diff --git a/default.nix b/default.nix index 64c69a2f4..1c3341ba7 100644 --- a/default.nix +++ b/default.nix @@ -11,7 +11,8 @@ let out = (lib.mapAttrs (k: v: mk-namespace (./. + "/${k}")) (lib.filterAttrs - (k: v: !lib.hasPrefix "." k && v == "directory") + (k: v: !lib.hasPrefix "." k && v == "directory" && + builtins.pathExists (./. + "/${k}/1systems")) (builtins.readDir ./.))); eval = path: import { diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix index 4d2f36a02..6097a7b5d 100644 --- a/krebs/3modules/build/default.nix +++ b/krebs/3modules/build/default.nix @@ -28,6 +28,42 @@ let type = types.user; }; + options.krebs.build.scripts.init = lib.mkOption { + type = lib.types.str; + default = + let + inherit (config.krebs.build) host; + in + '' + #! /bin/sh + set -efu + + hostname=${host.name} + secrets_dir=${config.krebs.build.source.dir.secrets.path} + key_type=ed25519 + key_file=$secrets_dir/ssh.id_$key_type + key_comment=$hostname + + if test -e "$key_file"; then + echo "Warning: privkey already exists: $key_file" >&2 + else + ssh-keygen \ + -C "$key_comment" \ + -t "$key_type" \ + -f "$key_file" \ + -N "" + rm "$key_file.pub" + fi + + pubkey=$(ssh-keygen -y -f "$key_file") + + cat<; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; mkdir = rec { cores = 1; @@ -534,7 +570,7 @@ let infest.addr = head nets.internet.addrs4; nets = rec { internet = { - addrs4 = ["104.233.84.102"]; + addrs4 = ["104.233.84.173"]; aliases = [ "mkdir.internet" ]; 
@@ -559,6 +595,35 @@ let ''; }; }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw"; + }; + ire = { + nets = { + internet = { + addrs4 = ["198.147.22.115"]; + ssh.port = 11423; + }; + retiolum = { + addrs4 = ["10.243.231.66"]; + addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"]; + aliases = [ + "ire.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7 + rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt + 6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU + 1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K + LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu + nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + ssh.port = 11423; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY"; }; nomic = { cores = 2; @@ -584,6 +649,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09"; }; rmdir = rec { cores = 1; @@ -616,6 +682,8 @@ let ''; }; }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4"; }; wu = { cores = 4; @@ -641,6 +709,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { cores = 4; @@ -666,6 +735,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw"; }; }; users = addNames { diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index dbffdf850..0aa594fb1 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix 
@@ -1,11 +1,12 @@ { lib, ... }: +with builtins; with lib; with types; types // rec { - host = submodule { + host = submodule ({ config, ... }: { options = { name = mkOption { type = label; @@ -46,8 +47,39 @@ types // rec { TODO define minimum requirements for secure hosts ''; }; + + ssh.pubkey = mkOption { + type = nullOr str; + default = null; + apply = x: + if x != null + then x + else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null; + }; + ssh.privkey = mkOption { + type = nullOr (submodule { + options = { + bits = mkOption { + type = nullOr (enum ["4096"]); + default = null; + }; + path = mkOption { + type = either path str; + apply = x: { + path = toString x; + string = x; + }.${typeOf x}; + }; + type = mkOption { + type = enum ["rsa" "ed25519"]; + default = "ed25519"; + }; + }; + }); + default = null; + }; }; - }; + }); net = submodule ({ config, ... }: { options = { @@ -71,6 +103,18 @@ types // rec { aliases = mkOption { # TODO nonEmptyListOf hostname type = listOf hostname; + default = []; + }; + ssh = mkOption { + type = submodule { + options = { + port = mkOption { + type = nullOr int; + default = null; + }; + }; + }; + default = {}; }; tinc = mkOption { type = let net-config = config; in nullOr (submodule ({ config, ... }: { diff --git a/krebs/Zhosts/ire b/krebs/Zhosts/ire index 724158cb0..db4f9808c 100644 --- a/krebs/Zhosts/ire +++ b/krebs/Zhosts/ire @@ -1,4 +1,4 @@ -Address = 198.147.23.143 +Address = 198.147.22.115 Subnet = 10.243.231.66 Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c diff --git a/tv/4lib/git.nix b/tv/4lib/git.nix index 2b25debdc..748b77269 100644 --- a/tv/4lib/git.nix +++ b/tv/4lib/git.nix 
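Review bot: The new `ssh.pubkey` option in the host submodule (hunk `@@ -46,8 +47,39 @@`) is typed `nullOr str` with no shape check, so a value with an embedded newline, or several keys, is accepted silently; these strings are presumably consumed by line-oriented files (known_hosts / authorized_keys style), where a stray newline would become an extra entry. Constrain it to a single line, e.g. `type = nullOr (addCheck str (s: length (splitString "\n" s) == 1));` — `addCheck` and `splitString` come from `lib`, which is already in scope. The `host = submodule (…` header that encloses this option is in the preceding hunk.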
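Review bot: The `port` option added under `ssh` in the net submodule (hunk `@@ -71,6 +103,18 @@`) is `nullOr int`, so negative values and values above 65535 pass the module system and only fail later in whatever renders the sshd/ssh config. A bounded type catches that at evaluation time: `type = nullOr (addCheck int (p: p > 0 && p < 65536));`. The `net = submodule` body continues past the end of the hunk.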
@@ -114,6 +114,18 @@ let gnused ])} + green() { printf '\x0303,99%s\x0F' "$1"; } + red() { printf '\x0304,99%s\x0F' "$1"; } + orange() { printf '\x0307,99%s\x0F' "$1"; } + pink() { printf '\x0313,99%s\x0F' "$1"; } + gray() { printf '\x0314,99%s\x0F' "$1"; } + + unset message + add_message() { + message="''${message+$message + }$*" + } + nick=${escapeShellArg nick} channel=${escapeShellArg channel} server=${escapeShellArg server} @@ -124,7 +136,6 @@ let empty=0000000000000000000000000000000000000000 - unset message while read oldrev newrev ref; do if [ $oldrev = $empty ]; then @@ -157,14 +168,23 @@ let link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)" ;; fast-forward|non-fast-forward) - #git diff --stat $id..$id2 link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2" ;; esac #$host $GIT_SSH_REPO $ref $link - message="''${message+$message - }$GIT_SSH_USER $receive_mode $link" + add_message $(pink push) $link $(gray "($receive_mode)") + + add_message "$( + git log \ + --format="$(orange %h) %s $(gray '(%ar)')" \ + --reverse \ + $id2..$id + + git diff --stat $id2..$id \ + | sed '$!s/\(+*\)\(-*\)$/'$(green '\1')$(red '\2')'/' + )" + done if test -n "''${message-}"; then
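Review bot: The colour helpers added at the top of hunk `@@ -114,6 +114,18 @@` (`green` … `gray`) rely on `\x03`/`\x0F` escapes inside the printf format string; POSIX printf only defines octal `\ddd` escapes there, so under a shell such as dash the text `\x0303` is emitted literally instead of the IRC colour byte. Which interpreter runs this hook is not visible in the hunk, but the octal form works in every sh: `green() { printf '\00303,99%s\017' "$1"; }` (here `\003` is the colour-control byte and the following `03` the colour number), and likewise for the other four helpers. The surrounding Nix string that holds this shell code starts outside the hunk.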
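Review bot: `add_message $(pink push) $link $(gray "($receive_mode)")` in hunk `@@ -157,14 +168,23 @@` passes `$link` unquoted, and the fast-forward form of `link` built a few lines above carries a `?h=…&id=…` query, so the word is subject to field splitting and pathname expansion (`?` is a glob character) before `add_message` sees it, unless the hook runs with `set -f`, which this hunk does not show; the removed line kept it inside double quotes. Quote the three arguments: `add_message "$(pink push)" "$link" "$(gray "($receive_mode)")"`. Separately, `%s` from `git log` and the file names in the `git diff --stat` output are pusher-controlled text forwarded verbatim into the IRC message; whether the sending code (outside this hunk) strips control characters such as CR/LF is not visible here and worth confirming. The `while read oldrev newrev ref; do` loop enclosing these lines starts outside the hunk.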