diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
index b26ccf7..bec164b 100644
--- a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
+++ b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
@@ -21,6 +21,14 @@
 "ports": [
 "8080:80"
 ],
+ "secrets": {
+ "foo": {
+ "gid": 123,
+ "mode": "0440",
+ "source": "web_cache_redis_secret",
+ "uid": 123
+ }
+ },
 "sysctls": {},
 "volumes": []
 }
diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
index 2f85c6d..a5b3e22 100644
--- a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
+++ b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
@@ -6,6 +6,14 @@
 ports = [
 "8080:80"
 ];
+ secrets = {
+ foo = {
+ source = "web_cache_redis_secret";
+ uid = 123;
+ gid = 123;
+ mode = "0440";
+ };
+ };
 };
 secrets.foo.environment = "FOO";
 }
diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix
index 3b3b4df..37591d9 100644
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@@ -18,6 +18,36 @@ let
 cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
 cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
+ serviceSecretType = types.submodule {
+ options = {
+ source = mkOption {
+ type = nullOr str;
+ default = null;
+ description = serviceRef "secrets";
+ };
+ uid = mkOption {
+ type = nullOr (either str int);
+ default = null;
+ description = serviceRef "secrets";
+ };
+ gid = mkOption {
+ type = nullOr (either str int);
+ default = null;
+ description = serviceRef "secrets";
+ };
+ mode = mkOption {
+ type = nullOr str;
+ default = null;
+ example = "0444";
+ description = ''
+ The default value of is usually 0444. This option may not be supported
+ when not deploying to a Swarm.
+ ${serviceRef "secrets"}
+ '';
+ };
+ };
+ };
+
 in {
 imports = [
@@ -93,7 +123,7 @@ in
 '';
 };
 secrets = mkOption {
- type = nullOr (listOf str);
+ type = nullOr (either (listOf str) (attrsOf serviceSecretType));
 default = null;
 description = ''
 Build-time secrets exposed to the service.
@@ -103,11 +133,19 @@ in
 });
 };
 service.secrets = mkOption {
- type = listOf str;
+ type = either (listOf str) (attrsOf serviceSecretType);
 default = [];
 description = ''
 Run-time secrets exposed to the service.
 '';
+ example = {
+ redis_secret = {
+ source = "web_cache_redis_secret";
+ uid = 123;
+ gid = 123;
+ mode = "0440";
+ };
+ };
 };
 service.hostname = mkOption {
 type = nullOr str;
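Review bot: The `mode` option in the new `serviceSecretType` submodule has a dropped word in its description (`The default value of is usually 0444`) and a type of `nullOr str`, so any string — `"644"`, `"rw-r-----"`, a decimal — passes module evaluation and is only rejected, or silently misread, when compose parses the file. I would reword it to `The default value is 0444 (world-readable). This option may not be supported when not deploying to a Swarm.` and, if `strMatching` can be brought into scope the same way `nullOr`/`either` evidently are, declare `type = nullOr (strMatching "0[0-7]{3,4}");` so only octal mode strings reach the generated compose file. Since the implied default leaves secret files world-readable inside the container, the description is also the right place to tell users to set `mode` together with `uid`/`gid` when a secret is meant for one process. The `let` block these bindings are added to starts outside the hunk.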
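Review bot: The attrset form now accepted by `service.secrets` is passed through unchanged — the fixture in this commit emits `"secrets": { "foo": { … } }` — and if I read the compose spec right, the service-level long syntax is a list of objects (`- source: …` with `target`, `uid`, `gid`, `mode`), not a mapping keyed by name, so unless a hunk outside this view converts the attrset to a list I would expect compose to reject it; worth checking against the compose schema before relying on the fixture. Independently, `target` (the filename mounted under `/run/secrets/`) is missing from `serviceSecretType`, so the long form cannot rename the mounted file. The submodule also lets `source` stay `null` without the description saying what name is used in that case; either make `source` required or state the fallback in the option's description.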