Merge remote-tracking branch 'lass/master'

2017-09-19 16:38:07 +02:00 · 2017-09-19 16:38:07 +02:00 · cfca733473
parent 21c284a2c7 e822f88199
commit cfca733473
15 changed files with 246 additions and 34 deletions
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@ -186,6 +186,17 @@ let
    };
    repo = types.submodule ({ config, ... }: {
      options = {
+        admins = mkOption {
+          type = types.listOf types.user;
+          default = [];
+          description = ''
+            List of users that should be able to do everything with this repo.
+
+            This option is currently not used by krebs.git but instead can be
+            used to create rules.  See e.g. <stockholm/lass/2configs/git.nix> for
+            an example.
+          '';
+        };
        cgit = {
          desc = mkOption {
            type = types.nullOr types.str;
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -34,6 +34,7 @@ with import <stockholm/lib>;
            HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
+          tinc.port = 993;
        };
      };
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -294,6 +295,37 @@ with import <stockholm/lib>;
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t";
    };
+    helios = {
+      cores = 8;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.133.117";
+          ip6.addr = "42:0:0:0:0:0:3:7105";
+          aliases = [
+            "helios.r"
+            "cgit.helios.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIICCgKCAgEAp+SRmP5MoCSYInx4Dm5MLZzNyXVgfo/CDoeUlUT35X0yE7WHGWsG
+            wHPCu+3RWfBUjuqNdb0qiGtRi3Q/LwznwBROPOX8gMXia/DgCLbIjn5Rx081pTIo
+            3epbUCFtNgyDWg8IHF87ZnVBXTYAy5g4tz9u8kw82D8mR18o595TuZ9t5pDc/Kvi
+            fPHZenT6cd6FtL9uankX/jan1PRP9xTrhpE8dAQ6g+7XH7knMK3cno/Ztis5YzHt
+            Ith0bsIjk5of7hhITj0MXtTikjDqWxkpF5mfOK1cG/rC1goTmB9AfcENUBnu9iAM
+            I/alzqk3CEczznLyaOckfx2fRuar912LAdiJ5v7VPztfvN1p3gIxq5M0Rgkq+98B
+            H/s32xNRBPvqoIleKnhwE9gfrCLaAVqpaMkgKRvgsTkSDNYNhh4smQ3eAKKwwDH/
+            QG3sfP8xyNyDFhBtCiDGkf9hNqBBMaKjZoh8DasZNtcfOop3fGw7jmUUbB6cG8cp
+            +EfYbcb5mVpmrIyXgOTwwYcp7tn+zkd4Wa8C9Q98eFTs0HGVGxGX9Hj6PM/kXK4C
+            aIqIQVNpnJ/9cOwT8JFIriG1MWTOXbamUusKTLs8SRp3ZkyM7XUEcLL5HMh09rUw
+            rzEAmE7TywXVhd7j2IaEy+bx2dfGQH2bFoh6Drm6Olo+ySi1utB5dGkCAwEAAQ==
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqpx9jJnn4QMGO8BOrGOLRN1rgpIkR14sQb8S+otWEL";
+    };
    iso = {
      ci = false;
      cores = 1;
@ -356,6 +388,10 @@ with import <stockholm/lib>;
