diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 8c445b9fc8a276f22ef212d2d535ddb2d61cb44f..6c8682a1232d20c805aa94f2f0305f25d92c3cd3 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -33,19 +33,13 @@
         dest: "{{ vars_dir }}/secrets.yml"
         state: link
 
-    # Generate the SSH CA.
     - name: Generate SSH CA
       local_action: sshca ca="{{ credentials_dir }}/ssh/key"
+      when: enable_ssh
 
-    # Generate the SSO ED25519 key pair.
     - name: Generate SSO credentials
       local_action: ed25519 privkey="{{ credentials_dir }}/sso/secret.key" pubkey="{{ credentials_dir }}/sso/public.key"
 
-    # Generate all the X509 service credentials. The first time this
-    # runs, the service CA will be initialized too.
-    #- name: Generate X509 credentials for all services
-    #  local_action: x509 ca_root="{{ credentials_dir }}/x509" ca_subject="{{ x509_ca_subject | default('') }}" domain="{{ domain }}"
-
     - name: Generate global DH params
       local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
 
diff --git a/roles/vagrant-compat/tasks/main.yml b/roles/vagrant-compat/tasks/main.yml
index 2e427fd4636413b40c792d0ee0b9e14cff3550b6..9097aadc681972866258586aac2c41a8132c8344 100644
--- a/roles/vagrant-compat/tasks/main.yml
+++ b/roles/vagrant-compat/tasks/main.yml
@@ -9,3 +9,5 @@
   copy:
     dest: /etc/ssh/authorized_keys/vagrant
     content: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+  when: enable_ssh
+