diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index de34394bf1b9094e27c83819c4234d125c0312dd..8a096d3c0a7b75740f9bb96aabba5e939b1c7e98 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -11,11 +11,36 @@
                              # to avoid breaking some software such as
                              # database servers. You should change this only
                              # after NixOS release notes say you should.
-, monitoringvpnKeyDir        # The directory that holds the VPN keys.
-, monitoringvpnIPv4          # This node's IP in the monitoring VPN.
-, monitoringvpnEndpoint      # The VPN server and port.
+, monitoringvpnKeyDir ? null # The directory that holds the VPN keys.
+, monitoringvpnIPv4 ? null   # This node's IP in the monitoring VPN.
+, monitoringvpnEndpoint ? null # The VPN server and port.
 , ...
-}: rec {
+}: let
+
+  enableVpn = monitoringvpnKeyDir != null &&
+              monitoringvpnIPv4 != null &&
+              monitoringvpnEndpoint != null;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
   deployment = {
     targetHost = cfg.publicIPv4;
 
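Review bot: A partially specified VPN configuration is silently treated as "no VPN", because `enableVpn` is true only when all three `monitoringvpn*` arguments are non-null. A node that sets the key directory and IP but omits the endpoint evaluates cleanly and deploys with no monitoring tunnel and no keys. All three arguments now default to null and the signature ends in `...`, so a misspelled argument name has the same effect. Consider failing evaluation when only some are set, e.g. `enableVpn = assert anyVpnArg -> allVpnArgs; allVpnArgs;`, where `allVpnArgs` is the current `&&` expression and `anyVpnArg` is the `||` of the same three null checks. A one-line comment above `enableVpn` stating the all-or-nothing rule would also help the next reader.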
@@ -31,7 +56,7 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
-    };
+    } // vpnSecrets;
   };
 
   # Any extra NixOS modules to load on this server.
@@ -75,7 +100,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
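Review bot: The disabled branch assigns `{}` to `services.private-storage.monitoring.vpn.client`, so the client stays off only while the module's `enable` option defaults to false, and that default is not visible in this file. Writing the branch as `if !enableVpn then { enable = false; } else {` states the intent in place and keeps it correct if the module default ever changes. The attribute set opened on this line continues past the end of the hunk, so the remaining client options could not be checked.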