      pubkey = builtins.readFile ./ssh/mors.rsa;
      pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
    };
+    lass-helios = {
+      mail = "lass@helios.r";
+      pubkey = builtins.readFile ./ssh/helios.rsa;
+    };
    lass-uriel = {
      mail = "lass@uriel.r";
      pubkey = builtins.readFile ./ssh/uriel.rsa;
--- a/krebs/3modules/lass/pgp/helios.pgp
+++ b/krebs/3modules/lass/pgp/helios.pgp
@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFm/8D0BEAC+kY6ELukGkQh4xJ+haYGYi6FdCCUgM+BqAXQ9s7FnzyrNCbTq
+x5O2b3Np96NANCCWSMIcAIXt/AzfvxY7awtsFNlXolMMMEdkHbEXQCgJahK1P5iD
+q7DWlwwXNy+oPdl7ZGtfhK+d698aI6eFS0SamElH4B4IFaGzSXC0ec1Cva+3QM1d
+FPRmRByMllTxEcxI6P1gIAtZGXwPLPGVPYuoRQFM+3w+VPgBcWTLPYcLyvLj0r8o
+Gv/JSyZHNEu5Rtyl+8G6/8W/u7+J4lzO4V6Y6+UPomvfyCkreqsQp/bB8Nw9LYN2
+zNttaxM5zu7FBY2e+OwFsxNC5nnIvSVY2qYUps6Lxuv1cxKY+3lZKhMcc8+p+j2g
+QNdfys3Hk4fdZ5YBaQ/v30kS7ZpAkILCYw7g5HJ18pdoULNWYMUaJF/1Qim2mU72
+5wuCzwsWyA6BQFoBSlDPQ24ypGMVKynl6Xh3uGG/K1OcTvhUgzF3J+jcntOY698b
+4Lum/zffWQsVuXZlroydMjtn7Pfr3W8nzLynhCTWruW8+irb/Qut8q04KjfR0UyE
+hdc+kohQemfhk4y0CA0xuzRBRxagKo2LUFTUL312r2TZV+vLWtdToV3HzDuFJokq
+FCxoVm/4M6BQQ3IxDHBVO6BmqIlAGq9cheao3t9XciERPMSHXZzZKV/3CQARAQAB
+tA1sYXNzQGhlbGlvcy5yiQJOBBMBCAA4FiEEwAWygS5dtGA5vC/hQM6NxyLSe0oF
+Alm/8D0CGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQQM6NxyLSe0rm5hAA
+jxqcevdjJt+b4FstIiiNhhjU62/9Tl4qoKgR1/BwAIfDoMWduPrw9ldQky36O923
+VMYKiZBoUzdXRLzL0ay/ewXdSONllUwnFLvil78SQOuJTe5JKM6N0IiEVSEhNjRr
+zylFk7SpY2MOIc0p3eHutD4oq0PcWnOer5R1z7u0mVJRYVoJOu7IIxqj7jb8JRAh
+FbLBbu2mFBcXMLKyWFCTB4nROeoTBcfKTnBuDYhaIEUCLo2RpMYqBJiVJvvFLglA
+XowKFjuE/g5Yne2GB5zx1GVRkjZsE9mGL7L5mlyucMwYqWeJzkNfB7cz58ZFN9EG
+9hzUlaEahPxnC6/AeF9ev/9/SF6bPM/nq36xBXj7W5lOewc5p5GigHkh94VN+bdw
+/KluD5rUErO+v3ag+5Tr8FzjtbjlARRo/vz5YWRGS4yqGiXlUUchAPEzflLYxfD1
+CSH+i0eWMrm5t+BYiPZHL8DSbGI1BM5EhHZ69dS7bUAO1qL7oQObQv+755fLV6+q
+ir7GHuxtNma58PS+BDiWJnIqmDJ029u188YM4dGL+EWF2AS4cUh2y6CZCOq77Gt
+NmMCZyQjg2KB1jsL5XHySB14/uN3vlSSz9V+ZT/sAK09Z4atfYNnMHBAbC00GSbH
+VqQf+OIascVZWAzqExk4fjnVYjTaoIZHaNd5aT/61S25Ag0EWb/wPQEQAJwoiiHG
+NhuBFBEjZYJsONfJayGE4qWSU//54gJaitSgDLV8G0NYQrxqSNAZMAux6g9BSSrD
+s/LbN5U1KgKpLTHjiSXUFoQFZ44AeTSQkUeelbtMVz13ohjpDInkye3sM9Jr4Zw+
+wwgg3zRi49YR6EU78c81ehPjVyxBPg2mmguBShz1zn5r6GjzniU4p3P5Hwf5F+eu
+kRekG9hlCbVz+Ibl8U/t1JQZBqSIX45svdIYqeal5LWSgUG4o8gbenggNFPi3Olz
+IOoTRMGKe6HCjTzv+xML7Q9bCMkUdyIfrrG0QDj3g+VZmZYAXdKjLLujAAU18Sh0
+SekPenVE0DNvmB7HHw+Bo+4aq6wWC9+BDb31NpJzNY64zEuUZsnustEmAXM2UIKS
+HRzfgnZRRyD99H128a95FNpZrG5H+QgpdTE4PxsZn6fFtCRy6/a/W79VfCdHCahz
+ptthyMeE81uZ28VTBXOHgK8Wawt3xjJCRksCau3xNUgRuSPoAWUPY2tLrJ9wKbxp
