diff --git a/services/comms/guest-name-job.yaml b/services/comms/guest-name-job.yaml
index 21a8af5..3eae2dd 100644
--- a/services/comms/guest-name-job.yaml
+++ b/services/comms/guest-name-job.yaml
@@ -8,7 +8,7 @@ metadata:
 atlas.bstein.dev/glue: "true"
 spec:
 schedule: "*/1 * * * *"
- suspend: false
+ suspend: true
 concurrencyPolicy: Forbid
 successfulJobsHistoryLimit: 1
 failedJobsHistoryLimit: 1
diff --git a/services/maintenance/ariadne-deployment.yaml b/services/maintenance/ariadne-deployment.yaml
index 0543f80..cd0d38c 100644
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
@@ -78,6 +78,8 @@ spec:
 value: bstein-dev-home-admin
 - name: PORTAL_PUBLIC_BASE_URL
 value: https://bstein.dev
+ - name: ARIADNE_LOG_LEVEL
+ value: INFO
 - name: PORTAL_ADMIN_USERS
 value: bstein
 - name: PORTAL_ADMIN_GROUPS
@@ -120,6 +122,26 @@ spec:
 value: firefly-user-sync
 - name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
 value: "90"
+ - name: VAULT_NAMESPACE
+ value: vault
+ - name: VAULT_K8S_AUTH_CRONJOB
+ value: vault-k8s-auth-config
+ - name: VAULT_OIDC_CRONJOB
+ value: vault-oidc-config
+ - name: VAULT_JOB_WAIT_TIMEOUT_SEC
+ value: "120"
+ - name: COMMS_NAMESPACE
+ value: comms
+ - name: COMMS_GUEST_NAME_CRONJOB
+ value: guest-name-randomizer
+ - name: COMMS_PIN_INVITE_CRONJOB
+ value: pin-othrys-invite
+ - name: COMMS_RESET_ROOM_CRONJOB
+ value: othrys-room-reset
+ - name: COMMS_SEED_ROOM_CRONJOB
+ value: seed-othrys-room
+ - name: COMMS_JOB_WAIT_TIMEOUT_SEC
+ value: "60"
 - name: VAULTWARDEN_NAMESPACE
 value: vaultwarden
 - name: VAULTWARDEN_POD_LABEL
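Review bot: Flipping `suspend: true` leaves `schedule: "*/1 * * * *"` two lines above it as dead configuration: the CronJob controller will no longer fire this job, and nothing in the hunk records that Ariadne now instantiates it on its own ARIADNE_SCHEDULE_COMMS_GUEST_NAME timer. A one-line comment above the flipped line would keep the next reader from un-suspending it or editing a schedule that no longer has any effect, e.g. `# suspended on purpose: Ariadne (services/maintenance/ariadne-deployment.yaml) creates Jobs from this template on its own timer`. The same applies to the `suspend: true` lines added to services/vault/k8s-auth-config-cronjob.yaml and services/vault/oidc-config-cronjob.yaml later in this diff.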
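Review bot: Only one of the four comms CronJobs named in the new COMMS_*_CRONJOB block (guest-name-randomizer) is suspended by this commit; pin-othrys-invite, othrys-room-reset and seed-othrys-room are not touched here, so unless their specs are already suspended they would presumably run both on their own spec.schedule and on Ariadne's new ARIADNE_SCHEDULE_COMMS_* timers. That is worth confirming before merge, because `concurrencyPolicy: Forbid` only guards against overlapping runs owned by the CronJob itself and would not be expected to see a Job that Ariadne creates directly. The VAULT_*_CRONJOB and COMMS_*_CRONJOB values are also free-text names that must match each CronJob's metadata.name, which the diff does not show; a comment such as `# must match metadata.name of the CronJob in services/comms/` above the block would record that coupling.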
@@ -154,6 +176,18 @@ spec:
 value: "*/15 * * * *"
 - name: ARIADNE_SCHEDULE_WGER_ADMIN
 value: "15 3 * * *"
+ - name: ARIADNE_SCHEDULE_VAULT_K8S_AUTH
+ value: "*/15 * * * *"
+ - name: ARIADNE_SCHEDULE_VAULT_OIDC
+ value: "*/15 * * * *"
+ - name: ARIADNE_SCHEDULE_COMMS_GUEST_NAME
+ value: "*/1 * * * *"
+ - name: ARIADNE_SCHEDULE_COMMS_PIN_INVITE
+ value: "*/30 * * * *"
+ - name: ARIADNE_SCHEDULE_COMMS_RESET_ROOM
+ value: "0 0 1 1 *"
+ - name: ARIADNE_SCHEDULE_COMMS_SEED_ROOM
+ value: "*/10 * * * *"
 - name: WELCOME_EMAIL_ENABLED
 value: "true"
 - name: K8S_API_TIMEOUT_SEC
diff --git a/services/maintenance/ariadne-rbac.yaml b/services/maintenance/ariadne-rbac.yaml
new file mode 100644
index 0000000..8d2a2a9
--- /dev/null
+++ b/services/maintenance/ariadne-rbac.yaml
@@ -0,0 +1,29 @@
+# services/maintenance/ariadne-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ariadne-job-spawner
+rules:
+ - apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ariadne-job-spawner
+subjects:
+ - kind: ServiceAccount
+ name: ariadne
+ namespace: maintenance
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ariadne-job-spawner
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 80c61df..0810f5e 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - vault-serviceaccount.yaml
 - vault-sync-deployment.yaml
 - ariadne-serviceaccount.yaml
+ - ariadne-rbac.yaml
 - disable-k3s-traefik-serviceaccount.yaml
 - k3s-traefik-cleanup-rbac.yaml
 - node-nofile-serviceaccount.yaml
diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml
index 29e8e80..e7cca14 100644
--- a/services/vault/k8s-auth-config-cronjob.yaml
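Review bot: `ARIADNE_SCHEDULE_COMMS_RESET_ROOM` is set to `"0 0 1 1 *"`, which makes Ariadne spawn the othrys-room-reset job once a year at midnight on 1 January; for a job whose name suggests a destructive reset, the hunk does not say whether that yearly run is wanted or whether the value is a stand-in for "manual only". If it is the latter, an empty or sentinel value would be safer than a real cron expression, provided the Ariadne scheduler supports one, and either way a comment such as `# yearly by design; trigger manually for ad-hoc resets` beside the entry would settle the intent. The other five entries repeat the spec.schedule of the CronJobs this commit suspends, so the effective cadence now lives in two places and a pointer comment on the first ARIADNE_SCHEDULE_* line would help keep them in step.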
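Review bot: The ClusterRole grants `create` on both `cronjobs` and `jobs` in every namespace, which is broader than what the rest of this commit uses: the new env block only names existing CronJobs in the `vault` and `comms` namespaces, and nothing in the diff shows Ariadne creating CronJob objects. Because cluster-wide `create` on jobs lets the `maintenance/ariadne` ServiceAccount run arbitrary pod specs in any namespace, I would split the rule so cronjobs stay read-only and only jobs get `create`, and consider a namespaced Role plus RoleBinding in `vault` and `comms` (subject still `maintenance/ariadne`) instead of the ClusterRoleBinding, unless Ariadne already reaches other namespaces through a binding outside this diff. ariadne-serviceaccount.yaml is referenced in the kustomization hunk but its contents are not shown here, so that assumption is worth checking.
```yaml
rules:
  - apiGroups: ["batch"]
    resources:
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["batch"]
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
# … unchanged: ClusterRoleBinding document …
```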
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@@ -8,6 +8,7 @@ metadata:
 atlas.bstein.dev/glue: "true"
 spec:
 schedule: "*/15 * * * *"
+ suspend: true
 concurrencyPolicy: Forbid
 successfulJobsHistoryLimit: 1
 failedJobsHistoryLimit: 3
diff --git a/services/vault/oidc-config-cronjob.yaml b/services/vault/oidc-config-cronjob.yaml
index 013c9f3..4d317c5 100644
--- a/services/vault/oidc-config-cronjob.yaml
+++ b/services/vault/oidc-config-cronjob.yaml
@@ -8,6 +8,7 @@ metadata:
 atlas.bstein.dev/glue: "true"
 spec:
 schedule: "*/15 * * * *"
+ suspend: true
 concurrencyPolicy: Forbid
 successfulJobsHistoryLimit: 1
 failedJobsHistoryLimit: 3