--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -25,8 +25,9 @@
 default = null;
 };
 secret = mkOption {
- type = str;
+ type = nullOr str;
 description = "Encrypted secret data";
+ default = null;
 };
 };
 };
@@ -78,7 +79,7 @@
 { secrets = (mapAttrs cleanupSecret (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)
- ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or {}));
+ ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or { }));
 }
 ];
 });
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -1,9 +1,12 @@
-{ lib, config, pkgs, ... }: with lib;
+{ lib, config, pkgs, ... }:
+
+with lib;
+
 let
 sysConfig = config;
 secretType = types.submodule ({ config, ... }: {
 config = {
- path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");
+ path = mkOptionDefault "/run/secrets/${config._module.args.name}";
 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
 };
 options = {
@@ -35,12 +38,10 @@
 path = mkOption {
 type = types.str;
- readOnly = true;
 description = "Path to the decrypted secret";
 };
 publicPath = mkOption {
 type = types.package;
- readOnly = true;
 description = "Path to the public part of secret";
 };
 };
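Review bot: In modules/fleet/secrets.nix (@@ -25,8 +25,9 @@) `secret` becomes `nullOr str` with `default = null`, and the first hunk of modules/nixos/secrets.nix (@@ -1,9 +1,12 @@) drops the only branch that reacted to a null secret, so an entry with no encrypted payload now evaluates cleanly and still advertises `/run/secrets/<name>` as its `path`. Unless the code that materialises secrets (not visible in these hunks) handles that case, a consuming service would only fail at runtime, or start without its credential. If null is meant for entries that carry only a public part (an inference from `publicPath`), I would keep a guard that fires when the path is actually used, `path = mkOptionDefault (if config.secret == null then throw "secret ${config._module.args.name} has no encrypted data" else "/run/secrets/${config._module.args.name}");`, and state the meaning of null in the option text: `description = "Encrypted secret data; null when the entry has no private part";`. Both submodule bodies continue outside their hunks.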
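Review bot: In the last hunk of modules/nixos/secrets.nix (@@ -35,12 +38,10 @@), removing `readOnly = true` from `path` lets any module redirect where the decrypted secret is expected, yet the description documents neither the default nor any constraint on an override. The code that writes the plaintext is outside this hunk, so it is worth confirming that it applies the same ownership and mode to an overridden path as to the `/run/secrets` default. I would record the constraint on the option itself: `description = "Path to the decrypted secret. Defaults to /run/secrets/<name>; an override should stay on tmpfs so the plaintext is never written to persistent storage";`. The enclosing `options` set starts and ends outside the hunk.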