diff --git a/lib/update-system.nix b/lib/update-system.nix
index 8ef3ad7f..12489225 100644
--- a/lib/update-system.nix
+++ b/lib/update-system.nix
@@ -3,7 +3,7 @@ let configPath = "/etc/nixos";
 in {
 update-system = pkgs.writeHaskellScript {
 name = "update-system";
- bins = [ nixos-rebuild pkgs.git ];
+ bins = [ nixos-rebuild ];
 } ''
 privatePath = "${configPath}/private"
 canaryPath = privatePath <> "/submodule-is-checked-out"
@@ -11,8 +11,8 @@ in {
 main = do
 paths <- myNixPath "${configPath}"
 args <- getArgs
- bracket (rm canaryPath) (\() -> git "-C" privatePath "restore" canaryPath) $ \() -> nixos_rebuild (paths ++ ["build"] ++ remoteBuildParams ++ fmap toString args)
+ bracket (rm canaryPath) (\() -> exe "/run/wrappers/bin/sudo" "-u" "maralorn" "git" "-C" privatePath "restore" canaryPath) $ \() -> nixos_rebuild (paths ++ ["build", "--no-out-link"] ++ remoteBuildParams ++ fmap toString args)
 nixos_rebuild (paths ++ ["switch"] ++ fmap toString args)
 '';
 }
diff --git a/nixos/machines/hera/web.nix b/nixos/machines/hera/web.nix
index a53d29f1..1a6d90fc 100644
--- a/nixos/machines/hera/web.nix
+++ b/nixos/machines/hera/web.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
 locations = {
 "/" = {
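Review bot: `git` is no longer a pinned dependency of this script: with `pkgs.git` gone from `bins`, the bare `"git"` that the second hunk of this file hands to sudo is resolved from whatever PATH sudo grants user maralorn, which depending on the sudo policy (`env_reset`/`secure_path`) is not the script's PATH. If git is absent there, the `bracket` release action fails and the canary file is left deleted after the run. Pinning the store path through the surrounding Nix string keeps the dependency explicit, `exe "/run/wrappers/bin/sudo" "-u" "maralorn" "${pkgs.git}/bin/git" "-C" privatePath "restore" canaryPath`, the same way `${configPath}` is already interpolated into the script.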
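Review bot: The owner of the private checkout is hard-coded as `"maralorn"` (and the wrapper as `/run/wrappers/bin/sudo`) inside a shared lib script that already lifts `configPath` into a `let` binding; the user name deserves the same treatment, e.g. a `privateOwner = "maralorn";` binding next to `configPath` and `"-u" "${privateOwner}"` on the `bracket` line, so the script does not silently assume one machine's user layout. Because the restore now goes through sudo, note also that `bracket` runs the release action after a failed build as well, and as far as I can tell from `Control.Exception.bracket` an exception raised there replaces the build's own error, so a broken sudo rule would surface as a confusing sudo/git failure rather than the real build problem. A short comment on that line stating why the restore is done as maralorn (presumably the submodule files are owned by that user) would help the next reader.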
@@ -16,27 +16,29 @@ in {
 security.acme.certs."hera.m-0.eu".keyType = "rsa4096";
 services = {
 nginx = {
- enable = true;
- virtualHosts."tasks.maralorn.de" = {
- basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://[::1]:8000";
- proxyWebsockets = true;
+ enable = lib.mkForce pkgs.withSecrets;
+ virtualHosts = {
+ "tasks.maralorn.de" = {
+ basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://[::1]:8000";
+ proxyWebsockets = true;
+ };
 };
 };
- };
- virtualHosts."hera.m-0.eu" = {
- enableACME = true;
- forceSSL = true;
- inherit locations;
- };
- virtualHosts."maralorn.de" = {
- enableACME = true;
- forceSSL = true;
- inherit locations;
+ "hera.m-0.eu" = {
+ enableACME = true;
+ forceSSL = true;
+ inherit locations;
+ };
+ "maralorn.de" = {
+ enableACME = true;
+ forceSSL = true;
+ inherit locations;
+ };
 };
 };
 };
diff --git a/nixos/roles/server/init_ssh.nix b/nixos/roles/server/init_ssh.nix
index f476b560..946505be 100644
--- a/nixos/roles/server/init_ssh.nix
+++ b/nixos/roles/server/init_ssh.nix
@@ -7,7 +7,7 @@ with lib; {
 network = {
 enable = true;
 ssh = {
- enable = true;
+ enable = pkgs.withSecrets;
 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
 hostKeys = [ config.m-0.server.initSSHKey ];
 };
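Review bot: `enable = lib.mkForce pkgs.withSecrets;` wins over every other module that enables nginx on hera, so a future module that sets `services.nginx.enable = true` for its own virtual host is silently switched off in a build without secrets instead of producing an evaluation conflict. If the intent is that nginx must not run without the private checkout (presumably because `basicAuthFile = pkgs.privatePath "basic-auth/kassandra"` only resolves there), an assertion makes that dependency explicit and fails loudly, e.g. `assertions = [ { assertion = config.services.nginx.enable -> pkgs.withSecrets; message = "nginx on hera needs the private checkout"; } ];` next to a plain `enable = pkgs.withSecrets;`. Whichever form is kept, the `enable` line deserves a one-line comment saying why nginx is tied to `withSecrets`. The enclosing `in { … }` attribute set begins before this hunk.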
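Review bot: `network.enable = true` stays unconditional while `ssh.enable` is now gated on `pkgs.withSecrets`, so a build without secrets still brings up this network (it looks like `boot.initrd.network`, though the option path is not visible in the hunk) with nothing listening on it. If the network exists only to serve the unlock shell, gating it the same way, `enable = pkgs.withSecrets;`, keeps the early-boot footprint minimal; if it is needed for something else, a comment should say what. The reason for the gate is also undocumented; presumably `config.m-0.server.initSSHKey` is only available from the private checkout, and a comment such as `# the initrd host key comes from the private checkout, so remote unlock exists only in builds with secrets` would spare the next reader the guess.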