diff --git a/float/.gitrepo b/float/.gitrepo
index 88bd8cc6638d7bb0ef4391e387a1dc909e8c0b03..60b6a9b1f9554124f75e4e0a3ead379595bede23 100644
--- a/float/.gitrepo
+++ b/float/.gitrepo
@@ -6,7 +6,7 @@
 [subrepo]
 remote = https://git.autistici.org/ai3/float.git
 branch = master
- commit = b02a3496b03886b59f9b1fd6c197d06c4a9ce66d
- parent = c6d787af527667d24631d61f7b3050d25cce8139
- cmdver = 0.4.6
+ commit = 89039534fb72c317de51d7a5c2f8e6815d61b982
+ parent = 155d2691324dc97829db4e0a5f77b512bb8c0647
+ cmdver = 0.4.7
 method = merge
diff --git a/float/float b/float/float
index d2727f32f661788a374f9b582c198066a89bfdb7..eae52a4b41c868271de51dee956f69ca1a7ee62a 100755
--- a/float/float
+++ b/float/float
@@ -364,14 +364,13 @@ def command_create_env(path, services, passwords, playbooks,
 # Catch ValueError to handle parsing errors for composite-valued
 # options and print a friendly message.
 try:
- all_vars['inventory']['hosts'] = _random_hosts(
- num_hosts,
- _parse_additional_host_groups(additional_host_groups),
- )
+ extra_memberships = _parse_additional_host_groups(additional_host_groups)
 except ValueError:
 print('Unable to parse additional-host-group spec', file=sys.stderr)
 return 1
+ all_vars['inventory']['hosts'] = _random_hosts(num_hosts, extra_memberships)
+
 all_vars['ram'] = ram
 all_vars['config']['domain_public'] = [domain]
 all_vars['config']['domain'] = (
diff --git a/float/plugins/action/x509_ca.py b/float/plugins/action/x509_ca.py
index 155601ee8c4b0590a715c7aba01aaac699e76d64..d1125dc7483a2def631da0778052121066d86741 100644
--- a/float/plugins/action/x509_ca.py
+++ b/float/plugins/action/x509_ca.py
@@ -53,6 +53,6 @@ class ActionModule(ActionBase): 'x509ca', 'init', '--subject=' + ca_subject, '--ca-cert=' + ca_cert_path, '--ca-key=' + tmp_ca_key_path]) vault_encrypt(tmp_ca_key_path, ca_key_path) - + result['changed'] = changed return result 
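Review bot: The `except ValueError:` branch in the float/float hunk still discards the exception text, so a malformed additional-host-group spec is reported only as `Unable to parse additional-host-group spec` with no hint of which entry failed; now that the try body is narrowed to the single parsing call, including it is safe: `except ValueError as e:` followed by `print('Unable to parse additional-host-group spec:', e, file=sys.stderr)`. Moving `_random_hosts` out of the try also means a ValueError raised there would now surface as a traceback instead of this message, which looks intended but deserves a one-line comment above the call. command_create_env begins and continues outside the hunk.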
diff --git a/float/roles/float-base-datasets/templates/litestream-restore-script.j2 b/float/roles/float-base-datasets/templates/litestream-restore-script.j2
index f37e36dc622ebe65cf35be79a1e8f22cc1bb5bff..05778ce7b65632f175c670c57bf2c55fcdf71238 100644
--- a/float/roles/float-base-datasets/templates/litestream-restore-script.j2
+++ b/float/roles/float-base-datasets/templates/litestream-restore-script.j2
@@ -6,7 +6,7 @@
 set -a
 . /etc/litestream/{{ dataset_tag }}.env
-/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists -v "{{ dataset_path }}/{{ dataset_filename }}"
+/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists "{{ dataset_path }}/{{ dataset_filename }}"
 if [ $? -gt 0 ]; then
 echo "ERROR: restore failed!" >&2
diff --git a/float/roles/float-base/files/modprobe-hardening.conf b/float/roles/float-base/files/modprobe-hardening.conf
index c0cd23ff654465b795d0334bf5c1eda4ac385905..1ac8e81b77a46f798eeab02831d4645bf792fade 100644
--- a/float/roles/float-base/files/modprobe-hardening.conf
+++ b/float/roles/float-base/files/modprobe-hardening.conf
@@ -1,6 +1,3 @@
-# Disable automatic conntrack helper assignment.
-options nf_conntrack nf_conntrack_helper=0
-
 # Obscure network protocols with a bad security track record.
 install dccp /bin/false
 install sctp /bin/false
diff --git a/float/roles/float-base/tasks/debian_misc.yml b/float/roles/float-base/tasks/debian_misc.yml
index 6b305e44bd8ff258cc3b072f26277484c5a8791c..f49112ed74d70328602de91ffdb3e551737227d1 100644
--- a/float/roles/float-base/tasks/debian_misc.yml
+++ b/float/roles/float-base/tasks/debian_misc.yml
@@ -38,6 +38,11 @@
 dest: "/etc/sysctl.conf"
 notify: reload sysctl
+- name: Configure kernel modules
+ template:
+ src: "modules.conf.j2"
+ dest: "/etc/modules-load.d/float-base.conf"
+
 - name: Configure systemd
 copy:
 src: "system.conf"
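Review bot: The new `Configure kernel modules` task only writes `/etc/modules-load.d/float-base.conf`, which is read at boot, so on a host that is already running nf_conntrack is not loaded by this play and the sysctl that the template comment says it exists to expose (presumably a `net.netfilter.nf_conntrack_helper` entry in sysctl.conf, not visible in this diff) stays unavailable until the next reboot. Loading the module in the same run closes that window, e.g. a `modprobe` task with `name: nf_conntrack` and `state: present` placed before the `reload sysctl` handler fires, or a `notify` from this task to a handler that does the same. This matters because the same commit deletes `options nf_conntrack nf_conntrack_helper=0` from modprobe-hardening.conf, so until the sysctl path is in effect automatic helper assignment falls back to whatever the running kernel defaults to. A comment on the task naming the sysctl that depends on it would make the coupling visible, e.g. `# nf_conntrack must be loaded for the net.netfilter.* sysctls in sysctl.conf to exist`.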
diff --git a/float/roles/float-base/templates/modules.conf.j2 b/float/roles/float-base/templates/modules.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f25d925e95265d5d1d4d90d9fa7fd890c5684d15
--- /dev/null
+++ b/float/roles/float-base/templates/modules.conf.j2
@@ -0,0 +1,2 @@
+# Make nf_conntrack sysctl available
+nf_conntrack
diff --git a/float/roles/float-infra-acme/templates/config.yml.j2 b/float/roles/float-infra-acme/templates/config.yml.j2
index 8533272b1cbd62b5a6704169c5075c007e29a222..eecede7a5063d2347a52b08796f86f08b8c19348 100644
--- a/float/roles/float-infra-acme/templates/config.yml.j2
+++ b/float/roles/float-infra-acme/templates/config.yml.j2
@@ -10,9 +10,9 @@ http:
 enabled: true
 dns:
 enabled: true
- tsig_key_name: "acme"
- tsig_key_algo: "{{ acme_tsig_key.algo }}"
- tsig_key_secret: "{{ acme_tsig_key.private }}"
+ tsig_key_name: "acme."
+ tsig_key_algo: "{{ acme_tsig_key.algo | lower }}."
+ tsig_key_secret: "{{ acme_tsig_key.public }}"
 nameservers:
 {% for h in services['dns'].hosts | sort %}
 - {{ h }}.dns.{{ domain }}
diff --git a/float/roles/float-infra-dns/files/in-view.sed b/float/roles/float-infra-dns/files/in-view.sed
new file mode 100644
index 0000000000000000000000000000000000000000..507eb209da257b748feab3fb739eb535ca0a5746
--- /dev/null
+++ b/float/roles/float-infra-dns/files/in-view.sed
@@ -0,0 +1,10 @@
+# Script to convert each zone in a view to a series of in-view declarations
+1i\
+// Automatically generated, do not edit.
+/^zone/{
+a\
+ in-view "internal-in";\
+};
+p
+}
+
diff --git a/float/roles/float-infra-dns/tasks/main.yml b/float/roles/float-infra-dns/tasks/main.yml
index 99d0a1b5d4b39d783e9a103637cc583acd02598c..5c5224361bf5302597279ef3ee766c08d3ada17d 100644
--- a/float/roles/float-infra-dns/tasks/main.yml
+++ b/float/roles/float-infra-dns/tasks/main.yml
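Review bot: `tsig_key_secret` now reads `acme_tsig_key.public` instead of `.private` and the hunk gives no reason; for an HMAC TSIG key there is no public half (if the key came from BIND's keygen, the `.key` and `.private` files carry the same shared secret), so this presumably selects whichever field holds the bare base64 secret in the form the ACME client's DNS update library expects, and the rendered config stays exactly as sensitive as before. The trailing dots added to `tsig_key_name` and to the lowercased algorithm look like the fully-qualified forms that library requires; record that above `dns:` so the next edit does not "clean them up", e.g. `# TSIG name and algorithm are sent as FQDNs (trailing dot, lowercase algorithm), as the DNS update client expects`. If `acme_tsig_key.public` is a whole KEY record line rather than only the secret, this would need a filter to take the last field — worth confirming against how the key variable is generated.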
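Review bot: The script assumes every zone statement in named.conf.zones starts with `zone` at column 0 and that the internal view is literally named `internal-in`; neither assumption is written down, and a later rename of that view in named.conf.local would make the generated file reference a view that does not exist, which named would reject at load. Record both in the header comment, e.g. `# Expects zonetool output (one 'zone "<name>" {' line per zone at column 0); "internal-in" must match the view name in named.conf.local.` Because the caller runs sed with `-n`, only the matched zone lines and the appended in-view text reach the output, so the `p` is what keeps each zone line — a short comment on that line (`# keep the zone line itself; -n drops everything else`) would explain it.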
@@ -29,6 +29,11 @@
 notify: reload bind
 register: dns_config
+- name: Install in-view.sed script
+ copy:
+ src: "in-view.sed"
+ dest: "/etc/bind/in-view.sed"
+
 - name: Create bind9 zone dirs
 file:
 path: "/etc/bind/zones"
@@ -60,6 +65,7 @@
 changed_when: false
 with_items:
 - named.conf.zones
+ - named.conf.zones.in-view
 - named.conf.internal-custom-zones
 - named.conf.external-custom-zones
@@ -103,13 +109,17 @@
 file:
 path: "/etc/credentials/dnssec"
 state: directory
- mode: 0700
+ owner: root
+ group: bind
+ mode: 0750
 - name: Install DNSSEC keys
 copy:
 src: "{{ item }}"
 dest: "/etc/credentials/dnssec/{{ item | basename }}"
- mode: 0600
+ owner: root
+ group: bind
+ mode: 0640
 with_fileglob:
 - "{{ credentials_dir }}/dnssec/K*.private"
 - "{{ credentials_dir }}/dnssec/K*.key"
diff --git a/float/roles/float-infra-dns/templates/bind/named.conf.local b/float/roles/float-infra-dns/templates/bind/named.conf.local
index baa7da72d83bdf1eb103d82094c7bd98189eb845..7b4fb378eaadae67b4ff9c6a068005cf40183545 100644
--- a/float/roles/float-infra-dns/templates/bind/named.conf.local
+++ b/float/roles/float-infra-dns/templates/bind/named.conf.local
@@ -32,6 +32,6 @@ view "external-in" in {
 // Include manually-maintained zones.
 include "/etc/bind/named.conf.external-custom-zones";
-// Include zonetool-maintained zones.
- include "/etc/bind/named.conf.zones";
+ // Include zonetool-maintained zones (in-view references).
+ include "/etc/bind/named.conf.zones.in-view";
 };
diff --git a/float/roles/float-infra-dns/templates/bind/named.conf.options b/float/roles/float-infra-dns/templates/bind/named.conf.options
index b0ace7b0aee4b0f6e97664ada32e88444f01ddba..aeae164ebc06cf7ad6d346103c9b2a7effce8028 100644
--- a/float/roles/float-infra-dns/templates/bind/named.conf.options
+++ b/float/roles/float-infra-dns/templates/bind/named.conf.options
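Review bot: The third hunk in tasks/main.yml widens access to the DNSSEC signing keys — the directory goes from 0700 to root:bind 0750 and every file matched by `K*.private` from 0600 to root:bind 0640 — so the named process can now read them, which the `key-directory` added to named.conf.options in this commit needs for re-signing after dynamic updates, but nothing in the tasks says so. Add the rationale next to the mode, e.g. `# Group-readable by bind: named re-signs zones in place (key-directory in named.conf.options).`. The same `with_fileglob` also copies the `K*.key` public halves at 0640; harmless, but if the loop is ever split the private files are the ones that must stay at this mode and no wider.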
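Review bot: `named.conf.zones.in-view` is written only when update-dns runs, so this include must resolve to an existing (possibly empty) file before named first loads its configuration; the tasks hunk in this commit that adds the name to a `with_items` list appears to pre-create it, which should be confirmed, and the comment could point at the generator: `// Include zonetool-maintained zones (in-view references, generated by update-dns).`. The external view now shares the internal view's zone objects instead of loading a second instance from the same files, which is what makes dynamic updates applied through one view visible in the other; a sentence stating that intent would spare the next reader from re-deriving it.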
@@ -30,6 +30,9 @@ options {
 dnssec-validation auto;
+ // For re-signing with dynamic updates.
+ key-directory "/etc/credentials/dnssec";
+
 notify no;
 rrset-order { order random; };
diff --git a/float/roles/float-infra-dns/templates/update-dns b/float/roles/float-infra-dns/templates/update-dns
index aba76507bbf22ccdf6c2facee318fbd1ccacbaf0..0d378a745f6f12d2bcf816edf2771e8abb11b1e1 100755
--- a/float/roles/float-infra-dns/templates/update-dns
+++ b/float/roles/float-infra-dns/templates/update-dns
@@ -3,7 +3,11 @@
 # Wrapper for zonetool, with the right options.
 #
-exec /usr/bin/zonetool \
+set -e
+
+rndc freeze
+
+/usr/bin/zonetool \
 --config /etc/dns/zonetool.yml \
 --named-conf /etc/bind/named.conf.zones \
 --output-dir /etc/bind/zones --delete \
@@ -11,4 +15,12 @@ exec /usr/bin/zonetool \
 --ds-dir /etc/bind/dnssec-ds \
 --nsec3-salt {{ dnssec_nsec3_salt }} \
 --dnssec-refresh \
+ --update-policy 'grant acme zonesub TXT' \
 /etc/dns/manual /etc/dns/auto
+
+sed -n -f /etc/bind/in-view.sed \
+ /etc/bind/named.conf.zones \
+ > /etc/bind/named.conf.zones.in-view
+
+rndc thaw
+
diff --git a/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties b/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
index 6dd5029fb02d991f966270c6a1584bd49f28141b..d2aa7b05983e77009db9396852f10f51b18c027d 100644
--- a/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
+++ b/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
@@ -7,6 +7,9 @@ status = error
 logger.action.name = org.elasticsearch.action
 logger.action.level = debug
+logger.deprecation.name = org.elasticsearch.deprecation
+logger.deprecation.level = error
+
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
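Review bot: With `set -e` in effect, a failure of zonetool or of the sed step in the second update-dns hunk exits the script before the `rndc thaw` at its end runs, leaving every dynamic zone frozen so that ACME TXT updates are refused until someone thaws by hand. An EXIT trap placed right after the freeze guarantees the thaw on both success and failure — `rndc freeze` then `trap 'rndc thaw' EXIT` — after which the explicit `rndc thaw` in the second hunk is redundant. `rndc freeze` with no zone argument also freezes every dynamic zone on the server, not only the zonetool-managed ones; if other dynamic zones are ever added here, freezing by name would keep their updates flowing during a regeneration.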
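Review bot: `grant acme zonesub TXT` lets the acme key create or delete TXT records at any name within each zone and its subdomains, whereas DNS-01 validation only ever touches `_acme-challenge` names; every other TXT record in the zone (SPF, DKIM, DMARC, domain-verification tokens) is therefore writable with the same key, so the confidentiality of that key now bounds the integrity of those records as well. If the BIND version in use accepts wildcard labels in update-policy names, a `wildcard` rule limited to `_acme-challenge.*` names would narrow the grant; otherwise the breadth should at least be stated next to the option, e.g. `# zonesub: the acme key may write any TXT record in the zone, not only _acme-challenge names`. The sed pipeline correctly runs after zonetool rewrites named.conf.zones, so the in-view file is regenerated on every run; a comment saying it must not be edited by hand would match the header the sed script emits.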
diff --git a/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml b/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
index 60015730c61efb806fcbf3a5d0075ac92c58a7bd..9aa4a9023bf5ab0e498ab3a85da214e5bdf0d380 100644
--- a/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
+++ b/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
@@ -2,7 +2,7 @@ groups:
 - name: roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf
 rules:
 - record: target:probe_ssl_cert_expiry:days
- expr: ((min(probe_ssl_earliest_cert_expiry) by (probe,host)) - time()) / 86400
+ expr: ((min(probe_ssl_earliest_cert_expiry) by (float_job,probe,host)) - time()) / 86400
 - record: service_credentials_expiration_time:days
 expr: ((min(service_credentials_expiration_time) by (name,float_service)) - time()) / 86400
diff --git a/float/roles/float-util-credentials/tasks/main.yml b/float/roles/float-util-credentials/tasks/main.yml
index b7cf1fe8446feba87c3ae0db84af9dc65386f09c..da74408723ca7d8e309c65d02979151fedd386d9 100644
--- a/float/roles/float-util-credentials/tasks/main.yml
+++ b/float/roles/float-util-credentials/tasks/main.yml
@@ -76,7 +76,7 @@
 params: "{{ item.0.x509_params|default({}) }}"
 private_key_path: "/etc/credentials/{{ item.0.credentials.ca_tag | default(default_ca_tag) }}/{{ item.0.credentials.name }}/{{ item.0.mode }}/private_key.pem"
 check: false
- when: "item.1.changed"
+ when: "item.1.changed or (force_renew_credentials | default(False))"
 loop: "{{ credentials | zip(x509_should_update.results) | list }}"
 register: x509_csr