diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 71c24e78..506f4ba2 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -137,7 +137,8 @@ class md_repo_client {
 }
 }
 
-class md_signer($dest_host=undef,$dest_dir="") {
+class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
+ $pkcs11pin = hiera('pkcs11pin',"")
 package { ['xsltproc','libxml2-utils']: ensure => latest } ->
 sunet::snippets::secret_file {"/etc/credentials/metadata.key":
 hiera_key => 'eidas_metadata_key',
@@ -149,6 +150,21 @@ class md_signer($dest_host=undef,$dest_dir="") {
 pipeline => "${name}.fd",
 volumes => ["/etc/credentials:/etc/credentials"]
 }
+ file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
+ sunet::docker_run {"${name}_hsmproxy":
+ hostname => "${::fqdn}",
+ image => 'docker.sunet.se/luna-client',
+ imagetag => $luna_version,
+ volumes => ['/dev/log:/dev/log','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
+ env => ["PKCS11PIN=${pkcs11pin}"]
+ }
+ sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
+ cmd => "/usr/sbin/service docker-${name}-hsmproxy restart'",
+ minute => '9',
+ hour => '0',
+ ok_criteria => ['exit_status=0','max_age=48h'],
+ warn_criteria => ['exit_status=1','max_age=50h'],
+ }
 if ($dest_host) {
 sunet::ssh_host_credential { "${name}-publish-credential":
 hostname => $dest_host,
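Review bot: `$pkcs11pin = hiera('pkcs11pin',"")` defaults the HSM PIN to an empty string, so a host whose hiera data lacks the key still compiles a catalog and starts the luna-client container with `PKCS11PIN=`, and the problem surfaces only when signing fails instead of at catalog compile time; dropping the default, `$pkcs11pin = hiera('pkcs11pin')`, makes a missing key abort the run. The lookup also deserves a comment saying it is a secret, since the value is interpolated into a container `env` entry in the next hunk and is then readable through `docker inspect` and the container's process environment by anyone with access to the docker socket on the host, which is a broader audience than the `sunet::snippets::secret_file` path used for the metadata key a few lines below. The `$luna_version="6.2"` parameter is fine but is undocumented; a one-line comment naming it as the luna-client image tag would help. The body of md_signer continues outside this hunk.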
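Review bot: The `cmd` of `${name}_restart_hsmproxy` carries a stray `'` inside the double-quoted string (`... restart'"`), so cron runs `service docker-md_signer-hsmproxy restart'` and the shell rejects the unterminated quote; the line should be `cmd => "/usr/sbin/service docker-${name}-hsmproxy restart",`. The restart also targets `docker-${name}-hsmproxy` while the `sunet::docker_run` resource is titled `${name}_hsmproxy`, so unless that define maps underscores in the title to hyphens in the service unit name the cron job restarts a service that does not exist; worth confirming against `sunet::docker_run` before merging. With `ok_criteria` requiring `exit_status=0`, either defect shows up as a scriptherder alert every night rather than as a broken signer, which is at least detectable but noisy. The cronjob has no ordering relation to the `file`/`docker_run` chain above it, which is harmless here because cron only fires at 00:09. The md_signer body continues outside this hunk.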