diff --git a/services/maintenance/rpi-resource-reservation-daemonset.yaml b/services/maintenance/rpi-resource-reservation-daemonset.yaml
index fa8324e7..2172afd2 100644
--- a/services/maintenance/rpi-resource-reservation-daemonset.yaml
+++ b/services/maintenance/rpi-resource-reservation-daemonset.yaml
@@ -15,7 +15,7 @@ spec:
       labels:
         app: rpi-resource-reservation
       annotations:
-        atlas.bstein.dev/reservation-revision: "2026-05-19-2"
+        atlas.bstein.dev/reservation-revision: "2026-05-19-3"
     spec:
       serviceAccountName: node-nofile
       nodeSelector:
diff --git a/services/maintenance/scripts/rpi_resource_reservation.sh b/services/maintenance/scripts/rpi_resource_reservation.sh
index 65a67042..86b07c3b 100644
--- a/services/maintenance/scripts/rpi_resource_reservation.sh
+++ b/services/maintenance/scripts/rpi_resource_reservation.sh
@@ -8,6 +8,8 @@ config_dir="${host_root}/etc/rancher/k3s/config.yaml.d"
 config_file="${config_dir}/90-atlas-rpi-reservations.yaml"
 kubelet_config_dir="${host_root}/var/lib/rancher/k3s/agent/etc/kubelet.conf.d"
 kubelet_config_file="${kubelet_config_dir}/90-atlas-rpi-reservations.conf"
+systemd_override_dir="${host_root}/etc/systemd/system/${unit}.service.d"
+systemd_override_file="${systemd_override_dir}/90-atlas-rpi-reservations.conf"
 
 if [ ! -f "${unit_file}" ]; then
   echo "k3s-agent unit not found; this guardrail only manages worker agents"
@@ -70,6 +72,28 @@ if [ ! -f "${kubelet_config_file}" ] || ! cmp -s "${kubelet_tmp_file}" "${kubele
 fi
 rm -f "${kubelet_tmp_file}"
 
+override_tmp_file="$(mktemp)"
+cat > "${override_tmp_file}" <<'EOF'
+[Service]
+UnsetEnvironment=K3S_KUBELET_ARG
+ExecStart=
+ExecStart=/usr/local/bin/k3s agent \
+  --kubelet-arg=container-log-max-files=2 \
+  --kubelet-arg=system-reserved=cpu=250m,memory=384Mi,ephemeral-storage=1Gi \
+  --kubelet-arg=kube-reserved=cpu=150m,memory=256Mi,ephemeral-storage=1Gi \
+  --kubelet-arg=eviction-hard=memory.available<512Mi,nodefs.available<10%,imagefs.available<10% \
+  --kubelet-arg=eviction-soft=memory.available<768Mi,nodefs.available<15%,imagefs.available<15% \
+  --kubelet-arg=eviction-soft-grace-period=memory.available=1m,nodefs.available=2m,imagefs.available=2m \
+  --kubelet-arg=eviction-max-pod-grace-period=60
+EOF
+
+if [ ! -f "${systemd_override_file}" ] || ! cmp -s "${override_tmp_file}" "${systemd_override_file}"; then
+  mkdir -p "${systemd_override_dir}"
+  install -m 0644 "${override_tmp_file}" "${systemd_override_file}"
+  changed=1
+fi
+rm -f "${override_tmp_file}"
+
 if [ "${changed}" -eq 1 ]; then
   delay="$(( (RANDOM % 420) + 30 ))"
   echo "updated RPi kubelet reservations; restarting ${unit} after ${delay}s"