+uL4fY8x8M2d9G4U03DfQDGP9JUskqLThnJf7Jo42XTmkJd9hRBL0kMCIfolEcyEh
+pSQqbevUnFRiipv1x90Tn9Cax06ZkHkovuyIniRve/MvX8mCzzlUv1bjVNC0d71+
+z3G8fXlhDZGCkLQu6M1MlmUZxu05UfQnk5kBABEBAAGJAjYEGAEIACAWIQTABbKB
+Ll20YDm8L+FAzo3HItJ7SgUCWb/wPQIbDAAKCRBAzo3HItJ7SuI3D/0Y3A2+ZbeH
+q3SCAXBs4yOv7cffT4KwDHIC2vp9I868xj0Fw9hCdN1X9Y6hfj6nilI4EKW5ozsg
+xs1kqGlclqqpag5ZmFbD1y/DzEpgdlysDJPgdD9FlF0mN+tTS543d0SOyydD2N8X
+el5h4T2VaEBYfwKoDyN7LnCtGoiUSE3Nw99BNJ7zGma+46NRUWjv1eByMMhxvXJF
+ASKn4Ok1olhINH43tQ3TGx9XdG19GS0+OnyOlfdagKwma73A2caUAyjIXBrmR5NU
+Pb3aiyMzxm6DpCupqWkQgCC/EG8HgYhPGJ6TAK2QfMWX1TjERcPGtVbTE7BbRNLd
+LdaIuo+5ROVseBTYDC8VbACkV7eh1fVhUmpZa81uQotCRJ+jsYGT4Lyon44roSGn
+7G+rYgS2yv/2JXSTMBa45MReEPCgkSwZ6u9jvbs7vWzao+4tILsgO9RqNw1kiN9o
+LMLMVVCFmgNMCHxegmNIJYRryQkFZA5vQR2gPS3FYY3NfVGhFHMvsOK+jx415o2O
+gF76EJcexglPWhyqBc5meyw1x6pjoPTNGLnFzH1rdyyYilUyFexy3TSam60Ov/Aj
+cszX0D4M2Fnk9ncSq03ujflVYpVTNtkSVH0K9OY7rwjp78WycxiYzk1OQHogh18L
+Du4S2e/am91kQGaz490BV9XNw4I70e4dQQ==
+=gkzg
+-----END PGP PUBLIC KEY BLOCK-----
--- a/krebs/3modules/lass/ssh/helios.rsa
+++ b/krebs/3modules/lass/ssh/helios.rsa
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGZE0z5+0A42GHI2VYrN9Ra60EwlKqARZUi9e0pbiQxwKi42Y3+Jy2UIAB9rUW51Pw0K6L2FzHZyk9w4fMWjAB+OSaGi8CViGOrBmP8Xm0TSd6a725RSOKTH1jv4u54W6+VQcZpe4RepsuasvN4Rd3FYz1O0ffiroPYS0Hs7ui3HG5rZZsz+FArJ/s2mL525P9VQwMlCAdrepWXgGSPSa/ogmhMCSRttV5R0WCnvXYA4aq45scxjxIWXu/Y/FggslSpRGEnRChHiua5kPWqREC1eNbMOjYJc7OxDIZjzcwHcDHH3U1oIBEjNY8UqMFy3t87cm0BTH9yA6qQnkexCmbRGA0mnAJ1XskgL6KcZuYw+zRo6zVmnZCgRyheenBJhQy/28ZDSwCDBOayl6tAbWivesUZb0/nqucvbdRxTDd6nbSH8q8Cp1qZvP1yrhZ9X2m4Rm66UenHOPOEiyOoVQgfYb2EFHsYVN62shGcfaaL8g4rjUXsUJEheGX5ll5MOMSclUhI8Zk31APq/xuLGGIn+tipjOSX2OVZrSE+KkgitMxOOF1kx33IQGnBKQD8K/a9vVmpTrTAnfXR5oJrXp+XRZ3viXr0rUkG5KfS/zjL8ZC8ckeSkX75BLbPbimUa6TfA/lddipb76zOOOREiD4Sw+MkGDh5xnzwxMY05fjOUmk/v++WcOTTNyrknygdaC8Qx0Gv4Wxmcd+LzmIc5wZZjenwYhp4KpR55EIP966uBUcD+HlkHZnNNZUzOJA8NE+oPQbaM3qCuThe9q9hVYt08/rZ9ANwgb/ChCwEOYLNnofdgrvDb91qenwEUiE9wy79Dwgqh2SRAMN4ZTxRrVjw3potBMRuNc5HMDDXbKfGF1T6O+vBPpcQ8x+rztBDpF/lqjGqoCqyFNG/VnFHFZ5kjLkLmx6S69iRL7wg/KI1NA14tdSLJZ2qDqo5n8rbnGeAWTQB8ZgzhPO39fyOYGCdTJ8e2dIDEw8SUWaVsTnkc/PHOcGAMt2LrL6USszrLSQgU4ediPBWJjX4jk2wxLRPyBz8Z2QLWrsxV0bh1CstIsbBh1p8jMXAKJ+UXqzRWGR5T6d7lensqM0/uWqzu++w6/whQQh9Hzs6GX8l+ELMn0szkRaM9dZpAz5p9HHdYkANwsIIe8CPznRvudQ0CPManTQsjR8GZ3RjGx002VUdbDh5xx7P9Efsa6m8kkNCbUNMSHjmvC9M2sR5ww2WsnvpGBCU8sNYf4y9QvKI1LIYkG1MObhEKHyf5wxFp25bwHyxPkHGULhJKM/MdDT42flddEJCTEwiCPVuaJsr7Adr6Oni4kzY+S7CiP7YArM0v2Vg9mgVmi11koF9hcZ6zyyKAWVviDRLVIA0/eY66T/FiSS/g12zW1keuhFipNEWyZdD/r8LwfDpInAAqN5g65dx6eoyoB6AZatEwwsnn6zcDP51B1q0TC9Y+TXK5TSBE50oFxa2SLu4Gj7YOi1AoRqKxSPVktE= lass@helios
