diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3def2d77556e8b82b5fd0dbd2513f3d08b7ea2c7..51f41832ded8fe18290c47b5b3ad85fb58c2a511 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -61,7 +61,7 @@ let
       (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index e663d2243e4aa6078260e41f07f807f606e64ef6..06eefdd28da57ad65ea99543ba8421bc934ef752 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -38,7 +38,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index fbbbd9f13e49cfdc7fd2f0687fa2fe12df91ea33..7b06c99e1f7a1b65b535f924a0a24aebe6753586 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -51,7 +51,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
         googleOAuthClientID = config.monitoringGoogleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index f5b820a272fcfd4ea7106af32ad2fd0ac5c8ece3..391aa5602575100c8650d8e4fb6892e38fc95ebf 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -13,6 +13,7 @@
 , privateKeyPath
 , monitoringvpnIPv4
 , domain
+, sshUsers
 , letsEncryptAdminEmail
 
   # A list of VPN IP addresses as strings indicating which clients will be
@@ -84,6 +85,8 @@
   networking.domain = domain;
   networking.hosts = hostsMap;
 
+  services.private-storage.sshUsers = sshUsers;
+
   services.private-storage.monitoring.vpn.server = {
     enable = true;
     ip = monitoringvpnIPv4;
diff --git a/morph/lib/issuer-aws.nix b/morph/lib/issuer-aws.nix
index a66ab72addd43da1feb96bdd86d46312ec327fd3..bf7de56cfb570857da32c34ebfcc9b21c91e702e 100644
--- a/morph/lib/issuer-aws.nix
+++ b/morph/lib/issuer-aws.nix
@@ -9,7 +9,7 @@
   boot.kernel.sysctl = { "vm.swappiness" = 0; };
   swapDevices = [ {
     device = "/var/swapfile";
-    size = 8192; # megabytes
+    size = 4096; # megabytes
     randomEncryption = true;
   } ];
 
@@ -17,4 +17,11 @@
   # morph-supplied name.  See also
   # <https://github.com/DBCDK/morph/issues/146>.
   networking.hostName = name;
+
+  # Clean up packages after a while
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
 }
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index d8af93b24119ba6dff5ce63a5b2d16fbd18edb71..f8810be2f7e878eeb979e82d2746895d6157212e 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,6 +21,8 @@ rec {
   };
 
   imports = [
+    # Give it a good SSH configuration.
+    ../../nixos/modules/ssh.nix
     # Allow us to remotely trigger updates to this system.
     ../../nixos/modules/deployment.nix
 
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a43012b7e53a6d5ced17123eb3d898b24f3e..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,11 +182,17 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
-    # Certificate renewal.  We must declare that we *require* it in our
-    # service above.
-    systemd.services."${certServiceName}" = {
-      enable = true;
+    # Certificate renewal.  A short-lived service meant to be repeatedly
+    # activated to request a new certificate be issued, if the current one is
+    # close to expiring.
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
       description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
       serviceConfig = {
         ExecStart =
         let
@@ -201,6 +207,7 @@ in {
           '';
       };
     };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80
diff --git a/nixos/modules/monitoring/server/grafana-config/resources-overview.json b/nixos/modules/monitoring/server/grafana-config/resources-overview.json
index cd171d50594d77153f4d905bd91aec12f6bafcb9..8cf342514143d84de1263a3d6debaf8e40b4c922 100644
--- a/nixos/modules/monitoring/server/grafana-config/resources-overview.json
+++ b/nixos/modules/monitoring/server/grafana-config/resources-overview.json
@@ -1281,6 +1281,6 @@
   "timepicker": {},
   "timezone": "utc",
   "title": "Resources overview",
-  "uid": "ResSatUse",
+  "uid": "ResourcesOverview",
   "version": 1
 }
diff --git a/nixos/modules/monitoring/server/grafana-config/services-overview.json b/nixos/modules/monitoring/server/grafana-config/services-overview.json
index 8ee7b130ce917183edfa26a7a53c1a8df1353303..1606d2e59593fea116323dfaea25448bc4fbc9b6 100644
--- a/nixos/modules/monitoring/server/grafana-config/services-overview.json
+++ b/nixos/modules/monitoring/server/grafana-config/services-overview.json
@@ -659,6 +659,6 @@
   },
   "timezone": "",
   "title": "Services overview",
-  "uid": "JX3RVEk7k",
+  "uid": "ServicesOverview",
   "version": 6
 }
diff --git a/nixos/modules/monitoring/server/prometheus.nix b/nixos/modules/monitoring/server/prometheus.nix
index c92261ccad2ebdd8dd34dda9027e66962b345be9..1f27f023df5b3211a81e3603226cc7cfe2c25e27 100644
--- a/nixos/modules/monitoring/server/prometheus.nix
+++ b/nixos/modules/monitoring/server/prometheus.nix
@@ -59,7 +59,9 @@ in {
           scheme = "https";
           tls_config.insecure_skip_verify = true;
           static_configs = [{
-            targets = cfg.paymentExporterTargets;
+            # Explicitly setting the port number so the relabel_config can filter it out again.
+            # Leaving it out makes the port number show in Grafana.
+            targets = map (x: x + ":443") cfg.paymentExporterTargets;
           }];
           relabel_configs = [ dropPortNumber ];
         }
diff --git a/nixpkgs-ps.json b/nixpkgs-ps.json
index 97449535de722fdaf89d8551c6bd6d124e3818c7..58add30734e8f7b9b2840a9be38693ceb6a4249d 100644
--- a/nixpkgs-ps.json
+++ b/nixpkgs-ps.json
@@ -1,4 +1,4 @@
 { "name": "nixpkgs"
-, "url": "https://github.com/PrivateStorageio/nixpkgs/archive/a5cbaadd9676e8c568061e92bbf5ad6a5d884ded.tar.gz"
-, "sha256": "0q5zknsp0qb25ag9zr9bw1ap7pb3f76bxsw81ahxkzj4z5dw6k2f"
+, "url": "https://github.com/PrivateStorageio/nixpkgs/archive/5ebd5af2d5c6caf23735c8c0e6bc27357fa8d2a8.tar.gz"
+, "sha256": "1g2bvs8prqjskzv8s1qmh36k7rmj98jib0syqbrq02xxzw5dpqb4"
 }