diff --git a/lib/default.nix b/lib/default.nix
index 8c4bb7fd..829946de 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -21,6 +21,8 @@ let
 inherit (strings) concatStringsSep;
 in
 rec {
+ inherit (import ./expr-to-nix-str.nix { inherit lib; }) toNixString;
+
 isSubsetOf = needle: haystack: length (lib.lists.intersectLists needle haystack) == length needle;
 haveCommonElements = needle: haystack: length (lib.lists.intersectLists needle haystack) > 0;
diff --git a/lib/expr-to-nix-str.nix b/lib/expr-to-nix-str.nix
new file mode 100644
index 00000000..4b1b3521
--- /dev/null
+++ b/lib/expr-to-nix-str.nix
@@ -0,0 +1,20 @@
+rec {
+ toNixString =
+ expr:
+ if builtins.isList expr then
+ "[" + builtins.concatStringsSep " " (builtins.map toNixString expr) + "]"
+ else if builtins.isAttrs expr then
+ "{ "
+ + builtins.concatStringsSep " " (
+ builtins.map (name: name + " = " + toNixString (expr.${name}) + ";") (builtins.attrNames expr)
+ )
+ + " }"
+ else if expr == null then
+ "null"
+ else if builtins.isString expr then
+ "\"" + expr + "\""
+ else if builtins.isBool expr then
+ (if expr then "true" else "false")
+ else
+ builtins.toString expr;
+}
diff --git a/modules/secrets.nix b/modules/secrets.nix
index dda94119..222eb110 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -1,4 +1,9 @@
-{ withSystem, inputs, ... }:
+{
+ withSystem,
+ inputs,
+ self,
+ ...
+}:
 {
 flake.modules.nixos.mcl-secrets = {
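Review bot: The added `inherit (import ./expr-to-nix-str.nix { inherit lib; }) toNixString;` applies the imported value to an argument, but the new lib/expr-to-nix-str.nix in this same commit evaluates to a plain `rec { ... }` attribute set rather than a function, so evaluating lib/default.nix will fail with an attempt-to-call-something-which-is-not-a-function error. modules/secrets.nix imports the same file with no argument, which is the form that matches the file as written. Either drop the argument here, `inherit (import ./expr-to-nix-str.nix) toNixString;`, or make the new file a function `{ lib }: rec { ... }` so both call sites agree. The `let` block this hunk sits in begins before the hunk.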
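Review bot: toNixString writes strings and attribute names without any escaping, so a string containing `"`, `\` or `${`, or an attribute name that is not a bare identifier (one with a dot or space, such as `secret.age`), yields a generated file that either fails to parse or means something other than the value serialized; an unquoted `secret.age = ...` is parsed by Nix as the nested path `secret = { age = ...; }`. Since the only caller in this commit feeds it key strings and secret names taken from module options, each attribute name should go through `lib.strings.escapeNixIdentifier` and each string through `lib.strings.escapeNixString`, or the function can be replaced by `lib.generators.toPretty { multiline = false; }`, which already handles both; either way the file needs to accept `lib` as an argument. The final else branch passes anything else to `builtins.toString`, which errors on functions and is worth stating, e.g. `# supports lists, attrsets, null, strings, bools and numbers only`.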
@@ -93,18 +98,29 @@
 description = "Extra keys which can decrypt the secrets.";
 };
 nix-file = mkOption {
- default = builtins.toFile "${serviceName}-secrets.nix" ''
- let
- hostKey = ["${sshKey}"];
- extraKeysPerService = ["${concatStringsSep "\"\"" config.extraKeys}"];
- extraKeysPerHost = ["${concatStringsSep "\"\"" mcl-secrets.extraKeys}"];
- in {
- ${concatMapStringsSep "\n" (
- n: "\"${n}.age\".publicKeys = hostKey ++ extraKeysPerService ++ extraKeysPerHost;"
- ) (builtins.attrNames config.secrets)}
- }
- '';
 type = types.path;
+ # default = builtins.toFile "${serviceName}-secrets.nix" ''
+ # let
+ # hostKey = ["${sshKey}"];
+ # extraKeysPerService = ["${concatStringsSep "\"\"" config.extraKeys}"];
+ # extraKeysPerHost = ["${concatStringsSep "\"\"" mcl-secrets.extraKeys}"];
+ # in {
+ # ${concatMapStringsSep "\n" (
+ # n: "\"${n}.age\".publicKeys = hostKey ++ extraKeysPerService ++ extraKeysPerHost;"
+ # ) (builtins.attrNames config.secrets)}
+ # }
+ # '';
+ default = builtins.toFile "${serviceName}-secrets.nix" (
+ (import ../lib/expr-to-nix-str.nix).toNixString (
+ builtins.mapAttrs (
+ n: _:
+ {
+ ${n}.age.publicKeys = sshKey ++ config.extraKeys;
+ }
+ config.secrets
+ )
+ )
+ );
 };
 };
 }
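Review bot: The new default changes the shape of the generated secrets file: `builtins.mapAttrs (n: _: { ${n}.age.publicKeys = ...; }) config.secrets` keeps `n` as the outer key and repeats it inside, so each secret is emitted as `n = { n = { age = { publicKeys = [ ... ]; }; }; };`, whereas the removed default produced a top-level `"n.age".publicKeys = ...;` entry; and because toNixString does not quote attribute names, even a correct `"n.age"` key would be written unquoted and parsed as the nested path `n = { age = ...; }`. The new expression also drops `mcl-secrets.extraKeys` (the per-host keys the removed code added as `extraKeysPerHost`) and evaluates `sshKey ++ config.extraKeys`, which only works if `sshKey` is now a list rather than the string the removed code interpolated into `["${sshKey}"]` — neither change is visible in this hunk, so confirm both are intended. If `lib` is in scope, `lib.mapAttrs' (n: _: lib.nameValuePair "${n}.age" { publicKeys = sshKey ++ config.extraKeys ++ mcl-secrets.extraKeys; }) config.secrets` restores the previous structure once the serializer escapes attribute names. The eleven commented-out lines of the old default should be deleted rather than kept in the file. The `mkOption` call closes inside the hunk, but the definitions enclosing it start before it.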