diff --git a/Propellor/Property/Cmd.hs b/Propellor/Property/Cmd.hs
index dc5073d..f661cf8 100644
--- a/Propellor/Property/Cmd.hs
+++ b/Propellor/Property/Cmd.hs
@@ -4,6 +4,7 @@ module Propellor.Property.Cmd (
 	scriptProperty,
 	userScriptProperty,
 	serviceRunning,
+	serviceRestarted,
 ) where
 
 import Control.Monad
@@ -47,13 +48,21 @@ userScriptProperty user script = cmdProperty "su" ["-c", shellcmd, user]
   where
 	shellcmd = intercalate " ; " ("set -e" : "cd" : script)
 
+type ServiceName = String
+
 -- | Ensures that a service is running.
 --
 -- Note that due to the general poor state of init scripts, the best
 -- we can do is try to start the service, and if it fails, assume
 -- this means it's already running.
-serviceRunning :: String -> Property
+serviceRunning :: ServiceName -> Property
 serviceRunning svc = Property ("running " ++ svc) $ do
 	void $ ensureProperty $
 		scriptProperty ["service " ++ shellEscape svc ++ " start >/dev/null 2>&1 || true"]
 	return NoChange
+
+serviceRestarted :: ServiceName -> Property
+serviceRestarted svc = Property ("restarted " ++ svc) $ do
+	void $ ensureProperty $
+		scriptProperty ["service " ++ shellEscape svc ++ " restart >/dev/null 2>&1 || true"]
+	return NoChange
diff --git a/Propellor/Property/OpenId.hs b/Propellor/Property/OpenId.hs
index 4ebf18f..0f207a5 100644
--- a/Propellor/Property/OpenId.hs
+++ b/Propellor/Property/OpenId.hs
@@ -9,6 +9,8 @@ providerFor users = propertyList ("openid provider") $
 	[ serviceRunning "apache2"
 		`requires` Apt.installed ["apache2"]
 	, Apt.installed ["simpleid"]
+		`onChange` serviceRestarted "apache2"
+	, serviceRestarted "apache2"
 	] ++ map identfile users
   where
 	identfile u = File.hasPrivContent $ concat
diff --git a/config-joey.hs b/config-joey.hs
index 4d4b8f1..c57dd5a 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -71,6 +71,7 @@ container _parenthost name
 			& serviceRunning "apache2"
 				`requires` Apt.installed ["apache2"]
 		]
+
 	-- My own openid provider. Uses php, so containerized for security
 	-- and administrative sanity.
 	| name == "openid-provider" = Just $ Docker.containerFrom