diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 51046b436e297cdc5034134e3503556e8030588c..f617eef171cfaa35f7cf676915e57ba2654a4319 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -4,7 +4,8 @@
 # statically known.  This value is suitable for use as a module to be imported
 # into a more complete system configuration.  It is expected that the holes
 # will be filled by a sibling module created by ``customize-issuer.nix``.
-rec {
+{ config, ...}:
+{
   deployment = {
     secrets = {
       "ristretto-signing-key" = {
@@ -51,8 +52,8 @@ rec {
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
-    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
+    ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+    stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
   };
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index f8810be2f7e878eeb979e82d2746895d6157212e..7d59c296d12b06e430ff031b9f0b8b8a0e8616e1 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -1,6 +1,6 @@
 # Similar to ``issuer.nix`` but for a "monitoring"-type system.  Holes are
 # filled by ``customize-monitoring.nix``.
-rec {
+{
   deployment = {
     secrets = {
       "monitoringvpn-private-key" = {
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index ebad3d17e17e0098f6e098d61d7c614fde91b31e..52be81364a3659a625854503b8efa7a8c97e108b 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -1,6 +1,7 @@
 # Similar to ``issuer.nix`` but for a "storage"-type system.  Holes are filled
 # by ``customize-storage.nix``.
-rec {
+{ config, ...} :
+{
   deployment = {
     secrets = {
       "ristretto-signing-key" = {
@@ -48,6 +49,6 @@ rec {
     # Yep.  Turn it on.
     enable = true;
     # Give it the Ristretto signing key to support authorization.
-    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
   };
 }