diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index b10bd83a94253aa64344571a473e093114f3a9a6..994c43d492eddf16c2d80548dfc235fd95d1d790 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -50,7 +50,7 @@ let
       (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
-        inherit (config) domain publicKeyPath privateKeyPath;
+        inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })
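Review bot: The widened `inherit (config) domain publicKeyPath privateKeyPath letsEncryptAdminEmail;` makes evaluation of the local grid depend on a `letsEncryptAdminEmail` attribute in `config`, and nothing in this diff shows that attribute being added to the local grid's configuration. If it is absent, evaluation should fail with a missing-attribute error, so the config file (and any template or docs for it) presumably needs the key in the same commit. The enclosing `let` block starts and ends outside this hunk, so the source of `config` cannot be checked from here.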
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 906e900ac5c802de149e4b75680ebd0bd39f11ad..8fea577341a4432b799c0604717969a4a4939054 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -13,6 +13,7 @@
 , privateKeyPath
 , monitoringvpnIPv4
 , domain
+, letsEncryptAdminEmail
 
   # A list of VPN IP addresses as strings indicating which clients will be
   # allowed onto the VPN.
@@ -59,7 +60,10 @@
     inherit paymentExporterTargets;
   };
 
-  services.private-storage.monitoring.grafana.domain = "${config.networking.hostName}.${config.networking.domain}";
+  services.private-storage.monitoring.grafana = {
+    inherit letsEncryptAdminEmail;
+    domain = "${config.networking.hostName}.${config.networking.domain}";
+  };
 
   system.stateVersion = stateVersion;
 }
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index e035b6d34f3090e20b412dded3400b8e07a789fc..329c7a1917a097c8274e12b9648dddec6727b15a 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -34,6 +34,13 @@ in {
       default = "http://localhost:3100/";
       description = "The URL of the Loki host to access";
     };
+    letsEncryptAdminEmail = lib.mkOption
+    { type = lib.types.str;
+      description = ''
+        An email address to give to Let's Encrypt as an
+        operational contact for the service's TLS certificate.
+      '';
+    };
     googleOAuthClientID = lib.mkOption
     { type = lib.types.str;
       example = lib.literalExample "grafana-staging-345678";
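Review bot: The description of the new `letsEncryptAdminEmail` option understates its scope, and the option has no `example`. A later hunk in this file assigns the value to `security.acme.email`, which is the host-wide ACME contact, alongside `security.acme.acceptTerms = true`. The option therefore affects every certificate requested on the host, not only "the service's TLS certificate". I would reword the description along the lines of `Email address registered with Let's Encrypt as the ACME contact for this host (sets security.acme.email).` and add `example = "admin@example.com";` (a constructed value), as the neighbouring `googleOAuthClientID` option does. `lib.types.str` also accepts an empty string, so a blank contact would pass evaluation; an assertion or a stricter type would catch that earlier. The option set this declaration belongs to starts and ends outside the hunk.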
@@ -87,6 +94,8 @@ in {
     };
 
     # nginx reverse proxy
+    security.acme.email = cfg.letsEncryptAdminEmail;
+    security.acme.acceptTerms = true;
     services.nginx = {
       enable = true;