Merge pull request #173697 from jmbaur/avahi-daemon-deny-interfaces

nixos/avahi: add denyInterfaces option
2023-03-17 17:11:49 +01:00 · 2023-03-17 17:11:49 +01:00 · 7ec767ff54
commit 7ec767ff54
parent a585ce724c ea0dc2c5eb
1 changed files with 27 additions and 9 deletions
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@ -5,7 +5,7 @@ with lib;
 let
  cfg = config.services.avahi;

-  yesNo = yes : if yes then "yes" else "no";
+  yesNo = yes: if yes then "yes" else "no";

  avahiDaemonConf = with cfg; pkgs.writeText "avahi-daemon.conf" ''
    [server]
@ -17,7 +17,8 @@ let
    browse-domains=${concatStringsSep ", " browseDomains}
    use-ipv4=${yesNo ipv4}
    use-ipv6=${yesNo ipv6}
-    ${optionalString (interfaces!=null) "allow-interfaces=${concatStringsSep "," interfaces}"}
+    ${optionalString (allowInterfaces!=null) "allow-interfaces=${concatStringsSep "," allowInterfaces}"}
+    ${optionalString (denyInterfaces!=null) "deny-interfaces=${concatStringsSep "," denyInterfaces}"}
    ${optionalString (domainName!=null) "domain-name=${domainName}"}
    allow-point-to-point=${yesNo allowPointToPoint}
    ${optionalString (cacheEntriesMax!=null) "cache-entries-max=${toString cacheEntriesMax}"}
@ -39,6 +40,10 @@ let
  '';
 in
 {
+  imports = [
+    (lib.mkRenamedOptionModule [ "services" "avahi" "interfaces" ] [ "services" "avahi" "allowInterfaces" ])
+  ];
+
  options.services.avahi = {
    enable = mkOption {
      type = types.bool;
@ -91,7 +96,7 @@ in
      description = lib.mdDoc "Whether to use IPv6.";
    };

-    interfaces = mkOption {
+    allowInterfaces = mkOption {
      type = types.nullOr (types.listOf types.str);
      default = null;
      description = lib.mdDoc ''
@ -101,6 +106,17 @@ in
      '';
    };

+    denyInterfaces = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+      description = lib.mdDoc ''
+        List of network interfaces that should be ignored by the
+        {command}`avahi-daemon`. Other unspecified interfaces will be used,
+        unless {option}`allowInterfaces` is set. This option takes precedence
+        over {option}`allowInterfaces`.
+      '';
+    };
+
    openFirewall = mkOption {
      type = types.bool;
      default = true;
@ -134,7 +150,7 @@ in

    extraServiceFiles = mkOption {
      type = with types; attrsOf (either str path);
-      default = {};
+      default = { };
      example = literalExpression ''
        {
          ssh = "''${pkgs.avahi}/etc/avahi/services/ssh.service";
@ -236,7 +252,7 @@ in
      isSystemUser = true;
    };

-    users.groups.avahi = {};
+    users.groups.avahi = { };

    system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
    system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
@ -246,10 +262,12 @@ in

    environment.systemPackages = [ pkgs.avahi ];

-    environment.etc = (mapAttrs' (n: v: nameValuePair
-      "avahi/services/${n}.service"
-      { ${if types.path.check v then "source" else "text"} = v; }
-    ) cfg.extraServiceFiles);
+    environment.etc = (mapAttrs'
+      (n: v: nameValuePair
+        "avahi/services/${n}.service"
+        { ${if types.path.check v then "source" else "text"} = v; }
+      )
+      cfg.extraServiceFiles);

    systemd.sockets.avahi-daemon = {
      description = "Avahi mDNS/DNS-SD Stack Activation Socket";