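# NixOS module: pre-seeds OpenSnitch firewall rules that let git and OpenSSH
# reach the network without an interactive prompt.
#
# The rules are only emitted when grimmShared.enable, grimmShared.tooling.enable
# and grimmShared.network are all set.
#
# Security notes for reviewers:
#   * Each rule is a permanent ("always") blanket allow keyed on process.path
#     only: every executable below the package's store path may connect to any
#     destination, port and protocol. Narrow the operator (e.g. a list that
#     also constrains destination) if that is broader than intended.
#   * The store path is pinned to the exact derivation output, so a rebuilt or
#     different git/openssh does not inherit the rule.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling network;
  inherit (lib) mkIf;

  # Fixed creation timestamp shared by all rules below, so the generated rule
  # files do not change between rebuilds.
  created = "1970-01-01T00:00:00.0+00:00";

  # Build an "allow everything" rule for all executables shipped in `package`.
  #   name    - rule name as shown by OpenSnitch
  #   package - derivation whose outPath prefixes the allowed binaries
  allowStorePath = name: package: {
    inherit name created;
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "regexp";
      # NOTE(review): sensitive = false makes the comparison case-insensitive;
      # store paths are case-sensitive, so `true` would be stricter. Confirm
      # nothing relies on the relaxed match before tightening.
      sensitive = false;
      operand = "process.path";
      # Anchor at the start: a regexp operand is a search, not a full match, so
      # without "^" any executable whose path merely *contains* the store path
      # (e.g. a copy of the directory tree under a user-writable location)
      # would be covered by this allow rule as well.
      data = "^${lib.escapeRegex package.outPath}/.*";
    };
  };
in
{
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      git = allowStorePath "git-allow-all" pkgs.git;
      ssh = allowStorePath "ssh-allow-all" pkgs.openssh;
    };
  };
}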