diff --git a/tasks/rosetta/configure_maintenance.yml b/tasks/rosetta/configure_maintenance.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e4c390dfe27cf0c312f40e9afebfa5617b414c3d
--- /dev/null
+++ b/tasks/rosetta/configure_maintenance.yml
@@ -0,0 +1,35 @@
+---
+# ZIH has monthly maintenance windows for their VMware environment, which also
+# affects the Library Manager VMs used by SLUBArchiv.digital. This time window
+# is also used for upgrading the OS and IBM packages on the storage servers. To
+# make sure that there is no write/read access during that time, we shutdown
+# Rosetta and start them afterwards using systemd timers.
+- name: create directory for SystemD units
+  ansible.builtin.file:
+    path: "/usr/local/lib/systemd/system/"
+    mode: "0755"
+    state: directory
+    owner: "root"
+    group: "root"
+- name: install Rosetta maintenance services and timers
+  ansible.builtin.template:
+    src: "usr/local/lib/systemd/system/{{ item }}.j2"
+    dest: "/usr/local/lib/systemd/system/{{ item }}"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  loop:
+    - "rosetta_maintenance_begin.service"
+    - "rosetta_maintenance_begin.timer"
+    - "rosetta_maintenance_end.timer"
+- name: enable Rosetta maintenance services and timers
+  ansible.builtin.systemd:
+    name: "{{ item.name }}"
+    enabled: "{{ item.enabled | default(true) }}"
+    state: "{{ item.state | default('started') }}"
+    daemon_reload: true
+  loop:
+    - name: "rosetta_maintenance_begin.service"
+      state: "stopped"
+    - name: "rosetta_maintenance_begin.timer"
+    - name: "rosetta_maintenance_end.timer"
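Review bot: The last task enables `rosetta_maintenance_begin.service` itself, because its loop entry sets only `state: "stopped"` and `enabled` falls back to `default(true)`. The service template in this commit declares `WantedBy=multi-user.target` and `Conflicts=exlibris.service`, so once enabled it is pulled into every boot, where it presumably competes with exlibris.service and may leave Rosetta stopped after a reboot. Only the timer should activate this unit, so add `enabled: false` to that loop entry and consider dropping the `[Install]` section from the service template. Since all three units come from templates, a `validate`-style check with `systemd-analyze verify` before enabling would also catch syntax mistakes early.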
diff --git a/tasks/rosetta/main_rosetta.yml b/tasks/rosetta/main_rosetta.yml
index 651543e9e370fce83adff2cca280949d579efe52..1b8bce032eb515183a43c8fc0ec3259e81a8c39c 100644
--- a/tasks/rosetta/main_rosetta.yml
+++ b/tasks/rosetta/main_rosetta.yml
@@ -13,6 +13,9 @@
 - name: configure Rosetta prerequisites
   ansible.builtin.import_tasks: "rosetta/configure_rosetta_prerequisites.yml"
   tags: [rosetta]
+- name: configure Rosetta maintenance timer
+  ansible.builtin.import_tasks: "rosetta/configure_maintenance.yml"
+  tags: [rosetta, maintenance, systemd, timer, cron, cronjob]
 - name: install Check_MK plugins for Rosetta
   ansible.builtin.import_tasks: "rosetta/install_checkmk_plugins_rosetta.yml"
   tags: [checkmk, monitoring]
diff --git a/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.service.j2 b/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..056d22d47836c774352f9556e7826a3448a5d773
--- /dev/null
+++ b/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.service.j2
@@ -0,0 +1,36 @@
+[Unit]
+Description=stop Rosetta for monthly maintenance at ZIH
+After=remote-fs.target
+Conflicts=exlibris.service
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=true
+User={{ vault_rosetta_user }}
+Group={{ vault_rosetta_group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# or at `man (5) systemd.exec`
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+#RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target
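Review bot: `ExecStart=true` relies on systemd resolving a bare command name; as far as I know older systemd releases reject a non-absolute executable path, so `ExecStart=/bin/true` is the safer spelling, and `Type=oneshot` fits a command that exits immediately better than `Type=simple`. The hardening block deserves a comment above it, such as `# these directives only confine the no-op ExecStart process; exlibris.service is stopped by systemd itself through Conflicts=`. Without it, `User=` and the `Protect*` settings read as if they restricted the stop action, which they do not.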
diff --git a/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.timer.j2 b/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.timer.j2
new file mode 100644
index 0000000000000000000000000000000000000000..32991bc2f1fa90f1f122f9f5c7f501bbb227b8df
--- /dev/null
+++ b/templates/usr/local/lib/systemd/system/rosetta_maintenance_begin.timer.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=timer for rosetta_maintenance.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+OnCalendar=Tue *-*-01..07 08:00:00
+Unit=rosetta_maintenance_begin
+
+[Install]
+WantedBy=default.target
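Review bot: `Unit=rosetta_maintenance_begin` carries no unit type suffix; as far as I know systemd ignores such a value with a warning, and the timer then only works because it falls back to the service that shares the timer's name. Write `Unit=rosetta_maintenance_begin.service` so the target is explicit and does not depend on that fallback. The `Description=` also names `rosetta_maintenance.service`, which this commit does not create; `Description=timer for rosetta_maintenance_begin.service` would match the installed unit.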
diff --git a/templates/usr/local/lib/systemd/system/rosetta_maintenance_end.timer.j2 b/templates/usr/local/lib/systemd/system/rosetta_maintenance_end.timer.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7a5522d4a6283b3c0b5c98ec1671b0872edd90fe
--- /dev/null
+++ b/templates/usr/local/lib/systemd/system/rosetta_maintenance_end.timer.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=timer for rosetta_maintenance.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+OnCalendar=Tue *-*-01..07 11:00:00
+Unit=exlibris.service
+
+[Install]
+WantedBy=default.target
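Review bot: This timer starts `exlibris.service` unconditionally at 11:00, whether or not the storage servers and Library Manager VMs are available again, and nothing in the unit documents that assumption. Add a comment such as `# assumes the ZIH maintenance window has ended by 11:00; Rosetta is started regardless of storage state`. The copied `Description=timer for rosetta_maintenance.service` should become something like `Description=start Rosetta after monthly maintenance at ZIH`, and the comment `# run on the 1st Tuesday of each month` could mention that this is the end of the window. Without `Persistent=true`, a host that is powered off at 11:00 skips this timer run, which may be worth stating too.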