# Shared-module entry point: imports the sibling modules and, on hosts that
# opt in to networked tooling, turns on the OpenSnitch application firewall
# with a deny-by-default policy.
{ pkgs, config, lib, ... }:
let
  cfg = config.grimmShared;

  # Read the *final* merged value rather than the literal set below, so an
  # override in another module is honoured.
  monitorMethod = config.services.opensnitch.settings.ProcMonitorMethod;

  # The OpenSnitch UI is only wanted on graphical hosts.
  uiPackages = lib.optionals cfg.graphical [ pkgs.opensnitch-ui ];

  # Keep the OpenSnitch firewall backend in step with the system firewall.
  firewallBackend =
    if config.networking.nftables.enable
    then "nftables"
    else "iptables";
in
{
  imports = [
    ./vesktop.nix
    ./nix.nix
    ./spotify.nix
    ./global.nix
    ./time.nix
    ./osu.nix
    ./cups.nix
    ./network_support.nix
    ./firefox.nix
    ./tooling.nix
    ./dns.nix
  ];

  # Everything below applies only when the shared config, its tooling
  # sub-option and network support are all enabled.
  config = lib.mkIf (cfg.enable && cfg.tooling.enable && cfg.network) {
    environment.systemPackages = uiPackages;

    # Option declared elsewhere; presumably starts the UI with the sway session.
    grimmShared.sway.config.autolaunch = uiPackages;

    networking.nftables.enable = true;

    # Left disabled by the author; relevant if the "audit" monitor is selected.
    # security.audit.enable = true;

    # The audit binaries are added to the daemon's PATH only when the
    # effective process monitor is "audit".
    systemd.services.opensnitchd.path =
      lib.optionals (monitorMethod == "audit") [ pkgs.audit.bin ];

    services.opensnitch.enable = true;

    # NOTE(review): no rules are defined in this file, and on non-graphical
    # hosts no UI is installed to answer prompts. With a "deny" default,
    # connections that match no rule are presumably blocked there; confirm
    # that the required allow rules are provisioned elsewhere.
    services.opensnitch.settings.DefaultAction = "deny";

    services.opensnitch.settings.Firewall = firewallBackend;

    # NOTE(review): confirm the packaged opensnitch release still supports
    # this monitor method.
    services.opensnitch.settings.ProcMonitorMethod = "ftrace";
    # Alternative kept by the author:
    # services.opensnitch.settings.ProcMonitorMethod = "audit";
  };
}