--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -6,16 +6,20 @@
 };
 use anyhow::{anyhow, bail, ensure, Context, Result};
 use chrono::{DateTime, Utc};
-use clap::Parser;
+use clap::{error::ErrorKind, Parser};
+use crossterm::{terminal, tty::IsTty};
+use itertools::Itertools;
 use owo_colors::OwoColorize;
 use serde::Deserialize;
 use std::{
 collections::{BTreeSet, HashSet},
- io::{self, Cursor, Read},
+ ffi::OsString,
+ io::{self, stdin, Cursor, Read, Write},
 path::PathBuf,
 };
 use tabled::{Table, Tabled};
-use tokio::fs::read_to_string;
+use tempfile::NamedTempFile;
+use tokio::{fs::read_to_string, process::Command};
 use tracing::{error, info, info_span, warn, Instrument};
 #[derive(Parser)]
@@ -586,7 +590,7 @@
 {
 Ok(v) => v,
 Err(e) => {
- error!("{e}");
+ error!("{e:?}");
 continue;
 }
 };
--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -385,7 +385,7 @@
 let config_unchecked_field = nix_go!(fleet_field.unchecked.config);
 let import = nix_go!(builtins_field.import);
- let overlays = nix_go!(fleet_field.overlays);
+ let overlays = nix_go!(config_unchecked_field.overlays);
 let nixpkgs = nix_go!(fleet_field.nixpkgs | import);
 let default_pkgs = nix_go!(nixpkgs(Obj {
--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -153,7 +153,7 @@
 overlays = [
 (final: prev: let
 lib = final.lib;
- inherit (lib) strings;
+ inherit (lib) strings concatMap;
 inherit (strings) escapeShellArgs;
 in {
 mkEncryptSecret = {
@@ -162,7 +162,7 @@
 }:
 prev.writeShellScript "encryptor" ''
 #!/bin/sh
- exec ${rage}/bin/rage ${escapeShellArgs recipients} -e "$@"
+ exec ${rage}/bin/rage ${escapeShellArgs (concatMap (r: ["-r" r]) recipients)} -e "$@"
 '';
 # TODO: Move to fleet
 # TODO: Merge both generators to one with consistent options syntax?
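Review bot: In the `@@ -586,7 +590,7 @@` hunk of secrets/mod.rs, `error!("{e:?}")` will (assuming `e` is an `anyhow::Error`) print the full cause chain and, when backtraces are enabled, a multi-line backtrace into the log of a secrets command. If the aim is only to see the chain, `error!("{e:#}")` gives it on one line without the backtrace. It is also worth confirming that no `.context(...)` on this path embeds secret plaintext or generator output, since those strings are now always printed. The enclosing match and loop start outside the hunk, so the origin of the error is not visible here.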
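Review bot: In host.rs nothing at the changed line explains why `overlays` is now read from `config_unchecked_field` while `nixpkgs` on the next line still comes from `fleet_field`. A short comment would stop a later reader from reverting it, for example `// overlays are contributed by modules (e.g. modules/fleet/secrets.nix), so read them from the evaluated config`. Because this is the unchecked config, module assertions have presumably not run at this point; if that matters for the overlay that supplies the encryptor script, the comment should say so. The enclosing function starts and ends outside the hunk.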
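Review bot: In the `@@ -162,7 +162,7 @@` hunk of secrets.nix, an empty `recipients` list expands to nothing, so the generated script runs `rage -e "$@"` with no `-r` at all and the misconfiguration only surfaces when the encryptor is executed. Failing at evaluation time is easier to diagnose, e.g. `assert recipients != [];` placed before `prev.writeShellScript "encryptor"`. The `mkEncryptSecret` argument set starts outside the hunk, so a check may already exist there.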
@@ -177,8 +177,12 @@ (prev.writeShellScript "impureGenerator.sh" '' #!/bin/sh set -eu - cd /var/empty + # TODO: Provide tempdir from outside, to make it securely erasurable as needed? + tmp=$(mktemp -d) + cd $tmp + # cd /var/empty + created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ") ${script}
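Review bot: The directory created by `mktemp -d` is never removed in the lines shown, so anything `${script}` writes while generating a secret stays on disk after the generator exits, whereas the old `cd /var/empty` could leave nothing behind. A cleanup trap set right after creation would cover both normal exit and `set -e` aborts: `trap 'rm -rf -- "$tmp"' EXIT`. The `cd $tmp` should also be quoted as `cd -- "$tmp"` because TMPDIR may contain spaces, and the commented-out `# cd /var/empty` can be dropped. The TODO about secure erasure still applies after that, since `rm` does not wipe the data; a tmpfs-backed TMPDIR would be one way to address it. The script continues past the end of this hunk, so cleanup may already happen further down.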