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -0,0 +1,86 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/mouse.nix>
+    <stockholm/lass/2configs/pass.nix>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
+    <stockholm/lass/2configs/git.nix>
+    { # automatic hardware detection
+      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+      boot.kernelModules = [ "kvm-intel" ];
+
+      fileSystems."/" =
+        { device = "/dev/pool/root";
+          fsType = "btrfs";
+        };
+
+      fileSystems."/boot" =
+        { device = "/dev/disk/by-uuid/1F60-17C6";
+          fsType = "vfat";
+        };
+
+      fileSystems."/home" =
+        { device = "/dev/pool/home";
+          fsType = "btrfs";
+        };
+
+      nix.maxJobs = lib.mkDefault 8;
+      powerManagement.cpuFreqGovernor = "powersave";
+    }
+    { # crypto stuff
+      boot.initrd.luks = {
+        cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+        devices =  [{
+           name = "luksroot";
+           device = "/dev/nvme0n1p3";
+        }];
+      };
+    }
+    {
+      services.xserver.dpi = 200;
+      fonts.fontconfig.dpi = 200;
+      lass.myFont = "-schumacher-clean-*-*-*-*-26-*-*-*-*-*-iso10646-1";
+    }
+  ];
+  krebs.build.host = config.krebs.hosts.helios;
+
+  krebs.git.rules = [
+    {
+      user = [ config.krebs.users.lass-helios ];
+      repo = [ config.krebs.git.repos.stockholm ];
+      perm = with git; push "refs/heads/*" [ fast-forward non-fast-forward create delete merge ];
+    }
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.wireless.enable = true;
+  hardware.enableRedistributableFirmware = true;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    rxvt_unicode
+    git
+    rsync
+    hashPassword
+    thunderbird
+    dpass
+  ];
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      config.krebs.users.lass-helios.pubkey
+    ];
+  };
+
+  programs.ssh.startAgent = lib.mkForce true;
+
+}
--- a/lass/1systems/helios/source.nix
+++ b/lass/1systems/helios/source.nix
@ -0,0 +1,4 @@
+import <stockholm/lass/source.nix> {
+  name = "helios";
+  secure = true;
+}
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -27,6 +27,12 @@ in {
        lass ALL= (root) NOPASSWD:SETENV: ${pkgs.sshuttle}/bin/.sshuttle-wrapped
      '';
    }
+    { #font magic
+      options.lass.myFont = mkOption {
+        type = types.str;
+        default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+      };
+    }
  ];

