diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
index 716d427..995100c 100644
--- a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
+++ b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
@@ -6,15 +6,14 @@
     ports = [
       "8080:80"
     ];
-    secrets = [
-      {
-        source = "foo";
+    secrets = {
+      "foo" = {
         target = "/run/secrets/foo";
         uid = "123";
         gid = "123";
         mode = "0440";
-      }
-    ];
+      };
+    };
   };
   secrets.foo.environment = "FOO";
 }
diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix
index f65118e..baec199 100644
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@@ -128,7 +128,7 @@ in
             '';
           };
           secrets = mkOption {
-            type = nullOr (listOf (either str serviceSecretType));
+            type = nullOr (either (listOf str) (attrsOf serviceSecretType));
             default = null;
             description = ''
               Build-time secrets exposed to the service.
@@ -138,7 +138,7 @@ in
       });
     };
     service.secrets = mkOption {
-      type = nullOr (listOf (either str serviceSecretType));
+      type = nullOr (either (listOf str) (attrsOf serviceSecretType));
       default = [];
       description = ''
         Run-time secrets exposed to the service.
@@ -451,7 +451,9 @@ in
   } // lib.optionalAttrs (config.service.extra_hosts != []) {
     inherit (config.service) extra_hosts;
   } // lib.optionalAttrs (config.service.secrets != []) {
-    secrets = lib.lists.map (s: {
+    secrets = lib.mapAttrsToList (k: s: {
+      source = k;
+      target = k;
     } // lib.optionalAttrs (s.source != null) {
       inherit (s) source;
     } // lib.optionalAttrs (s.target != null) {