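{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling network;
  inherit (lib) getExe getExe' mkIf;

  # Fixed creation timestamp so the generated rule files are reproducible
  # across rebuilds instead of carrying a wall-clock value.
  created = "1970-01-01T00:00:00.0+00:00";

  # Exact-match port constraint. opensnitch "regexp" operands are not
  # anchored, so a regexp of "443" would also accept ports such as 8443 or
  # 4430; "simple" is a plain equality check on the port string.
  httpsPort = {
    type = "simple";
    sensitive = false;
    operand = "dest.port";
    data = "443";
  };

  # Build a permanent allow rule for a single executable.
  #
  #   name        - opensnitch rule name (also the attribute key below)
  #   exe         - absolute store path of the binary the rule applies to
  #   hostOperand - an opensnitch operand restricting dest.host
  #
  # The "list" operator AND-s its entries, so a connection must match the
  # process path, the port and the host constraint to be allowed.
  mkAllowRule = name: exe: hostOperand: {
    inherit name created;
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "list";
      operand = "list";
      list = [
        {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = exe;
        }
        httpsPort
        hostOperand
      ];
    };
  };
in
{
  # Only emit the rules when shared tooling and network access are enabled;
  # anything not listed here is left to opensnitch's default policy.
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      # nix-index only needs the binary cache's listing files.
      nix-index = mkAllowRule "nix-index" (getExe' pkgs.nix-index-unwrapped "nix-index") {
        type = "simple";
        sensitive = false;
        operand = "dest.host";
        data = "cache.nixos.org";
      };

      # nix itself: channel metadata plus the binary cache. Additional
      # substituters or fetches from other hosts (e.g. flake inputs) are
      # deliberately NOT covered by this rule and will be handled by
      # opensnitch's default action.
      # NOTE(review): channel downloads may follow redirects to other hosts
      # and those would not match here — confirm against a real
      # `nix-channel --update` before relying on this as the only allow rule.
      nix = mkAllowRule "nix" (getExe config.nix.package) {
        type = "regexp";
        sensitive = false;
        operand = "dest.host";
        # Anchored on both ends: without ^...$ the pattern would also match
        # hosts like "cache.nixos.org.example.com" or "evilcache.nixos.org",
        # which would silently widen a permanent allow rule.
        data = "^(channels|cache)\\.nixos\\.org$";
      };
    };
  };
}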