avahi: set service directory and refactor module

[WilliButz]

Re-opened PR against staging, includes changes proposed in #61945.

Motivation for this change

Before this PR avahi used to look for service definitions in etc/avahi/services in its store path.
First this leads to the situation mentioned in #60939 and it also makes adding custom services quite user-unfriendly, because they would have to be added to the build output of avahi.

Things done

Package:

For the build AVAHI_SERVICE_DIR is now set to /etc/avahi/services.

Module:

Types are now specified for all options.
The fixed uid and gid for the avahi user have been removed
and the avahi user is now in the avahi group.
The the generic opening of the firewall for UDP port 5353 is
now optional, but still defaults to true.

The option extraServiceFiles was added to specify avahi
service definitions, which are then placed in /etc/avahi/services.

Manual:

Added a section mentioning the changes for avahi.

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Assured whether relevant documentation is up to date
• Fits CONTRIBUTING.md.

---

fixes #60939

/cc @infinisil

[WilliButz]

@GrahamcOfBorg test avahi

[peterhoeg]

Good initiative!

Couple of things:

a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation)
b. Why are we removing the static uid/gid?

[WilliButz]

@peterhoeg

a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation)

Regarding avahi-daemon.socket the unit file shipped with avahi is not different from the one in nixpkgs.
Our definition for avahi-daemon.service has a small diff compared to upstream:

• we do not specify ExecReload, which I think makes sense, because we do not have our avahi config file in the build output of avahi
• we specify the extra path entries and LD_LIBRARY_PATH
• we don't speficy the unit's Alias

As I am not quite sure what you meant, could you maybe elaborate on why we don't need our own service definition?

b. Why are we removing the static uid/gid?

The service doesn't handle a lot of files and the ones that are handled by avahi don't rely on a static uid. Also, as the user was not even in the avahi group until now, the gid was never used - instead the group nogroup was.

Maybe you thought of a reason to keep the static uid?

[peterhoeg]

a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation)

As I am not quite sure what you meant, could you maybe elaborate on why we don't need our own service definition?

We can get the unit files from upstream avahi by doing this:

systemd.packages = with pkgs; [ avahi ];

And then simply override the bits that we want to change and leave the rest as-is.

Maybe you thought of a reason to keep the static uid?

The problem is that the uid could (would) be something else on another system which isn't great. We either want to keep it the same across the board (hence the ids.nix) or ideally use DynamicUser = true; if supported to have systemd handle it for us.

[fpletz]

The problem is that the uid could (would) be something else on another system which isn't great.

The avahi service does not manage any persistent state so it shouldn't really matter. Why are different uids a problem?

ideally use DynamicUser = true; if supported to have systemd handle it for us.

Avahi drops the privileges itself to a user with a username that is compiled in. It has to be run as root and the user has to exist.

Avahi does support running as non-root but the code still expects the hardcoded username to exist. That's why we can't switch to DynamicUser. Fixing avahi is out of scope for this PR though.

a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation)

The upstream systemd service unit is pretty basic and in that case I actually prefer defining the whole service in the NixOS module. When avahi will eventually support DynamicUser or other systemd shenanigans we have to touch our service definition anyway.

[fpletz]

@worldofpeace Do you have any remarks since you requested self-review?

[elseym]

just a few typos :)

[WilliButz]

I added the suggested changes and rebased on staging.

[worldofpeace]

@worldofpeace Do you have any remarks since you requested self-review?

Yes, it was in queue to review. I have the time now so it's incoming shortly if it's still needed.

[worldofpeace]

Just some more cleanup should be done to the options.
Feedback on the release note also.

[worldofpeace]

nitpick: this option's name is pretty ambiguous. There's already domainName to be confusing so perhaps

Suggested change

	domain = mkOption {
	announceDomain = mkOption {

[WilliButz]

Sounds like a good idea to me, though these option names come from avahi and I think it would therefore be better to keep them.
Regarding the ambiguity, I think this is not much of a problem, because the two options are on different levels.

[worldofpeace]

Suggested change

	cacheEntriesMax = mkOption {
	maxCacheEntries = mkOption {

Feels backwards to me. Options renamed should use mkRenamedOptionModule btw.

[WilliButz]

Same as with the other option.

[WilliButz]

I updated the PR to include most of the suggested changes. I'd like to wait for feedback on the renaming of the two options before adding these changes.
Also rebased on staging.

[worldofpeace]

I updated the PR to include most of the suggested changes. I'd like to wait for feedback on the renaming of the two options before adding these changes.
Also rebased on staging.

The renaming of the options were essentially nitpicks and didn't really need a response.
This looks good to me 👍 thank you for being so responsive to our requests.

Lastly, it's always a good idea to actually test the service. And specifically extraServiceFiles.
I'll try to perform this today in a NixOS vm.

[worldofpeace]

Actually, perhaps https://github.com/NixOS/nixpkgs/blob/bac6f67aaa8fa87425b6f5cc046534ba4b734d9c/nixos/tests/avahi.nix should be updated to test extraServiceFiles?

[WilliButz]

@worldofpeace done. Took me a while to build staging after rebasing though :)
@GrahamcOfBorg test avahi

[worldofpeace]

On my side of things this looks good 🌸

[peterhoeg]

The avahi service does not manage any persistent state so it shouldn't really matter. Why are different uids a problem?

It isn't a problem per se, but currently we have this nice guarantee that the ids are all the same across systems which is no longer the case for no gain.

Avahi does support running as non-root but the code still expects the hardcoded username to exist. That's why we can't switch to DynamicUser. Fixing avahi is out of scope for this PR though.

Fully agree.

a. avahi upstream provides a systemd unit file - we don't need our own service def (except for the activation)

The upstream systemd service unit is pretty basic and in that case I actually prefer defining the whole service in the NixOS module. When avahi will eventually support DynamicUser or other systemd shenanigans we have to touch our service definition anyway.

I think as a matter of principle, we should use upstream - we really don't gain anything by maintaining our own.

See #62153 (comment)

[worldofpeace]

Only comment left that may be blocking is this is a principal of whether to use systemd.packages or define everything manually within the module. (raised by @peterhoeg)

I generally tend to prefer if there's a service upstream that we could use, and they're practically identical...
If we were to use it we'd have to establish the alias manually though like network-manager

nixpkgs/pkgs/tools/networking/network-manager/default.nix

Line 102 in 97aba37

ln -s $out/etc/systemd/system/NetworkManager.service $out/etc/systemd/system/dbus-org.freedesktop.NetworkManager.service

No real loss in leaving it as is, no?

[peterhoeg]

I generally tend to prefer if there's a service upstream that we could use

IMHO, the best kind of code is the one you don't have to write.

[globin]

I think this PR is definitely ready enough to be merged, any further minor issues like using the systemd unit from upstream can be addressed in a follow-up PR. This should not have to be blocked as it definitely improves the module a lot already.