diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 9a929d2cf4613874379fdcc7a52f241c10f63f18..cebcc2ae55233b0221c3657ed170c15233eea294 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -9,4 +9,5 @@
 , "allowedChargeOrigins": [
     "http://localhost:5000"
   ]
+, "googleOAuthClientID": ""
 }
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 320aa9519176ac4c8cc5e762672046a8046066d4..e1bcbe43501c109ef6dacee62f422ac6f5a506bc 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -61,14 +61,12 @@ let
       (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail googleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
       deployment
     ];
-    # Allow anonymous access to Grafana in local development environment:
-    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
   };
 
   # TBD: derive these automatically:
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index 092e4dff7b4c026c816afdd85b2a454089204141..f9ca1b0b7bb2f4ecf1f36497540d54ff5e736cf4 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -15,4 +15,5 @@
   , "https://private.storage"
   , "https://www.private.storage"
   ]
+, "googleOAuthClientID": "productiongrid-replaceme"
 }
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 78f79bcec05cfb8a420eb5202dec9a5dc2196f2f..17de72837d1f2b3faaea6832a7d6fce6ae5cdc01 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -30,8 +30,6 @@ let
       }))
       deployment
     ];
-    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
-    services.private-storage.monitoring.grafana.googleOAuthClientSecretFile = /run/keys/grafana-google-sso.secret;
   };
 
   monitoring = {
@@ -40,7 +38,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail googleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index 8b94959557364d8af8f1f4aa61c5647b46db9932..10c772c518ff51f19f8df15f46a6e39da200e3ba 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -14,4 +14,5 @@
   , "https://privatestorage-staging.com"
   , "https://www.privatestorage-staging.com"
   ]
+, "googleOAuthClientID": "testinggrid-replaceme"
 }
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 5f9a286f5fdf6b48a6400f7d19fb519a93c7752f..ed07b504e743b53f30c2347483f3a0f47f728f83 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -51,14 +51,12 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
+        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail googleOAuthClientID;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
       deployment
     ];
-    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
-    services.private-storage.monitoring.grafana.googleOAuthClientSecretFile = /run/keys/grafana-google-sso.secret;
   };
 
   # TBD: derive these automatically:
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 23b0e0d4ea2d181b788f279db67968dfeb6fe1fb..56de405f83d76767adefea69eba5adb5d5819914 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -31,6 +31,9 @@
   # which nodes to scrape PaymentServer metrics from.
 , paymentExporterTargets ? []
 
+  # A string containing the ClientID for authorization against GSuite
+, googleOAuthClientID
+
   # A string giving the NixOS state version for the system.
 , stateVersion
 , ...
@@ -63,6 +66,7 @@
 
   services.private-storage.monitoring.grafana = {
     inherit letsEncryptAdminEmail;
+    inherit googleOAuthClientID;
     domain = "${config.networking.hostName}.${config.networking.domain}";
   };
 
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 242b2640a85c345675ff57f7d59806500563dae6..7fe92e5e66024a14d1badfa251bcc9cbbb02d75f 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -50,7 +50,7 @@ in {
     googleOAuthClientSecretFile = lib.mkOption
     { type = lib.types.path;
       example = lib.literalExample "\${privKeyPath}/grafana-gsuite-client-secret";
-      default = null;
+      default = /run/keys/grafana-google-sso.secret;
       description = "The path to the GSuite SSO secret file.";
     };
   };