diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3def2d77556e8b82b5fd0dbd2513f3d08b7ea2c7..51f41832ded8fe18290c47b5b3ad85fb58c2a511 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -61,7 +61,7 @@ let
       (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
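Review bot: `inherit (config) … sshUsers …` forwards the grid-wide `config.sshUsers` unchanged to the monitoring host, so the same key set that can log in elsewhere on the grid now also gets SSH access to the node that runs the monitoring VPN server; the production (lines 18–26) and testing (lines 31–39) hunks do the same. Whether `config` (presumably the grid's config file, not visible here) actually defines `sshUsers`, and whether that set is the intended operator set for the monitoring host rather than a broader one, cannot be checked from this diff, so it is worth confirming before the deploy. A one-line comment above the `inherit`, e.g. `# sshUsers: accounts allowed to SSH into the monitoring host (same set as the storage nodes)`, would make the scope of that grant visible at the call site. The enclosing `customize-monitoring` call continues outside the hunk.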
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index e663d2243e4aa6078260e41f07f807f606e64ef6..06eefdd28da57ad65ea99543ba8421bc934ef752 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -38,7 +38,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index fbbbd9f13e49cfdc7fd2f0687fa2fe12df91ea33..7b06c99e1f7a1b65b535f924a0a24aebe6753586 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -51,7 +51,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3..391aa5602575100c8650d8e4fb6892e38fc95ebf 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -13,6 +13,7 @@
 , privateKeyPath
 , monitoringvpnIPv4
 , domain
+, sshUsers
 , letsEncryptAdminEmail
 
   # A list of VPN IP addresses as strings indicating which clients will be
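Review bot: The new `sshUsers` parameter is the only one in this argument list without a description, while the neighbouring parameters (e.g. `vpnClientIPs` just below) each carry one. Its type and shape are not visible here, so the comment should state what the module expects and where it goes, e.g. `# sshUsers: the set of SSH users (names mapped to authorized keys — confirm against ssh.nix) to grant shell access on the monitoring host; forwarded to services.private-storage.sshUsers.` The parameter list continues outside the hunk.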
@@ -84,6 +85,8 @@
   networking.domain = domain;
   networking.hosts = hostsMap;
 
+  services.private-storage.sshUsers = sshUsers;
+
   services.private-storage.monitoring.vpn.server = {
     enable = true;
     ip = monitoringvpnIPv4;
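Review bot: `services.private-storage.sshUsers = sshUsers;` assigns an option that this file does not declare or import; it only evaluates because `monitoring.nix` separately imports `../../nixos/modules/ssh.nix` in the same commit. That coupling is invisible at this site, so a reader removing or reordering imports in `monitoring.nix` would get an "option does not exist" error pointing here. Add a note above the assignment, e.g. `# Option declared by nixos/modules/ssh.nix, imported via morph/lib/monitoring.nix.`, so the dependency is documented where it is consumed.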
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d8af93b24119ba6dff5ce63a5b2d16fbd18edb71..f8810be2f7e878eeb979e82d2746895d6157212e 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,6 +21,8 @@ rec {
   };
 
   imports = [
+    # Give it a good SSH configuration.
+    ../../nixos/modules/ssh.nix
     # Allow us to remotely trigger updates to this system.
     ../../nixos/modules/deployment.nix
 
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a43012b7e53a6d5ced17123eb3d898b24f3e..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,11 +182,17 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
-    # Certificate renewal.  We must declare that we *require* it in our
-    # service above.
-    systemd.services."${certServiceName}" = {
-      enable = true;
+    # Certificate renewal.  A short-lived service meant to be repeatedly
+    # activated to request a new certificate be issued, if the current one is
+    # close to expiring.
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
       description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
       serviceConfig = {
         ExecStart =
         let
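Review bot: `startAt = "weekly"` creates a timer with no `Persistent` setting, so if the host is down or rebooting at the scheduled moment (`weekly` is Monday 00:00) that week's renewal check is skipped rather than run late, and every issuer host fires at the same instant, which is the kind of clustered, unjittered renewal traffic the CA rate-limits; a weekly cadence also leaves few retries before the certificate expires if certbot keeps failing. Adding `systemd.timers.${certServiceName}.timerConfig = { Persistent = true; RandomizedDelaySec = "1h"; };` next to the service, or tightening the schedule to `daily`, keeps a missed run from silently costing a week. With `enable = cfg.tls;`, it is presumably still the case that the timer is emitted regardless of `cfg.tls` — confirm that the timer is gated the same way so it does not trigger a disabled unit. The removed comment also said the PaymentServer unit must `require` this one; since the service body and that relationship lie outside the hunk, it is worth confirming the main unit still tolerates `cfg.tls = false`.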
@@ -201,6 +207,7 @@ in {
           '';
       };
     };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80