diff --git a/modules/nixos/dgn-s3/default.nix b/modules/nixos/dgn-s3/default.nix
index 99cc114..8b61b87 100644
--- a/modules/nixos/dgn-s3/default.nix
+++ b/modules/nixos/dgn-s3/default.nix
@@ -29,9 +29,11 @@ let
     port
     ;
 
-  mkListen =
-    local: port:
-    mkIf (port != null) "${if local then "127.0.0.1" else "[::]"}:${builtins.toString port}";
+  mkIfNotNull = v: mkIf (v != null);
+
+  mkListen = local: port: "${if local then "127.0.0.1" else "[::]"}:${builtins.toString port}";
+
+  mkOptionalListen = local: port: mkIfNotNull port (mkListen local port);
 
   mkPortOption =
     name:
@@ -119,23 +121,25 @@ in
 
         compression_level = 7;
 
-        rpc_bind_addr = mkListen false cfg.ports.rpc;
+        rpc_bind_addr = mkOptionalListen false cfg.ports.rpc;
         rpc_public_addr = "${meta.network.${name}.netbirdIp}:${builtins.toString cfg.ports.rpc}";
         rpc_secret_file = config.age.secrets."garage-rpc_secret_file".path;
 
         s3_api = {
           s3_region = "garage";
-          api_bind_addr = mkListen true cfg.ports.s3_api;
+          api_bind_addr = mkOptionalListen true cfg.ports.s3_api;
           root_domain = mkDefault ".s3.dgnum";
         };
 
         s3_web = {
-          bind_addr = mkListen true cfg.ports.s3_web;
+          bind_addr = mkOptionalListen true cfg.ports.s3_web;
           index = "index.html";
           root_domain = mkDefault ".web.dgnum";
         };
 
-        k2v_api.api_bind_addr = mkListen false cfg.ports.k2v_api;
+        k2v_api = mkIfNotNull cfg.ports.k2v_api {
+          api_bind_addr = mkListen false cfg.ports.k2v_api;
+        };
 
         admin = {
           api_bind_addr = mkListen true cfg.ports.admin_api;