diff --git a/acme_rsync_caladan/Makefile b/caladan/acme_rsync/Makefile
similarity index 100%
rename from acme_rsync_caladan/Makefile
rename to caladan/acme_rsync/Makefile
diff --git a/acme_rsync_fugu/Makefile b/fugu/acme_rsync/Makefile
similarity index 100%
rename from acme_rsync_fugu/Makefile
rename to fugu/acme_rsync/Makefile
diff --git a/acme_renew/Makefile b/narwhal/acme_renew/Makefile
similarity index 100%
rename from acme_renew/Makefile
rename to narwhal/acme_renew/Makefile
diff --git a/acme_renew/README.md b/narwhal/acme_renew/README.md
similarity index 100%
rename from acme_renew/README.md
rename to narwhal/acme_renew/README.md
diff --git a/ddns/Makefile b/narwhal/ddns/Makefile
similarity index 100%
rename from ddns/Makefile
rename to narwhal/ddns/Makefile
diff --git a/ddns/README.md b/narwhal/ddns/README.md
similarity index 100%
rename from ddns/README.md
rename to narwhal/ddns/README.md
diff --git a/pikvm/acme_rsync/Makefile b/pikvm/acme_rsync/Makefile
new file mode 100644
index 0000000..a53f15c
--- /dev/null
+++ b/pikvm/acme_rsync/Makefile
@@ -0,0 +1,67 @@
+# because we are using pikvm here and making use of its persistent storage,
+# remember to run it as `kvmd-pstrun make`
+# https://docs.pikvm.org/pst/
+
+ifdef KVMD_PST_DATA # should be set to `/var/lib/kvmd/pst/data`
+DATA_DIR := $(KVMD_PST_DATA)
+else
+DATA_DIR := /tmp
+endif
+
+WD=$(DATA_DIR)/dags/acme_rsync
+
+.PHONY: all sync_certs
+
+NGINX_RELOAD=$(WD)/nginx_reload
+
+all: sync_certs $(NGINX_RELOAD)
+
+###############################################################################
+
+ACME_DIR=$(DATA_DIR)/acme
+DOMAIN=monotremata.xyz
+CERT_PATH=$(ACME_DIR)/$(DOMAIN)
+CERT=$(CERT_PATH)/fullchain.cer
+KEY=$(CERT_PATH)/$(DOMAIN).key
+
+###############################################################################
+
+$(CERT): sync_certs
+$(KEY): sync_certs
+
+###############################################################################
+# Sync the certificates using rsync. Because `sync` is a phony
+# target, it will be run each time, but the certificate files will only be
+# updated if a renewal happens
+
+$(CERT): sync_certs
+$(KEY): sync_certs
+
+RSYNCD_HOST=narwhal
+RSYNCD_USER=user
+
+GOPASS=doas -u gopass gopass
+RSYNC_PASSWORD = $(shell $(GOPASS) $(RSYNCD_HOST)/rsyncd/$(RSYNCD_USER))
+
+REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@10.0.0.5/acme
+RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable
+
+sync_certs:
+ mkdir -p $(ACME_DIR)
+ @echo "data dir: $(DATA_DIR)"
+ @echo "running rsync"
+ @export RSYNC_PASSWORD=$(RSYNC_PASSWORD); \
+ rsync \
+ $(RSYNC_OPTS) \
+ $(REMOTE_ACME_PATH) \
+ $(ACME_DIR)
+
+###############################################################################
+
+$(NGINX_RELOAD): $(CERT) $(KEY)
+ @echo "reloading nginx"
+ mkdir -p $(@D)
+ systemctl reload kvmd-nginx
+ touch $@
+
+###############################################################################
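Review bot: In the `sync_certs` recipe, `export RSYNC_PASSWORD=$(RSYNC_PASSWORD);` makes make paste the gopass output unquoted into the shell command text, so the secret shows up in the `sh -c` argument list and in `make -n` / `--trace` output, and any whitespace or shell metacharacter in it changes the command that runs. Fetching it inside the shell keeps it out of the expanded recipe: `@RSYNC_PASSWORD="$$($(GOPASS) $(RSYNCD_HOST)/rsyncd/$(RSYNCD_USER))" rsync $(RSYNC_OPTS) $(REMOTE_ACME_PATH) $(ACME_DIR)`. Separately, the `else` branch sets `DATA_DIR := /tmp`, so a run without `kvmd-pstrun` syncs the private key (with `--delete`) into a predictable path under a world-writable directory; putting `$(error KVMD_PST_DATA is not set; run as kvmd-pstrun make)` there would fail closed instead. The `rsync://` daemon transfer is not encrypted on its own, so a comment stating what protects the key in transit from 10.0.0.5 (presumably a tunnel or trusted LAN) would help the next reader.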