diff --git a/scripts/letsencrypt-wildcard b/scripts/letsencrypt-wildcard
new file mode 100755
index 0000000..98eca7a
--- /dev/null
+++ b/scripts/letsencrypt-wildcard
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+if [[ -z "$1" ]] || [[ "$1" == '--help' ]]
+then
+    echo "Usage: $0 <wildcard-domain>"
+    exit 1
+fi
+
+set -e
+
+domain=$1
+certalias="_.$1"
+
+tmpdir=$(mktemp -d)
+trap 'cd /; rm -Rf "$tmpdir"' EXIT
+
+export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"
+
+cd -- "$tmpdir"
+git clone https://github.com/dehydrated-io/dehydrated.git
+cd dehydrated
+git checkout "$(git describe --tags --abbrev=0)"
+
+cat >config <<EOF
+BASEDIR=$tmpdir
+KEYSIZE=4096
+HOOK=$tmpdir/dehydrated/hook
+RENEW_DAYS=90
+CHALLENGETYPE=dns-01
+EOF
+
+cat >hook <<"EOF"
+#!/usr/bin/env bash
+
+if [[ "$1" == 'deploy_challenge' ]]
+then
+    domain=$2
+    token_value=$4
+
+    echo
+    echo You must now provide this DNS record:
+    echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)"
+    echo
+    echo "Hit ENTER once it's available."
+    read
+fi
+EOF
+chmod +x hook
+
+cat <<EOF
+
+You will soon be asked to create several DNS records.
+$(tput bold)Please create all of them. The second one does NOT replace
+the first one.$(tput sgr0)
+
+EOF
+
+./dehydrated --register --accept-terms -f config
+./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config
+
+cd -- "$tmpdir"/certs/"$certalias"
+
+echo
+echo Copying final files:
+echo
+bw_repo=$(bw debug -c 'print(repo.path)')
+cp -v cert.pem "$bw_repo"/data/ssl/"$certalias".crt.pem
+cp -v chain.pem "$bw_repo"/data/ssl/"$certalias".crt_intermediate.pem
+
+echo "Encrypting private key via bw ..."
+bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"
+
+echo
+echo "Certificate and key created."
diff --git a/scripts/passwords-for b/scripts/passwords-for
new file mode 100755
index 0000000..3aa0d53
--- /dev/null
+++ b/scripts/passwords-for
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+from os import environ
+from sys import argv
+
+from bundlewrap.repo import Repository
+from bundlewrap.utils import Fault
+from bundlewrap.exceptions import FaultUnavailable
+
+
+path = environ.get('BW_REPO_PATH', '.')
+repo = Repository(path)
+
+def print_faults(dictionary, keypath=[]):
+    for key, value in sorted(dictionary.items()):
+        if isinstance(value, Fault):
+            try:
+                resolved_fault = value.value
+            except FaultUnavailable:
+                print('{}/{}: [permission denied]'.format('/'.join(keypath), key))
+            else:
+                if '\n' not in resolved_fault:
+                    print('{}/{}: {}'.format('/'.join(keypath), key, value))
+        elif isinstance(value, dict):
+            print_faults(value, keypath=keypath+[key])
+
+
+if len(argv) == 1:
+    print('node name missing')
+    exit(1)
+
+node = repo.get_node(argv[1])
+print_faults(node.metadata)