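{ pkgs, config, lib, ... }:
# dnscrypt-proxy2 service account plus an opensnitch egress rule for it.
#
# A static system user is declared so that the opensnitch rule below can
# match on a fixed user.id. The rule itself is only emitted when
# services.dnscrypt-proxy2.enable is set.
let
  inherit (config.grimmShared) enable tooling network;
  inherit (lib) getExe mkIf;

  # Fixed creation timestamp written into the generated opensnitch rule.
  created = "1970-01-01T00:00:00.0+00:00";
  dnscrypt_proxy_user = "dnscrypt-proxy2";

  # Destination ports dnscrypt-proxy is allowed to reach. The pattern is
  # anchored so it only matches a whole port number: the unanchored form
  # "53|443|4434|5443" also matched e.g. 5353, 1443 or 8443 as substrings.
  allowed_ports = "^(53|443|4434|5443)$";
in
{
  config = mkIf (enable && tooling.enable && network) {
    # Pinned uid: the opensnitch user.id operand below compares against this
    # value, so it must stay stable across rebuilds.
    # NOTE(review): 991 is a hand-picked id; confirm it does not collide with
    # another statically assigned uid on this host.
    users.users."${dnscrypt_proxy_user}" = {
      isSystemUser = true;
      group = dnscrypt_proxy_user;
      uid = 991;
    };
    users.groups."${dnscrypt_proxy_user}" = { };

    # DynamicUser is forced on while User=/Group= name the static account
    # declared above.
    # NOTE(review): presumably systemd then runs the unit as the existing
    # static user rather than allocating a transient one — verify on the
    # running service, otherwise the user.id rule below would not match.
    systemd.services.dnscrypt-proxy2.serviceConfig = {
      DynamicUser = lib.mkForce true;
      User = dnscrypt_proxy_user;
      Group = dnscrypt_proxy_user;
    };

    services.opensnitch.rules = {
      dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
        name = "dnscrypt-proxy";
        enabled = true;
        action = "allow";
        duration = "always";
        inherit created;
        # "list" operator: binary path, destination port and uid are combined
        # into one rule (presumably all entries must match — confirm against
        # the opensnitch rule documentation).
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              type = "simple";
              sensitive = false;
              operand = "process.path";
              data = getExe pkgs.dnscrypt-proxy;
            }
            {
              type = "regexp";
              operand = "dest.port";
              data = allowed_ports;
            }
            # Left disabled as in the original: restricting destinations to the
            # configured nameservers. `concatLines` and `local_network` are not
            # in scope in this file, so both would be needed before enabling it.
            # {
            #   type = "lists";
            #   operand = "lists.nets";
            #   data = pkgs.writeTextDir "cidr_dns.list" (
            #     concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
            #   );
            # }
            {
              type = "simple";
              operand = "user.id";
              data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
            }
          ];
        };
      };
    };
  };
}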