diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
index 8abfea0..cf6177b 100644
--- a/packer/ansible/playbook.yml
+++ b/packer/ansible/playbook.yml
@@ -43,8 +43,12 @@
       metalcut:
         socket: laser.lab.fablab-nea.de:9000
         dockerimage: r.jalr.de/fablab/metalcut
-    firefox_language_packs:
-      - de
+    firefox:
+      language_packs:
+        - de
+      extensions:
+        - uBlock0@raymondhill.net
+        - https-everywhere@eff.org
     debian_sections:
       - main
       - contrib
diff --git a/packer/ansible/roles/firefox/files/firefox.js b/packer/ansible/roles/firefox/files/firefox.js
new file mode 100644
index 0000000..9f5690e
--- /dev/null
+++ b/packer/ansible/roles/firefox/files/firefox.js
@@ -0,0 +1,37 @@
+// debian settings
+pref("extensions.update.enabled", true);
+pref("intl.locale.requested", "");
+pref("browser.shell.checkDefaultBrowser", false);
+
+// disable trackers
+lockPref("app.normandy.enabled", false);
+lockPref("browser.chrome.errorReporter.enabled", false);
+lockPref("browser.safebrowsing.downloads.enabled", false);
+lockPref("browser.safebrowsing.downloads.remote.enabled", false);
+lockPref("browser.safebrowsing.malware.enabled", false);
+lockPref("browser.safebrowsing.passwords.enabled", false);
+lockPref("browser.safebrowsing.phishing.enabled", false);
+lockPref("browser.tabs.crashReporting.sendReport", false);
+lockPref("datareporting.healthreport.uploadEnabled", false);
+lockPref("datareporting.policy.dataSubmissionEnabled", false);
+lockPref("security.ssl.errorReporting.enabled", false);
+
+// design
+pref("browser.newtabpage.enabled", false);
+pref("browser.uiCustomization.state", '{"placements":{"widget-overflow-fixed-list":[],"PersonalToolbar":["personal-bookmarks"],"nav-bar":["back-button","forward-button","home-button","urlbar-container","stop-reload-button","downloads-button","library-button"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"toolbar-menubar":["menubar-items"]},"seen":["developer-button"],"dirtyAreaCache":["PersonalToolbar","nav-bar","TabsToolbar","toolbar-menubar"],"currentVersion":14,"newElementCount":3}');
+
+// for experienced users
+pref("browser.urlbar.trimURLs", false);
+pref("browser.fixup.alternate.enabled", false);
+
+// privacy
+pref("privacy.donottrackheader.enabled", true);
+
+pref("privacy.history.custom", true);
+pref("places.history.enabled", false);
+pref("browser.formfill.enable", false);
+
+// search
+pref("browser.search.hiddenOneOffs", "Google,Amazon.de,Bing,Debian packages,DuckDuckGo,eBay,Ecosia,LEO Eng-Deu,Wikipedia (de)"); // hide „one click“ search eingines
+pref("browser.search.suggest.enabled", false);
+pref("browser.urlbar.placeholderName", "DuckDuckGo"); // defaults to google, even if DuckDuckGo is the default
diff --git a/packer/ansible/roles/firefox/files/policies.json b/packer/ansible/roles/firefox/files/policies.json
new file mode 100644
index 0000000..65685f9
--- /dev/null
+++ b/packer/ansible/roles/firefox/files/policies.json
@@ -0,0 +1,29 @@
+{
+  "policies": {
+    "Cookies": {
+      "AcceptThirdParty": "from-visited"
+    },
+    "DNSOverHTTPS": {
+      "Enabled": false,
+      "Locked": false
+    },
+    "DisableFeedbackCommands": true,
+    "DisableFirefoxAccounts": true,
+    "DisableFirefoxStudies": true,
+    "DisablePocket": true,
+    "DisableTelemetry": true,
