diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index c81a765f2a9cd1465d062cd64d4955cdfcc743eb..8df7f45845230c641b2cff262a0f7f56192b6cd8 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -1,10 +1,30 @@
-{ hostsMap
+# Define a function which returns a value which fills in all the holes left by
+# ``monitoring.nix``.
+{
+  # A set mapping VPN IP addresses as strings to lists of hostnames as
+  # strings.  The system's ``/etc/hosts`` will be populated with this
+  # information.
+  hostsMap
+
+  # See ``customize-issuer.nix``.
 , monitoringvpnKeyDir
-, publicIPv4
 , monitoringvpnIPv4
+
+  # XXX To be removed
+, publicIPv4
+
+  # A list of VPN IP addresses as strings indicating which clients will be
+  # allowed onto the VPN.
 , vpnClientIPs
+
+  # A list of VPN clients (IP addresses or hostnames) as strings indicating
+  # which nodes to scrape metrics from.
 , nodeExporterTargets
+
+  # ...
 , nginxExporterTargets ? []
+
+  # A string giving the NixOS state version for the system.
 , stateVersion
 , ...
 }: {
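Review bot: Two of the new argument comments tell the reader nothing: `nginxExporterTargets` is documented only as `# ...`, and `monitoringvpnIPv4` has no comment of its own, sitting under the `See customize-issuer.nix` pointer that reads as belonging to `monitoringvpnKeyDir`. By analogy with `nodeExporterTargets`, the former could read `# A list of VPN clients (IP addresses or hostnames) as strings indicating which nodes to scrape nginx metrics from.`, though that wording is inferred from the name and should be confirmed. `monitoringvpnKeyDir` appears to be the source of the WireGuard private and preshared keys that `monitoring.nix` deploys, so its comment should say that the directory holds secret material rather than only deferring to another file. `# XXX To be removed` on `publicIPv4` would be more useful with the reason or a ticket reference. The function body continues outside the hunk.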
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 2001dea8637a1dfa32b7789dea2d3ea2063773eb..b48820f0941694869fdda06e724ba1ae714b5993 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -1,8 +1,9 @@
+# Similar to ``issuer.nix`` but for a "monitoring"-type system.  Holes are
+# filled by ``customize-monitoring.nix``.
 rec {
   deployment = {
     secrets = {
       "monitoringvpn-private-key" = {
-        # source = ...;
         destination = "/run/keys/monitoringvpn/server.key";
         owner.user = "root";
         owner.group = "root";
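Review bot: With the `# source = ...;` placeholder removed here and in the `monitoringvpn-preshared-key` hunk, and the remaining placeholders removed in the last hunk, nothing in this file says which attributes are left for `customize-monitoring.nix` to supply. The new header comment could list them, for example `# Holes: deployment.secrets.*.source, services.private-storage.monitoring.vpn.server, services.private-storage.monitoring.prometheus, system.stateVersion, networking.hosts.` This matters most for the two key secrets and the VPN server settings (`vpnClientIPs`, `pubKeysPath`), where an omitted value presumably surfaces only at evaluation or deploy time. The `deployment.secrets` set continues outside the hunk.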
@@ -10,7 +11,6 @@ rec {
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        # source = ...;
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
@@ -29,25 +29,9 @@ rec {
     # ../../nixos/modules/monitoring/server/loki.nix
   ];
 
-  services.private-storage.monitoring.vpn.server = {
-    # enable = ...;
-    # ip = ...;
-    # vpnClientIPs = ...;
-    # pubKeysPath = ...;
-  };
-
   services.private-storage.monitoring.grafana = {
     domain = "monitoring.private.storage";
     prometheusUrl = "http://localhost:9090/";
     lokiUrl = "http://localhost:3100/";
   };
-
-  services.private-storage.monitoring.prometheus = {
-    # nodeExporterTargets = ...;
-    # nginxExporterTargets = ...;
-  };
-
-  # system.stateVersion = ...;
-
-  # networking.hosts = ...;
 }