diff --git a/acme-to-vault.nomad.hcl b/acme-to-vault.nomad.hcl
index cee062b..f72e7fd 100644
--- a/acme-to-vault.nomad.hcl
+++ b/acme-to-vault.nomad.hcl
@@ -9,6 +9,10 @@ job [[ .acme.job_name | toJSON ]] {
       mode = "bridge"
     }
 
+    ephemeral_disk {
+      size = 101
+    }
+
     service {
       name = "[[ .acme.job_name ]][[ .env.suffix ]]"
       port = 8787
@@ -29,6 +33,8 @@ job [[ .acme.job_name | toJSON ]] {
 
       config {
         image = [[ .acme.image | toJSON ]]
+        readonly_rootfs = true
+        pids_limit = 20
       }
 
       vault {
diff --git a/deps/common b/deps/common
index 026777b..31af380 160000
--- a/deps/common
+++ b/deps/common
@@ -1 +1 @@
-Subproject commit 026777bd644b84396138f1c3e940c93d1f78b563
+Subproject commit 31af38020d602f57674da408a8e628dba0c7c1af
diff --git a/images/acme-to-vault/root/usr/local/bin/acme-to-vault.sh b/images/acme-to-vault/root/usr/local/bin/acme-to-vault.sh
index f1907de..bdef423 100755
--- a/images/acme-to-vault/root/usr/local/bin/acme-to-vault.sh
+++ b/images/acme-to-vault/root/usr/local/bin/acme-to-vault.sh
@@ -66,9 +66,9 @@ main
 # If a cron expression is defined, run a cron daemon
 if [ -n "${ACME_CRON}" -a -z "${ACME_CRON_RUNNING:-}" ]; then
   echo "Running using cron with expression ${ACME_CRON}"
-  cat <<_EOF > /tmp/crontab
+  cat <<_EOF > /dev/shm/crontab
 ${ACME_CRON} /usr/local/bin/acme-to-vault.sh
 _EOF
   export ACME_CRON_RUNNING=true
-  supercronic /tmp/crontab
+  supercronic /dev/shm/crontab
 fi
diff --git a/variables.yml b/variables.yml
index 16b90fd..9ceada6 100644
--- a/variables.yml
+++ b/variables.yml
@@ -5,7 +5,7 @@ acme:
   job_name: acme-to-vault
 
   # The Docker image to use
-  image: danielberteaud/acme-to-vault:20230903-1
+  image: danielberteaud/acme-to-vault:23.09-1
 
   # If a cron expression is defined, the service will stay running and renew certs.
   # If an empty string, the container will exit after running once
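Review bot: The new `ephemeral_disk` block sets `size = 101` with no unit and no rationale; Nomad interprets this value in megabytes and 101 reads as an arbitrary number rather than a tuned one, so the next maintainer cannot tell whether it is safe to change. A short inline comment would settle that, e.g. `size = 101 # MB; raise if renewals fail with "no space left" in the alloc dir`. The enclosing `group` block starts outside this hunk.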
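Review bot: `pids_limit = 20` is a tight hard-coded cap with nothing explaining how it was chosen; in cron mode supercronic stays resident and each renewal forks a shell plus whatever subshells and helper processes the script uses, so exhausting the cap would most likely show up as sporadic fork failures in the logs rather than an obvious error. I would document it where it is set, `pids_limit = 20 # supercronic + one renewal run; raise if fork errors appear`, or expose it in variables.yml next to `image` so it can be tuned per environment. `readonly_rootfs = true` is a good hardening step, but it only holds if nothing else in the image writes under the root filesystem; the script change in this same commit moves only the crontab out of /tmp, and I cannot see from here whether the ACME client or the Vault login writes anywhere else, so a tmpfs `mount` for /tmp would make that failure mode less surprising. The enclosing `task` block starts outside this hunk.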
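Review bot: The path `/dev/shm/crontab` is now duplicated across the two changed lines and nothing in the script says why it moved off /tmp; the reason appears to be the read-only rootfs added to the Nomad job in this commit, which leaves /dev/shm as a writable tmpfs, but that dependency is invisible to anyone reading the script on its own. Hoist it once with the reason attached, `crontab_file=/dev/shm/crontab # writable tmpfs even when the rootfs is read-only`, and use `"${crontab_file}"` in both the `cat` redirection and the `supercronic` call. Since /dev/shm can be absent when the container runs with IPC disabled, a guard such as `[ -w /dev/shm ] || { echo "/dev/shm is not writable" >&2; exit 1; }` before the `cat` would fail loudly instead of letting supercronic start with a missing crontab, unless the script already runs under `set -e`, which I cannot see from this hunk.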