15 files changed, 453 insertions, 32 deletions

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 7b91fa6be..4ba9df6f9 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -22,6 +22,9 @@
     ../2configs/bitlbee.nix
     ../2configs/firefoxPatched.nix
     ../2configs/skype.nix
+    ../2configs/teamviewer.nix
+    ../2configs/libvirt.nix
+    ../2configs/fetchWallpaper.nix
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 599f4704e..95c55533c 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -116,6 +116,23 @@ in {
         { predicate = "-p tcp --dport 8080"; target = "ACCEPT";}
       ];
     }
+    {
+      users.users.chat.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJKlOeAHyi7lToCqRF/hdA2TrtVbrTUd2ayuWsXe9JWiyeyKH/LNY3SrgxCWPZSItE9VK68ghMuVYK/A8IAcgzNhzFYLDxmtsidjiOJBj2ZGsjqevoQ5HuKB/pob8CLW3dr1Rx38Any/XXxpfeO6vemCJMGLTe5gSlrCI+Tk1qNt0Rz+rke73Hwt9wW39g8X3prF2q9ryL9OFCcsoYUE7PIOV9xM1GaDFfTR4bKux7HyFKmG+rBvmJHB5OPW8UAtVZGY/FIChwlmF6QNO5Zym497bG1RCOGplaLpRXVJrmoUkZUO7EazePPxIjz2duWYqFtwl5R9YGy1+a+F58G19DS7wJHM29td117/ZANjRTxE5q/aJm2okJYOVSqhYzdhji+BWVZ5ai7cktpAdtPo++yiZN90LvogXNB64kFxVGuX52xZcA3KLKmvrd47o9k0pzO+oCoArxPFIx0YkHfy/yw7OG8Z+KLK8l9WXWBZO5TpjcydnEcRZ8OEqVhtmDh+9h1zhPphuFBtT1JPbt8m132RUy23qsNRtZ/lnnfQbrxgHPRzVuvA8o4ahOEUdvV9SYnzKb6qMFXGp25EhlcWnR4/toyG6I3paBtByeHkaxjgCuvm9Hob6f/xFr3kEJ4WXTVguyrcFgNg2EcEfdkrTMhNn9OIHEFFQ8whIBv5jlw== JuiceSSH"
+      ];
+    }
+    {
+      time.timeZone = "Europe/Berlin";
+    }
+    {
+      imports = [
+        ../2configs/websites/wohnprojekt-rhh.de.nix
+        ../2configs/websites/domsen.nix
+      ];
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 61023057b..40f4e12c7 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -17,6 +17,7 @@ with lib;
         root = {
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
+            config.krebs.users.uriel.pubkey
           ];
         };
         mainUser = {
@@ -30,6 +31,7 @@ with lib;
           ];
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
+            config.krebs.users.uriel.pubkey
           ];
         };
       };
@@ -48,7 +50,7 @@ with lib;
       source = {
         git.nixpkgs = {
           url = https://github.com/Lassulus/nixpkgs;
-          rev = "8d1ce129361312334bf914ce0d27e463cb0bb21b";
+          rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251";
         };
         dir.secrets = {
           host = config.krebs.hosts.mors;
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index 849778a7a..d36801863 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -1,16 +1,6 @@
 { config, lib, pkgs, ... }:
 
 let
-  simpleScript = name: content:
-    pkgs.stdenv.mkDerivation {
-      inherit name;
-      phases = [ "installPhase" ];
-      installPhase = ''
-        mkdir -p $out/bin
-        ln -s ${pkgs.writeScript name content} $out/bin/${name}
-      '';
-    };
-
   mainUser = config.users.extraUsers.mainUser;
   createChromiumUser = name: extraGroups: packages:
     {
@@ -26,8 +16,8 @@ let
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
       environment.systemPackages = [
-        (simpleScript name ''
-          sudo -u ${name} -i chromium $@
+        (pkgs.writeScriptBin name ''
+          /var/setuid-wrappers/sudo -u ${name} -i chromium $@
         '')
       ];
     };
@@ -46,8 +36,8 @@ let
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
       environment.systemPackages = [
-        (simpleScript name ''
-          sudo -u ${name} -i firefox $@
+        (pkgs.writeScriptBin name ''
+          /var/setuid-wrappers/sudo -u ${name} -i firefox $@
         '')
       ];
     };
@@ -57,7 +47,7 @@ let
 in {
 
