diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index a5f2575aaef5fca0cf15f5d125981f150a0f20a3..c4d8bcdb87c0386d4ca59ee30676e9c292f8fd6b 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -174,10 +174,15 @@ in {
       nginxExporterTargets = [];
     };
 
-    services.private-storage.monitoring.grafana = {
+    grafana = {
       inherit (cfg) googleOAuthClientID enableSlackAlert enableZulipAlert;
       inherit letsEncryptAdminEmail;
       domains = cfg.monitoringDomains;
+      prometheusUrl = "http://localhost:9090/";
+      lokiUrl = "http://localhost:3100/";
+      googleOAuthClientSecretFile = /run/keys/grafana-google-sso.secret;
+      adminPasswordFile = /run/keys/grafana-admin.password;
+      metricsAllowedIp = "${monitoringvpnIPv4}/24";
     };
 
     services.private-storage.monitoring.exporters.node.enable = true;
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 5299829ccc7fec081e9ccb4f0e41c66daa8a0251..6e78f53f5bef77c6fe737f8202e0abf39459cd28 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -6,26 +6,26 @@
 { config, lib, ... }:
 
 let
-  cfg = config.services.private-storage.monitoring.grafana;
+  cfg = config.grafana;
 
 in {
 
-  options.services.private-storage.monitoring.grafana = {
+  options.grafana = {
     domains = lib.mkOption
     { type = lib.types.listOf lib.types.str;
-      example = [ "grafana.grid.private.storage" ];
+      example = [ "grafana.example.com" ];
       description = "The domain names at which the server is reachable.";
     };
     prometheusUrl = lib.mkOption
     { type = lib.types.str;
       example = "http://prometheus:9090/";
-      default = "http://localhost:9090/";
+      default = "";
       description = "The URL of the Prometheus host to access";
     };
     lokiUrl = lib.mkOption
     { type = lib.types.str;
       example = "http://loki:3100/";
-      default = "http://localhost:3100/";
+      default = "";
       description = "The URL of the Loki host to access";
     };
     letsEncryptAdminEmail = lib.mkOption
@@ -35,22 +35,28 @@ in {
         operational contact for the service's TLS certificate.
       '';
     };
+    allowAnonymousViewers = lib.mkOption
+    { type = lib.types.bool;
+      default = false;
+      description = ''
+        Allow read access w/o any authentication.
+      '';
+    };
     googleOAuthClientID = lib.mkOption
     { type = lib.types.str;
       example = "grafana-staging-345678";
-      default = "replace-by-your-client-id-or-set-empty-string-for-anonymous-access";
-      description = "The GSuite OAuth2 SSO Client ID.  Empty string turns SSO auth off and anonymous (free for all) access on.";
+      default = "";
+      description = "The GSuite OAuth2 SSO Client ID.";
     };
     googleOAuthClientSecretFile = lib.mkOption
     { type = lib.types.path;
-      example = /var/secret/monitoring-gsuite-client-secret;
-      default = /run/keys/grafana-google-sso.secret;
+      example = /var/secret/grafana-gsuite-client-secret;
+      default = "";
       description = "The path to the GSuite SSO secret file.";
     };
     adminPasswordFile = lib.mkOption
     { type = lib.types.path;
-      example = "/var/secret/monitoring-admin-password";
-      default = /run/keys/grafana-admin.password;
+      example = "/run/secrets/grafana-admin-password";
       description = "A file containing the password for the Grafana Admin account.";
     };
     enableSlackAlert = lib.mkOption
@@ -83,6 +89,12 @@ in {
         Where to find the file that containts the Zulip URL.
       '';
     };
+    metricsAllowedIp = lib.mkOption
+    { type = lib.types.str;
+      example = "192.168.0.0/24";
+      default = "0.0.0.0/0";
+      description = "The IP subnet allowd to access metrics";
+    };
   };
 
   config =
@@ -123,13 +135,13 @@ in {
         # The auth sections since NixOS 22.11 are named a bit funky with a dot in the name
         #
         # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication
-        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
-        "auth.anonymous" = lib.mkIf (cfg.googleOAuthClientID == "") {
+        "auth.anonymous" = lib.mkIf (cfg.allowAnonymousViewers) {
           enabled = true;
-          org_role = "Admin";
+          org_role = "Viewer";
           org_name = "Main Org.";
         };
-        "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "") {
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
+        "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "" && cfg.googleOAuthClientSecretFile != "") {
           enabled = true;
           # Grafana considers it "sign up" to let in a user it has
           # never seen before.
@@ -148,20 +160,21 @@ in {
       provision = {
         enable = true;
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
-        datasources.settings.datasources = [{
+        datasources.settings.datasources =
+        [ ] ++ (lib.optionals (cfg.prometheusUrl != "") [{
           name = "Prometheus";
           type = "prometheus";
           uid = "LocalPrometheus";
           access = "proxy";
           url = cfg.prometheusUrl;
           isDefault = true;
-        } {
+        }]) ++ (lib.optionals (cfg.lokiUrl != "") [{
           name = "Loki";
           type = "loki";
           uid = "LocalLoki";
           access = "proxy";
           url = cfg.lokiUrl;
-        }];
+        }]);
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
         dashboards.settings.providers = [{
           name = "provisioned";
@@ -221,10 +234,9 @@ in {
           proxyWebsockets = true;
         };
         locations."/metrics" = {
-          # Only allow our monitoringvpn subnet
-          # And localhost since we're the monitoring server currently
+          # Only allow localhost and a for now
           extraConfig = ''
-            allow ${config.grid.monitoringvpnIPv4}/24;
+            allow ${toString cfg.metricsAllowedIp};
             allow 127.0.0.1;
             allow ::1;
             deny all;