diff --git a/nix/module.nix b/nix/module.nix
index ed4ce0e..27bb0ed 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -5,9 +5,10 @@
 ...
 }:
 let
+ cfg = config.labmon;
 settingsFormat = pkgs.format.toml { };
- settingsFile = settingsFormat.generate "labmon.toml" config.labmon.settings;
+ settingsFile = settingsFormat.generate "labmon.toml" cfg.labmon.settings;
 in
 {
 options.labmon = {
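Review bot: `cfg.labmon.settings` on the new `settingsFile` line dereferences the wrong path: `cfg` is bound to `config.labmon` one line above, so this resolves to `config.labmon.labmon.settings`, an attribute that does not exist, and evaluation fails as soon as `settingsFile` is forced through `ExecStart`. The line should read `settingsFile = settingsFormat.generate "labmon.toml" cfg.settings;`. Because Nix evaluates lazily and the second hunk gates the unit on `cfg.enable`, the error only appears on a host that actually enables the service, so building a configuration with it disabled will not catch it.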
@@ -21,45 +22,47 @@ in
 };
 };
- systemd.services.labmon = {
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ config = lib.mkIf cfg.enable {
+ systemd.services.labmon = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
- DynamicUser = true;
- Restart = "always";
+ serviceConfig = {
+ ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
+ DynamicUser = true;
+ Restart = "always";
- # Hardening
- DevicePolicy = "strict";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
+ # Hardening
+ DevicePolicy = "strict";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
 };
 };
 }
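Review bot: `lib.mkIf` on the new `config = lib.mkIf cfg.enable {` line relies on `lib` being one of the module's function arguments, but the argument set at the top of the file is outside this diff (only `...` is visible in the first hunk), so confirm `lib` is actually bound there or the module fails with an undefined variable. The `enable` option this gate reads is declared in the options block between the two hunks and is not visible here either; with the unit now emitted only when enabled, the `cfg.labmon.settings` typo from the first hunk is only forced on enabled hosts, so a disabled evaluation will not surface it. The hardening block is carried over unchanged apart from indentation; given `DynamicUser = true` and a configuration read only from the store path in `ExecStart`, `ProtectSystem = "strict";` would mount everything except the API file systems read-only, a stronger default than `"full"` if labmon writes no state outside a `StateDirectory`. The enclosing `let … in { … }` attribute set begins in the first hunk, outside this one.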