# NixOS module: enables AppArmor together with the profile set built from
# ./apparmor-d.nix, and enforces that set's `vesktop` profile with a local
# rule extension.
#
# Nothing here takes effect unless both `config.grimmShared.enable` and
# `config.grimmShared.tooling.enable` are true (options declared elsewhere).
{ pkgs, config, lib, ... }:
let
  cfg = config.grimmShared;

  # Profile collection packaged locally; its contents are not visible here.
  apparmorProfiles = pkgs.callPackage ./apparmor-d.nix { };
in
{
  config = lib.mkIf (cfg.enable && cfg.tooling.enable) {
    # Ask dbus-daemon to apply AppArmor mediation to bus traffic.
    services.dbus.apparmor = "enabled";

    security = {
      # NOTE(review): presumably enabled so that AppArmor denials end up in the
      # audit log; confirm something actually reads that log.
      auditd.enable = true;

      apparmor = {
        enable = true;
        packages = [ apparmorProfiles ];

        # Extra rules exposed under the include name `local/vesktop`.
        #
        # Keep one rule per line: an AppArmor `#` comment runs to the end of the
        # line, so rules that follow a `#` on the same line are silently ignored.
        #
        # Access modes used below: r = read, m = executable mmap,
        # ix = execute while staying in the current profile.
        #
        # NOTE(review): `/nix/store/** r` allows reading every store path. The
        # store is world-readable anyway, but anything sensitive that ends up in
        # it is then readable from inside the confined application too.
        # NOTE(review): the `mr` globs on `/nix/store/*/bin/**` and
        # `/nix/store/*/lib/**` allow mapping any store binary or library as
        # executable; narrow them if the closure vesktop needs is known.
        # NOTE(review): the disabled `pluseaudio` rule looks like a misspelling
        # of `pulseaudio`; it would match nothing if re-enabled as written.
        includes = {
          "local/vesktop" = ''
            # @{lib}/libdl.so* mr,
            # @{lib}/libglapi.so* mr,
            # @{lib}/libc.so* mr,
            # @{lib}/pluseaudio/** mr,
            @{bin}/electron rix,
            /nix/store/*/libexec/electron/** rix,
            /nix/store/*/bin/** mr,
            /nix/store/*/lib/** mr,
            /nix/store/** r,
          '';
        };

        policies = {
          vesktop = {
            enable = true;
            # Enforce mode: violations are denied, not merely logged.
            enforce = true;
            # Load the packaged profile by absolute store path.
            profile = ''
              include "${apparmorProfiles}/etc/apparmor.d/profiles-s-z/vesktop"
            '';
          };
        };
      };
    };
  };
}