diff --git a/roles/dbscripts/files/lastsync.service b/roles/dbscripts/files/lastsync.service
index 703b6b77ef8d07e3d7a8a362e547189e6132b566..20c6753048940c4b59744a9dca01d74e6ffd1923 100644
--- a/roles/dbscripts/files/lastsync.service
+++ b/roles/dbscripts/files/lastsync.service
@@ -3,5 +3,5 @@ Description=lastsync
 
 [Service]
 Type=oneshot
-User=ftp
-ExecStart=/usr/bin/bash -c "date +%%s > /srv/ftp/lastsync"
+ExecStart=/usr/bin/bash -c "date +%%s > /srv/ftp/lastsync.tmp && \
+    mv /srv/ftp/lastsync.tmp /srv/ftp/lastsync"
diff --git a/roles/dbscripts/templates/rsyncd.conf.proto.j2 b/roles/dbscripts/templates/rsyncd.conf.proto.j2
index 2b61d0b7d9547be7105aabf1ec3c6f296ee01cfb..4e52328d92837f8dec8e383fe8580e7986ae416e 100644
--- a/roles/dbscripts/templates/rsyncd.conf.proto.j2
+++ b/roles/dbscripts/templates/rsyncd.conf.proto.j2
@@ -30,19 +30,19 @@ hosts deny = *
 [ftp]
 	path = /srv/ftp
 	comment = ftp area (most mirrors should use this)
-	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/ /lastsync.tmp
 
 [ftp_tier1]
 	path = /srv/ftp
 	comment = ftp area (most mirrors should use this)
-	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/ /lastsync.tmp
 	hosts allow = @@ALLOWHOSTS_TIER1@@
 	max connections = 0
 
 [ftp_auth]
 	path = /srv/ftp
 	comment = ftp area, passworded (same as 'ftp')
-	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/ /lastsync.tmp
 	hosts allow = *
 	auth users = *
 	secrets file = /etc/rsyncd.secrets
@@ -52,19 +52,19 @@ hosts deny = *
 [ftpfull]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions, except sources)
-	exclude = /sources/
+	exclude = /sources/ /lastsync.tmp
 
 [ftpfull_tier1]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions, except sources)
-	exclude = /sources/
+	exclude = /sources/ /lastsync.tmp
 	hosts allow = @@ALLOWHOSTS_TIER1@@
 	max connections = 0
 
 [ftpfull_auth]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions, except sources)
-	exclude = /sources/
+	exclude = /sources/ /lastsync.tmp
 	hosts allow = *
 	auth users = *
 	secrets file = /etc/rsyncd.secrets
@@ -74,17 +74,20 @@ hosts deny = *
 [kitchensink]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions)
+	exclude = /lastsync.tmp
 	hosts allow = {{ hostvars['archlinux.org']['ipv4_address'] }} {{ hostvars['archlinux.org']['ipv6_address'] }}
 
 [kitchensink_tier1]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions)
+	exclude = /lastsync.tmp
 	hosts allow = @@ALLOWHOSTS_TIER1@@ {{ hostvars['gemini.archlinux.org']['ipv4_address'] }} {{ hostvars['gemini.archlinux.org']['ipv6_address'] }} {{ hostvars['repos.archlinux.org']['ipv4_address'] }} {{ hostvars['repos.archlinux.org']['ipv6_address'] }}
 	max connections = 0
 
 [kitchensink_auth]
 	path = /srv/ftp
 	comment = ftp area (everything, including very old versions)
+	exclude = /lastsync.tmp
 	hosts allow = *
 	auth users = *
 	secrets file = /etc/rsyncd.secrets