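# NixOS module: OpenSnitch application-firewall rules for the osu!lazer client.
#
# Two rules are generated when gaming and graphical support are both enabled:
#   * osu-allow: permits the osu! binary to reach api.github.com and ppy.sh
#     (including subdomains) on ports 443 and 53.
#   * osu-deny:  denies every other connection made by the osu! binary.
{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (config.grimmShared)
    enable
    tooling
    graphical
    network
    ;
  inherit (lib)
    escapeRegex
    getVersion
    mkIf
    ;

  # Fixed creation timestamp shared by every rule, so the generated rule files
  # do not change between rebuilds.
  created = "1970-01-01T00:00:00.0+00:00";

  # Both osu! rules are gated on the same condition.
  osuEnabled = config.grimmShared.gaming && graphical;

  # Store path of the osu! executable, shared by the allow and the deny rule so
  # the two cannot drift apart. OpenSnitch evaluates `regexp` operators as an
  # unanchored search, so the pattern is pinned with ^ and $; otherwise any
  # path that merely contains this string would match as well.
  osuProcessPath = "^/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!$";
in
{
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      # Catch-all for the osu! binary: anything not covered by osu-allow is
      # denied.
      # NOTE(review): this relies on osu-allow (precedence = true) being
      # evaluated before this rule; confirm against OpenSnitch's rule ordering.
      osu_deny = mkIf osuEnabled {
        name = "osu-deny";
        enabled = true;
        action = "deny";
        precedence = false;
        duration = "always";
        inherit created;
        operator = {
          type = "regexp";
          sensitive = false;
          operand = "process.path";
          data = osuProcessPath;
        };
      };

      # Allow-list for the osu! binary. Every entry of the list operator has to
      # match for the rule to apply.
      osu_allow = mkIf osuEnabled {
        name = "osu-allow";
        enabled = true;
        action = "allow";
        precedence = true;
        duration = "always";
        inherit created;
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              type = "regexp";
              operand = "dest.port";
              # Anchored: an unanchored "443|53" also matches ports such as
              # 8443 or 5353.
              data = "^(443|53)$";
            }
            {
              type = "regexp";
              sensitive = false;
              operand = "process.path";
              data = osuProcessPath;
            }
            {
              type = "regexp";
              sensitive = false;
              operand = "dest.host";
              # The backslashes are doubled because a Nix "..." string turns
              # "\." into a bare ".", which the regex engine reads as "any
              # character". Anchored so that only these hosts match, not any
              # hostname that contains one of them.
              data = "^(api\\.github\\.com|(.+\\.)?ppy\\.sh)$";
            }
          ];
        };
      };
    };
  };
}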