author: Craig Jennings <c@cjennings.net> 2026-01-27 06:17:29 -0600
committer: Craig Jennings <c@cjennings.net> 2026-01-27 06:17:29 -0600
commit: aa89a46820f0a27df88a3717c987ac31cbb2f940
tree: 4db7ba367f6c28521662847a88ab731f6d6f9f8c /assets/outbox
parent: 74e7b5071b5cd8cffd404fe165eebe712d9ffd02
chore(assets): reorganize into outbox and wireguard-config
Move processed inbox files to assets/outbox/, rename assets/wireguard to assets/wireguard-config, delete unused dwm.desktop.
Diffstat (limited to 'assets/outbox')
-rw-r--r-- assets/outbox/2026-01-17-gvfs-smb-feature-request.txt 6
-rw-r--r-- assets/outbox/2026-01-17-security-and-hardening-recommendations.txt 119
-rw-r--r-- assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt 202
-rw-r--r-- assets/outbox/2026-01-19-remove-zfs-scripts-request.md 29
-rw-r--r-- assets/outbox/2026-01-20-console-display-issues.txt 112
-rw-r--r-- assets/outbox/2026-01-21-grub-timeout-request.txt 4
-rw-r--r-- assets/outbox/2026-01-21-syncthing-service-conflict.org 72
-rw-r--r-- assets/outbox/2026-01-23-avahi-mdns-fixes.org 125
8 files changed, 669 insertions, 0 deletions
diff --git a/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt b/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt
new file mode 100644
index 0000000..79892f7
--- /dev/null
+++ b/assets/outbox/2026-01-17-gvfs-smb-feature-request.txt
@@ -0,0 +1,6 @@
+Install gvfs-smb for Thunar SMB network browsing
+
+Package: gvfs-smb
+Install: sudo pacman -S gvfs-smb
+
+Without this package, Thunar cannot browse SMB/CIFS network shares.
diff --git a/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt b/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt
new file mode 100644
index 0000000..22a0c53
--- /dev/null
+++ b/assets/outbox/2026-01-17-security-and-hardening-recommendations.txt
@@ -0,0 +1,119 @@
+# Security and Hardening Recommendations for archsetup
+
+These recommendations come from the install-archzfs base install.
+The base system is minimal - archsetup should handle hardening.
+
+## SSH Hardening (Priority: High)
+
+If SSH was enabled during install (for headless servers), it uses password auth.
+archsetup should:
+
+1. Install and configure fail2ban
+ - pacman -S fail2ban
+ - Enable sshd jail
+ - Configure ban times (suggested: 10m first offense, escalating)
+ - Consider integration with firewalld/nftables
+
+2. Switch to key-based authentication
+ - Prompt user for SSH public key or generate keypair
+ - Disable password authentication in /etc/ssh/sshd_config:
+ PasswordAuthentication no
+ PermitRootLogin prohibit-password (or 'no' for desktop)
+
+3. Consider changing default SSH port (optional, security through obscurity)
+
+## Firewall (Priority: High)
+
+Base install has no firewall configured. Options:
+
+1. firewalld (recommended for most users)
+ - pacman -S firewalld
+ - systemctl enable --now firewalld
+ - Default zone should block incoming except SSH
+
+2. nftables (for advanced users)
+ - Already installed as iptables backend
+ - Needs manual configuration
+
+3. ufw (simpler alternative)
+ - pacman -S ufw
+ - Good for users coming from Ubuntu
+
+## ZFS-Specific Recommendations
+
+1. Sanoid/Syncoid for automated snapshots
+ - pacman -S sanoid
+ - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention
+ - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m
+
+2. ZFS scrub timer
+ - systemctl enable zfs-scrub-weekly.timer
+ - Or create monthly timer for large pools
+
+3. ZED (ZFS Event Daemon) email alerts
+ - Configure /etc/zfs/zed.d/zed.rc
+ - Set ZED_EMAIL_ADDR for pool health notifications
+
+4. Consider zfs-auto-snapshot as alternative to sanoid
+
+## User Account Setup
+
+Base install only has root. archsetup should:
+
+1. Create primary user account with sudo access
+2. Lock root account for direct login (sudo only)
+3. Configure sudo timeout and logging
+
+## Package Manager Hardening
+
+1. Enable pacman hooks for security
+ - Verify package signatures (already default)
+
+2. Consider enabling reflector timer
+ - Keeps mirrorlist updated with fastest/most recent mirrors
+
+3. Install pacman-contrib for paccache
+ - Configure paccache.timer to clean old package cache
+
+## Automatic Updates (Optional)
+
+For servers that need unattended security updates:
+- Consider pacman-auto-update or similar
+- ZFS pre-pacman snapshots (already in install-archzfs) make this safer
+
+## AppArmor/SELinux (Optional, Advanced)
+
+For high-security environments:
+- AppArmor is easier: pacman -S apparmor
+- Requires kernel parameter: lsm=apparmor
+
+## Misc Recommendations
+
+1. Install and enable systemd-timesyncd or chrony for NTP
+
+2. Configure journald retention
+ - /etc/systemd/journald.conf
+ - SystemMaxUse=500M (or appropriate for system)
+
+3. Disable core dumps for security (optional)
+ - /etc/security/limits.conf: * hard core 0
+
+4. Install lynis for security auditing
+ - pacman -S lynis
+ - Run: lynis audit system
+
+## Desktop-Specific (if applicable)
+
+1. Consider firejail for sandboxing applications
+2. Install a password manager (pass, keepassxc)
+3. Configure automatic screen lock
+
+## Server-Specific (if applicable)
+
+1. Install and configure logwatch or logrotate
+2. Consider setting up centralized logging
+3. Install monitoring (prometheus node_exporter, netdata, etc.)
+
+---
+Generated by install-archzfs build system
+These are recommendations - implement based on your security requirements.
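Review bot: In the SSH Hardening section, `PermitRootLogin prohibit-password` conflicts with "Lock root account for direct login (sudo only)" under User Account Setup, and the file gives no order for these steps even though it states "Base install only has root". Suggest spelling out the sequence: create the sudo user and install its public key, confirm a key-based login works, validate the edited config with `sshd -t`, and only then set `PasswordAuthentication no` and `PermitRootLogin no`, so a headless machine is not locked out between steps. Separately, "Enable pacman hooks for security" lists only signature verification, which the file itself marks as already default and which is not a hook; either name the hooks intended or drop the item.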
diff --git a/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt b/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt
new file mode 100644
index 0000000..87207f2
--- /dev/null
+++ b/assets/outbox/2026-01-17-zfs-sanoid-feature-request.txt
@@ -0,0 +1,202 @@
+ZFS Detection and Sanoid Installation
+======================================
+
+When archsetup runs, it should detect if the system is on ZFS and install sanoid.
+
+Detection:
+- Check if root filesystem is ZFS: `findmnt -n -o FSTYPE /` returns "zfs"
+- Or check if zpool exists: `zpool list -H 2>/dev/null`
+
+If ZFS detected:
+1. Install sanoid from AUR: `yay -S sanoid`
+2. Create /etc/sanoid/sanoid.conf (see below)
+3. Enable the timer: `systemctl enable --now sanoid.timer`
+4. Create the syncoid replication script and systemd units (see below)
+
+Context:
+- install-archzfs can't install sanoid (AUR package)
+- archsetup already has AUR helper setup, so it's the right place to install it
+- syncoid (for TrueNAS replication) comes with the sanoid package
+
+Added: 2026-01-17
+
+================================================================================
+SANOID CONFIGURATION (/etc/sanoid/sanoid.conf)
+================================================================================
+
+# Sanoid configuration for ZFS snapshots
+# Less aggressive - TrueNAS handles long-term backups
+
+#############################
+# Templates
+#############################
+
+[template_production]
+ # Local rollback capability
+ hourly = 6
+ daily = 7
+ weekly = 2
+ monthly = 1
+ autosnap = yes
+ autoprune = yes
+
+[template_backup]
+ # Less frequent for large/static data
+ hourly = 0
+ daily = 3
+ weekly = 2
+ monthly = 1
+ autosnap = yes
+ autoprune = yes
+
+[template_none]
+ autosnap = no
+ autoprune = yes
+
+#############################
+# Datasets
+#############################
+
+[zroot/ROOT/default]
+ use_template = production
+
+[zroot/home]
+ use_template = production
+ recursive = yes
+
+[zroot/media]
+ use_template = backup
+
+[zroot/vms]
+ use_template = backup
+
+[zroot/var/log]
+ use_template = production
+
+[zroot/var/lib/pacman]
+ use_template = production
+
+[zroot/var/cache]
+ use_template = none
+
+[zroot/var/tmp]
+ use_template = none
+
+[zroot/tmp]
+ use_template = none
+
+================================================================================
+SYNCOID REPLICATION SCRIPT (/usr/local/bin/zfs-replicate)
+================================================================================
+
+#!/bin/bash
+# zfs-replicate - Replicate ZFS datasets to TrueNAS
+#
+# Usage:
+# zfs-replicate # Replicate all configured datasets
+# zfs-replicate [dataset] # Replicate specific dataset
+
+set -e
+
+# TrueNAS Configuration
+# Try local network first, fall back to tailscale
+TRUENAS_LOCAL="truenas.local"
+TRUENAS_TAILSCALE="truenas"
+TRUENAS_USER="root"
+TRUENAS_POOL="vault"
+BACKUP_PATH="backups" # TODO: Configure actual path
+
+# Datasets to replicate
+DATASETS="zroot/ROOT/default zroot/home zroot/media zroot/vms"
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+info() { echo -e "${GREEN}[INFO]${NC} $1"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }
+
+command -v syncoid >/dev/null 2>&1 || error "syncoid not found. Install sanoid package."
+
+# Determine which host to use
+determine_host() {
+ if ping -c 1 -W 2 "$TRUENAS_LOCAL" &>/dev/null; then
+ echo "$TRUENAS_LOCAL"
+ elif ping -c 1 -W 2 "$TRUENAS_TAILSCALE" &>/dev/null; then
+ echo "$TRUENAS_TAILSCALE"
+ else
+ error "Cannot reach TrueNAS at $TRUENAS_LOCAL or $TRUENAS_TAILSCALE"
+ fi
+}
+
+TRUENAS_HOST=$(determine_host)
+info "Using TrueNAS host: $TRUENAS_HOST"
+
+# Single dataset mode
+if [[ -n "$1" ]]; then
+ dataset="$1"
+ dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}"
+ info "Replicating $dataset -> $dest"
+ syncoid --recursive "$dataset" "$dest"
+ exit 0
+fi
+
+# Full replication
+info "Starting ZFS replication to $TRUENAS_HOST"
+echo ""
+
+for dataset in $DATASETS; do
+ dest="$TRUENAS_USER@$TRUENAS_HOST:$TRUENAS_POOL/$BACKUP_PATH/${dataset#zroot/}"
+ info "Replicating $dataset -> $dest"
+
+ if syncoid --recursive "$dataset" "$dest"; then
+ info " Success"
+ else
+ warn " Failed (will retry next run)"
+ fi
+ echo ""
+done
+
+info "Replication complete."
+
+================================================================================
+SYSTEMD SERVICE (/etc/systemd/system/zfs-replicate.service)
+================================================================================
+
+[Unit]
+Description=ZFS Replication to TrueNAS
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/zfs-replicate
+User=root
+
+[Install]
+WantedBy=multi-user.target
+
+================================================================================
+SYSTEMD TIMER (/etc/systemd/system/zfs-replicate.timer)
+================================================================================
+
+[Unit]
+Description=Run ZFS replication nightly
+
+[Timer]
+OnCalendar=*-*-* 02:00:00
+RandomizedDelaySec=1800
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+
+================================================================================
+ENABLE REPLICATION
+================================================================================
+
+After SSH key auth is set up to TrueNAS:
+ systemctl enable --now zfs-replicate.timer
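Review bot: In `determine_host`, the unreachable branch calls `error`, but the function runs inside `TRUENAS_HOST=$(determine_host)`, so the message goes to the captured stdout and `exit 1` only leaves the subshell; with `set -e` the script then stops without printing anything. Send the `info`/`warn`/`error` output to stderr (`>&2`) so the failure shows up in the journal. In the full-replication loop a failed `syncoid` only triggers `warn`, and the script still prints "Replication complete." and exits 0, so zfs-replicate.service reports success even when every dataset failed; count failures and exit non-zero. `TRUENAS_USER="root"` also gives this client's SSH key root on the backup target; a dedicated receive account with delegated ZFS permissions would limit what a compromised client can do to the backups. Finally, the install step here uses `yay -S sanoid` while the hardening recommendations file in this commit says `pacman -S sanoid`; one of the two should be corrected.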
diff --git a/assets/outbox/2026-01-19-remove-zfs-scripts-request.md b/assets/outbox/2026-01-19-remove-zfs-scripts-request.md
new file mode 100644
index 0000000..f67aa47
--- /dev/null
+++ b/assets/outbox/2026-01-19-remove-zfs-scripts-request.md
@@ -0,0 +1,29 @@
+# Task: Remove zfssnapshot and zfsrollback from archsetup
+
+## Summary
+Remove the `zfssnapshot` and `zfsrollback` scripts from archsetup's dotfiles. These scripts are now provided by the archzfs ISO and installed to `/usr/local/bin/` during `install-archzfs`.
+
+## Files to Remove
+- `dotfiles/system/.local/bin/zfssnapshot`
+- `dotfiles/system/.local/bin/zfsrollback`
+
+## Reason for Change
+These scripts need to be available immediately after a fresh install from the archzfs ISO, before archsetup runs. Key use cases:
+
+1. **Rescue scenarios**: Rolling back from live USB when the installed system won't boot
+2. **Genesis rollback**: If archsetup fails mid-run, user can rollback to genesis and retry
+3. **Script availability**: The scripts themselves must survive a genesis rollback (they're now part of genesis snapshot)
+
+By including them in the ISO and `install-archzfs`, they're guaranteed to be present from first boot, with fzf also installed as a dependency.
+
+## Changes Made in archzfs
+- Added `custom/zfssnapshot` and `custom/zfsrollback`
+- `build.sh` copies them to `/usr/local/bin/` on the ISO
+- `install-archzfs` installs `fzf` to target system (required by zfsrollback)
+- fzf was already in ISO package list
+
+## Note: Keep fzf in archsetup
+Archsetup should continue to install `fzf` in its package list. Archsetup can run on vanilla Arch installs with ext4 or btrfs (not just ZFS from archzfs ISO), where `install-archzfs` would not have run and fzf wouldn't be present.
+
+## Date
+2026-01-19
diff --git a/assets/outbox/2026-01-20-console-display-issues.txt b/assets/outbox/2026-01-20-console-display-issues.txt
new file mode 100644
index 0000000..f8dc710
--- /dev/null
+++ b/assets/outbox/2026-01-20-console-display-issues.txt
@@ -0,0 +1,112 @@
+Console Display Issues - Potential Causes in archsetup
+======================================================
+Date: 2026-01-20
+Source: archzfs testing on ratio - console not showing after install
+
+SUMMARY
+-------
+After running install-archzfs and archsetup on ratio, the console stopped
+displaying. The system boots but shows no console output. These are the
+suspected culprits in archsetup.
+
+SUSPECTED ISSUES
+----------------
+
+1. Console Font Configuration (boot_ux, lines 1574-1579)
+
+ File: archsetup
+ Lines: 1574-1579
+
+ Code:
+ if grep -q "^FONT=" /etc/vconsole.conf 2>/dev/null; then
+ sed -i 's/^FONT=.*/FONT=ter-132n/' /etc/vconsole.conf
+ else
+ echo "FONT=ter-132n" >> /etc/vconsole.conf
+ fi
+
+ Problem: Sets console font to ter-132n (Terminus 32pt). If the font
+ is missing, corrupted, or incompatible with the framebuffer, the
+ console may fail to display anything.
+
+ Fix: Verify terminus-font package is installed and font exists before
+ setting. Add fallback handling.
+
+2. mkinitcpio Hook Change (boot_ux, lines 1581-1583)
+
+ File: archsetup
+ Lines: 1581-1583
+
+ Code:
+ sed -i '/^HOOKS=/ s/\budev\b/systemd/' /etc/mkinitcpio.conf
+ mkinitcpio -P
+
+ Problem: Changes mkinitcpio from 'udev' to 'systemd' hook and
+ regenerates ALL initramfs images. This is a significant change that
+ affects early boot. If the systemd hook isn't properly configured
+ or conflicts with other hooks, boot may fail or console may not
+ initialize properly.
+
+ Fix: Ensure all required systemd-related hooks are present. Consider
+ whether this change is necessary or could be made optional.
+
+3. GRUB Quiet Boot Settings (boot_ux, line 1624)
+
+ File: archsetup
+ Line: 1624
+
+ Code:
+ sed -i "s/.*GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"rw loglevel=2 rd.systemd.show_status=auto rd.udev.log_level=2 nvme.noacpi=1 mem_sleep_default=deep nowatchdog quiet splash\"/g" /etc/default/grub
+
+ Problem: Adds 'quiet splash' and sets loglevel=2, which suppresses
+ most boot messages. If something goes wrong during boot, you won't
+ see any output. The 'splash' option may also interfere with console.
+
+ Fix: Consider removing 'splash' or making quiet boot optional.
+ For debugging, temporarily remove 'quiet splash' from GRUB.
+
+4. Kernel Message Suppression (boot_ux, lines 1571-1572)
+
+ File: archsetup
+ Lines: 1571-1572
+
+ Code:
+ echo "kernel.printk = 3 3 3 3" >/etc/sysctl.d/20-quiet-printk.conf
+
+ Problem: Suppresses kernel messages to console. Combined with other
+ quiet settings, this could hide important boot information.
+
+ Fix: For debugging, remove or adjust this setting.
+
+5. Xorg VT Switching Disabled (xorg, lines 1102-1107)
+
+ File: archsetup
+ Lines: 1102-1107
+
+ Code:
+ cat << EOF > /etc/X11/xorg.conf.d/00-no-vt-or-zap.conf
+ Section "ServerFlags"
+ Option "DontVTSwitch" "True"
+ Option "DontZap" "True"
+ EndSection
+ EOF
+
+ Problem: Disables VT switching when X is running. If X starts
+ automatically, you cannot switch to a text console with Ctrl+Alt+F2.
+ This is a security feature but makes debugging harder.
+
+ Note: This only affects post-X boot, not early console display.
+
+DEBUGGING STEPS
+---------------
+1. Boot with 'nomodeset' kernel parameter to rule out GPU/framebuffer issues
+2. Remove 'quiet splash' from GRUB temporarily
+3. Check if ter-132n font exists: ls /usr/share/kbd/consolefonts/ter-*
+4. Review mkinitcpio.conf HOOKS line for conflicts
+5. Check journalctl -b for boot errors
+
+RECOMMENDED CHANGES
+-------------------
+- Make quiet boot optional or add a debug boot menu entry
+- Verify font exists before setting in vconsole.conf
+- Document the udev->systemd hook change and its implications
+- Consider adding a recovery boot option that skips quiet settings
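Review bot: Item 3 discusses only `quiet splash` and `loglevel=2`, but the quoted sed matches `.*GRUB_CMDLINE_LINUX_DEFAULT=.*` and replaces the whole line, so any kernel parameters already set there are discarded and a commented-out copy of the line is rewritten as well. The write-up should list that as a suspected cause and recommend adding or removing individual parameters rather than overwriting the value. Item 4 cites lines 1571-1572 but quotes a single line; include the second line or correct the range so the reference can be checked against archsetup.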
diff --git a/assets/outbox/2026-01-21-grub-timeout-request.txt b/assets/outbox/2026-01-21-grub-timeout-request.txt
new file mode 100644
index 0000000..fa03f62
--- /dev/null
+++ b/assets/outbox/2026-01-21-grub-timeout-request.txt
@@ -0,0 +1,4 @@
+* TODO Increase GRUB_TIMEOUT to 2 seconds
+Currently setting GRUB_TIMEOUT=0 which doesn't give users time to access GRUB menu.
+Change to GRUB_TIMEOUT=2 for a reasonable delay while keeping boot fast.
+
diff --git a/assets/outbox/2026-01-21-syncthing-service-conflict.org b/assets/outbox/2026-01-21-syncthing-service-conflict.org
new file mode 100644
index 0000000..7f86b39
--- /dev/null
+++ b/assets/outbox/2026-01-21-syncthing-service-conflict.org
@@ -0,0 +1,72 @@
+#+TITLE: Syncthing Service Conflict Issue
+#+DATE: 2026-01-21
+
+* Problem
+
+archsetup enables the system service:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+#+end_src
+
+However, the user service can also get enabled (either by default or manually):
+#+begin_src bash
+systemctl --user enable syncthing.service
+#+end_src
+
+When BOTH services are enabled, they fight over the same lock file:
+=~/.local/state/syncthing/syncthing.lock=
+
+This causes one or both to fail with:
+: Failed to acquire lock: is another Syncthing instance already running?
+
+* Symptoms
+
+- Syncthing fails to start or keeps crashing
+- Lock file errors in journalctl
+- Two syncthing processes running with different parent services
+- Config changes don't persist (one service overwrites the other)
+
+* Recommendation
+
+Standardize on ONE service type. Options:
+
+** Option A: User Service (recommended for desktops)
+
+Runs when user logs in. Cleaner for desktop use.
+
+Change archsetup from:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+#+end_src
+
+To:
+#+begin_src bash
+# Enable user service (requires user session)
+sudo -u "$username" systemctl --user enable syncthing.service
+#+end_src
+
+Note: User services require lingering or an active session:
+#+begin_src bash
+loginctl enable-linger "$username"
+#+end_src
+
+** Option B: System Service (recommended for headless/servers)
+
+Runs at boot without user login. Better for servers.
+
+Keep current archsetup config, but ensure user service is disabled:
+#+begin_src bash
+systemctl enable "syncthing@$username.service"
+# Explicitly disable user service to prevent conflicts
+sudo -u "$username" systemctl --user disable syncthing.service 2>/dev/null || true
+#+end_src
+
+* Resolution on ratio (2026-01-21)
+
+Disabled system service, kept user service:
+#+begin_src bash
+sudo systemctl stop syncthing@cjennings.service
+sudo systemctl disable syncthing@cjennings.service
+systemctl --user enable syncthing.service
+systemctl --user start syncthing.service
+#+end_src
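Review bot: In Option B, `sudo -u "$username" systemctl --user disable syncthing.service 2>/dev/null || true` hides every failure, including the case the Option A note describes where the user has no active session or lingering, so the user unit can stay enabled and the lock conflict comes back with no trace in the install log. Suggest checking the result (or the unit's enablement state afterwards) and logging when the disable did not take effect. Option A has a related ordering problem: `loginctl enable-linger "$username"` is listed after the `systemctl --user enable` call that the note says depends on it. The "Resolution on ratio" block names `syncthing@cjennings.service`; that is fine as a record but should be marked as host-specific so it is not copied into archsetup.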
diff --git a/assets/outbox/2026-01-23-avahi-mdns-fixes.org b/assets/outbox/2026-01-23-avahi-mdns-fixes.org
new file mode 100644
index 0000000..89b005e
--- /dev/null
+++ b/assets/outbox/2026-01-23-avahi-mdns-fixes.org
@@ -0,0 +1,125 @@
+#+TITLE: Avahi/mDNS Configuration Fixes
+#+DATE: 2026-01-23
+
+* Problem Summary
+
+On velox, mDNS hostname resolution was not working correctly from other machines on the LAN (e.g., ratio). Attempting to access =http://velox.local:8384= (Syncthing web UI) failed, while accessing via IP address worked.
+
+* Issues Identified
+
+** Issue 1: Hostname Conflict (velox-3.local)
+
+*Symptom:* Avahi was running as =velox-3.local= instead of =velox.local=
+
+*Cause:* Avahi was publishing on multiple network interfaces including virtual ones:
+- =enp0s13f0u3= (physical LAN - correct)
+- =docker0= (Docker bridge)
+- =virbr0= (libvirt bridge)
+- =vnet0= (VM virtual NIC)
+- =tailscale0= (Tailscale VPN)
+
+Each interface was effectively registering as a separate host, causing mDNS hostname conflicts with itself.
+
+*Solution:* Restrict Avahi to only the physical LAN interface.
+
+#+begin_src conf
+# /etc/avahi/avahi-daemon.conf
+[server]
+allow-interfaces=enp0s13f0u3
+#+end_src
+
+** Issue 2: IPv6-Only Resolution
+
+*Symptom:* =velox.local= resolved to IPv6 link-local address (=fe80::...=) only, but Syncthing was listening on IPv4 only (=0.0.0.0:8384=).
+
+*Cause:* Default Avahi configuration does not publish A records (IPv4) in response to AAAA queries (IPv6).
+
+*Solution:* Enable =publish-a-on-ipv6= to ensure IPv4 addresses are returned.
+
+#+begin_src conf
+# /etc/avahi/avahi-daemon.conf
+[publish]
+publish-a-on-ipv6=yes
+#+end_src
+
+** Issue 3: Conflicting mDNS Stacks
+
+*Symptom:* Avahi logged warning: "Detected another IPv4 mDNS stack running on this host"
+
+*Cause:* Both =avahi-daemon= and =systemd-resolved= were configured to handle mDNS:
+
+#+begin_src conf
+# /etc/systemd/resolved.conf (before fix)
+[Resolve]
+MulticastDNS=yes
+#+end_src
+
+*Solution:* Disable mDNS in systemd-resolved, let Avahi handle it exclusively.
+
+#+begin_src conf
+# /etc/systemd/resolved.conf
+[Resolve]
+Domains=~local
+MulticastDNS=no
+#+end_src
+
+* Complete Fix Applied
+
+** Files Modified
+
+*** /etc/avahi/avahi-daemon.conf
+
+Changes made:
+#+begin_src diff
+-#allow-interfaces=eth0
++allow-interfaces=enp0s13f0u3
+
+-#publish-a-on-ipv6=no
++publish-a-on-ipv6=yes
+#+end_src
+
+*** /etc/systemd/resolved.conf
+
+Changes made:
+#+begin_src diff
+-MulticastDNS=yes
++MulticastDNS=no
+#+end_src
+
+** Services Restarted
+
+#+begin_src bash
+sudo systemctl restart systemd-resolved
+sudo systemctl restart avahi-daemon
+#+end_src
+
+* Verification
+
+After fixes:
+- Avahi runs as =velox.local= (not =velox-3.local=)
+- No mDNS stack conflict warning
+- From ratio: =avahi-resolve -n velox.local= returns =192.168.86.42=
+- From ratio: =curl http://velox.local:8384/= returns HTTP 200
+
+* Notes for archsetup
+
+These configurations should be added to the Arch setup scripts:
+
+1. Install avahi: =pacman -S avahi nss-mdns=
+
+2. Configure =/etc/avahi/avahi-daemon.conf=:
+ - Set =allow-interfaces= to physical LAN interface (determine dynamically or prompt user)
+ - Set =publish-a-on-ipv6=yes=
+
+3. Configure =/etc/systemd/resolved.conf=:
+ - Set =MulticastDNS=no= to avoid conflict with Avahi
+
+4. Enable and start avahi-daemon:
+ #+begin_src bash
+ systemctl enable --now avahi-daemon
+ #+end_src
+
+5. Ensure =/etc/nsswitch.conf= has mdns in hosts line:
+ #+begin_src conf
+ hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files dns
+ #+end_src
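Review bot: The Issue 3 solution block sets both `Domains=~local` and `MulticastDNS=no`, but the "Changes made" diff for /etc/systemd/resolved.conf and step 3 of "Notes for archsetup" mention only `MulticastDNS=no`. State whether `Domains=~local` is part of the fix and make the three places agree, since archsetup will be implemented from the notes. `allow-interfaces=enp0s13f0u3` is specific to velox; step 2 already says to determine the interface dynamically, so the example value should be labelled as such. The hardening recommendations file in this commit asks for a firewall whose default zone blocks incoming traffic except SSH; these notes should add that mDNS (UDP 5353) has to be allowed on the LAN interface, otherwise `velox.local` will stop resolving from other machines once the firewall is enabled.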