   environment.systemPackages = [
-    (simpleScript "browser-select" ''
+    (pkgs.writeScriptBin "browser-select" ''
       BROWSER=$(echo -e "ff\ncr\nfb\ngm\nflash" | dmenu)
       $BROWSER $@
     '')
@@ -70,7 +60,7 @@ in {
     ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] )
     ( createChromiumUser "fb" [ ] [ pkgs.chromium ] )
     ( createChromiumUser "gm" [ ] [ pkgs.chromium ] )
-   # ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
+    ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
   ];
 
   nixpkgs.config.packageOverrides = pkgs : {
diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix
index 1edd01896..e3a88c789 100644
--- a/lass/2configs/elster.nix
+++ b/lass/2configs/elster.nix
@@ -14,6 +14,9 @@ in {
       createHome = true;
     };
   };
+  krebs.per-user.elster.packages = [
+    pkgs.chromium
+  ];
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(elster) NOPASSWD: ALL
   '';
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
new file mode 100644
index 000000000..9c27706cb
--- /dev/null
+++ b/lass/2configs/fetchWallpaper.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+let
+
+in {
+  krebs.fetchWallpaper = {
+    enable = true;
+    url = "echelon/wallpaper.png";
+  };
+}
+
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
new file mode 100644
index 000000000..368722e77
--- /dev/null
+++ b/lass/2configs/libvirt.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.mainUser;
+
+in {
+  virtualisation.libvirtd.enable = true;
+
+  users.extraUsers = {
+    libvirt = {
+      uid = 358821352; # genid libvirt
+      description = "user for running libvirt stuff";
+      home = "/home/libvirt";
+      useDefaultShell = true;
+      extraGroups = [ "libvirtd" "audio" ];
+      createHome = true;
+    };
+  };
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
+  '';
+}
diff --git a/lass/2configs/teamviewer.nix b/lass/2configs/teamviewer.nix
new file mode 100644
index 000000000..48053d7db
--- /dev/null
+++ b/lass/2configs/teamviewer.nix
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  services.teamviewer.enable = true;
+}
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
new file mode 100644
index 000000000..109c216c0
--- /dev/null
+++ b/lass/2configs/websites/domsen.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../3modules/static_nginx.nix
+    ../../3modules/owncloud_nginx.nix
+    ../../3modules/wordpress_nginx.nix
+  ];
+
+  lass.staticPage = {
+    "karlaskop.de" = {};
+    "makeup.apanowicz.de" = {};
+    "pixelpocket.de" = {};
+    "reich-gebaeudereinigung.de" = {};
+  };
+
+  lass.owncloud = {
+    "o.ubikmedia.de" = {
+      instanceid = "oc8n8ddbftgh";
+    };
+  };
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    rootPassword = toString (<secrets/mysql_rootPassword>);
+  };
+
+  #lass.wordpress = {
+  #  "ubikmedia.de" = {
+  #  };
+  #};
+
+}
+
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix
new file mode 100644
index 000000000..cd31450c5
--- /dev/null
+++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+  imports = [
+    ../../3modules/static_nginx.nix
+  ];
+
+  lass.staticPage = {
+    "wohnprojekt-rhh.de" = {};
+  };
+}
+
diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix
index ceccf5fee..da337f6a7 100644
--- a/lass/2configs/xserver/default.nix
+++ b/lass/2configs/xserver/default.nix
@@ -108,7 +108,6 @@ let
       pkgs.rxvt_unicode
       pkgs.i3lock
       pkgs.haskellPackages.yeganesh
-      pkgs.haskellPackages.xmobar
       pkgs.dmenu
     ] ++ config.environment.systemPackages)}:/var/setuid-wrappers
     settle() {(
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
new file mode 100644
index 000000000..a0db87b0b
--- /dev/null
+++ b/lass/3modules/owncloud_nginx.nix
@@ -0,0 +1,215 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.lass.owncloud;
+
+  out = {
+    options.lass.owncloud = api;
+    config = imp;
+  };
+
+  api = mkOption {
+    type = with types; attrsOf (submodule ({ config, ... }: {
+      options = {
+        domain = mkOption {
+          type = str;
+          default = config._module.args.name;
+        };
+        dataDir = mkOption {
+          type = str;
+          default = "${config.folder}/data";
+        };
+        dbUser = mkOption {
+          type = str;
+          default = replaceStrings ["."] ["_"] config.domain;
+        };
+        dbName = mkOption {
+          type = str;
+          default = replaceStrings ["."] ["_"] config.domain;
+        };
+        dbType = mkOption {
+        # TODO: check for valid dbType
+          type = str;
+          default = "mysql";
+        };
+        folder = mkOption {
+          type = str;
+          default = "/srv/http/${config.domain}";
+        };
+        auto = mkOption {
+          type = bool;
+          default = false;
+        };
+        instanceid = mkOption {
+          type = str;
+        };
+        ssl = mkOption {
+          type = bool;
+          default = false;
+        };
+      };
+    }));
+    default = {};
+  };
+
+  user = config.services.nginx.user;
+  group = config.services.nginx.group;
+
+  imp = {
+    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+      server-names = [
+        "${domain}"
+        "www.${domain}"
+      ];
+      locations = [
+        (nameValuePair "/" ''
+          # The following 2 rules are only needed with webfinger
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+          rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+          rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+
+          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+
+          try_files $uri $uri/ /index.php;
+        '')
+        (nameValuePair "~ \.php$" ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+          fastcgi_pass unix:${folder}/phpfpm.pool;
