# Adds an OpenSnitch firewall rule that lets the configured Firefox binary make
# network connections. The rule is only generated when the shared profile, its
# tooling set and networking are all switched on, and programs.firefox is enabled.
{ pkgs, config, lib, ... }:
let
  shared = config.grimmShared;
  firefoxCfg = config.programs.firefox;

  # Constant epoch value for the rule's "created" field.
  # Presumably chosen so the generated rule does not change between builds; confirm.
  ruleTimestamp = "1970-01-01T00:00:00.0+00:00";

  # Override applied to programs.firefox.package: appends the module's
  # autoconfig files, native messaging hosts and wrapper config to whatever
  # the package already carries.
  # NOTE(review): this looks like it is meant to reproduce the package that
  # the programs.firefox module actually installs, so that the store path
  # below matches the running browser. Verify against the nixpkgs revision in
  # use; if the two drift apart, the path in the rule will not match the
  # running process and the allow rule will not apply.
  applyModuleSettings = old: {
    extraPrefsFiles =
      (old.extraPrefsFiles or [ ])
      ++ firefoxCfg.autoConfigFiles
      ++ [ (pkgs.writeText "firefox-autoconfig.js" firefoxCfg.autoConfig) ];
    nativeMessagingHosts =
      (old.nativeMessagingHosts or [ ]) ++ firefoxCfg.nativeMessagingHosts.packages;
    cfg = (old.cfg or { }) // firefoxCfg.wrapperConfig;
  };

  # Alternative left disabled by the author: pkgs.firefox-unwrapped.
  wrappedFirefox = firefoxCfg.package.override applyModuleSettings;

  # Single "simple" operator on process.path: the executable path is the only
  # condition, so the rule places no limit on destination host, port or
  # protocol for that binary.
  # NOTE(review): sensitive = false requests a case-insensitive comparison;
  # for one exact store path a case-sensitive match would be the tighter
  # choice. Confirm before changing.
  matchBinary = {
    type = "simple";
    sensitive = false;
    operand = "process.path";
    data = "${lib.getBin wrappedFirefox}/lib/firefox/firefox";
  };
in
{
  config = lib.mkIf (shared.enable && shared.tooling.enable && shared.network) {
    services.opensnitch.rules.firefox = lib.mkIf firefoxCfg.enable {
      name = "firefox";
      enabled = true;
      # Permanent allow: there is no expiry and no prompt once the rule matches.
      action = "allow";
      duration = "always";
      created = ruleTimestamp;
      operator = matchBinary;
    };
  };
}