diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index b2ef90c1d76499c08839343f415f63612c792c8b..6e1eca671b0774775cbecdeed55703c6e7b02ea1 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -17,6 +17,14 @@
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
+      "stripe-secret-key" = {
+        source = stripeSecretKeyPath;
+        destination = "/var/secrets/stripe.secret-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+      };
     };
   };
 
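Review bot: The new `stripe-secret-key` entry installs the key as root:root with mode `0400`, so only a root process can read `/var/secrets/stripe.secret-key`, and the unit definition for `zkapissuer.service` is not visible in this hunk. If that service runs as a dedicated user, it will fail to load the key after the restart in `action`; in that case set `owner.user` and `owner.group` to the service account rather than loosening the mode. A comment above the entry such as `# Root-only (0400): zkapissuer.service must be able to read this as root.` would record the assumption. The enclosing `secrets` attribute set starts above the hunk.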
@@ -28,8 +36,8 @@
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = ./../.. + ristrettoSigningKeyPath;
-    stripeSecretKeyPath = ./../.. + stripeSecretKeyPath;
+    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
+    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
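Review bot: The two key paths on the added lines are string literals that must stay identical to the `destination` values in the secrets block earlier in this file, and nothing ties them together (`/var/secrets/stripe.secret-key` is visible in the previous hunk; the ristretto entry lies outside it). Binding each path once in a `let` and using that name for both `destination` and the service option would stop them drifting apart. It is also worth a comment on why these are strings and not Nix path values, e.g. `# Strings, not paths: a path value would be copied into the world-readable /nix/store.`, so a later cleanup does not turn them back into paths.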
diff --git a/nixos/modules/pspkgs.nix b/nixos/modules/pspkgs.nix
index 851f4e71783c3c1dcc9fc596b37722866fef7331..11ef89929ef0ad20f3c5f7795554a90085ed66f9 100644
--- a/nixos/modules/pspkgs.nix
+++ b/nixos/modules/pspkgs.nix
@@ -4,7 +4,16 @@
 { pkgs }:
 import pkgs.path {
   overlays = [
-    (import ./zkap-overlay.nix)
+    # For some reason the order of these overlays matters.  Maybe it has to do
+    # with our python27 override, I'm not sure.  In the other order, we end up
+    # with two derivations of each of Twisted and treq which conflict with
+    # each other.
     (import ./overlays.nix)
+    # It might be nice to eventually remove this.  ZKAPAuthorizer now
+    # self-applies this overlay without our help.  We only still have it
+    # because it also defines tahoe-lafs which we want to use.  We can't see
+    # tahoe-lafs from the self-applied overlay because that overlay is applied
+    # to ZKAPAuthorizer's nixpkgs, not to the one we're using.
+    (import ./zkap-overlay.nix)
   ];
 }
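Review bot: The added comments say the overlay order matters for an unknown reason and that ZKAPAuthorizer applies its overlay to its own nixpkgs rather than this one, which appears to leave two package sets in play. If so, a pin or patch made to Twisted, treq or tahoe-lafs through `./overlays.nix` may not reach the copies ZKAPAuthorizer is built against, and the duplicate-derivation conflict described here would be one symptom of that. Checking the system closure for more than one version of those packages would confirm it. Until the cause is known, a `# TODO:` naming the conflicting derivations would make the ordering constraint easier to revisit.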
diff --git a/nixos/pkgs/zkapauthorizer-repo.nix b/nixos/pkgs/zkapauthorizer-repo.nix
index 727827b61af700bbc96b6ae35d672925d96a3f75..3ed259d3cccedc9d8818067b8c69037462d592e3 100644
--- a/nixos/pkgs/zkapauthorizer-repo.nix
+++ b/nixos/pkgs/zkapauthorizer-repo.nix
@@ -4,6 +4,6 @@ in
   pkgs.fetchFromGitHub {
     owner = "PrivateStorageio";
     repo = "ZKAPAuthorizer";
-    rev = "ede17a6e2e53d56978dcd5962322987c15d59634";
-    sha256 = "1i1cmj6mnmr3i1md7qks57xqdp1blhr375jsxds29glk9b8wp757";
+    rev = "b703f99ef9447f41acaa5b7402b29b26ebfb5d94";
+    sha256 = "0xhbznfc27mdkckw8rw1w21pzmqw8haf5j62jfm8yb9n3vaqlchs";
   }
\ No newline at end of file
diff --git a/nixos/pkgs/zkapissuer-repo.nix b/nixos/pkgs/zkapissuer-repo.nix
index a252d3a9b31cc83ef879e1a1f9561f0480860d1f..66d3bf2f1078ab997fcf51ecc64260e9cab74f21 100644
--- a/nixos/pkgs/zkapissuer-repo.nix
+++ b/nixos/pkgs/zkapissuer-repo.nix
@@ -4,6 +4,6 @@ in
   pkgs.fetchFromGitHub {
     owner = "PrivateStorageio";
     repo = "PaymentServer";
-    rev = "1130b17e85392efd9f6be733308542b50bded1e3";
-    sha256 = "1ivcy3xcakxs0yfvbnvizq9pchp15g2wdprh5r5rq4fkqk8k6nbf";
+    rev = "d6ad0042842ca0501c1e378b19bfdb42d5644223";
+    sha256 = "018ybp83ljdwjn2kv1smkb5rx5h0hgw17a452bsyxdq61ysv4ajv";
   }
\ No newline at end of file
diff --git a/privatestorageio.nix b/privatestorageio.nix
index dd6dd425e8c6dd66860bcd758f11ae622a6ddd0c..cde46b16f6ed537bb5ee74c5641409b11716e11a 100644
--- a/privatestorageio.nix
+++ b/privatestorageio.nix
@@ -1,8 +1,8 @@
-{ stdenv, graphviz, python3Packages }:
+{ stdenv, lib, graphviz, python3Packages }:
 stdenv.mkDerivation rec {
   version = "0.0";
   name = "privatestorageio-${version}";
-  src = ./.;
+  src = lib.cleanSource ./.;
 
   depsBuildBuild = [
     graphviz
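Review bot: `src = lib.cleanSource ./.;` still copies every other file under the repository root into the world-readable Nix store, because `cleanSource` only drops version-control directories and common build leftovers. The removed lines in `morph/lib/issuer.nix` resolved the key paths relative to this same root, which suggests, though this diff does not show it, that the secret files may live inside this tree. If they do, exclude them explicitly, e.g. `src = lib.cleanSourceWith { src = lib.cleanSource ./.; filter = path: type: baseNameOf path != "<secrets-dir>"; };` with the real directory name in place of the placeholder. The derivation body continues past the end of the hunk.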