+        '')
+        (nameValuePair "~ /\\." ''
+          deny all;
+        '')
+      ];
+      extraConfig = ''
+        root ${folder}/;
+        #index index.php;
+        access_log /tmp/nginx_acc.log;
+        error_log /tmp/nginx_err.log;
+
+        # set max upload size
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+        error_page 403 /core/templates/403.php;
+        error_page 404 /core/templates/404.php;
+      '';
+    });
+    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
+      listen = ${folder}/phpfpm.pool
+      user = ${user}
+      group = ${group}
+      pm = dynamic
+      pm.max_children = 5
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      listen.owner = ${user}
+      listen.group = ${group}
+      # errors to journal
+      php_admin_value[error_log] = 'stderr'
+      php_admin_flag[log_errors] = on
+      catch_workers_output = yes
+    '');
+    #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
+    #  name = "owncloudInit-${name}";
+    #  value = {
+    #    path = [
+    #      pkgs.mysql
+    #      pkgs.su
+    #      pkgs.gawk
+    #      pkgs.jq
+    #    ];
+    #    requiredBy = [ "nginx.service" ];
+    #    serviceConfig = let
+    #      php.define = name: value:
+    #        "define(${php.newdoc name}, ${php.newdoc value});";
+    #      php.toString = x:
+    #        "'${x}'";
+    #      php.newdoc = s:
+    #        let b = "EOF${builtins.hashString "sha256" s}"; in
+    #        ''<<<'${b}'
+    #        ${s}
+    #        ${b}
+    #        '';
+    #    in {
+    #      Type = "oneshot";
+    #      ExecStart = pkgs.writeScript "wordpressInit" ''
+    #        #!/bin/sh
+    #        set -euf
+    #        oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
+    #        db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
+    #        get_secret() {
+    #          echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
+    #        }
+    #        to_php_string() {
+    #          echo "base64_decode('$(base64)')"
+    #        }
+    #        {
+    #          cat ${toString <secrets/mysql_rootPassword>}
+    #          password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
+    #          # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
+    #          # TODO as package pkgs.sqlHashPassword
+    #          # TODO not using mysql
+    #          # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
+    #          passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
+    #          user=${shell.escape dbUser}@localhost
+    #          database=${shell.escape dbName}
+    #          cat << EOF
+    #            CREATE DATABASE IF NOT EXISTS $database;
+    #            GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
+    #            GRANT ALL PRIVILEGES ON $database.* TO $user;
+    #            FLUSH PRIVILEGES;
+    #        EOF
+    #        } | mysql -u root -p
+    #        # TODO nix2php for wp-config.php
+    #        mkdir -p ${folder}/config
+    #        cat > ${folder}/config/config.php << EOF
+    #        <?php
+    #        \$CONFIG = array (
+    #          'dbhost' => 'localhost',
+    #          'dbtableprefix' => 'oc_',
+    #          'dbpassword' => '$db_password',
+    #          'installed' => 'true',
+    #          'trusted_domains' =>
+    #          array (
+    #            0 => '${domain}',
+    #          ),
+    #          'overwrite.cli.url' => 'http://${domain}',
+
+    #        ${concatStringsSep "\n" (mapAttrsToList (name: value:
+    #          "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
+    #        ) {
+    #          instanceid = instanceid;
+    #          datadirectory = dataDir;
+    #          dbtype = dbType;
+    #          dbname = dbName;
+    #          dbuser = dbUser;
+    #        })}
+
+    #        ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
+    #          "secret"
+    #          "passwordsalt"
+    #        ]}
+    #        );
+    #        EOF
+    #      '';
+    #    };
+    #  };
+    #});
+    users.users.nobody_oc = {
+      uid = 1651469147; # genid nobody_oc
+      useDefaultShell = true;
+    };
+  };
+
+in out
diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix
new file mode 100644
index 000000000..cc2641af2
--- /dev/null
+++ b/lass/3modules/static_nginx.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.lass.staticPage;
+
+  out = {
+    options.lass.staticPage = api;
+    config = imp;
+  };
+
+  api = mkOption {
+    type = with types; attrsOf (submodule ({ config, ... }: {
+      options = {
+        domain = mkOption {
+          type = str;
+          default = config._module.args.name;
+        };
+        folder = mkOption {
+          type = str;
+          default = "/srv/http/${config.domain}";
+        };
+      };
+    }));
+    default = {};
+  };
+
+  user = config.services.nginx.user;
+  group = config.services.nginx.group;
+
+  imp = {
+    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+      server-names = [
+        "${domain}"
+        "www.${domain}"
+      ];
+      locations = [
+        (nameValuePair "/" ''
+          root ${folder};
+        '')
+        (nameValuePair "~ /\\." ''
+          deny all;
+        '')
+      ];
+    });
+  };
+
+in out
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
index 65170698f..2f31f6e02 100644
--- a/lass/3modules/wordpress_nginx.nix
+++ b/lass/3modules/wordpress_nginx.nix
@@ -45,35 +45,70 @@ let
           type = bool;
           default = false;
         };
+        multiSite = mkOption {
+          type = attrsOf str;
+          default = {};
+          example = {
+            "0" = "bla.testsite.de";
+            "1" = "test.testsite.de";
+          };
+        };
       };
     }));
     default = {};
   };
 