  users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@ -14,7 +14,7 @@ let
          root-desc = "keep calm and engage";
        };
      };
-      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+      repos = repos;
      rules = rules;
    };

@ -87,8 +87,8 @@ let
    public = true;
  };

-  make-restricted-repo = name: { collaborators ? [], announce ? false, hooks ? {}, ... }: {
-    inherit collaborators name;
+  make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: {
+    inherit admins collaborators name;
    public = false;
    hooks = optionalAttrs announce {
      post-receive = pkgs.git-hooks.irc-announce {
@ -111,15 +111,20 @@ let
        repo = [ repo ];
        perm = push "refs/*" [ non-fast-forward create delete merge ];
      } ++
-      optional repo.public {
-        user = attrValues config.krebs.users;
+      optional (length (repo.admins or []) > 0) {
+        user = repo.admins;
        repo = [ repo ];
-        perm = fetch;
+        perm = push "refs/*" [ non-fast-forward create delete merge ];
      } ++
      optional (length (repo.collaborators or []) > 0) {
        user = repo.collaborators;
        repo = [ repo ];
        perm = fetch;
+      } ++
+      optional repo.public {
+        user = attrValues config.krebs.users;
+        repo = [ repo ];
+        perm = fetch;
      };

 in out
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@ -1,12 +1,14 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:

 {

  krebs.iptables = {
    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
-        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+      filter.INPUT.rules = let
+        tincport = toString config.krebs.build.host.nets.retiolum.tinc.port;
+      in [
+        { predicate = "-p tcp --dport ${tincport}"; target = "ACCEPT"; }
+        { predicate = "-p udp --dport ${tincport}"; target = "ACCEPT"; }
      ];
    };
  };
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@ -106,9 +106,10 @@ let
    pkgs.vimPlugins.undotree
    (pkgs.vimUtils.buildVimPlugin {
      name = "file-line-1.0";
-      src = pkgs.fetchgit {
-        url = git://github.com/bogado/file-line;
-        rev = "refs/tags/1.0";
+      src = pkgs.fetchFromGitHub {
+        owner = "bogado";
+        repo = "file-line";
+        rev = "1.0";
        sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
      };
    })
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -14,14 +14,6 @@ in {

  security.acme = {
    certs."lassul.us" = {
-      email = "lass@lassul.us";
-      webroot = "/var/lib/acme/acme-challenges";
-      plugins = [
-        "account_key.json"
-        "key.pem"
-        "fullchain.pem"
-        "full.pem"
-      ];
      allowKeysForGroup = true;
      group = "lasscert";
    };
@ -71,13 +63,11 @@ in {
  ];

