diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index 1ee2db347a9ccb099547f1282a516327055ca5fc..370f177e97ba63f26e4d325a6329666907608ed9 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -2,35 +2,43 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, vpnClientIPs
-, ... }: rec {
+, monitoringvpnIPv4 ? null
+, monitoringvpnKeyDir ? null
+, vpnClientIPs ? null
+, ... }: let
+
+  enableVpn = if (monitoringvpnKeyDir != null &&
+                  monitoringvpnIPv4 != null &&
+                  vpnClientIPs != null)
+              then true else false;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-private-key" = {
+      source = monitoringvpnKeyDir + "/server.key";
+      destination = "/run/keys/monitoringvpn/server.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+in rec {
 
   deployment = {
     targetHost = publicIPv4;
 
-    secrets = {
-      "monitoringvpn-private-key" = {
-        source = monitoringvpnKeyDir + "/server.key";
-        destination = "/run/keys/monitoringvpn/server.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-      "monitoringvpn-preshared-key" = {
-        source = monitoringvpnKeyDir + "/preshared.key";
-        destination = "/run/keys/monitoringvpn/preshared.key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-      };
-    };
+    secrets = { } // vpnSecrets;
   };
 
   imports = [
@@ -38,7 +46,7 @@
     ../../nixos/modules/monitoring/vpn/server.nix
   ];
 
-  services.private-storage.monitoring.vpn.server = {
+  services.private-storage.monitoring.vpn.server = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
     inherit vpnClientIPs;