diff --git a/autobahn.nix b/autobahn.nix
index 5403cd5c8dc65d3daec3062b4eec535bd9b3cb70..3cc1df2138e783f7bb212b50ba09435773233b88 100644
--- a/autobahn.nix
+++ b/autobahn.nix
@@ -1,11 +1,35 @@
-{ fetchFromGitHub, autobahn }:
-autobahn.overrideAttrs (old: rec {
+{ lib, buildPythonPackage, fetchFromGitHub, isPy3k,
+  six, txaio, twisted, zope_interface, cffi, trollius, futures, cryptography,
+  mock, pytest
+}:
+buildPythonPackage rec {
   pname = "autobahn";
   version = "19.7.1";
+
   src = fetchFromGitHub {
     owner = "crossbario";
     repo = "autobahn-python";
     rev = "v${version}";
     sha256 = "1gl2m18s77hlpiglh44plv3k6b965n66ylnxbzgvzcdl9jf3l3q3";
   };
-})
+
+  propagatedBuildInputs = [ six txaio twisted zope_interface cffi cryptography ] ++
+    (lib.optionals (!isPy3k) [ trollius futures ]);
+
+  checkInputs = [ mock pytest ];
+  checkPhase = ''
+    runHook preCheck
+    USE_TWISTED=true py.test $out
+    runHook postCheck
+  '';
+
+  # XXX Fails for some reason I don't understand.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "WebSocket and WAMP in Python for Twisted and asyncio.";
+    homepage    = "https://crossbar.io/autobahn";
+    license     = licenses.mit;
+    maintainers = with maintainers; [ nand0p ];
+  };
+}
diff --git a/cryptography.nix b/cryptography.nix
index dc61091ba397fc0c1d6c0ebaf7f8192040201f55..bfa6d30208387b334af63b072b3e409b6d39a063 100644
--- a/cryptography.nix
+++ b/cryptography.nix
@@ -1,11 +1,75 @@
-{ fetchFromGitHub, cryptography }:
-cryptography.overrideAttrs (old: rec {
+{ stdenv
+, buildPythonPackage
+, fetchFromGitHub
+, openssl
+, cryptography_vectors
+, darwin
+, asn1crypto
+, packaging
+, six
+, pythonOlder
+, enum34
+, ipaddress
+, isPyPy
+, cffi
+, pytest
+, pretend
+, iso8601
+, pytz
+, hypothesis
+}:
+
+buildPythonPackage rec {
   pname = "cryptography";
-  version = "2.7";
+  version = "2.7"; # Also update the hash in vectors.nix
+
   src = fetchFromGitHub {
     owner = "pyca";
     repo = "cryptography";
     rev = "2.7";
     sha256 = "145byri5c3b8m6dbhwb6yxrv9jrr652l3z1w16mz205z8dz38qja";
   };
-})
+
+  outputs = [ "out" "dev" ];
+
+  buildInputs = [ openssl ]
+             ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
+  propagatedBuildInputs = [
+    asn1crypto
+    packaging
+    six
+  ] ++ stdenv.lib.optional (pythonOlder "3.4") enum34
+  ++ stdenv.lib.optional (pythonOlder "3.3") ipaddress
+  ++ stdenv.lib.optional (!isPyPy) cffi;
+
+  checkInputs = [
+    cryptography_vectors
+    hypothesis
+    iso8601
+    pretend
+    pytest
+    pytz
+  ];
+
+  checkPhase = ''
+    py.test --disable-pytest-warnings tests
+  '';
+
+  # IOKit's dependencies are inconsistent between OSX versions, so this is the best we
+  # can do until nix 1.11's release
+  __impureHostDeps = [ "/usr/lib" ];
+
+  meta = with stdenv.lib; {
+    description = "A package which provides cryptographic recipes and primitives";
+    longDescription = ''
+      Cryptography includes both high level recipes and low level interfaces to
+      common cryptographic algorithms such as symmetric ciphers, message
+      digests, and key derivation functions.
+      Our goal is for it to be your "cryptographic standard library". It
+      supports Python 2.7, Python 3.4+, and PyPy 5.3+.
+    '';
+    homepage = https://github.com/pyca/cryptography;
+    license = with licenses; [ asl20 bsd3 psfl ];
+    maintainers = with maintainers; [ primeos ];
+  };
+}
diff --git a/default.nix b/default.nix
index 541516016c036faac170dc6c32087293035ce859..06e185c4d85697fa06bb7f119d5b306c76e12bb7 100644
--- a/default.nix
+++ b/default.nix
@@ -1,5 +1,2 @@
-{ pkgs ? import <nixpkgs> { } }:
-let
-  newpkgs = import pkgs.path { overlays = [ import ./overlays.nix ]; };
-in
-  pkgs.pythonPackages.callPackage ./secure-access-token-authorizer.nix { }
+{ pkgs ? import <nixpkgs> { overlays = [ (import ./overlays.nix) ]; } }:
+pkgs.python27Packages.callPackage ./secure-access-token-authorizer.nix { }
diff --git a/overlays.nix b/overlays.nix
index 12280b9138ed4ff09550cadac518ef8668e639de..7e503de7cb5f4c38b5b9d2b13a25987089b74eeb 100644
--- a/overlays.nix
+++ b/overlays.nix
@@ -1,17 +1,19 @@
 self: super: {
-  python = super.python.override {
+  python27 = super.python27.override {
     packageOverrides = python-self: python-super: {
       # new tahoe-lafs dependency
-      eliot = pkgs.pythonPackages.callPackage ./eliot.nix { };
+      eliot = python-super.callPackage ./eliot.nix { };
       # new autobahn requires a newer cryptography
-      cryptography = pkgs.pythonPackages.callPackage ./cryptography.nix { };
+      cryptography = python-super.callPackage ./cryptography.nix { };
+      # new cryptography requires a newer cryptography_vectors
+      cryptography_vectors = python-super.callPackage ./cryptography_vectors.nix { };
       # new tahoe-lafs depends on a very recent autobahn for better
       # websocket testing features.
-      autobahn = pkgs.pythonPackages.callPackage ./autobahn.nix { };
+      autobahn = python-super.callPackage ./autobahn.nix { };
 
