diff --git a/site-modules/profile/manifests/network.pp b/site-modules/profile/manifests/network.pp
index c52ddbbe..35c0a027 100644
--- a/site-modules/profile/manifests/network.pp
+++ b/site-modules/profile/manifests/network.pp
@@ -1,80 +1,84 @@
-# Network configuration for Software Heritage servers
+# Network configuration for Software Heritage servers.
+
+# This class is enabled when the `networks` hiera variable returns a value that
+# is not empty.
+
 class profile::network { debnet::iface::loopback { 'lo': } # The `networks` hiera variable is a dict mapping interface names to a # settings dict. Entries of the settings dict with undefined values are not # output in the interface configuration. # The settings dict has the following keys: # - type (defaults to 'static'): the type of the interface as used by # ifupdown. A special type, 'private', generates a static configuration # with a separate routing table for the networks defined in the # `networks::private_routes` hiera variable (e.g. the OpenVPN and azure # machines). # - address (ip address): ip address to set on the # interface # - netmask (int or netmask): netmask for the network (e.g. 26 or 255.255.255.192) # - gateway (ip address): address of the gateway to use for the network # - mtu (int): MTU to set for the interface # - extras (dict): extra configuration entries to pass to ifupdown directly # - ups (list[str]): Instructions to run after the interface is brought up # - downs (list[str]): instructions to run when the interface is torn down $interfaces = lookup('networks') $private_routes = lookup('networks::private_routes', Hash, 'deep') each($interfaces) |$interface, $data| { $interface_type = pick($data['type'], 'static') if $interface_type == 'private' { file_line {'private route table': ensure => 'present', line => '42 private', path => '/etc/iproute2/rt_tables', } $filtered_routes = $private_routes.filter |$route_label, $route_data| { pick($route_data['enabled'], true) } $routes_up = $filtered_routes.map |$route_label, $route_data| { "ip route add ${route_data['network']} via ${route_data['gateway']}" } $routes_down = $filtered_routes.map |$route_label, $route_data| { "ip route del ${route_data['network']} via 
${route_data['gateway']}" }.reverse $_ups = $routes_up + [ "ip rule add from ${data['address']} table private", "ip route add 192.168.100.0/24 src ${data['address']} dev ${interface} table private", "ip route add default via ${data['gateway']} dev ${interface} table private", 'ip route flush cache', ] $_downs = [ "ip route del default via ${data['gateway']} dev ${interface} table private", "ip route del 192.168.100.0/24 src ${data['address']} dev ${interface} table private", "ip rule del from ${data['address']} table private", ] + $routes_down + [ 'ip route flush cache', ] $method = 'static' $gateway = undef } else { $method = $interface_type $gateway = $data['gateway'] $_ups = [] $_downs = [] } debnet::iface { $interface: method => $method, address => $data['address'], netmask => $data['netmask'], mtu => $data['mtu'], gateway => $gateway, ups => pick_default($data['ups'], $_ups, []), downs => pick_default($data['downs'], $_downs, []), aux_ops => pick_default($data['extras'], {}), } } }
diff --git a/site-modules/role/manifests/swh_api.pp b/site-modules/role/manifests/swh_api.pp
index eb2a9341..6fafe87d 100644
--- a/site-modules/role/manifests/swh_api.pp
+++ b/site-modules/role/manifests/swh_api.pp
@@ -1,7 +1,5 @@
 class role::swh_api inherits role::swh_base_api {
- include profile::network
-
 # Extra deposit and storage services
 include profile::swh::deploy::deposit
 include profile::swh::deploy::storage
 }
diff --git a/site-modules/role/manifests/swh_base.pp b/site-modules/role/manifests/swh_base.pp
index d37c8d97..e88ebe4b 100644
--- a/site-modules/role/manifests/swh_base.pp
+++ b/site-modules/role/manifests/swh_base.pp
@@ -1,18 +1,22 @@
 class role::swh_base {
 include profile::base
 include profile::ssh::server
 include profile::unbound
 include profile::systemd_journal
 include profile::resolv_conf
 include profile::puppet
 include profile::prometheus::node
 include profile::prometheus::statsd
 include profile::icinga2
 include profile::rsyslog
 if $::virtual == 'physical' {
 include profile::megacli
 }
+ if lookup('networks', {default_value => {}}) {
+ include profile::network
+ }
+
 include profile::swh
 }
diff --git a/site-modules/role/manifests/swh_deposit.pp b/site-modules/role/manifests/swh_deposit.pp
index 37193939..a322d3d0 100644
--- a/site-modules/role/manifests/swh_deposit.pp
+++ b/site-modules/role/manifests/swh_deposit.pp
@@ -1,9 +1,7 @@
 class role::swh_deposit inherits role::swh_server {
- include profile::network
-
 # Web UI
 include profile::swh::deploy::deposit
 # Apache logs
 include profile::filebeat
 }
diff --git a/site-modules/role/manifests/swh_forge.pp b/site-modules/role/manifests/swh_forge.pp
index 7ed3d911..58016941 100644
--- a/site-modules/role/manifests/swh_forge.pp
+++ b/site-modules/role/manifests/swh_forge.pp
@@ -1,12 +1,10 @@
 class role::swh_forge inherits role::swh_server {
- include profile::network
-
 include profile::apache::rewrite_domains
 include profile::phabricator
 include profile::mediawiki
 # Reverse proxies
 include profile::jenkins::reverse_proxy
 include profile::keycloak::reverse_proxy
 }
diff --git a/site-modules/role/manifests/swh_gateway.pp b/site-modules/role/manifests/swh_gateway.pp
index 780550b6..3ee9ded2 100644
--- a/site-modules/role/manifests/swh_gateway.pp
+++ b/site-modules/role/manifests/swh_gateway.pp
@@ -1,3 +1,2 @@
 class role::swh_gateway inherits role::swh_base {
- include profile::network
 }
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
index 680534dd..3e77911c 100644
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
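Review bot: The new guard `if lookup('networks', {default_value => {}})` never skips the include: in Puppet 4+ only `undef` and `false` are falsy, so the `{}` default — and an explicit empty hash set in hiera — both evaluate as true, and `profile::network` is still applied on every host that reaches `role::swh_base`, contrary to the comment this commit adds to `profile::network` ("enabled when ... not empty"). Test emptiness explicitly, e.g. `unless empty(lookup('networks', {default_value => {}})) { include profile::network }`; `empty` comes with puppetlabs-stdlib, which this code base already relies on for `pick`, `pick_default` and `file_line`. It is also worth confirming that every role that dropped its own `include profile::network` in this commit still reaches `role::swh_base`: `role::swh_api` inherits `role::swh_base_api`, whose parent is not visible in this diff, so it may have lost its network configuration silently.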
@@ -1,28 +1,26 @@
 class role::swh_sysadmin inherits role::swh_server {
- include profile::network
-
 include profile::prometheus::server
 include profile::grafana
 include profile::prometheus::sql
 include profile::puppet::master
 include profile::letsencrypt
 include profile::icinga2::icingaweb2
 include profile::apache::simple_server
 include ::apache::mod::rewrite
 include profile::bind_server::primary
 include profile::annex_web
 include profile::stats_web
 include profile::docs_web
 include profile::debian_repository
 include profile::bitbucket_archive_web
 include profile::sentry::reverse_proxy
 include profile::weekly_report_bot
 }
diff --git a/site-modules/role/manifests/swh_worker_inria.pp b/site-modules/role/manifests/swh_worker_inria.pp
index 0200d7b3..abe5a23c 100644
--- a/site-modules/role/manifests/swh_worker_inria.pp
+++ b/site-modules/role/manifests/swh_worker_inria.pp
@@ -1,3 +1,2 @@
 class role::swh_worker_inria inherits role::swh_worker {
- include profile::network
 }