diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 56184fbcd854ba8120fd5a2062d4656fd0448db3..f4273dc5710d5a5bcff78acd219c850d55a17cd5 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -1,6 +1,8 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "monitoringvpnSecretKeyPath": "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key"
+, "monitoringvpnPresharedKeyPath" : "../../PrivateStorageSecrets/monitoringvpn/preshared.key"
 , "passValue": 1000000
 , "issuerDomain": "payments.localdev"
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
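Review bot: The `${monitoringvpnIPv4}` inside the added `monitoringvpnSecretKeyPath` value is plain JSON text, so Nix will not interpolate it the way it did when this path was a Nix string literal in make-issuer.nix and make-testing.nix. Unless the code that loads config.json substitutes the placeholder (not visible in this diff), the `monitoringvpn-secret-key` source on every client node would name a file literally called `${monitoringvpnIPv4}.key`, so the per-host WireGuard key would not be found. One option is to keep only the directory in the config, for example `"monitoringvpnSecretKeyDir": "../../PrivateStorageSecrets/monitoringvpn"`, and build `"${monitoringvpnSecretKeyDir}/${monitoringvpnIPv4}.key"` in the Nix files where `monitoringvpnIPv4` is in scope.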
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index e241b917367bb04a8c10830b6d946410994de547..82b194840db0d2387b10d435dfbc0e1dd8066b26 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -1,6 +1,8 @@
 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
 , issuerDomain
 , letsEncryptAdminEmail
 , allowedChargeOrigins
@@ -31,7 +33,7 @@
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "monitoringvpn-secret-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+        source = monitoringvpnSecretKeyPath;
         destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
@@ -39,7 +41,7 @@
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        source = monitoringvpnPresharedKeyPath;
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index 2a2cde3d19326c8e90c6f3896c827bca0be76a74..464b021821b25838065aeda3b05ccba62d11eb5f 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -1,11 +1,22 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, vpnClientIPs, ... }: rec {
+{ publicIPv4
+, hardware
+, publicStoragePort
+, ristrettoSigningKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
+, passValue
+, sshUsers
+, stateVersion
+, monitoringvpnIPv4
+, vpnClientIPs
+, ... }: rec {
 
   deployment = {
     targetHost = publicIPv4;
 
     secrets = {
       "monitoringvpn-private-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+        source = monitoringvpnSecretKeyPath;
         destination = "/run/keys/monitoringvpn/server.key";
         owner.user = "root";
         owner.group = "root";
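Review bot: The server's `monitoringvpn-private-key` used to read `server.key`, but its source is now `monitoringvpnSecretKeyPath`, the same argument the issuer and testing nodes use for their per-client key. If that value comes from the grid-wide config.json changed in this commit, the monitoring host would be given a client key path instead of its own private key, and the VPN peers would no longer match. A separate argument would keep the two roles apart, for example `source = monitoringvpnServerKeyPath;` with a matching config entry pointing at `server.key`. The secrets entry continues past the end of this hunk.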
@@ -21,7 +32,7 @@
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        source = monitoringvpnPresharedKeyPath;
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index c96a51c2aed555797366dc0a39040bce04d80b25..7cd3c80aa0e237d003f07e9f95ee5eac211a5ca5 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,4 +1,14 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
+{ publicIPv4
+, hardware
+, publicStoragePort
+, ristrettoSigningKeyPath
+, monitoringvpnSecretKeyPath
+, monitoringvpnPresharedKeyPath
+, passValue
+, sshUsers
+, stateVersion
+, monitoringvpnIPv4
+, ... }: rec {
 
   deployment = {
     targetHost = publicIPv4;
@@ -16,7 +26,7 @@
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
       "monitoringvpn-secret-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+        source = monitoringvpnSecretKeyPath;
         destination = "/run/keys/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
@@ -24,7 +34,7 @@
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
       "monitoringvpn-preshared-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        source = monitoringvpnPresharedKeyPath;
         destination = "/run/keys/monitoringvpn/preshared.key";
         owner.user = "root";
         owner.group = "root";