diff --git a/data.nix b/data.nix
index c3ce908..1450101 100644
--- a/data.nix
+++ b/data.nix
@@ -14,6 +14,8 @@ rec {
 borgstor = 504;
 jakstpub = 505;
+
+ certget = 506;
 };
 ports = {
diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix
index 9700a1e..d2868ef 100644
--- a/hosts/vno3-rp3b/configuration.nix
+++ b/hosts/vno3-rp3b/configuration.nix
@@ -72,6 +72,12 @@
 silenceLogs = true;
 };
+ certget = {
+ enable = true;
+ uidgid = myData.uidgid.certget;
+ sshKeys = [myData.hosts."vno1-oh2.servers.jakst".publicKey];
+ };
+
 borgstor = {
 enable = true;
 dataDir = "/data/borg";
diff --git a/modules/services/certget/default.nix b/modules/services/certget/default.nix
new file mode 100644
index 0000000..4237783
--- /dev/null
+++ b/modules/services/certget/default.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.mj.services.certget;
+in {
+ options.mj.services.certget = with lib.types; {
+ enable = lib.mkEnableOption "receive acme certs from somewhere";
+ uidgid = lib.mkOption {type = int;};
+ sshKeys = lib.mkOption {type = listOf str;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.certget = {
+ description = "Cert Getter";
+ home = "/var/lib/certget";
+ shell = "/bin/sh";
+ group = "certget";
+ isSystemUser = true;
+ createHome = true;
+ uid = cfg.uidgid;
+ openssh.authorizedKeys.keys =
+ map (
+ k: "command=\"${pkgs.rrsync}/bin/rrsync /var/lib/certget\",restrict ${k}"
+ )
+ cfg.sshKeys;
+ };
+ users.groups.certget.gid = cfg.uidgid;
+ };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index d07d8ac..4b093b2 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -6,6 +6,7 @@
 }: {
 imports = [
 ./borgstor
+ ./certget
 ./deployerbot
 ./friendlyport
 ./gitea
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
index 0c3e5d9..cf66a71 100644
--- a/modules/services/deployerbot/default.nix
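Review bot: The authorized_keys line built in the `map` over `cfg.sshKeys` applies `command=` and `restrict` but no `from=` clause, whereas the sibling deployerbot module pins its key to `sshAllowSubnets`; unless sshd_config restricts it elsewhere, any holder of the vno1-oh2 host key can push into /var/lib/certget from any source address. Consider mirroring that pattern with an option `sshAllowSubnets = lib.mkOption {type = listOf str; default = [];};` and prefixing `from=\"${lib.concatStringsSep "," cfg.sshAllowSubnets}\",` to `restrict` when the list is non-empty. rrsync is invoked without `-ro`/`-wo`, which is presumably intended because this is the receiving end — a comment on that line such as `# writable on purpose: the ACME host pushes renewed certs here; -wo would be tighter if the packaged rrsync supports it` would make the choice explicit for the next reader. The three options also lack `description`s; `uidgid` in particular should state that it is used for both the user's uid and the `certget` group's gid.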
+++ b/modules/services/deployerbot/default.nix
@@ -118,20 +118,18 @@ in {
 cfg = config.mj.services.deployerbot.follower;
 in
 lib.mkIf cfg.enable {
- users.users = {
- deployerbot-follower = {
- description = "Deployerbot Follower";
- home = "/var/lib/deployerbot-follower";
- shell = "/bin/sh";
- group = "deployerbot-follower";
- extraGroups = ["wheel"];
- isSystemUser = true;
- createHome = true;
- uid = cfg.uidgid;
- openssh.authorizedKeys.keys = let
- restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
- in [restrictedPubKey];
- };
+ users.users.deployerbot-follower = {
+ description = "Deployerbot Follower";
+ home = "/var/lib/deployerbot-follower";
+ shell = "/bin/sh";
+ group = "deployerbot-follower";
+ extraGroups = ["wheel"];
+ isSystemUser = true;
+ createHome = true;
+ uid = cfg.uidgid;
+ openssh.authorizedKeys.keys = let
+ restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
+ in [restrictedPubKey];
 };
 users.groups.deployerbot-follower.gid = cfg.uidgid;
 nix.settings.trusted-users = ["deployerbot-follower"];
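Review bot: The follower's key line (`restrictedPubKey`) carries only a `from=` source restriction and no `restrict` option, while the same account is in `extraGroups = ["wheel"]` and in `nix.settings.trusted-users`, so a holder of `cfg.publicKey` on an allowed subnet gets an unrestricted shell plus agent and port forwarding on a privileged account. The new certget module in this same commit does use `restrict` on its key, so the two modules now disagree on the pattern; if the deployer only needs a non-interactive channel, `"restrict,from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey` (re-adding `pty` only if it is actually needed) would narrow this without touching the network rule. If an interactive shell is required, a comment on that line saying so, e.g. `# full shell on purpose: deployer runs nixos-rebuild via sudo`, would save the next reviewer from re-asking — I am inferring the sudo path from `wheel`, so confirm. The `lib.mkIf cfg.enable {` attribute set continues past the end of this hunk.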