{ pkgs, config, lib, ... }: let
  cfg = config.grimmShared;
in {
  config = with cfg; lib.mkIf (enable && firefox.enable) {
    programs.firefox = {
      enable = true;
      nativeMessagingHosts.packages = [] 
        ++ lib.optionals (cfg.tooling.enable && cfg.tooling.pass) [ pkgs.passff-host ];
      languagePacks = [ "de" "en-US" ];
      policies = {
        ExtensionSettings = lib.mkMerge [
          {} # global rules. Potentially add blocking of regularly installed addons here.
          (lib.mapAttrs (uid: url: { # explicit plugins by config 
            install_url = url;
            installation_mode = "force_installed";
          } ) cfg.firefox.plugins )
          (lib.mkIf (cfg.tooling.enable && cfg.tooling.pass) { # password-store support
            install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi";
            installation_mode = "force_installed";
          })
        ];
        DisableTelemetry = true;
        DisableFirefoxStudies = true;
        EnableTrackingProtection = {
          Value= true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
        DisablePocket = true;
        DisableFirefoxAccounts = true;
        DisableAccounts = true;
        DisableFirefoxScreenshots = true;
        OverrideFirstRunPage = "";
        OverridePostUpdatePage = "";
        DontCheckDefaultBrowser = true;
      };
    };
  };
}