diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 164831846..a08dbb32c 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -339,9 +339,11 @@ let
       description = "Git repository hosting user";
       shell = "/bin/sh";
       openssh.authorizedKeys.keys =
-        mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
-                       (filterAttrs (_: user: isString user.pubkey)
-                                    config.krebs.users);
+        unique
+          (sort lessThan
+                (map (makeAuthorizedKey git-ssh-command)
+                     (filter (user: isString user.pubkey)
+                             (concatMap (getAttr "user") cfg.rules))));
     };
   };
 
diff --git a/tv/1systems/alnus.nix b/tv/1systems/alnus.nix
index bc6e3a6d8..4bc0318e8 100644
--- a/tv/1systems/alnus.nix
+++ b/tv/1systems/alnus.nix
@@ -22,10 +22,6 @@ with import <stockholm/lib>;
         devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
       };
     };
-    loader = {
-      efi.canTouchEfiVariables = true;
-      gummiboot.enable = true;
-    };
   };
 
   environment.systemPackages = with pkgs; [
@@ -62,7 +58,7 @@ with import <stockholm/lib>;
   krebs.build = {
     host = config.krebs.hosts.alnus;
     user = mkForce config.krebs.users.dv;
-    source.nixpkgs.git.ref = mkForce "d7450443c42228832c68fba203a7c15cfcfb264e";
+    source.nixpkgs.git.ref = mkForce "e924319cb6c74aa2a9c943eddeb0caef79db01bc";
   };
 
   networking.networkmanager.enable = true;
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 48d738365..9ccb0a057 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -2,9 +2,9 @@
 
 with import <stockholm/lib>;
 
-let
+let {
 
-  out = {
+  body = {
     krebs.git = {
       enable = true;
       cgit = {
@@ -123,4 +123,4 @@ let
         perm = fetch;
       };
 
-in out
+}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index cc59a95a5..1ffafe9c9 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 
 with import <stockholm/lib>;
-let
-  out = {
+let {
+  body = {
     environment.systemPackages = [
       vim
     ];
@@ -411,5 +411,4 @@ let
     catch /^Vim\%((\a\+)\)\=:E484/
     endtry
   '';
-in
-out
+}
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index 7276726ca..803ed6fbf 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -1,10 +1,10 @@
 { config, lib, pkgs, ... }:
 
 with import <stockholm/lib>;
-let
+let {
   cfg = config.tv.iptables;
 
-  out = {
+  body = {
     options.tv.iptables = api;
     config = lib.mkIf cfg.enable imp;
   };
@@ -146,14 +146,4 @@ let
       )}
       COMMIT
     '';
-in out
-
-#let
-#  cfg = config.tv.iptables;
-#  arg' = arg // { inherit cfg; };
-#in
-#
-#{
-#  options.tv.iptables = import ./options.nix arg';
-#  config = lib.mkIf cfg.enable (import ./config.nix arg');
-#}
+}