{ inputs, pkgs, config, lib, ... }: let
  cfg = config.grimmShared;
in {
  config = with cfg; lib.mkIf (enable && firefox.enable) {
    environment.systemPackages = []
      ++ lib.optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ];

    programs.firefox = {
      package = pkgs.firefox-beta;
      enable = true;
      nativeMessagingHosts.packages = [] 
        ++ lib.optionals (cfg.tooling.enable && cfg.tooling.pass) [ pkgs.passff-host ];
      languagePacks = [ "de" "en-US" ];
      policies = {
        ExtensionSettings = lib.mkMerge [
          (lib.mkIf cfg.firefox.disableUserPlugins {
            "*".installation_mode = "blocked";
          } )
          (lib.mapAttrs (guid: shortId: { # explicit plugins by config 
            install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
            installation_mode = "force_installed";
          } ) cfg.firefox.plugins )
          (lib.mkIf (cfg.tooling.enable && cfg.tooling.pass) { # password-store support
            "passff@invicem.pro" = {
              install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi";
              installation_mode = "force_installed";
            };
          })
        ];
        DisableTelemetry = true;
        DisableFirefoxStudies = true;
        EnableTrackingProtection = {
          Value = true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
        DisablePocket = true;
        DisableFirefoxAccounts = true;
        DisableAccounts = true;
        DisableFirefoxScreenshots = true;
        OverrideFirstRunPage = "";
        OverridePostUpdatePage = "";
        DontCheckDefaultBrowser = true;
        Preferences = lib.mkMerge ([]
          ++ lib.optionals cfg.sway.enable [ {"browser.tabs.inTitlebar" = 0; } ]);
      };
    };
  };
}