+    "EnableTrackingProtection": {
+      "Value": true,
+      "Locked": true
+    },
+    "NoDefaultBookmarks": true,
+    "OfferToSaveLogins": true,
+    "Homepage": {
+      "URL": "about:blank"
+    },
+    "OverrideFirstRunPage": "",
+    "SearchEngines": {
+      "Default": "DuckDuckGo"
+    }
+  }
+}
diff --git a/packer/ansible/roles/firefox/tasks/extensions.yml b/packer/ansible/roles/firefox/tasks/extensions.yml
new file mode 100644
index 0000000..abd9e76
--- /dev/null
+++ b/packer/ansible/roles/firefox/tasks/extensions.yml
@@ -0,0 +1,15 @@
+---
+- name: get extensions info
+  uri:
+    url: "https://addons.mozilla.org/api/v4/addons/addon/{{ item }}/"
+    return_content: yes
+  register: extension_infos
+  loop: "{{ firefox.extensions }}"
+
+- name: install extensions
+  get_url:
+    url: "{{ item.json.current_version.files[0].url }}"
+    dest: "/usr/lib/firefox-esr/browser/extensions/{{ item.item }}.xpi"
+  loop: "{{ extension_infos.results }}"
+  loop_control:
+    label: "{{ item.url }}"
diff --git a/packer/ansible/roles/firefox/tasks/main.yml b/packer/ansible/roles/firefox/tasks/main.yml
index 69d91ea..1668cd4 100644
--- a/packer/ansible/roles/firefox/tasks/main.yml
+++ b/packer/ansible/roles/firefox/tasks/main.yml
@@ -7,8 +7,22 @@
     apt:
       name: "firefox-esr-l10n-{{ item }}"
     with_items:
-      - "{{ firefox_language_packs }}"
-    when: firefox_language_packs is defined
+      - "{{ firefox.language_packs }}"
+    when: firefox.language_packs is defined
+
+  - name: install firefox config
+    copy:
+      src: firefox.js
+      dest: /etc/firefox-esr/firefox-esr.js
+
+  - name: install firefox policies
+    copy:
+      src: policies.json
+      dest: /usr/share/firefox-esr/distribution/policies.json
+
+  - import_tasks: extensions.yml
+    tags:
+      - firefox:extensions
 
   tags:
     - firefox
diff --git a/packer/ansible/roles/superuser/files/authorized_keys b/packer/ansible/roles/superuser/files/authorized_keys
index d6f54be..ea8ecf8 100644
--- a/packer/ansible/roles/superuser/files/authorized_keys
+++ b/packer/ansible/roles/superuser/files/authorized_keys
@@ -1,2 +1,2 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0f7+Y4QSUsSvd360eq0Q/ESVfE/s0WxJIrzvW8cazTcmld8/rKxGQR2xrxApu7pzZlZC3LDbQrx3B6nNVEZi0dPUgkJz9oEKRY5vSJ6x0H9cZ0iFfTcCTz5znflqGaFI6E6W6Vtl+DzIrmkFgaR0wNmV9DCcYAJreW4E32t8dKsG1Pv347N0eAZs3shokPYr7dmGoNiKzTOn/ILQ1Hxppzqy1ch2h8k2KL0+FM6wO76ijivBzfMZRJW0DVYsmebO6Je5HglkzYXvrNUtcD2gIrNE0YKByjorTjjf3336S+0uBGxetzhnl+XA2PxHB/3n9AzYC4DI/Nb9wgLBo6Ql+EYaPLKnGl3JHvtcOyAfoNVPdNDfbZz+tfe8cBUt1IPTlm26RYKgwCnJvcBD6dk/5mxu1ogjSfgEIqihJaq3j3+NfIY1CUFx1U6ISG40SWEXF5xV1qW3NZg5FqqA8sOfWLlkON/yFkPJ2shXUXmiZtjXMWM6XLIO054EN7cpUxHGPspjgynU9XLc45c4k5lKF1xQv13B8n8dHNEL01MU21svfdGcpuOsRvzagLX51+rVRJObYP1bZudyYVDgsxB6B/TiBHw3Xl3mwEs4KVi/cqVsPpaG3hwqCreDlV+NeCVtb0qb1WJ2Sae83CA6NEcUvRbrwAnU/vEhJepfo6j7WSw== jalr@jalr-tp
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIN2OoowP25rTyS62coHoHuJD2134DsoAM7d0z5u7KvyK9hGs/3FWf6EQkdN/eHVrzjT4+yS+zNKPNAv9dBsC5iXS9xk2iZcscQIEsy57S5WtGmMaX50xWtwPN7RXp783eCKe9arU4Ttq6xDpL0ASHEq3BiMGcGT20X1c88bN1kxAQOYPsZGQRhwgLnMty8CJSxdJYgfjBJk01srp6I+YEZFPbS3IERDsYGrUyHBOkXnWbO6NAyDnlD97QOAVr32dgZfoqBDhGd0GVdU2PWI1A0IYFjvqB0xs8FJNF9ivrg1zH8KZ29HyGDzG+E6kYd8PQI97CcRrNR8ZwwP5F4/K/ simon@pita
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp simon@kipf