  services.nginx.virtualHosts."lassul.us" = {
+    enableACME = true;
    serverAliases = [ "lassul.us" ];
    locations."/".extraConfig = ''
      root /srv/http/lassul.us;
    '';
-    locations."/.well-known/acme-challenge".extraConfig = ''
-      root /var/lib/acme/challenges/lassul.us/;
-    '';
    locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
      alias ${config.krebs.tinc.retiolum.hostsArchive};
    '';
--- a/lass/2configs/xresources.nix
+++ b/lass/2configs/xresources.nix
@ -8,8 +8,8 @@ let
    URxvt*scrollBar: false
    URxvt*urgentOnBell: true
    URxvt*SaveLines: 4096
-    URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
-    URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+    URxvt*font: ${config.lass.myFont}
+    URxvt*boldFont: ${config.lass.myFont}

    ! ref https://github.com/muennich/urxvt-perls
    URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -1,8 +1,9 @@
-{ pkgs, ... }@args:
+{ config, pkgs, ... }@args:

 {
  nixpkgs.config.packageOverrides = rec {
    acronym = pkgs.callPackage ./acronym/default.nix {};
+    dpass = pkgs.callPackage ./dpass {};
    ejabberd = pkgs.callPackage ./ejabberd {
      erlang = pkgs.erlangR16;
    };
@ -20,7 +21,7 @@
    rs = pkgs.callPackage ./rs/default.nix {};
    urban = pkgs.callPackage ./urban/default.nix {};
    xml2json = pkgs.callPackage ./xml2json/default.nix {};
-    xmonad-lass = import ./xmonad-lass.nix { inherit pkgs; };
+    xmonad-lass = import ./xmonad-lass.nix { inherit config pkgs; };
    yt-next = pkgs.callPackage ./yt-next/default.nix {};
  };
 }
--- a/lass/5pkgs/dpass/default.nix
+++ b/lass/5pkgs/dpass/default.nix
@ -0,0 +1,12 @@
+{ pass, writeOut, writeDash, ... }:
+
+writeOut "dsco-pass" {
+  "/bin/dpass".link = writeDash "dpass" ''
+    PASSWORD_STORE_DIR=$HOME/.dpasswordstore \
+    exec ${pass}/bin/pass $@
+  '';
+  "/bin/dpassmenu".link = writeDash "dpassmenu" ''
+    PASSWORD_STORE_DIR=$HOME/.dpasswordstore \
+    exec ${pass}/bin/passmenu $@
+  '';
+}
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 pkgs.writeHaskell "xmonad-lass" {
  executables.xmonad = {
    extra-depends = [
@ -40,7 +40,7 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
-import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
+import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
 import XMonad.Layout.SimpleFloat (simpleFloat)
@ -51,7 +51,7 @@ urxvtcPath :: FilePath
 urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"

 myFont :: String
-myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
+myFont = "${config.lass.myFont}"

 main :: IO ()
 main = getArgs >>= \case
@ -99,6 +99,7 @@ myKeyMap =
    , ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png")
    , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
    , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
+    , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
    , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
    , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
    , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")
@ -107,8 +108,8 @@ myKeyMap =
    , ("M4-C-k", spawn "${pkgs.xorg.xkill}/bin/xkill")

    , ("M4-a", focusUrgent)
-    , ("M4-S-r", renameWorkspace    def)
-    , ("M4-S-a", addWorkspacePrompt def)
+    , ("M4-S-r", renameWorkspace    myXPConfig)
+    , ("M4-S-a", addWorkspacePrompt myXPConfig)
    , ("M4-S-<Backspace>", removeEmptyWorkspace)
    , ("M4-S-c", kill1)
    , ("M4-<Esc>", toggleWS)
@ -141,8 +142,13 @@ forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
 forkFile path args env =
    xfork (executeFile path False args env) >> return ()