-  dataFolder = "/srv/http";
   user = config.services.nginx.user;
   group = config.services.nginx.group;
 
   imp = {
-    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: {
+    #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
+    #  map $http_host $blogid {
+    #  ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
+    #  }
+    #'';
+
+    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
       server-names = [
         "${domain}"
         "www.${domain}"
       ];
-      locations = [
+        #(mkIf (multiSite != {})
+        #)
+      locations = (if (multiSite != {}) then
+        [
+          (nameValuePair "~ ^/files/(.*)$" ''
+            try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
+          '')
+          (nameValuePair "^~ /blogs.dir" ''
+            internal;
+            alias ${folder}/wp-content/blogs.dir ;
+            access_log off; log_not_found off; expires max;
+          '')
+        ]
+      else
+        []
+      ) ++
+      [
         (nameValuePair "/" ''
           try_files $uri $uri/ /index.php?$args;
         '')
         (nameValuePair "~ \.php$" ''
-          fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool;
+          fastcgi_pass unix:${folder}/phpfpm.pool;
           include ${pkgs.nginx}/conf/fastcgi.conf;
         '')
         (nameValuePair "~ /\\." ''
           deny all;
         '')
+        #Directives to send expires headers and turn off 404 error logging.
+        (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
+          access_log off;
+          log_not_found off;
+          expires max;
+        '')
       ];
       extraConfig = ''
-        root ${dataFolder}/${domain}/;
+        root ${folder}/;
         index index.php;
         access_log /tmp/nginx_acc.log;
         error_log /tmp/nginx_err.log;
@@ -81,8 +116,8 @@ let
         error_page 500 502 503 504 /50x.html;
       '';
     });
-    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: ''
-      listen = ${dataFolder}/${domain}/phpfpm.pool
+    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
+      listen = ${folder}/phpfpm.pool
       user = ${user}
       group = ${group}
       pm = dynamic
@@ -97,7 +132,7 @@ let
       php_admin_flag[log_errors] = on
       catch_workers_output = yes
     '');
-    systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: {
+    systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
       name = "wordpressInit-${name}";
       value = {
         path = [
@@ -175,6 +210,13 @@ let
             ]}
 
