diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 7c8356a210cf5f3193efe2272c92d640e7158988..410bce47db83381f42949a4b8dd3f552f1b0bc5c 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -1,11 +1,46 @@
-{ ristrettoSigningKeyPath
+# Define a function which returns a value which fills in all the holes left by
+# ``issuer.nix``.
+{
+  # A path on the deployment system to a file containing the Ristretto signing
+  # key.  This is used as the source of the Ristretto signing key morph
+  # secret.
+  ristrettoSigningKeyPath
+
+  # A path on the deployment system to a file containing the Stripe secret
+  # key.  This is used as the source of the Stripe secret key morph secret.
 , stripeSecretKeyPath
+
+  # A path on the deployment system to a directory containing a number of
+  # VPN-related secrets.  This is expected to contain a number of files named
+  # like ``<VPN IPv4 address>.key`` containing the VPN private key for the
+  # corresponding host.  It must also contain ``server.pub`` and
+  # ``preshared.key`` holding the VPN server's public key and the pre-shared
+  # key, respectively.  All of these things are used as the sources of various
+  # VPN-related morph secrets.
 , monitoringvpnKeyDir
+
+  # A string giving the IP address and port number (":"-separated) of the VPN
+  # server.
 , monitoringvpnEndpoint
+
+  # A string giving the VPN IPv4 address for this system.
 , monitoringvpnIPv4
+
+  # A set mapping usernames as strings to SSH public keys as strings.  For
+  # each element of the site, the indicated user is configured on the system
+  # with the indicated SSH key as an authorized key.
 , sshUsers
+
+  # A string giving an email address to use for Let's Encrypt registration and
+  # certificate issuance.
 , letsEncryptAdminEmail
+
+  # A list of strings giving the domain names that point at this issuer
+  # system.  These will all be included in Let's Encrypt certificate.
 , issuerDomains
+
+  # A list of strings giving CORS Origins will the issuer will be configured
+  # to allow.
 , allowedChargeOrigins
 , ...
 }: {
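Review bot: The new comments on `ristrettoSigningKeyPath`, `stripeSecretKeyPath` and `monitoringvpnKeyDir` do not say in what form the path must be given, which matters for secret material: if a caller passes a Nix path literal and it is interpolated into a string, Nix copies the file into the world-readable store. The function body continues outside this hunk, so how these values are consumed should be confirmed, but a line such as `# Pass this as a string naming a location outside the repository and the Nix store.` would make the expectation explicit. There are also three wording slips in the added comments: "For each element of the site" presumably means "set", "included in Let's Encrypt certificate" is missing "the", and "CORS Origins will the issuer will be configured to allow" should read "which the issuer will be configured to allow".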
@@ -25,9 +60,8 @@
   };
 
   services.private-storage-issuer = {
-    letsEncryptAdminEmail = letsEncryptAdminEmail;
+    inherit letsEncryptAdminEmail allowedChargeOrigins;
     domains = issuerDomains;
-    allowedChargeOrigins = allowedChargeOrigins;
   };
 
   system.stateVersion = "19.03";
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index efba08ba1d92520398ec030a37d1df16912d4c13..417ef7965ea0120322995059fcca7a5a9afe2543 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -1,8 +1,13 @@
+# This is all of the static NixOS system configuration necessary to specify an
+# "issuer"-type system.  The configuration has various holes in it which must
+# be filled somehow.  These holes correspond to configuration which is not
+# statically known.  This value is suitable for use as a module to be imported
+# into a more complete system configuration.  It is expected that the holes
+# will be filled by a sibling module created by ``customize-issuer.nix``.
 rec {
   deployment = {
     secrets = {
       "ristretto-signing-key" = {
-        # source = ... fill this in ...
         destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
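Review bot: With the `# source = ... fill this in ...` marker removed here and in the three following secret hunks, nothing next to a secret says that `source` is required, and the new header speaks of "holes" without naming any. I would extend the header with a short list of them, taken from the placeholders this commit deletes: the `source` of each `deployment.secrets` entry, `services.private-storage.sshUsers` and `monitoring.vpn.client.{enable,ip,endpoint,endpointPublicKeyFile}`, `services.private-storage-issuer.{letsEncryptAdminEmail,domains,allowedChargeOrigins}`, and `system.stateVersion`. That lets a reviewer check a customizing module against the list instead of discovering an unfilled secret source at deploy time. The `secrets` set continues outside this hunk.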
@@ -10,7 +15,6 @@ rec {
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "stripe-secret-key" = {
-        # source = ... fill this in ...
         destination = "/run/keys/stripe.secret-key";
         owner.user = "root";
         owner.group = "root";
@@ -19,7 +23,6 @@ rec {
       };
 
       "monitoringvpn-secret-key" = {
-        # source = ... fill this in ...
         destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
@@ -27,7 +30,6 @@ rec {
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        # source = ... fill this in ...
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
@@ -43,15 +45,6 @@ rec {
     ../../nixos/modules/monitoring/exporters/node.nix
   ];
 
-  services.private-storage = {
-    # sshUsers = ...
-    monitoring.vpn.client = {
-      # enable = ...
-      # ip = ...
-      # endpoint = ...
-      # endpointPublicKeyFile = ...
-    };
-  };
   services.private-storage-issuer = {
     enable = true;
     tls = true;
@@ -59,10 +52,5 @@ rec {
     stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
-    # letsEncryptAdminEmail = ...;
-    # domains = ...;
-    # allowedChargeOrigins = ...;
   };
-
-  # system.stateVersion = ...
 }