diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 2153d78a48dafed72f10daaba9029fe6626d468b..b9d25e985977bc77d08c21fd869644ab170c3b64 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -1,11 +1,24 @@
-{ ristrettoSigningKeyPath
-, passValue
-, publicStoragePort
-, sshUsers
-, publicIPv4
+# Define a function which returns a value which fills in all the holes left by
+# ``storage.nix``.
+{
+  # See ``customize-issuer.nix``
+  ristrettoSigningKeyPath
 , monitoringvpnKeyDir
 , monitoringvpnEndpoint
 , monitoringvpnIPv4
+, sshUsers
+
+  # An integer giving the value of a single pass in byte×months.
+, passValue
+
+  # An integer giving the port number to include in Tahoe storage service
+  # advertisements and on which to listen for storage connections.
+, publicStoragePort
+
+  # XXX To be removed
+, publicIPv4
+
+  # A string giving the NixOS state version for the system.
 , stateVersion
 , ...
 }: {
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 2835e024b67150f646ecfe1d7c6d20ca7fb3ec06..1cac51b43aa38fb90a535fd34ba53363fc0cdbaa 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -1,8 +1,9 @@
+# Similar to ``issuer.nix`` but for a "storage"-type system.  Holes are filled
+# by ``customize-storage.nix``.
 rec {
   deployment = {
     secrets = {
       "ristretto-signing-key" = {
-        # source = ...;
         destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
@@ -13,7 +14,6 @@ rec {
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
       "monitoringvpn-secret-key" = {
-        # source = ...;
         destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
@@ -21,7 +21,6 @@ rec {
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        # source = ...;
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
@@ -46,24 +45,7 @@ rec {
   services.private-storage = {
     # Yep.  Turn it on.
     enable = true;
-    # Get the public IPv4 address from the node configuration.
-    # inherit (cfg) publicIPv4;
-    # And the port to operate on is specified via parameter.
-    # inherit publicStoragePort;
-    # Give it the Ristretto signing key, too, to support authorization.
+    # Give it the Ristretto signing key to support authorization.
     ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
-    # Assign the configured pass value.
-    # inherit passValue;
-    # It gets the users, too.
-    # sshUsers = ...;
-  };
-
-  # system.stateVersion = ...'
-
-  services.private-storage.monitoring.vpn.client = {
-    # enable = ...;
-    # ip = ...;
-    # endpoint = ...;
-    # endpointPublicKeyFile = ...;
   };
 }