--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
 let inherit (hostArgs.config) system; in
- config.nixpkgs.buildUsing.lib.nixosSystem {
- inherit system;
- modules = [
+ config.nixpkgs.buildUsing.lib.evalModules {
+ modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
 (module // { key = "attr"; }) (config.nixos // { key = "attr"; }) ];
@@ -57,9 +56,6 @@
 "input is not a flake, perhaps flake = false was added to te input declaration?" ) ) inputs;
- self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
- _fleetFlakeRootConfig.perInput system self
- );
 }; }; };
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
 fleetLib, config, pkgs,
+ host,
 fleetConfiguration, ... }:
@@ -13,7 +14,7 @@
 ; inherit (lib.stringsWithDeps) stringAfter; inherit (lib.options) mkOption literalExpression;
- inherit (lib.lists) optional;
+ inherit (lib.lists) optional elem;
 inherit (lib.attrsets) mapAttrs mapAttrsToList; inherit (lib.modules) mkIf; inherit (lib.types)
@@ -109,7 +110,7 @@
 # C api is broken in regard to thunks # https://github.com/NixOS/nix/issues/12800 parts = let
- hostName = sysConfig.networking.hostName;
+ hostName = host._module.args.name;
 generator = config.generator; in builtins.deepSeq [ hostName
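Review bot: Calling `lib.evalModules` directly over `module-list.nix` loses what `lib.nixosSystem` (through `nixos/lib/eval-config.nix`) wraps around that same list — `specialArgs.modulesPath`, the `baseModules`/`modules` module args, and the default `nixpkgs.hostPlatform` derived from `system` — and since the `inherit system;` line is removed, nothing in this hunk sets the target platform any more, leaving the `inherit (hostArgs.config) system;` binding on the context line unused here. Any module in the list that reads `modulesPath` or `baseModules` will fail to evaluate, and a host whose `config.nixos` does not set `nixpkgs.hostPlatform` will either fail the nixpkgs module's check or silently evaluate for the evaluating machine's platform. Unless every host's `config.nixos` is guaranteed to set the platform, add `specialArgs = { modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules"; };` to the `evalModules` call and append `{ nixpkgs.hostPlatform = config.nixpkgs.buildUsing.lib.mkDefault system; key = "attr"; }` to the module list.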
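Review bot: `hostName` in `parts` is now the fleet-side attribute name (`host._module.args.name`) instead of the machine's `networking.hostName`, so the identity that keys secret parts is no longer necessarily the name the host reports at runtime; where the two differ, anything that still looks a host up by `networking.hostName` (other consumers of `parts`, or a hand-edited fleet.nix) will disagree with this module. That is presumably intended, since it is the same name the new ownership assertion compares against `expectedOwners`, but it should be stated at the binding, e.g. `# keyed by the fleet host name (the attr name under the fleet's hosts), not networking.hostName; the two may differ`. Reading `_module.args.name` also reaches into module-system internals; passing `name` in explicitly as a module argument next to `host` would make the dependency visible in the signature. The `parts` binding and the `builtins.deepSeq` it feeds continue past the end of the hunk.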
@@ -154,9 +155,9 @@
 assertions = mapAttrsToList (name: secret: let hasSharedDefinition = fleetConfiguration.secrets ? name; in {
- assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+ assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
 message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
- else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+ else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
 }) config.secrets; systemd.services.fleet-install-secrets = mkIf useSysusers {
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -22,14 +22,10 @@
 { options = { expectedOwners = mkOption {
- type = nullOr (listOf str);
+ type = listOf str;
 description = '' Specifies the list of hosts authorized to decrypt and access this shared secret.
-
- - When null, secret ownership is managed manually via fleet.nix and CLI.
- Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.
 '';
- default = null;
 }; regenerateOnOwnerAdded = mkOption { type = bool;
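Review bot: The new `assertion` line parses as `((declaredShared == hasSharedDefinition) && hasSharedDefinition) -> (elem …)` because `->` has the lowest precedence in Nix, so whenever the generator and the fleet definition disagree — exactly the case the old assertion caught — the antecedent is false and the implication is vacuously true; the pre-existing check is silently disabled and the only thing still enforced is the owner membership in the shared-and-consistent case. The implication has to be parenthesised on its own, `(… == hasSharedDefinition) && (hasSharedDefinition -> elem …)`. Two further problems compound this: the context line `fleetConfiguration.secrets ? name` tests for an attribute literally named `name`, not `${name}`, so `hasSharedDefinition` is almost always false and the new `.${name}.expectedOwners` lookup is never reached, and when the owner check does fail the `message` still reports "has host-specific secret generator", which is not what went wrong. The rewrite below fixes the precedence, the attribute test and gives the owner failure its own message.
```nix
assertions = mapAttrsToList (name: secret: let
  hasSharedDefinition = fleetConfiguration.secrets ? ${name};
  declaredShared = secret.definition.generator == "shared";
  isExpectedOwner = hasSharedDefinition
    && elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners;
in {
  # `->` binds looser than `&&`; without the parentheses a generator/definition
  # mismatch makes the whole implication vacuously true and the check disappears.
  assertion = (declaredShared == hasSharedDefinition) && (hasSharedDefinition -> isExpectedOwner);
  message =
    if declaredShared && !hasSharedDefinition then
      "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator"
    else if !declaredShared && hasSharedDefinition then
      "secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
    else
      "secret ${name} is shared, but this host is not listed in its expectedOwners in fleet configuration";
}) config.secrets;
```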
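Review bot: With `nullOr` and `default = null` removed, `expectedOwners` becomes a required option, so any shared secret in an existing fleet configuration that relied on the manual-ownership mode now fails evaluation at the type check, and the updated description does not say so; it should state that the option is mandatory and what the empty list means, e.g. `Required. An empty list means no host can decrypt this secret.` (the safe failure mode, worth naming since this list is the authorization boundary for the secret). The removed `Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.` line was the only place the runtime location was documented; unless it moved elsewhere in this commit it should be kept. `listOf str` also accepts names that are not fleet hosts, so a typo quietly rejects the intended owner without granting anyone; if the fleet's host set is reachable from this module, `listOf (enum (attrNames …))` or an assertion against it would surface that at evaluation time.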