       # tahoe-lafs in nixpkgs is packaged as an application!  so we have to
       # re-package it ourselves as a library.
-      tahoe-lafs = pkgs.pythonPackages.callPackage ./tahoe-lafs.nix { };
+      tahoe-lafs = python-super.callPackage ./tahoe-lafs.nix { };
     };
   };
 }
diff --git a/secure-access-token-authorizer.nix b/secure-access-token-authorizer.nix
index e3dda5a536b714e2daea9edf6304be8a5b453a06..b76b884c87c66730b85cd8b1aa9eda2aa4e6339f 100644
--- a/secure-access-token-authorizer.nix
+++ b/secure-access-token-authorizer.nix
@@ -1,4 +1,7 @@
-{ buildPythonPackage, sphinx, circleci-cli, pythonPackages }:
+{ buildPythonPackage, sphinx, circleci-cli
+, attrs, zope_interface, twisted, tahoe-lafs
+, fixtures, testtools, hypothesis, pyflakes
+}:
 buildPythonPackage rec {
   version = "0.0";
   name = "secure-access-token-authorizer-${version}";
@@ -8,21 +11,21 @@ buildPythonPackage rec {
     circleci-cli
   ];
 
-  propagatedBuildInputs = with pythonPackages; [
+  propagatedBuildInputs = [
     attrs
     zope_interface
     twisted
     tahoe-lafs
   ];
 
-  checkInputs = with pythonPackages; [
+  checkInputs = [
     fixtures
     testtools
     hypothesis
   ];
 
   checkPhase = ''
-    ${pythonPackages.pyflakes}/bin/pyflakes src/_secureaccesstokenauthorizer
-    ${pythonPackages.twisted}/bin/trial _secureaccesstokenauthorizer
+    ${pyflakes}/bin/pyflakes src/_secureaccesstokenauthorizer
+    ${twisted}/bin/trial _secureaccesstokenauthorizer
   '';
 }
diff --git a/shell.nix b/shell.nix
index a6addc9f2402478336235d187d8939858aa6a670..5dcc7a8b4dc3eb06fef0a879f02209e866a65ae1 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,12 +1,13 @@
-{ pkgs ? import <nixpkgs> { } }:
+{ pkgs ? import <nixpkgs> { overlays = [ (import ./overlays.nix) ]; } }:
 let
   satauthorizer = pkgs.callPackage ./default.nix { };
 in
   (pkgs.python27.buildEnv.override {
-    extraLibs = [
-      pkgs.python27Packages.fixtures
-      pkgs.python27Packages.testtools
-      pkgs.python27Packages.hypothesis
+    extraLibs = with pkgs.python27Packages; [
+      fixtures
+      testtools
+      hypothesis
+      pyhamcrest
       satauthorizer
     ];
     ignoreCollisions = true;
diff --git a/tahoe-lafs.nix b/tahoe-lafs.nix
index f5a1ff651a9c522467c10e94170b414220ed286e..649d0cd237310dff41d59fa1fcf0b500e2c47655 100644
--- a/tahoe-lafs.nix
+++ b/tahoe-lafs.nix
@@ -1,4 +1,9 @@
-{ fetchFromGitHub, nettools, pythonPackages, buildPythonPackage, eliot, autobahn }:
+{ fetchFromGitHub, nettools, pythonPackages, buildPythonPackage
+, twisted, foolscap, nevow, simplejson, zfec, pycryptopp, darcsver
+, setuptoolsTrial, setuptoolsDarcs, pycrypto, pyasn1, zope_interface
+, service-identity, pyyaml, magic-wormhole, treq, appdirs
+, eliot, autobahn
+}:
 buildPythonPackage rec {
   version = "1.14.0.dev";
   name = "tahoe-lafs-${version}";
@@ -27,11 +32,11 @@ buildPythonPackage rec {
 
 
   propagatedBuildInputs = with pythonPackages; [
-    twisted autobahn foolscap nevow simplejson zfec pycryptopp darcsver
+    twisted foolscap nevow simplejson zfec pycryptopp darcsver
     setuptoolsTrial setuptoolsDarcs pycrypto pyasn1 zope_interface
     service-identity pyyaml magic-wormhole treq appdirs
 
-    eliot
+    eliot autobahn
   ];
 
   doCheck = false;