             \$table_prefix = 'wp_';
+
+            ${if (multiSite != {}) then
+              "define('WP_ALLOW_MULTISITE', true);"
+            else
+              ""
+            }
+
             define('WP_DEBUG', ${toJSON debug});
             if ( !defined('ABSPATH') )
               define('ABSPATH', dirname(__FILE__) . '/');
@@ -186,10 +228,12 @@ let
         };
       };
     });
-    users.users.nobody2 = {
-      uid = 125816384; # genid nobody2
-      useDefaultShell = true;
+    users.users.nobody2 = mkDefault {
+      uid = mkDefault 125816384; # genid nobody2
+      useDefaultShell = mkDefault true;
     };
   };
 
+  indent = replaceChars ["\n"] ["\n  "];
+
 in out
diff --git a/lass/5pkgs/xmonad-lass/Main.hs b/lass/5pkgs/xmonad-lass/Main.hs
index 10a3c5638..ce5afe33a 100644
--- a/lass/5pkgs/xmonad-lass/Main.hs
+++ b/lass/5pkgs/xmonad-lass/Main.hs
@@ -49,6 +49,7 @@ import XMonad.Stockholm.Pager
 import XMonad.Stockholm.Rhombus
 import XMonad.Stockholm.Shutdown
 
+
 myTerm :: String
 myTerm = "urxvtc"
 
@@ -65,6 +66,7 @@ main = getArgs >>= \case
 
 mainNoArgs :: IO ()
 mainNoArgs = do
+    workspaces0 <- getWorkspaces0
     xmonad'
         -- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 }
         --                   urgencyConfig { remindWhen = Every 1 }
@@ -74,6 +76,7 @@ mainNoArgs = do
         $ defaultConfig
             { terminal          = myTerm
             , modMask           = mod4Mask
+            , workspaces        = workspaces0
             , layoutHook = smartBorders $ myLayoutHook
             -- , handleEventHook   = myHandleEventHooks <+> handleTimerEvent
             --, handleEventHook   = handleTimerEvent
@@ -100,16 +103,26 @@ xmonad' conf = do
             hPutStrLn stderr (displaySomeException e)
             xmonad conf
 
+getWorkspaces0 :: IO [String]
+getWorkspaces0 =
+    try (getEnv "XMONAD_WORKSPACES0_FILE") >>= \case
+      Left e -> warn (displaySomeException e)
+      Right p -> try (readFile p) >>= \case
+        Left e -> warn (displaySomeException e)
+        Right x -> case readEither x of
+          Left e -> warn e
+          Right y -> return y
+  where
+    warn msg = hPutStrLn stderr ("getWorkspaces0: " ++ msg) >> return []
 
 displaySomeException :: SomeException -> String
 displaySomeException = displayException
 
 
 myKeyMap =
-    [ ("M4-<F11>", spawn "i3lock -i ~/lock.png -u" )
+    [ ("M4-<F11>", spawn "/var/setuid-wrappers/slock")
     , ("M4-p", spawn "passmenu --type")
-    , ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"")
-    -- , ("M4-r", io (readProcess "yeganesh" ["-x"] "" >>= putStrLn )  )
+    --, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"")
     , ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%")
     , ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%")
     , ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view)