths = config.system.nssModules.list;
+    postBuild = ''
+      mkdir nss
+      mv $out/lib/libnss_* nss
+      rm -rf $out
+      mkdir -p $out/lib
+      mv nss $out/lib
+    '';
+  })];
+  environment.variables.LD_LIBRARY_PATH = [ "/run/current-system/sw/lib/nss" ];
 }
 ]

hosts/common/programs/avahi.nix

@@ -5,7 +5,10 @@
 # - code: <https://github.com/avahi/avahi>
 # - IRC: #avahi on irc.libera.chat
 #
-# `avahi-browse --help` for usage
+# - `avahi-browse --help` for usage
+# - `man avahi-daemon.conf`
+# - `LD_LIBRARY_PATH=/nix/store/ngwj3jqmxh8k4qji2z0lj7y1f8vzqrn2-nss-mdns-0.15.1/lib getent hosts desko.local`
+#   nss-mdns goes through avahi-daemon, so there IS caching here
 #
 # TODO(2024/06/25): *.local DNS resolution should go through avahi,
 # but this fails on trust-dns-based systems.
@@ -18,7 +21,8 @@
     package = config.sane.programs.avahi.package;
     publish.enable = true;
     publish.userServices = true;
-    # nssmdns4 = true;  #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
+    nssmdns4 = true;  #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
+    # reflector = true;
     allowInterfaces = [
       # particularly, the default config disallows loopback, which is kinda fucking retarded, right?
       "ens1"  #< servo

modules/programs/default.nix

@@ -57,8 +57,10 @@ let
           "/run/opengl-driver"
           "/run/opengl-driver-32"  #< XXX: doesn't exist on aarch64?
           "/usr/bin/env"
-        ] ++ lib.optionals (config.services.resolved.enable) [
+        ] ++ lib.optionals (sandbox.net == "all" && config.services.resolved.enable) [
           "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
+        ] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
+          "/var/run/avahi-daemon"  #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
         ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
           ++ sandbox.extraPaths
         ;