diff --git a/Makefile b/Makefile index 6e09559b6..aa5d5d8ca 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,9 @@ system ?= $(HOSTNAME) $(if $(system),,$(error unbound variable: system)) nixos-config ?= $(stockholm)/$(LOGNAME)/1systems/$(system).nix +ifneq ($(words $(wildcard $(nixos-config))),1) +$(error bad nixos-config: $(nixos-config)) +endif # target = [target_user@]target_host[:target_port][/target_path] ifdef target diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index 46b405842..e80d383f8 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -135,8 +135,7 @@ let wantedBy = [ "multi-user.target" ]; serviceConfig = { PermissionsStartOnly = true; - ExecStartPre = pkgs.writeScript "acng-init" '' - #!/bin/sh + ExecStartPre = pkgs.writeDash "acng-init" '' mkdir -p ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir} chown acng:acng ${shell.escape cfg.cacheDir} ${shell.escape cfg.logDir} ''; diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 71b22d8cb..4569d400f 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -121,8 +121,7 @@ let "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current" "flock -n ${shell.escape plan.dst.path} rsync" ]; - in pkgs.writeScript "backup.${plan.name}" '' - #! ${pkgs.bash}/bin/bash + in pkgs.writeBash "backup.${plan.name}" '' set -efu start_date=$(date +%s) ssh_target=${shell.escape login-name}@$(${fastest-address remote.host}) diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index cbf87b2a7..080d2188d 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix 
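Review bot: The `acng-init` script in krebs/3modules/apt-cacher-ng.nix runs with full privileges (`PermissionsStartOnly = true`) but has no `set -efu`, unlike `backup.${plan.name}` in the next hunk. A failing `mkdir` therefore does not stop the script before `chown` runs. I would open the body with `set -efu` so the unit fails at the first error. The same applies to the `bepasty-server.${name}-init` and `pulse-start` ExecStartPre scripts converted later in this diff.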
@@ -109,8 +109,7 @@ let Type = "simple"; PrivateTmp = true; - ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' - #!/bin/sh + ExecStartPre = assert server.secretKey != ""; pkgs.writeDash "bepasty-server.${name}-init" '' mkdir -p "${server.dataDir}" "${server.workDir}" chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" cat > "${server.workDir}/bepasty-${name}.conf" < hostname = mkOptionType { name = "hostname"; - check = x: all label.check (splitString "." x); + check = x: isString x && all label.check (splitString "." x); merge = mergeOneOption; }; @@ -318,14 +324,15 @@ types // rec { label = mkOptionType { name = "label"; # TODO case-insensitive labels - check = x: match "[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?" x != null; + check = x: isString x + && match "[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?" x != null; merge = mergeOneOption; }; # POSIX.1‐2013, 3.278 Portable Filename Character Set filename = mkOptionType { name = "POSIX filename"; - check = x: match "([0-9A-Za-z._])[0-9A-Za-z._-]*" x != null; + check = x: isString x && match "([0-9A-Za-z._])[0-9A-Za-z._-]*" x != null; merge = mergeOneOption; }; @@ -335,7 +342,7 @@ types // rec { absolute-pathname = mkOptionType { name = "POSIX absolute pathname"; check = x: let xs = splitString "/" x; xa = head xs; in - xa == "/" || (xa == "" && all filename.check (tail xs)); + isString x && (xa == "/" || (xa == "" && all filename.check (tail xs))); merge = mergeOneOption; }; @@ -344,7 +351,7 @@ types // rec { pathname = mkOptionType { name = "POSIX pathname"; check = x: let xs = splitString "/" x; in - all filename.check (if head xs == "" then tail xs else xs); + isString x && all filename.check (if head xs == "" then tail xs else xs); merge = mergeOneOption; }; diff --git a/krebs/5pkgs/Reaktor/plugins.nix b/krebs/5pkgs/Reaktor/plugins.nix index 0f61688e3..a483db32c 100644 --- a/krebs/5pkgs/Reaktor/plugins.nix +++ b/krebs/5pkgs/Reaktor/plugins.nix 
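Review bot: `mkdir -p "${server.dataDir}" "${server.workDir}"` and the `chown` after it splice option values into double-quoted shell words, where `$`, backticks and `"` in a value are still interpreted by the shell. apt-cacher-ng.nix in this same diff uses `${shell.escape cfg.cacheDir}` for the same job. If `shell.escape` is in scope in this module, I would write `mkdir -p ${shell.escape server.dataDir} ${shell.escape server.workDir}` and do likewise for `chown` and the redirect target. The rest of this hunk, the heredoc that writes `bepasty-${name}.conf`, is not readable on the page. Since the script is gated on `server.secretKey`, it is worth confirming that the key is not interpolated into the script text, because text passed to `writeDash` ends up in the world-readable Nix store.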
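Review bot: The `filename` pattern `([0-9A-Za-z._])[0-9A-Za-z._-]*` in the `@@ -318,14 +324,15 @@` hunk still matches `.` and `..`, so `pathname` and `absolute-pathname` accept components that walk out of a directory. That matters more after this commit, because builders.nix now uses these types to validate install destinations under `$out` (`makeScriptWriter`, `writeOut`). If dot entries are not intended, `check = x: isString x && x != "." && x != ".." && match "([0-9A-Za-z._])[0-9A-Za-z._-]*" x != null;` closes the gap. Otherwise a comment on `filename` saying that they are deliberately allowed would help.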
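Review bot: In `absolute-pathname.check` (hunk `@@ -335,7 +342,7 @@`) the `xa == "/"` alternative can never hold, assuming `splitString` is the nixpkgs one, because its elements never contain the separator. As written the root path `"/"` is rejected: it splits into two empty strings and `filename.check ""` fails. If `"/"` should be accepted, test it directly: `isString x && (x == "/" || (xa == "" && all filename.check (tail xs)))`. The added `isString x &&` guard itself is sound, since the lazy `let` bindings are only forced after it passes.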
@@ -74,8 +74,7 @@ rec { }; nixos-version = buildSimpleReaktorPlugin "nixos-version" { - script = pkgs.writeScript "nixos-version" '' - #! /bin/sh + script = pkgs.writeDash "nixos-version" '' . /etc/os-release echo "$PRETTY_NAME" ''; diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index 8ba0ab5a7..924e0c086 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix @@ -2,16 +2,16 @@ with config.krebs.lib; rec { execve = name: { filename, argv ? null, envp ? {}, destination ? "" }: let - in writeC name { inherit destination; } '' + in writeC name { inherit destination; } /* c */ '' #include static char *const filename = ${toC filename}; ${if argv == null - then /* Propagate arguments */ '' + then /* Propagate arguments */ /* c */ '' #define MAIN_ARGS int argc, char **argv '' - else /* Provide fixed arguments */ '' + else /* Provide fixed arguments */ /* c */ '' #define MAIN_ARGS void static char *const argv[] = ${toC (argv ++ [null])}; ''} @@ -28,22 +28,22 @@ rec { execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; }); - writeBash = name: text: pkgs.writeScript name '' - #! ${pkgs.bash}/bin/bash - ${text} - ''; + makeScriptWriter = interpreter: name: text: + assert (with types; either absolute-pathname filename).check name; + pkgs.writeOut (baseNameOf name) { + ${optionalString (types.absolute-pathname.check name) name} = { + executable = true; + text = "#! ${interpreter}\n${text}"; + }; + }; - writeBashBin = name: text: pkgs.writeTextFile { - executable = true; - destination = "/bin/${name}"; - name = name; - text = '' - #! ${pkgs.bash}/bin/bash - ${text} - ''; - }; + writeBash = makeScriptWriter "${pkgs.bash}/bin/bash"; - writeC = name: { destination ? "" }: src: pkgs.runCommand name {} '' + writeBashBin = name: + assert types.filename.check name; + pkgs.writeBash "/bin/${name}"; + + writeC = name: { destination ? "" }: src: pkgs.runCommand name {} /* sh */ '' PATH=${makeBinPath (with pkgs; [ binutils coreutils 
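Review bot: `makeScriptWriter` in krebs/5pkgs/builders.nix gives `name` two meanings that nothing in the code states. A bare filename makes the script the store path itself, because the attribute key collapses to `""`; an absolute pathname places the script at `$out` followed by that path. A comment above the definition would save the next reader from decoding the `optionalString` key, e.g. `# name: a filename (script becomes $out) or an absolute pathname (script is installed at $out + name)`. The bare `assert`s here and in `writeBashBin` also fail without saying which argument was rejected. The `throw "argument ‘exe-name’ is not a ${types.filename.name}"` form used further down this file gives a more useful error.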
@@ -56,37 +56,39 @@ rec { strip --strip-unneeded "$exe" ''; - writeDash = name: text: pkgs.writeScript name '' - #! ${pkgs.dash}/bin/dash - ${text} - ''; + writeDash = makeScriptWriter "${pkgs.dash}/bin/dash"; - writeDashBin = name: text: pkgs.writeTextFile { - executable = true; - destination = "/bin/${name}"; - name = name; - text = '' - #! ${pkgs.dash}/bin/dash - ${text} - ''; - }; + writeDashBin = name: + assert types.filename.check name; + pkgs.writeDash "/bin/${name}"; writeEximConfig = name: text: pkgs.runCommand name { inherit text; passAsFile = [ "text" ]; - } '' + } /* sh */ '' # TODO validate exim config even with config.nix.useChroot == true # currently doing so will fail because "user exim was not found" #${pkgs.exim}/bin/exim -C "$textPath" -bV >/dev/null mv "$textPath" $out ''; - writeFiles = name: specs0: + writeOut = name: specs0: let - specs = mapAttrsToList (path: spec0: { - path = assert types.pathname.check path; path; + specs = mapAttrsToList (path0: spec0: rec { + path = guard { + type = types.pathname; + value = path0; + }; var = "file_${hashString "sha1" path}"; text = spec0.text; + executable = guard { + type = types.bool; + value = spec0.executable or false; + }; + mode = guard { + type = types.file-mode; + value = spec0.mode or (if executable then "0755" else "0644"); + }; }) specs0; filevars = genAttrs' specs (spec: nameValuePair spec.var spec.text); @@ -97,7 +99,7 @@ rec { set -efu PATH=${makeBinPath [pkgs.coreutils]} ${concatMapStrings (spec: /* sh */ '' - install -D ''$${spec.var}Path $out${spec.path} + install -m ${spec.mode} -D ''$${spec.var}Path $out${spec.path} '') specs} ''; @@ -119,7 +121,7 @@ rec { isExecutable = executables != {}; isLibrary = library != null; - cabal-file = pkgs.writeText "${name}-${version}.cabal" '' + cabal-file = pkgs.writeText "${name}-${version}.cabal" /* cabal */ '' build-type: Simple cabal-version: >= 1.2 name: ${name} 
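Review bot: In `writeOut`, an explicit `mode` silently overrides `executable`, so `{ executable = true; mode = "0644"; }` installs a non-executable file and nothing reports the contradiction. Either document the precedence next to the `mode` field, for instance `# mode, when given, takes precedence over executable`, or reject the conflicting combination. `text` is also the only spec field passed through without a `guard`. `guard` and `types.file-mode` are defined outside this diff, so which mode strings reach `install -m` in the following hunk cannot be verified from here.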
@@ -135,7 +137,7 @@ rec { , text , ... }: if types.filename.check exe-name - then "install -D ${file} $out/${relpath}" + then /* sh */ "install -D ${file} $out/${relpath}" else throw "argument ‘exe-name’ is not a ${types.filename.name}"; exe-section = @@ -145,7 +147,7 @@ rec { , file ? pkgs.writeText "${name}-${exe-name}.hs" text , relpath ? "${exe-name}.hs" , text - , ... }: '' + , ... }: /* cabal */ '' executable ${exe-name} build-depends: ${concatStringsSep "," build-depends} ghc-options: ${toString ghc-options} @@ -168,7 +170,7 @@ rec { { build-depends ? base-depends ++ extra-depends , extra-depends ? [] , exposed-modules - , ... }: '' + , ... }: /* cabal */ '' library build-depends: ${concatStringsSep "," build-depends} ghc-options: ${toString ghc-options} @@ -182,7 +184,7 @@ rec { , text , ... }: if types.haskell.modid.check mod-name - then "install -D ${file} $out/${relpath}" + then /* sh */ "install -D ${file} $out/${relpath}" else throw "argument ‘mod-name’ is not a ${types.haskell.modid.name}"; in haskellPackages.mkDerivation { @@ -196,7 +198,7 @@ rec { (optionals isLibrary (get-depends library)) haskellPackages; pname = name; - src = pkgs.runCommand "${name}-${version}-src" {} '' + src = pkgs.runCommand "${name}-${version}-src" {} /* sh */ '' install -D ${cabal-file} $out/${cabal-file.name} ${optionalString isLibrary (lib-install library)} ${concatStringsSep "\n" (mapAttrsToList exe-install executables)} @@ -208,7 +210,7 @@ rec { "The function `writeNixFromCabal` has been deprecated in favour of" "`writeHaskell`." ]) - (name: path: pkgs.runCommand name {} '' + (name: path: pkgs.runCommand name {} /* sh */ '' ${pkgs.cabal2nix}/bin/cabal2nix ${path} > $out ''); } diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix index 3aba90535..c8e8c8f53 100644 --- a/krebs/5pkgs/git-hooks/default.nix +++ b/krebs/5pkgs/git-hooks/default.nix 
@@ -101,8 +101,7 @@ let fi ''; - irc-announce-script = pkgs.writeScript "irc-announce-script" '' - #! /bin/sh + irc-announce-script = pkgs.writeDash "irc-announce-script" '' set -euf export PATH=${makeSearchPath "bin" (with pkgs; [ diff --git a/krebs/5pkgs/hashPassword/default.nix b/krebs/5pkgs/hashPassword/default.nix index 6a7c51c57..3da65ad79 100644 --- a/krebs/5pkgs/hashPassword/default.nix +++ b/krebs/5pkgs/hashPassword/default.nix @@ -1,7 +1,6 @@ { lib, pkgs, ... }: -pkgs.writeScriptBin "hashPassword" '' - #! /bin/sh +pkgs.writeDashBin "hashPassword" '' # usage: hashPassword set -euf diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/krebspaste/default.nix index fb318af83..dd7616a05 100644 --- a/krebs/5pkgs/krebspaste/default.nix +++ b/krebs/5pkgs/krebspaste/default.nix @@ -1,7 +1,6 @@ -{ writeScriptBin, pkgs }: +{ writeDashBin, bepasty-client-cli }: -# TODO: use `wrapProgram --add-flags` instead? -writeScriptBin "krebspaste" '' - #! /bin/sh - exec ${pkgs.bepasty-client-cli}/bin/bepasty-cli --url http://paste.retiolum "$@" +# TODO use `execve` instead? +writeDashBin "krebspaste" '' + exec ${bepasty-client-cli}/bin/bepasty-cli --url http://paste.retiolum "$@" '' diff --git a/krebs/5pkgs/pssh/default.nix b/krebs/5pkgs/pssh/default.nix index fd48d3e7c..2676af0cf 100644 --- a/krebs/5pkgs/pssh/default.nix +++ b/krebs/5pkgs/pssh/default.nix @@ -1,7 +1,6 @@ -{ writeScriptBin }: +{ writeDashBin }: -writeScriptBin "pssh" '' - #! /bin/sh +writeDashBin "pssh" '' set -efu case ''${1-} in diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index fed67a105..3696bcdfc 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -47,8 +47,7 @@ with config.krebs.lib; boot.tmpOnTmpfs = true; environment.systemPackages = with pkgs; [ - (writeScriptBin "play" '' - #! /bin/sh + (writeDashBin "play" '' set -euf mpv() { exec ${mpv}/bin/mpv "$@"; } case $1 in diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index a79ae498b..6ba7ab327 100644 
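Review bot: Switching `irc-announce-script` from `#! /bin/sh` to `writeDash` changes the interpreter, not only the spelling. Where `/bin/sh` is bash (the NixOS default), any bash-only construct the old script tolerated will now fail at run time under dash. The body continues outside this hunk, so it cannot be checked here. The same holds for `hashPassword`, `pssh`, `play` and `cr`, which are converted the same way. Running `dash -n` over each generated script before merging would catch syntax-level problems.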
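Review bot: In krebs/5pkgs/krebspaste/default.nix, `--url http://paste.retiolum` sends pastes over plain HTTP, so their confidentiality and integrity rest entirely on the network that carries `paste.retiolum`. If that network is not itself encrypted and authenticated, the wrapper should point at an HTTPS endpoint. If it is, a one-line comment saying so next to the URL would stop the question from recurring.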
--- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -26,8 +26,7 @@ with config.krebs.lib; hashPassword haskellPackages.lentil parallel - (pkgs.writeScriptBin "im" '' - #! ${pkgs.bash}/bin/bash + (pkgs.writeBashBin "im" '' export PATH=${makeSearchPath "bin" (with pkgs; [ tmux gnugrep diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix index 8e611f21e..512919759 100644 --- a/tv/2configs/pulse.nix +++ b/tv/2configs/pulse.nix @@ -67,8 +67,7 @@ in }; serviceConfig = { ExecStart = "${pkg}/bin/pulseaudio"; - ExecStartPre = pkgs.writeScript "pulse-start" '' - #! /bin/sh + ExecStartPre = pkgs.writeDash "pulse-start" '' install -o pulse -g pulse -m 0750 -d ${runDir} install -o pulse -g pulse -m 0700 -d ${runDir}/home ''; diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 826c2d4ca..85045332f 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -211,9 +211,8 @@ let nix.vim = pkgs.writeText "nix.vim" '' setf nix - syn match NixCode /./ - " Ref + syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ syn match NixINT /\<[0-9]\+\>/ syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ @@ -230,7 +229,7 @@ let \ skip="'''\('\|[$]\|\\[nrt]\)" \ end="'''" - syn cluster NixStrings contains=NixSTRING,NixIND_STRING + syn match NixOther /[():/;=.,?\[\]]/ syn match NixCommentMatch /\(^\|\s\)#.*/ syn region NixCommentRegion start="/\*" end="\*/" @@ -241,6 +240,7 @@ let hi link NixCommentMatch NixComment hi link NixCommentRegion NixComment + hi link NixID NixCode hi link NixINT NixData hi link NixPATH NixData hi link NixHPATH NixData 
@@ -250,12 +250,12 @@ let hi link NixIND_STRING NixData hi link NixEnter NixCode - hi link NixExit NixData + hi link NixOther NixCode hi link NixQuote NixData - hi link NixQuote2 NixQuote - hi link NixQuote3 NixQuote - syn cluster NixSubLangs contains=NONE + syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings + syn cluster nix_ind_strings contains=NixIND_STRING + syn cluster nix_strings contains=NixSTRING ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let startAlts = filter isString [ @@ -269,27 +269,35 @@ let syn match nix_${lang}_sigil \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X - \ nextgroup=nix_${lang}_region + \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING \ transparent - syn region nix_${lang}_region + syn region nix_${lang}_region_STRING \ matchgroup=NixSTRING \ start='"' \ skip='\\"' \ end='"' \ contained \ contains=@nix_${lang}_syntax + \ transparent - syn region nix_${lang}_region + syn region nix_${lang}_region_IND_STRING \ matchgroup=NixIND_STRING \ start="'''" \ skip="'''\('\|[$]\|\\[nrt]\)" \ end="'''" \ contained \ contains=@nix_${lang}_syntax + \ transparent - syn cluster NixSubLangs - \ add=nix_${lang}_region,@nix_${lang}_syntax + syn cluster nix_ind_strings + \ add=nix_${lang}_region_IND_STRING + + syn cluster nix_strings + \ add=nix_${lang}_region_STRING + + syn cluster nix_has_dollar_curly + \ add=@nix_${lang}_syntax '') { c = {}; cabal = {}; 
@@ -299,26 +307,32 @@ let ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; })} - " Clear syntax that interferes with NixBlock. - " TODO redefine NixBlock so syntax don't have to be cleared - syn clear shOperator shSetList shVarAssign + " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. + syn clear shVarAssign - syn region NixBlock + syn region nixINSIDE_DOLLAR_CURLY \ matchgroup=NixEnter \ start="[$]{" \ end="}" \ contains=TOP - \ containedin=@NixSubLangs,@NixStrings + \ containedin=@nix_has_dollar_curly + \ transparent - syn region NixBlockHack + syn region nix_inside_curly \ matchgroup=NixEnter \ start="{" \ end="}" \ contains=TOP + \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly + \ transparent - syn match NixQuote "'''[$]"he=e-1 contained containedin=@NixSubLangs - syn match NixQuote2 "''''"he=s+1 contained containedin=@NixSubLangs - syn match NixQuote3 "'''\\[nrt]" contained containedin=@NixSubLangs + syn match NixQuote /'''\([''$']\|\\.\)/he=s+2 + \ containedin=@nix_ind_strings + \ contained + + syn match NixQuote /\\./he=s+1 + \ containedin=@nix_strings + \ contained syn sync fromstart diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index da3c914b8..607980807 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -3,8 +3,7 @@ { nixpkgs.config.packageOverrides = { # TODO use XDG_RUNTIME_DIR? - cr = pkgs.writeScriptBin "cr" '' - #! /bin/sh + cr = pkgs.writeDashBin "cr" '' set -efu export LC_TIME=de_DE.utf8 exec ${pkgs.chromium}/bin/chromium \