diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
index f12d436..1ce2736 100644
--- a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
+++ b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
@@ -22,15 +22,15 @@
             "ports": [
                 "8080:80"
             ],
-            "secrets": {
-                "foo": {
-                    "gid": 123,
+            "secrets": [
+                {
+                    "gid": "123",
                     "mode": "0440",
-                    "source": "web_cache_redis_secret",
-                    "target": "/run/secrets/web_cache_redis_secret",
-                    "uid": 123
+                    "source": "foo",
+                    "target": "/run/secrets/foo",
+                    "uid": "123"
                 }
-            },
+            ],
             "sysctls": {},
             "volumes": []
         }
diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
index 2504e9d..716d427 100644
--- a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
+++ b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
@@ -6,15 +6,15 @@
     ports = [
       "8080:80"
     ];
-    secrets = {
-      foo = {
-        source = "web_cache_redis_secret";
-        target = "/run/secrets/web_cache_redis_secret";
-        uid = 123;
-        gid = 123;
+    secrets = [
+      {
+        source = "foo";
+        target = "/run/secrets/foo";
+        uid = "123";
+        gid = "123";
         mode = "0440";
-      };
-    };
+      }
+    ];
   };
   secrets.foo.environment = "FOO";
 }
diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix
index 0641cb7..f65118e 100644
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@@ -31,12 +31,12 @@ let
         description = serviceRef "secrets";
       };
       uid = mkOption {
-        type = nullOr (either str int);
+        type = nullOr str;
         default = null;
         description = serviceRef "secrets";
       };
       gid = mkOption {
-        type = nullOr (either str int);
+        type = nullOr str;
         default = null;
         description = serviceRef "secrets";
       };
@@ -128,7 +128,7 @@ in
             '';
           };
           secrets = mkOption {
-            type = nullOr (either (listOf str) (attrsOf serviceSecretType));
+            type = nullOr (listOf (either str serviceSecretType));
             default = null;
             description = ''
               Build-time secrets exposed to the service.
@@ -138,7 +138,7 @@ in
       });
     };
     service.secrets = mkOption {
-      type = either (listOf str) (attrsOf serviceSecretType);
+      type = nullOr (listOf (either str serviceSecretType));
       default = [];
       description = ''
         Run-time secrets exposed to the service.
@@ -451,7 +451,18 @@ in
   } // lib.optionalAttrs (config.service.extra_hosts != []) {
     inherit (config.service) extra_hosts;
   } // lib.optionalAttrs (config.service.secrets != []) {
-    inherit (config.service) secrets;
+    secrets = lib.lists.map (s: {
+    } // lib.optionalAttrs (s.source != null) {
+      inherit (s) source;
+    } // lib.optionalAttrs (s.target != null) {
+      inherit (s) target;
+    } // lib.optionalAttrs (s.uid != null) {
+      inherit (s) uid;
+    } // lib.optionalAttrs (s.gid != null) {
+      inherit (s) gid;
+    } // lib.optionalAttrs (s.mode != null) {
+      inherit (s) mode;
+    }) config.service.secrets;
   } // lib.optionalAttrs (config.service.hostname != null) {
     inherit (config.service) hostname;
   } // lib.optionalAttrs (config.service.dns != []) {