{
  config,
  extensions,
  ...
}: let
  # Locales to ship: every entry gets a language pack (see `language_packs`)
  # and the same list, in this order, is handed to `RequestedLocales`.
  locals = ["en-CA" "de" "sv-SE"];
  # Turn one entry of `extensions` into an ExtensionSettings name/value pair.
  #
  # The XPI is fetched by Nix and pinned by `sha256`, so Firefox installs it
  # from a local file:// path and a changed upstream file fails the fetch
  # instead of being installed.
  # Because `updates_disabled` is set, a newer release of the add-on (security
  # fixes included) only arrives once `url` and `sha256` are bumped.
  mkAllowedExtension = extension: let
    xpi = builtins.fetchurl {
      inherit (extension) url sha256;
    };
  in {
    name = extension.addonId;
    value = {
      inherit (extension) default_area;
      installation_mode = "normal_installed";
      install_url = "file://${xpi}";
      updates_disabled = true;
    };
  };
  # ExtensionSettings entries for every declared extension, keyed by add-on id.
  allowedExtensions = builtins.listToAttrs (
    map mkAllowedExtension (builtins.attrValues extensions)
  );

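  # Build the ExtensionSettings entry that blocks the add-on `id`.
  #
  # The key has to be `installation_mode`, the same key every other
  # ExtensionSettings entry in this file uses. An entry spelled `install_mode`
  # is not a documented ExtensionSettings key, so it would presumably be
  # ignored and the add-on would fall back to the "*" default ("allowed").
  mkBlockedExtension = id: {
    name = id;
    value = {
      installation_mode = "blocked";
    };
  };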
  # ExtensionSettings entries for the built-in add-ons that should be blocked.
  blockedExtensions = let
    # these are the default search engines
    defaultSearchEngines = [
      "addons-search-detection@mozilla.com"
      "amazon@search.mozilla.org"
      "bing@search.mozilla.org"
      "ddg@search.mozilla.org"
      "google@search.mozilla.org"
      "wikipedia@search.mozilla.org"
    ];
  in
    builtins.listToAttrs (map mkBlockedExtension defaultSearchEngines);

  # One ExtensionSettings entry per locale in `locals`, pointing at the
  # language pack of the configured Firefox version (linux-x86_64 build).
  #
  # NOTE(review): unlike the extensions handled by `mkAllowedExtension`, these
  # XPIs are not pinned to a hash in this file. Firefox downloads them itself,
  # so integrity rests on HTTPS and on whatever checks Firefox applies at
  # install time. Fetching them with a sha256 would make both paths consistent.
  language_packs = let
    mkLanguagePack = lang: {
      name = "langpack-${lang}@firefox.mozilla.org";
      value = {
        installation_mode = "normal_installed";
        install_url = "https://releases.mozilla.org/pub/firefox/releases/${config.soispha.firefox.package_version}/linux-x86_64/xpi/${lang}.xpi";
        updates_disabled = true;
      };
    };
  in
    builtins.listToAttrs (map mkLanguagePack locals);
in {
  # NOTE: See https://mozilla.github.io/policy-templates for documentation <2023-10-21>
  policies = {
    ## Updates

    # NixOS manages this already
    DisableAppUpdate = true;

    # Add-on versions are fixed by this configuration. A newer add-on release
    # (security fixes included) only arrives when the pinned inputs are bumped.
    ExtensionUpdate = false;

    ## Extensions

    ExtensionSettings =
      {
        # Blocking the extension install here, also blocks the 'about:debugging' page
        #
        # Consequence of leaving the default at "allowed": the entries merged
        # in below are not an allowlist, any other extension can still be
        # installed by hand.

        # blocked_install_message = ''
        #   You can't install a extension manually,
        #   please specify it in your NixOS configuration
        # '';
        "*".installation_mode = "allowed";
      }
      # With `//` the right-hand side wins on a duplicate key, so a blocked id
      # overrides an allowed one and a language pack overrides both.
      // allowedExtensions
      // blockedExtensions
      // language_packs;

    # Blocking the extension install here, also blocks the 'about:debugging' page
    # InstallAddonsPermission = {
    #   Allowed = [];
    #   Default = false;
    # };

    ## Disabled built-in features

    DisableFirefoxAccounts = true;
    DisableFirefoxScreenshots = true;

    # I use a self-hosted service for that
    DisablePocket = true;

    # I don't want to lose my data
    DisableProfileRefresh = true;

    DisableDeveloperTools = false;

    # The concept of a "default browser" does not apply to my NixOS config
    DontCheckDefaultBrowser = true;

    ## Credentials

    # KeepassXC does this for me
    DisableMasterPasswordCreation = true;

    # KeepassXC and such things
    OfferToSaveLogins = false;
    PasswordManagerEnabled = false;

    ## Privacy and network

    # Enabled, but not locked: it can still be changed in the preferences.
    # No ProviderURL is set here.
    DNSOverHTTPS.Enabled = true;
    DNSOverHTTPS.Locked = false;

    # Not locked either, so protection can still be adjusted in the preferences.
    EnableTrackingProtection = {
      Locked = false;
      Value = true;
      Cryptomining = true;
      EmailTracking = true;
      Fingerprinting = true;
    };

    # I want a _free_ config (and I can always just run another browser)
    EncryptedMediaExtensions.Enabled = false;
    EncryptedMediaExtensions.Locked = true;

    ## Documents and file handling

    # TODO: Add handlers for the default file types <2023-10-21>
    # Handlers = {
    # };

    PDFjs = {
      # Don't honor a document's right to be un-copy-able
      EnablePermissions = false;
      Enabled = true;
    };

    ## Look and feel

    DisplayBookmarksToolbar = "newtab";
    DisplayMenuBar = "default-off";
    HardwareAcceleration = true;
    RequestedLocales = locals;
    SearchBar = "unified";
  };
}