diff --git a/paris-container.nix b/paris-container.nix
index 0665dcf..5a289b5 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -231,7 +231,7 @@ in {
     };
 
     systemd.services."container@paris".after =
-      [ config.fudo.secrets.secret-target ];
+      optional (!isNull cfg.kerberos) config.fudo.secrets.secret-target;
 
     containers.paris = {
       autoStart = true;
@@ -276,7 +276,7 @@ in {
 
         security.pam.krb5.enable = true;
 
-        krb5 = {
+        krb5 = mkIf (!isNull cfg.kerberos) {
           enable = true;
           kerberos = pkgs.heimdal;
           libdefaults = config.krb5.libdefaults;
@@ -296,7 +296,7 @@ in {
               UseDns = true;
               PermitRootLogin = "no";
             };
-            extraConfig = ''
+            extraConfig = optionalString (!isNull cfg.kerberos) ''
               GSSAPIAuthentication yes
               GSSAPICleanupCredentials yes
             '';