diff --git a/default.nix b/default.nix
index 743de38..22bfcfa 100644
--- a/default.nix
+++ b/default.nix
@@ -32,6 +32,12 @@ in {
 tooling = {
 enable = mkEnableOption "grimm-tooling";
+
+ pass = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enables password-store, gnupg and such secret handling";
+ };
 git_user = mkOption {
 type = types.str;
@@ -63,6 +69,16 @@ in {
 default = false;
 description = "enables steam, heroic, prism and gamemoded";
 };
+
+ firefox = {
+ enable = mkEnableOption "grimm-firefox";
+
+ plugins = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = "set of plugins to install. Format: uid = url";
+ };
+ };
 };
 imports = [
@@ -74,5 +90,7 @@ in {
 ./modules/sound.nix
 ./modules/opengl.nix
 ./modules/gaming.nix
+ ./modules/firefox.nix
+ ./modules/pass.nix
 ];
 }
diff --git a/modules/firefox.nix b/modules/firefox.nix
new file mode 100644
index 0000000..96ea6cb
--- /dev/null
+++ b/modules/firefox.nix
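Review bot: The `plugins` option added in the second hunk documents its shape only as `Format: uid = url`, but modules/firefox.nix turns every entry into an ExtensionSettings policy entry with `installation_mode = "force_installed"`, so the key must be the add-on's extension ID and the resulting add-on cannot be removed by the user — neither of which a reader of default.nix can tell. Suggest `description = "Extensions to force-install through Firefox's ExtensionSettings policy, keyed by the add-on's extension ID with the XPI download URL as value; force-installed add-ons cannot be disabled or removed by the user";`. The enclosing option set continues outside the hunk.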
@@ -0,0 +1,40 @@
+{ pkgs, config, lib, ... }: let
+ cfg = config.grimmShared;
+in {
+ config = with cfg; lib.mkIf (enable && firefox.enable) {
+ programs.firefox = {
+ enable = true;
+ nativeMessagingHosts.packages = []
+ ++ lib.optionals (cfg.tooling.enable && cfg.tooling.pass) [ pkgs.passff-host ];
+ languagePacks = [ "de" "en-US" ];
+ policies = {
+ ExtensionSettings = lib.mkMerge [
+ {} # global rules. Potentially add blocking of regularly installed addons here.
+ (lib.mapAttrs (uid: url: { # explicit plugins by config
+ install_url = url;
+ installation_mode = "force_installed";
+ } ) cfg.firefox.plugins )
+ (lib.mkIf (cfg.tooling.enable && cfg.tooling.pass) { # password-store support
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi";
+ installation_mode = "force_installed";
+ })
+ ];
+ DisableTelemetry = true;
+ DisableFirefoxStudies = true;
+ EnableTrackingProtection = {
+ Value= true;
+ Locked = true;
+ Cryptomining = true;
+ Fingerprinting = true;
+ };
+ DisablePocket = true;
+ DisableFirefoxAccounts = true;
+ DisableAccounts = true;
+ DisableFirefoxScreenshots = true;
+ OverrideFirstRunPage = "";
+ OverridePostUpdatePage = "";
+ DontCheckDefaultBrowser = true;
+ };
+ };
+ };
+}
diff --git a/modules/pass.nix b/modules/pass.nix
new file mode 100644
index 0000000..0da285d
--- /dev/null
+++ b/modules/pass.nix
@@ -0,0 +1,28 @@
+{ pkgs, config, lib, ... }: let
+ cfg = config.grimmShared;
+in {
+ config = with cfg; lib.mkIf (enable && tooling.enable && tooling.pass) {
+ security.polkit.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ mkpasswd
+ pinentry
+ gnupg
+ pass
+ libsecret
+ (writeShellScriptBin "passw" "pass $@")
+ ] ++ lib.optionals cfg.graphical [
+ lxqt.lxqt-policykit
+ ];
+
+ services.passSecretService.enable = true;
+ programs.gnupg.agent = {
+ settings = {
+# default-cache-ttl = 6000;
+ };
+ pinentryPackage = lib.mkDefault pkgs.pinentry;
+ enable = true;
+ # enableSSHSupport = true;
+ };
+ };
+}
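Review bot: The `lib.mkIf` element of the `ExtensionSettings` list places `install_url` and `installation_mode` directly at the top level of the policy instead of under the add-on's ID, unlike the `mapAttrs` element just above it, so Firefox would read `install_url` as an extension ID and the passff add-on is never force-installed. Wrap the two attributes as `"<passff extension ID>" = { install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi"; installation_mode = "force_installed"; };` inside that mkIf. Separately, if `programs.firefox.policies` is typed as a plain `attrs` option in the NixOS module, a `mkMerge`/`mkIf` nested inside a definition value is not resolved by the module system and is serialised into policies.json as-is — worth checking the generated file; joining the three sets with `//` and `lib.optionalAttrs` for the conditional one avoids the question. Also, `Value= true` lacks the space before `=` that every other line here uses.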
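Review bot: `services.pcscd.enable = true;` is removed from modules/toolchains.nix by this commit but not re-added here, so GnuPG smartcard use presumably stops working once the change lands; add `services.pcscd.enable = true;` next to `services.passSecretService.enable = true;` if the drop is unintended. The `passw` wrapper passes `$@` unquoted, so any argument containing whitespace is re-split by the shell; `(writeShellScriptBin "passw" "pass \"$@\"")` preserves the arguments as given. Note also that `security.polkit.enable` and the lxqt policykit agent, previously enabled for every tooling user, are now gated on `tooling.pass`, so a graphical system that sets `tooling.pass = false` loses its polkit authentication agent.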
diff --git a/modules/toolchains.nix b/modules/toolchains.nix
index 219dfd4..b882a90 100644
--- a/modules/toolchains.nix
+++ b/modules/toolchains.nix
@@ -2,24 +2,17 @@
 cfg = config.grimmShared;
 in {
 config = with cfg; lib.mkIf (enable && tooling.enable) {
- security.polkit.enable = true;
-
 environment.systemPackages = with pkgs; [
 (writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
 (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
 (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
- mkpasswd
 gcc
 jdk17
 python3
 pkg-config
- pinentry
- pass
- libsecret
 tea
 acpi
- (writeShellScriptBin "passw" "pass $@")
 fbcat
 gomuks
@@ -31,7 +24,6 @@ in {
 tree
 file
 util-linux
- gnupg
 visualvm
 ffmpeg-full
 lm_sensors
@@ -48,7 +40,6 @@ in {
 parted
 ] ++ lib.optionals cfg.graphical [
 qdirstat
- lxqt.lxqt-policykit
 libva-utils
 glxinfo
 alacritty
@@ -108,18 +99,8 @@ in {
 };
 };
- services.passSecretService.enable = true;
- services.pcscd.enable = true;
 programs.xonsh.enable = true;
 programs.ssh.startAgent = true;
 programs.thefuck.enable = true;
- programs.gnupg.agent = {
- settings = {
-# default-cache-ttl = 6000;
- };
- pinentryPackage = lib.mkDefault pkgs.pinentry;
- enable = true;
- # enableSSHSupport = true;
- };
 };
 }