diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index 252b6dfe4965b89de1746ff4e9f017511d5b76d4..b4dcd416229a253d8161fcdc02df5bdf1c6c4ae7 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -43,7 +43,7 @@
     - { role: uwsgi, tags: ['uwsgi'] }
     - { role: php-fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
     - { role: memcached, tags: ['memcached'] }
-    - { role: archweb, tags: ["archweb"] }
+    - { role: archweb, archweb_planet: true, tags: ["archweb"] }
     - role: security_tracker
       security_tracker_domain: "security.archlinux.org"
       security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 4baa8bcbc16cd71f2fb5a402a43e8a7e9e444344..ab72bc39d75d2d95b6932be179ddf925418fb3f5 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -165,6 +165,18 @@
     - daemon reload
   when: archweb_services or archweb_populate_signoffs
 
+- name: install planet service
+  template: src="archweb-planet.service.j2" dest="/etc/systemd/system/archweb-planet.service" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
+- name: install planet timer
+  template: src="archweb-planet.timer.j2" dest="/etc/systemd/system/archweb-planet.timer" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
 - name: install pgp_import service
   template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
   notify:
@@ -273,6 +285,10 @@
   service: name="archweb-populate_signoffs.timer" enabled=yes state=started
   when: archweb_services or archweb_populate_signoffs
 
+- name: start and enable archweb planet timer
+  service: name="archweb-planet.timer" enabled=yes state=started
+  when: archweb_planet
+
 - name: start and enable archweb donor_import timer
   service: name="archweb-donor_import.timer" enabled=yes state=started
   when: archweb_donor_import|bool
diff --git a/roles/archweb/templates/archweb-planet.service.j2 b/roles/archweb/templates/archweb-planet.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d23b7a39ad154cd9b5adb4acfd973040da7008f6
--- /dev/null
+++ b/roles/archweb/templates/archweb-planet.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=archweb update planet service
+After=network.target
+
+[Service]
+Type=oneshot
+User=archweb
+WorkingDirectory={{ archweb_dir }}
+ExecStart={{ archweb_dir }}/env/bin/python manage.py update_planet -v3
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/archweb/templates/archweb-planet.timer.j2 b/roles/archweb/templates/archweb-planet.timer.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7ebd26be57281e5884084cd3b728d6c28c49b148
--- /dev/null
+++ b/roles/archweb/templates/archweb-planet.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=archweb planet timer
+
+[Timer]
+OnUnitActiveSec=60m
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target