diff --git a/deploy.sh b/deploy.sh
index 1354fd3..a30b8c6 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -72,5 +72,5 @@ consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YE
 EOF
 ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
-ssh -F ssh_config $SSH_DEST rm -rv $TMP_PATH
+ssh -F ssh_config $SSH_DEST rm -rv '/tmp/tmp-deploy-*'
 done
diff --git a/genpki.sh b/genpki.sh
index be10f6f..0ee6331 100755
--- a/genpki.sh
+++ b/genpki.sh
@@ -45,7 +45,8 @@ O = Deuxfleurs
 CN = $APP
 [v3_req]
-keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
@@ -85,7 +86,8 @@ O = Deuxfleurs
 CN = $APP-client
 [v3_req]
-keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment
+extendedKeyUsage = clientAuth
 subjectAltName = @alt_names
 [alt_names]
@@ -97,8 +99,8 @@ EOF
 rm $CERT-client.csr
 fi
-if [ ! -f $CERT-client.p12 ]; then
-openssl pkcs12 -export -out $CERT-client.p12 \
-  -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
-fi
+#if [ ! -f $CERT-client.p12 ]; then
+# openssl pkcs12 -export -out $CERT-client.p12 \
+# -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
+#fi
 done
diff --git a/site/neptune.nix b/site/neptune.nix
index 781e512..f7517c2 100644
--- a/site/neptune.nix
+++ b/site/neptune.nix
@@ -9,4 +9,12 @@
 services.nomad.settings.datacenter = "neptune";
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+services.cron = {
+  enable = true;
+  systemCronJobs = [
+    "0 2 * * * ${config.system.path}/bin/nix-collect-garbage --delete-older-than 10d"
+    "30 2 * * * ${config.system.path}/bin/docker run --rm -it -v /var/lib/drone/nix:/nix nixpkgs/nix:nixos-21.05 nix-collect-garbage --delete-older-than 10d"
+  ];
+};
 }
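Review bot: The new cleanup line removes every `/tmp/tmp-deploy-*` on the remote host instead of this run's directory, because the single quotes only protect the glob from the local shell and the remote login shell expands it; any other deploy in progress against the same host loses its staging directory mid-run, and the command also sweeps up matching names this script never created. If the old `rm -rv $TMP_PATH` was failing because `sudo sh $TMP_PATH/deploy.sh` left root-owned files behind (inferred, the remote script is not visible here), the narrower fix is to remove the exact path as root: `ssh -F ssh_config "$SSH_DEST" sudo rm -rv -- "$TMP_PATH"`. Both ssh lines also leave `$SSH_DEST` and `$TMP_PATH` unquoted. The enclosing loop starts outside the hunk.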
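Review bot: Moving `serverAuth, clientAuth` into `extendedKeyUsage` corrects the misplaced EKU names, but the `keyUsage` that remains still grants `keyCertSign` to an end-entity certificate (`CN = $APP`) and omits `digitalSignature`, which RFC 5280 requires for any TLS handshake that signs with the key (all (EC)DHE suites and every TLS 1.3 suite) and which strict verifiers enforce; `keyEncipherment` only covers RSA key transport. The `CN = $APP-client` block in the next hunk has the same problem. I would write `keyUsage = digitalSignature, keyEncipherment` for the server template, `keyUsage = digitalSignature` for the client template, and add `basicConstraints = CA:FALSE` to both so a leaf can never act as an issuer. Whether these `[v3_req]` values reach the signed certificate at all depends on the signing step (`-extensions`/`-extfile` or `-copy_extensions`), which is outside the hunk.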
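Review bot: Commenting out the PKCS#12 export leaves four lines of dead code in the loop with no record of why it was disabled; git already keeps the history, so delete them or replace them with a single `# p12 export disabled: <reason>` line. The disabled invocation was also wrong as written: `-in` is passed twice, so `$CERT-client.crt` replaced `$APP-ca.pem` rather than bundling the chain, and the CA belongs in `-certfile $APP-ca.pem` if the export is ever revived; `-export` without `-passout` additionally prompts for a password, which matters if the script is meant to run unattended. The enclosing loop starts outside the hunk.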
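Review bot: The second cron entry fails before the container starts, because `docker run --rm -it` requests a TTY and cron supplies none, so Docker exits with "the input device is not a TTY"; drop `-it`, i.e. `"30 2 * * * ${config.system.path}/bin/docker run --rm -v /var/lib/drone/nix:/nix nixpkgs/nix:nixos-21.05 nix-collect-garbage --delete-older-than 10d"`. The image is also referenced by the mutable tag `nixpkgs/nix:nixos-21.05`, so the binary run as root over the Drone store can change silently whenever the tag is re-pushed; pinning it as `nixpkgs/nix@sha256:<IMAGE_DIGEST>` (placeholder, resolve from the registry) makes the job reproducible. Finally, the GC runs over `/var/lib/drone/nix` at 02:30 while Drone builds may still be in flight; presumably the store's own GC roots protect live build outputs, but that is worth confirming before relying on this schedule.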