Also make VPN optional for monitoring host

morph/lib/make-monitoring.nix

@@ -2,18 +2,20 @@
 , hardware
 , publicStoragePort
 , ristrettoSigningKeyPath
-, monitoringvpnKeyDir
 , passValue
 , sshUsers
 , stateVersion
-, monitoringvpnIPv4
-, vpnClientIPs
-, ... }: rec {
+, monitoringvpnIPv4 ? null
+, monitoringvpnKeyDir ? null
+, vpnClientIPs ? null
+, ... }: let
 
-  deployment = {
-    targetHost = publicIPv4;
+  enableVpn = if (monitoringvpnKeyDir != null &&
+                  monitoringvpnIPv4 != null &&
+                  vpnClientIPs != null)
+              then true else false;
 
-    secrets = {
+  vpnSecrets = if !enableVpn then {} else {
     "monitoringvpn-private-key" = {
       source = monitoringvpnKeyDir + "/server.key";
       destination = "/run/keys/monitoringvpn/server.key";
@@ -31,6 +33,12 @@
       action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
     };
   };
+in rec {
+
+  deployment = {
+    targetHost = publicIPv4;
+
+    secrets = { } // vpnSecrets;
   };
 
   imports = [
@@ -38,7 +46,7 @@
     ../../nixos/modules/monitoring/vpn/server.nix
   ];
 
-  services.private-storage.monitoring.vpn.server = {
+  services.private-storage.monitoring.vpn.server = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
     inherit vpnClientIPs;