diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 6e19ff997b88450a6f271c960ae099e44d0ea987..3080c3646cbbc333bce2d41a3804e430297aa1da 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -43,11 +43,35 @@
   # See customize-issuer.nix for an explanatoin of targetHost value.
   deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
 
-  deployment.secrets = {
-    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
-    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
-    "grafana-google-sso-secret".source = "${privateKeyPath}/grafana-google-sso.secret";
-  };
+  deployment.secrets = let
+    # When Grafana SSO is disabled there is not necessarily any client secret
+    # available.  Avoid telling morph that there is one in this case (so it
+    # avoids trying to read it and then failing).  Even if the secret did
+    # exist, if SSO is disabled there's no point sending the secret to the
+    # server.
+    #
+    # Also, we have to define this whole secret here so that we can configure
+    # it completely or not at all.  morph gets angry if we half configure it
+    # (say, by just omitting the "source" value).
+    grafanaSSO =
+      if googleOAuthClientID == ""
+      then { }
+      else {
+        "grafana-google-sso-secret" = {
+          source = "${privateKeyPath}/grafana-google-sso.secret";
+          destination = "/run/keys/grafana-google-sso.secret";
+          owner.user = "root";
+          owner.group = "root";
+          permissions = "0400";
+          action = ["sudo" "systemctl" "restart" "grafana.service"];
+        };
+      };
+    monitoringvpn = {
+      "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
+      "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
+    };
+    in
+      grafanaSSO // monitoringvpn;
 
   networking.domain = domain;
   networking.hosts = hostsMap;
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 7623c478abc749077fb014119a859686a047ab61..d8af93b24119ba6dff5ce63a5b2d16fbd18edb71 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -17,13 +17,6 @@ rec {
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
-      "grafana-google-sso-secret" = {
-        destination = "/run/keys/grafana-google-sso.secret";
-        owner.user = "root";
-        owner.group = "root";
-        permissions = "0400";
-        action = ["sudo" "systemctl" "restart" "grafana.service"];
-      };
     };
   };