diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index aea3a9df56c41a260a217e2b4d02c7a170bccd6a..8cdeafe85f6bbefd4a04544acee5a88acd980ee5 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -51,14 +51,13 @@ in lib.make-grid {
     # doesn't specify one.
     #
     # The names must be unique!
-    "payments.privatestorage.io" = lib.make-issuer (cfg // {
-      publicIPv4 = "18.184.142.208";
-      monitoringvpnIPv4 = "172.23.23.11";
-      inherit monitoringvpnKeyDir;
-      inherit sshUsers;
-      hardware = lib.hardware-aws;
-      stateVersion = "19.03";
-    });
+    "payments.privatestorage.io" = rec {
+      imports = [
+        lib.issuer
+        lib.hardware-aws
+        (lib.customize-issuer cfg sshUsers monitoringvpnKeyDir "172.23.23.11" "19.03")
+      ];
+    };
 
     "storage001" = lib.make-storage (cfg // {
         cfg = import ./storage001-config.nix;
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 73635932a4ed97fd482ec8cb57dc904c2cde519c..e7d68256ea05e9dc23879e5152675a3ba5fa4197 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -20,14 +20,13 @@ in lib.make-grid {
     nodeExporterTargets = [ "monitoring" "payments" "storage001" ];
 
   in {
-    "payments" = lib.make-issuer (cfg // {
-      publicIPv4 = "18.194.183.13";
-      monitoringvpnIPv4 = "172.23.23.11";
-      inherit monitoringvpnKeyDir;
-      inherit sshUsers;
-      hardware = lib.hardware-aws;
-      stateVersion = "19.03";
-    });
+    payments = rec {
+      imports = [
+        lib.issuer
+        lib.hardware-aws
+        (lib.customize-issuer cfg sshUsers monitoringvpnKeyDir "172.23.23.11" "19.03")
+      ];
+    };
 
     "storage001" = lib.make-testing (cfg // {
       publicIPv4 = "3.120.26.190";
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index 7d28796d38e59a6c3a395130722983375d058583..30ef223999e62f8404eb08a8e41ae39e152ba738 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -1,6 +1,5 @@
 rec {
   make-grid = import ./make-grid.nix;
-  make-issuer = import ./make-issuer.nix;
   make-testing = import ./make-testing.nix;
   make-storage = import ./make-storage.nix;
   make-monitoring = import ./make-monitoring.nix;
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
deleted file mode 100644
index bbdf0cebbf770738e9ccb997daec75e58df021b5..0000000000000000000000000000000000000000
--- a/morph/lib/make-issuer.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ hardware
-, ristrettoSigningKeyPath
-, stripeSecretKeyPath
-, issuerDomains
-, letsEncryptAdminEmail
-, allowedChargeOrigins
-, sshUsers
-, stateVersion
-, publicIPv4
-, monitoringvpnKeyDir ? null
-, monitoringvpnIPv4 ? null
-, monitoringvpnEndpoint ? null
-, ...
-}: let
-
-  enableVpn = monitoringvpnKeyDir != null &&
-              monitoringvpnIPv4 != null &&
-              monitoringvpnEndpoint != null;
-
-  vpnSecrets = if !enableVpn then {} else {
-    "monitoringvpn-secret-key" = {
-      source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
-      destination = "/run/keys/monitoringvpn/client.key";
-      owner.user = "root";
-      owner.group = "root";
-      permissions = "0400";
-      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-    };
-    "monitoringvpn-preshared-key" = {
-      source = monitoringvpnKeyDir + "/preshared.key";
-      destination = "/run/keys/monitoringvpn/preshared.key";
-      owner.user = "root";
-      owner.group = "root";
-      permissions = "0400";
-      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
-    };
-  };
-
-in rec {
-  deployment = {
-    targetHost = publicIPv4;
-
-    secrets = {
-      "ristretto-signing-key" = {
-        source = ristrettoSigningKeyPath;
-        destination = "/run/keys/ristretto.signing-key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
-      };
-      "stripe-secret-key" = {
-        source = stripeSecretKeyPath;
-        destination = "/run/keys/stripe.secret-key";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
-      };
-    } // vpnSecrets;
-  };
-
-  imports = [
-    hardware
-    ../../nixos/modules/issuer.nix
-    ../../nixos/modules/monitoring/vpn/client.nix
-    ../../nixos/modules/monitoring/exporters/node.nix
-  ];
-
-  services.private-storage.sshUsers = sshUsers;
-  services.private-storage-issuer = {
-    enable = true;
-    tls = true;
-    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
-    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
-    database = "SQLite3";
-    databasePath = "/var/db/vouchers.sqlite3";
-    inherit letsEncryptAdminEmail;
-    domains = issuerDomains;
-    inherit allowedChargeOrigins;
-  };
-
-  system.stateVersion = stateVersion;
-
-  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
-    enable = true;
-    ip = monitoringvpnIPv4;
-    endpoint = monitoringvpnEndpoint;
-    endpointPublicKeyFile = monitoringvpnKeyDir + "/server.pub";
-  };
-}