# NixOS module that declares three permanent OpenSnitch rules:
#   block-list - deny connections to domains found in the packaged block lists
#   localhost  - allow connections to the loopback addresses 127.0.0.1 and ::1
#   icmp       - allow traffic whose protocol matches the ICMP pattern
# The rules are only emitted when grimmShared.enable, grimmShared.tooling.enable
# and grimmShared.network are all true.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkIf;
  cfg = config.grimmShared;

  # Builds one rule from the fields all three rules share, then merges in the
  # rule-specific attributes. The creation timestamp is pinned to the Unix
  # epoch (presumably so the generated rules do not change between builds).
  permanentRule = name: action: extra: {
    inherit name action;
    enabled = true;
    duration = "always";
    created = "1970-01-01T00:00:00.0+00:00";
  } // extra;
in
{
  config = mkIf (cfg.enable && cfg.tooling.enable && cfg.network) {
    services.opensnitch.rules = {
      # Deny by domain list. `data` is whatever ./block_lists.nix builds
      # (presumably a directory of domain lists; verify against that file).
      # NOTE(review): this rule sets no `precedence`; confirm how OpenSnitch
      # orders it against allow rules created later (e.g. from the UI), so a
      # broad per-application allow cannot shadow the block list.
      block-list = permanentRule "block-list" "deny" {
        operator = {
          type = "lists";
          operand = "lists.domains";
          data = pkgs.callPackage ./block_lists.nix { };
        };
      };

      # Allow loopback. `precedence = true` marks this as a priority rule, so
      # loopback traffic is accepted without consulting the block list.
      # The pattern is anchored and matches exactly 127.0.0.1 and ::1; other
      # 127.0.0.0/8 addresses (such as a local stub resolver) are not covered.
      localhost = permanentRule "localhost" "allow" {
        precedence = true;
        operator = {
          type = "regexp";
          sensitive = false;
          operand = "dest.ip";
          data = "^(127\\.0\\.0\\.1|::1)$";
        };
      };

      # Allow ICMP for every process and every destination.
      # NOTE(review): unlike the localhost pattern this regexp is unanchored,
      # so it matches any protocol string that merely contains "icmp".
      # Consider "^icmp(4|6)?$" after checking the protocol names the daemon
      # reports. Also confirm that a blanket ICMP allow is intended, since it
      # is not limited to particular processes or hosts.
      icmp = permanentRule "icmp" "allow" {
        operator = {
          type = "regexp";
          operand = "protocol";
          sensitive = false;
          data = "icmp(4|6)?";
        };
      };
    };
  };
}