diff --git a/.circleci/config.yml b/.circleci/config.yml
index 735831e3fce2f6b39fb0fa35b7caf8af32e51382..6c630aba24253a8c8d855e2de81b9ac69ba3e28a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -227,7 +227,7 @@ workflows:
         matrix:
           parameters:
             tahoe-lafs-source:
-            - "tahoe-lafs"
+            - "tahoe-lafs-1.17.0"
 
     - "macos-tests":
         matrix:
diff --git a/default.nix b/default.nix
index 0e68b6386e993e113260e7cfb72c646947fe6beb..5202fa637b934a198f538fa367a9873e323a5d50 100644
--- a/default.nix
+++ b/default.nix
@@ -4,7 +4,7 @@ in
 { pkgs ? import sources.release2105 {}
 , pypiData ? sources.pypi-deps-db
 , mach-nix ? import sources.mach-nix { inherit pkgs pypiData; }
-, tahoe-lafs-source ? "tahoe-lafs"
+, tahoe-lafs-source ? "tahoe-lafs-1.17.0"
 , tahoe-lafs-repo ? sources.${tahoe-lafs-source}
 }:
   let
@@ -36,7 +36,7 @@ in
       tahoe-lafs = mach-nix.buildPythonPackage rec {
         inherit python providers;
         name = "tahoe-lafs";
-        version = "1.16.post999";
+        version = "1.17.0";
         # See https://github.com/DavHau/mach-nix/issues/190
         requirementsExtra = ''
           pyrsistent < 0.17
@@ -53,6 +53,10 @@ in
           EOF
         '';
         src = tahoe-lafs-repo;
+
+        # The version of Klein we get doesn't need / can't have the patch that
+        # comes from the nixpkgs derivation mach-nix picks up from 21.05.
+        _.klein.patches = [];
       };
       zkapauthorizer = mach-nix.buildPythonApplication rec {
         inherit python providers;
@@ -73,6 +77,9 @@ in
         ];
         # Record some settings here, so downstream nix files can consume them.
         meta.mach-nix = { inherit python providers; };
+
+        # Annoyingly duplicate the Klein fix from the Tahoe-LAFS expression.
+        _.klein.patches = [];
       };
 
       privatestorage = let
diff --git a/nix/sources.json b/nix/sources.json
index b294dc6e788e1633112ba3df42109c1497e4a38c..a8da3eca759cde9e58f6528e1c53f518a6aaa239 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -41,16 +41,16 @@
         "url": "https://releases.nixos.org/nixos/21.05/nixos-21.05.3740.ce7a1190a0f/nixexprs.tar.xz",
         "url_template": "https://releases.nixos.org/nixos/21.05/nixos-21.05.3740.ce7a1190a0f/nixexprs.tar.xz"
     },
-    "tahoe-lafs": {
+    "tahoe-lafs-1.17.0": {
         "branch": "master",
         "description": "The Tahoe-LAFS decentralized secure filesystem.",
         "homepage": "https://tahoe-lafs.org/",
         "owner": "tahoe-lafs",
         "repo": "tahoe-lafs",
-        "rev": "d3c6f58a8ded7db3324ef97c47f5c1921c3d58b7",
-        "sha256": "18zr6l53r32pigymsnv10m67kgf981bxl8c3rjhv5bikfnf986q8",
+        "rev": "tahoe-lafs-1.17.0",
+        "sha256": "0vjq7g1lfjd16y0iwnfsccp5k3q3av7wllkyqbsyd877a29nibzi",
         "type": "tarball",
-        "url": "https://github.com/tahoe-lafs/tahoe-lafs/archive/d3c6f58a8ded7db3324ef97c47f5c1921c3d58b7.tar.gz",
+        "url": "https://github.com/tahoe-lafs/tahoe-lafs/archive/tahoe-lafs-1.17.0.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }
diff --git a/setup.cfg b/setup.cfg
index c1c6250091326d2793a6d2d3ed9843dcde0b0578..6d39a54cf210521314307ad39114e59389be8e12 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -40,13 +40,8 @@ install_requires =
     # The pip resolver sometimes finds treq's dependencies first and these are
     # incompatible with Tahoe-LAFS'.  So duplicate them here (the ones that
     # have been observed to cause problems).
-    Twisted[tls,conch]>=18.4.0
-
-    # Lease renewal changes aren't available from a release of Tahoe yet.
-    # Note "Public index servers SHOULD NOT allow the use of direct references
-    # in uploaded distributions."
-    # https://www.python.org/dev/peps/pep-0440/#direct-references
-    tahoe-lafs @ https://github.com/tahoe-lafs/tahoe-lafs/archive/d3c6f58a8ded7db3324ef97c47f5c1921c3d58b7.zip
+    Twisted[tls,conch] >= 19.10.0
+    tahoe-lafs >=1.17,<1.18
     treq
     pyutil
     prometheus-client
diff --git a/shell.nix b/shell.nix
index 0f661ebc3692fbf6bfe199abc0cbd8fbd6feaa8e..46c096c1229e4345de1edc0c7d95d22a4b9a7b9a 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,7 +2,7 @@ let
   sources = import nix/sources.nix;
 in
 { pkgs ? import sources.release2105 {}
-, tahoe-lafs-source ? "tahoe-lafs"
+, tahoe-lafs-source ? "tahoe-lafs-1.17.0"
 }:
   let
     tests = pkgs.callPackage ./tests.nix {
diff --git a/tests.nix b/tests.nix
index e69b4e781e55a7d8a0a02ebe1e57724626a6aaa5..6bbd41ba7e53105ba3f17cfb08cfaa5b8f76c1d8 100644
--- a/tests.nix
+++ b/tests.nix
@@ -4,7 +4,7 @@ in
 { pkgs ? import sources.release2105 {}
 , pypiData ? sources.pypi-deps-db
 , mach-nix ? import sources.mach-nix { inherit pkgs pypiData; }
-, tahoe-lafs-source ? "tahoe-lafs"
+, tahoe-lafs-source ? "tahoe-lafs-1.17.0"
 , tahoe-lafs-repo ? sources.${tahoe-lafs-source}
 , privatestorage ? import ./. {
     inherit pkgs pypiData mach-nix;
@@ -20,7 +20,7 @@ in
     inherit (pkgs) lib;
     inherit (privatestorage) zkapauthorizer;
     hypothesisProfile' = if hypothesisProfile == null then "default" else hypothesisProfile;
-    defaultTrialArgs = [ "--rterrors" ] ++ (lib.optional (! collectCoverage) "--jobs=$NIX_BUILD_CORES");
+    defaultTrialArgs = [ "--rterrors" ] ++ (lib.optional (! collectCoverage) "--jobs=$(($NIX_BUILD_CORES > 8 ? 8 : $NIX_BUILD_CORES))");
     trialArgs' = if trialArgs == null then defaultTrialArgs else trialArgs;
     extraTrialArgs = builtins.concatStringsSep " " trialArgs';
     testSuite' = if testSuite == null then "_zkapauthorizer" else testSuite;