diff --git a/pp-node-exporter.nix b/pp-node-exporter.nix
index 11be08e..1ca9ee5 100644
--- a/pp-node-exporter.nix
+++ b/pp-node-exporter.nix
@@ -6,15 +6,19 @@ let
     text = cfg.prometheusCa;
   };
   yaml = pkgs.formats.yaml { };
-  nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" {
-    tls_server_config = {
-      client_ca_file = prometheusCaFile;
-      cert_file = cfg.prometheusNodeExporterCertFile;
-      key_file = cfg.prometheusNodeExporterCertKeyFile;
-      client_auth_type = "RequireAndVerifyClientCert";
-      client_allowed_sans = lib.mkIf (cfg.prometheusNodeExporterAllowScrapperSans != null) cfg.prometheusNodeExporterAllowScrapperSans;
-    };
-  };
+  nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" lib.mkMerge [
+    ({
+      tls_server_config = {
+        client_ca_file = prometheusCaFile;
+        cert_file = cfg.prometheusNodeExporterCertFile;
+        key_file = cfg.prometheusNodeExporterCertKeyFile;
+        client_auth_type = "RequireAndVerifyClientCert";
+      };
+    })
+    (lib.mkIf (cfg.prometheusNodeExporterAllowScrapperSans != null) {
+      tls_server_config.client_allowed_sans = cfg.prometheusNodeExporterAllowScrapperSans;
+    })
+  ];
 in {
   options.services.ppNodeExporter = {
     prometheusCa = lib.mkOption {