diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index 8ab8edb28c..3de2e54a2b 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -396,6 +396,7 @@ in {
 
 systemd.services.alertmanager-discord = {
 enable = true;
+ wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 ExecStart = "${depot.pkgs.alertmanager-discord}/bin/alertmanager-discord -listen.address 127.0.0.1:9997";
 EnvironmentFile = pkgs.writeText "discord-secret" ''
@@ -411,5 +412,33 @@ in {
 };
 };
 
+ systemd.services.sslrenew-raritan = {
+ enable = true;
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${depot.ops.raritan.ssl-renew}/lego.sh";
+ EnvironmentFile = pkgs.writeText "sslrenew-secret" ''
+ CERTIFICATE_DOMAIN=kvm.lukegb.xyz
+ LETSENCRYPT_EMAIL=letsencrypt@lukegb.com
+ CF_DNS_API_TOKEN=${secrets.cloudflareCredentials.token}
+ RARITAN_IP=192.168.1.50
+ RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
+ RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
+ '';
+ DynamicUser = true;
+ StateDirectory = "sslrenew-raritan";
+ StateDirectoryMode = "0700";
+ WorkingDirectory = "/var/lib/sslrenew-raritan";
+ };
+ };
+ systemd.timers.sslrenew-raritan = {
+ enable = true;
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ };
+ };
+
 system.stateVersion = "20.03";
 }
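Review bot: In the second hunk, the `EnvironmentFile` for `sslrenew-raritan` is built with `pkgs.writeText`, so the Cloudflare DNS token and the Raritan username and password are interpolated into a file under `/nix/store`, which is normally world-readable and travels with any copy of the system closure. `DynamicUser = true` and `StateDirectoryMode = "0700"` restrict the service's state directory but do nothing for that store file. Point the unit at a file kept outside the store instead, e.g. `EnvironmentFile = "<root-only secrets path outside the store>";` (placeholder path), and leave only the non-secret values (`CERTIFICATE_DOMAIN`, `LETSENCRYPT_EMAIL`, `RARITAN_IP`) in the Nix expression; systemd reads the file itself before dropping privileges, so a root-only mode works with `DynamicUser`. The `discord-secret` file visible in the first hunk's context follows the same pattern and would benefit from the same treatment. Separately, `after = [ "network-online.target" ]` only orders the unit, so `wants = [ "network-online.target" ];` is needed alongside it to actually pull the target in.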