diff --git a/ops/nixos/lib/secretsmgr.nix b/ops/nixos/lib/secretsmgr.nix
index 9a8decc3a1..5ebed8c8aa 100644
--- a/ops/nixos/lib/secretsmgr.nix
+++ b/ops/nixos/lib/secretsmgr.nix
@@ -120,6 +120,16 @@ in
       };
     };
 
+    systemd.timers.secretsmgr = {
+      requires = ["vault-agent.service"];
+      after = ["vault-agent.service" "network-online.target"];
+
+      timerConfig = {
+        OnActiveSec = "30";
+        OnUnitInactiveSec = "30min";
+      };
+    };
+
     systemd.tmpfiles.rules = [
       "d /var/lib/acme 0711 secretsmgr secretsmgr - -"
       "d /var/lib/secretsmgr 0711 secretsmgr secretsmgr - -"