diff --git a/cloneperf b/cloneperf
new file mode 100755
index 0000000..44acf16
--- /dev/null
+++ b/cloneperf
@@ -0,0 +1,16 @@
+#!/bin/sh
+ts=$(date +"%Y-%m-%d_%H:%M:%S")
+log=cloneperf-$ts.log
+host=${host:-git.sr.ht}
+printf 'cloneperf host=%s ts=%s notes=%s\n\n' "$host" "$ts" "$*" | tee -a $log
+
+printf '%s\n' "$ ssh git@$host" | tee -a $log
+/usr/bin/time -p ssh git@$host 2>&1 | tee -a $log
+
+printf '\n' | tee -a $log
+
+printf '%s\n' "$ git clone git@$host:~sircmpwn/scdoc" | tee -a $log
+/usr/bin/time -p git clone git@$host:~sircmpwn/scdoc /tmp/scdoc-$ts 2>&1 | tee -a $log
+rm -rf /tmp/scdoc-$ts
+
+printf "\nResults written to %s\n" "$log"
diff --git a/config.example.ini b/config.example.ini
index 58038e1..6e9f6d9 100644
--- a/config.example.ini
+++ b/config.example.ini
@@ -19,11 +19,22 @@ owner-email=sir@cmpwn.com
 # The source code for your fork of sr.ht
 source-url=https://git.sr.ht/~sircmpwn/srht
 #
-# A secret key to encrypt session cookies with
-secret-key=CHANGEME
+# A key used for encrypting session cookies. Use `srht-keygen service` to
+# generate the service key. This must be shared between each node of the same
+# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
+# different keys. If you configure all of your services with the same
+# config.ini, you may use the same service-key for all of them.
+service-key=
 #
-# The redis host url.
-redis-host=redis://localhost:6379/0
+# A secret key to encrypt internal messages with. Use `srht-keygen network` to
+# generate this key. It must be consistent between all services and nodes.
+network-key=
+#
+# The redis host URL. This is used for caching and temporary storage, and must
+# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
+# shared between services. It may be shared between services, however, with no
+# ill effect, if this better suits your infrastructure.
+redis-host=
 
 [mail]
 #
@@ -38,10 +49,12 @@ smtp-from=
 error-to=
 error-from=
 #
-# Your PGP key information (DO NOT mix up pub and priv here)
-# You must remove the password from your secret key, if present.
-# You can do this with gpg --edit-key [key-id], then use the passwd
-# command and do not enter a new password.
+# You should generate a PGP key to allow users to authenticate emails received
+# from your services. Use `gpg --edit-key [key id]` to remove the password from
+# your private key, then export it to a file and set pgp-privkey to the path to
+# that file. pgp-pubkey should be set to the path to your public key, and
+# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
+# this PGP key.
 pgp-privkey=
 pgp-pubkey=
 pgp-key-id=
@@ -49,10 +62,11 @@ pgp-key-id=
 [webhooks]
 #
 # base64-encoded Ed25519 key for signing webhook payloads. This should be
-# consistent for all *.sr.ht sites, as we'll use this key to verify signatures
-# from other sites in your network.
+# consistent between all services.
 #
-# Use the srht-webhook-keygen command to generate a key.
+# Use the `srht-keygen webhook` command to generate this key. Put the private
+# key here and distribute the public key to anyone who would want to verify
+# webhook payloads from your service.
 private-key=
 
 [git.sr.ht]
diff --git a/gitsrht-keys/main.go b/gitsrht-keys/main.go
index 66fbfc1..bd86c58 100644
--- a/gitsrht-keys/main.go
+++ b/gitsrht-keys/main.go
@@ -31,12 +31,6 @@ func main() {
 	)
 	// TODO: update key last used timestamp on meta.sr.ht
 
-	redisHost, ok := config.Get("sr.ht", "redis-host")
-	if !ok {
-		redisHost = "localhost:6379"
-	}
-	redis := goredis.NewClient(&goredis.Options{Addr: redisHost})
-
 	logf, err := os.OpenFile(logFile,
 		os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
 	if err != nil {
@@ -55,9 +49,18 @@ func main() {
 	}
 	if err != nil {
 		logger.Fatalf("Failed to load config file: %v", err)
-		os.Exit(0)
 	}
 
+	redisHost, ok := config.Get("sr.ht", "redis-host")
+	if !ok {
+		redisHost = "redis://localhost:6379"
+	}
+	ropts, err := goredis.ParseURL(redisHost)
+	if err != nil {
+		logger.Fatalf("Failed to parse redis host: %v", err)
+	}
+	redis := goredis.NewClient(ropts)
+
 	keyType, b64key, prefix, err = srhtkeys.ParseArgs(logger)
 	if err != nil {
 		os.Exit(0)
diff --git a/gitsrht-update-hook/post-update.go b/gitsrht-update-hook/post-update.go
index f921188..90ffc67 100644
--- a/gitsrht-update-hook/post-update.go
+++ b/gitsrht-update-hook/post-update.go
@@ -162,9 +162,13 @@ func postUpdate() {
 
 	redisHost, ok := config.Get("sr.ht", "redis-host")
 	if !ok {
-		redisHost = "localhost:6379"
+		redisHost = "redis://localhost:6379"
 	}
-	redis := goredis.NewClient(&goredis.Options{Addr: redisHost})
+	ropts, err := goredis.ParseURL(redisHost)
+	if err != nil {
+		logger.Fatalf("Failed to parse redis host: %v", err)
+	}
+	redis := goredis.NewClient(ropts)
 	for i, refname := range refs {
 		var oldref, newref string
 		var oldobj, newobj object.Object
diff --git a/gitsrht-update-hook/update.go b/gitsrht-update-hook/update.go
index 31a986e..72c661a 100644
--- a/gitsrht-update-hook/update.go
+++ b/gitsrht-update-hook/update.go
@@ -24,9 +24,13 @@ func update() {
 
 	redisHost, ok := config.Get("sr.ht", "redis-host")
 	if !ok {
-		redisHost = "localhost:6379"
+		redisHost = "redis://localhost:6379"
 	}
-	redis := goredis.NewClient(&goredis.Options{Addr: redisHost})
+	ropts, err := goredis.ParseURL(redisHost)
+	if err != nil {
+		logger.Fatalf("Failed to parse redis host: %v", err)
+	}
+	redis := goredis.NewClient(ropts)
 	redis.Set(fmt.Sprintf("update.%s.%s", pushUuid, refname),
 		fmt.Sprintf("%s:%s", oldref, newref), 10*time.Minute)
 }