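# OpenSnitch application-firewall rules for the Spotify clients.
#
# The rules are only generated when `grimmShared.enable`, `tooling.enable`
# and `network` are all set. For the graphical client a blanket deny on the
# wrapped binary is combined with precedence allow rules, so only the listed
# ports/hosts and the local networks are allowed for that binary.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical network;
  inherit (lib) concatLines mkIf;

  spotifyEnabled = config.grimmShared.spotify.enable;
  desktopClient = spotifyEnabled && graphical;

  # Private IPv4 ranges plus IPv6 unique-local addresses.
  local_network = [
    "192.168.0.0/16"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "fc00::/7"
  ];
  # Directory holding a single list file, referenced by the `lists.nets` operand.
  local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);

  # Constant creation timestamp shared by every rule (presumably so the
  # generated rule files stay reproducible; confirm before changing).
  created = "1970-01-01T00:00:00.0+00:00";

  # Path of the real Spotify executable behind the nixpkgs wrapper.
  spotifyBinary = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";

  # Match a connection by the exact path of the originating process.
  processIs = path: {
    type = "simple";
    sensitive = false;
    operand = "process.path";
    data = path;
  };

  # Destination ports the Spotify clients are allowed to reach.
  # The pattern is anchored: OpenSnitch regexp operands are searched as
  # unanchored regular expressions, so a bare "443|4070" would also accept
  # ports that merely contain those digits (4430, 14433, 40700, ...).
  spotifyPorts = {
    type = "regexp";
    operand = "dest.port";
    data = "^(443|4070)$";
  };

  # Destination host allow-list kept next to this module.
  spotifyHosts = {
    type = "lists";
    operand = "lists.domains_regexp";
    data = ./spotify_hosts;
  };

  # Compound operator: every entry of `list` has to match.
  matchAll = list: {
    type = "list";
    operand = "list";
    inherit list;
  };
in
{
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      # Default for the graphical client: drop everything it sends. Without
      # precedence, so the precedence allow rules below are consulted first.
      spotify_deny = mkIf desktopClient {
        name = "spotify-deny";
        enabled = true;
        action = "deny";
        precedence = false;
        duration = "always";
        inherit created;
        operator = processIs spotifyBinary;
      };

      # Terminal client: allowed on the Spotify ports towards listed hosts only.
      ncspot = mkIf spotifyEnabled {
        name = "ncspot";
        enabled = true;
        action = "allow";
        duration = "always";
        inherit created;
        operator = matchAll [
          spotifyPorts
          (processIs (lib.getExe pkgs.ncspot))
          spotifyHosts
        ];
      };

      # Graphical client: same port/host restriction as ncspot.
      spotify_allow = mkIf desktopClient {
        name = "spotify-allow";
        enabled = true;
        action = "allow";
        duration = "always";
        precedence = true;
        inherit created;
        operator = matchAll [
          spotifyPorts
          (processIs spotifyBinary)
          spotifyHosts
        ];
      };

      # Graphical client: traffic to the local networks listed above.
      # NOTE(review): this rule carries no port or protocol restriction, so
      # the client may reach any service on those ranges; narrow it if only
      # device discovery/streaming is needed.
      spotify_allow_local = mkIf desktopClient {
        name = "spotify-allow-local";
        enabled = true;
        action = "allow";
        duration = "always";
        precedence = true;
        inherit created;
        operator = matchAll [
          (processIs spotifyBinary)
          {
            type = "lists";
            operand = "lists.nets";
            data = local_ips;
          }
        ];
      };
    };
  };
}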