+myXPConfig :: XPConfig
+myXPConfig = def
+    { font = myFont
+    }
+
 autoXPConfig :: XPConfig
-autoXPConfig = def
+autoXPConfig = myXPConfig
    { autoComplete = Just 5000
    }
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGZE0z5+0A42GHI2VYrN9Ra60EwlKqARZUi9e0pbiQxwKi42Y3+Jy2UIAB9rUW51Pw0K6L2FzHZyk9w4fMWjAB+OSaGi8CViGOrBmP8Xm0TSd6a725RSOKTH1jv4u54W6+VQcZpe4RepsuasvN4Rd3FYz1O0ffiroPYS0Hs7ui3HG5rZZsz+FArJ/s2mL525P9VQwMlCAdrepWXgGSPSa/ogmhMCSRttV5R0WCnvXYA4aq45scxjxIWXu/Y/FggslSpRGEnRChHiua5kPWqREC1eNbMOjYJc7OxDIZjzcwHcDHH3U1oIBEjNY8UqMFy3t87cm0BTH9yA6qQnkexCmbRGA0mnAJ1XskgL6KcZuYw+zRo6zVmnZCgRyheenBJhQy/28ZDSwCDBOayl6tAbWivesUZb0/nqucvbdRxTDd6nbSH8q8Cp1qZvP1yrhZ9X2m4Rm66UenHOPOEiyOoVQgfYb2EFHsYVN62shGcfaaL8g4rjUXsUJEheGX5ll5MOMSclUhI8Zk31APq/xuLGGIn+tipjOSX2OVZrSE+KkgitMxOOF1kx33IQGnBKQD8K/a9vVmpTrTAnfXR5oJrXp+XRZ3viXr0rUkG5KfS/zjL8ZC8ckeSkX75BLbPbimUa6TfA/lddipb76zOOOREiD4Sw+MkGDh5xnzwxMY05fjOUmk/v++WcOTTNyrknygdaC8Qx0Gv4Wxmcd+LzmIc5wZZjenwYhp4KpR55EIP966uBUcD+HlkHZnNNZUzOJA8NE+oPQbaM3qCuThe9q9hVYt08/rZ9ANwgb/ChCwEOYLNnofdgrvDb91qenwEUiE9wy79Dwgqh2SRAMN4ZTxRrVjw3potBMRuNc5HMDDXbKfGF1T6O+vBPpcQ8x+rztBDpF/lqjGqoCqyFNG/VnFHFZ5kjLkLmx6S69iRL7wg/KI1NA14tdSLJZ2qDqo5n8rbnGeAWTQB8ZgzhPO39fyOYGCdTJ8e2dIDEw8SUWaVsTnkc/PHOcGAMt2LrL6USszrLSQgU4ediPBWJjX4jk2wxLRPyBz8Z2QLWrsxV0bh1CstIsbBh1p8jMXAKJ+UXqzRWGR5T6d7lensqM0/uWqzu++w6/whQQh9Hzs6GX8l+ELMn0szkRaM9dZpAz5p9HHdYkANwsIIe8CPznRvudQ0CPManTQsjR8GZ3RjGx002VUdbDh5xx7P9Efsa6m8kkNCbUNMSHjmvC9M2sR5ww2WsnvpGBCU8sNYf4y9QvKI1LIYkG1MObhEKHyf5wxFp25bwHyxPkHGULhJKM/MdDT42flddEJCTEwiCPVuaJsr7Adr6Oni4kzY+S7CiP7YArM0v2Vg9mgVmi11koF9hcZ6zyyKAWVviDRLVIA0/eY66T/FiSS/g12zW1keuhFipNEWyZdD/r8LwfDpInAAqN5g65dx6eoyoB6AZatEwwsnn6zcDP51B1q0TC9Y+TXK5TSBE50oFxa2SLu4Gj7YOi1AoRqKxSPVktE= lass@helios