diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix
index b15b1897e..d30e7ed8f 100644
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@@ -13,7 +13,7 @@ in
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/charybdis.nix ];
       tv.charybdis = {
diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix
index 03d0c00f1..3e5fb7286 100644
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@@ -9,7 +9,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.mkdir;
diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix
index 367502eed..2d32d9e1f 100644
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@@ -8,7 +8,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-retiolum.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.nomic;
diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix
index 497354e68..c470086ce 100644
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@@ -9,7 +9,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.rmdir;
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix
index 8470a4f23..234b80559 100644
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@@ -12,8 +12,7 @@ in
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-client.nix
     ../../2configs/tv/exim-retiolum.nix
-    ../../2configs/tv/git-public.nix
-    # TODO git-private.nix
+    ../../2configs/tv/git.nix
     ../../2configs/tv/mail-client.nix
     ../../2configs/tv/xserver.nix
     ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix
similarity index 73%
rename from 2configs/tv/git-public.nix
rename to 2configs/tv/git.nix
index 1bf44e0fc..ac1c413c4 100644
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git.nix
@@ -11,7 +11,11 @@ let
     };
   };
 
-  repos = public-repos;
+  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+    public-repos //
+    optionalAttrs config.tv.identity.self.secure restricted-repos
+  );
+
   rules = concatMap make-rules (attrValues repos);
 
   public-repos = mapAttrs make-public-repo {
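Review bot: The collaborator list never reaches `make-rules`: `repos` strips `collaborators` from every entry and `rules` is then built from `attrValues repos`, so `repo.collaborators or []` in the last hunk of this file is always empty and the new fetch rule is never emitted. `make-restricted-repo` (third hunk) drops the attribute as well, because it inherits only `name` and `desc`. The result fails closed (lass and makefu get no access to `brain`), but the declaration reads as if access were granted. Building the rules from an unstripped set fixes it; whether the `repo = [ repo ]` value of a rule may then carry `collaborators` depends on the module's option type, which is not visible here.

```nix
  # keep collaborators for rule generation; strip them only from the repo set itself
  all-repos =
    public-repos //
    optionalAttrs config.tv.identity.self.secure restricted-repos;

  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, users …

  make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: {
    inherit name collaborators desc;
    # … unchanged: public, hooks …
```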
@@ -36,6 +40,15 @@ let
     xintmap = {};
   };
 
+  restricted-repos = mapAttrs make-restricted-repo (
+    {
+      brain = {
+        collaborators = with users; [ lass makefu ];
+      };
+    } //
+    import /root/src/secrets/repos.nix { inherit config lib pkgs users; }
+  );
+
   # TODO move users to separate module
   users = mapAttrs make-user {
     tv = ../../Zpubkeys/tv_wu.ssh.pub;
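Review bot: The `import /root/src/secrets/repos.nix` at the end of `restricted-repos` makes evaluation depend on an absolute path outside the tree, and nothing here says what that file must return or how sensitive its contents may be. Because it sits on the right of `//`, an entry named `brain` in that file silently replaces the in-tree one. The names and descriptions it returns also flow into `repos` and `rules`, which are presumably rendered into world-readable store paths. I would document this above the binding, e.g. `# secrets/repos.nix: { config, lib, pkgs, users }: attrset of { desc?, collaborators? }; names and descs end up in the store, keep only non-confidential metadata there`. The enclosing `let` starts and ends outside the hunk.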
@@ -57,6 +70,12 @@ let
     };
   };
 
+  make-restricted-repo = name: { desc ? null, ... }: {
+    inherit name desc;
+    public = false;
+    hooks = {}; # TODO default
+  };
+
   make-rules =
     with git // users;
     repo:
@@ -69,6 +88,11 @@ let
         user = [ lass makefu uriel ];
         repo = [ repo ];
         perm = fetch;
+      } ++
+      optional (length (repo.collaborators or []) > 0) {
+        user = repo.collaborators;
+        repo = [ repo ];
+        perm = fetch;
       };
 
   make-user = name: pubkey-file: {
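Review bot: With non-public repos now passing through `make-rules`, the existing rule granting `fetch` to `[ lass makefu uriel ]` becomes security-relevant, and its opening lies outside the hunk. If it is not wrapped in a guard such as `optional repo.public`, every restricted repo is fetchable by those three users regardless of its collaborator list. Please confirm the guard and consider a comment on it, e.g. `# public repos only; restricted repos get fetch solely via collaborators`.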