diff --git a/hosts/homeserver/default.nix b/hosts/homeserver/default.nix
index e6c18bd..a8beb12 100644
--- a/hosts/homeserver/default.nix
+++ b/hosts/homeserver/default.nix
@@ -29,14 +29,14 @@
 gui.domain = "syncthing.${privateDomain}";
 doBackups = true;
 };
- };
- web-services = {
 atuin = {
 enable = true;
 domain = "atuin.${privateDomain}";
 };
+ };
+ web-services = {
 filebrowser = {
 enable = true;
 domain = "files.${privateDomain}";
diff --git a/modules/home/programs/git.nix b/modules/home/programs/git.nix
index 671075b..a2488f7 100644
--- a/modules/home/programs/git.nix
+++ b/modules/home/programs/git.nix
@@ -4,7 +4,7 @@
 config = lib.mkIf config.custom.programs.git.enable {
 sops.secrets =
- config.custom.sops.secretsData.ssh-key
+ config.custom.sops.secrets.ssh-key
 |> lib.mapAttrs' (
 name: _: lib.nameValuePair "ssh-key/${name}" { path = "${config.home.homeDirectory}/.ssh/${name}"; }
 );
@@ -42,7 +42,7 @@
 lazygit.enable = true;
 ssh.matchBlocks =
- config.custom.sops.secretsData.ssh-key
+ config.custom.sops.secrets.ssh-key
 |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
 };
 };
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index ff3cf3b..99b75c6 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@@ -25,7 +25,7 @@ in
 type = self.lib.types.existingPath;
 default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/secrets.json";
 };
- secretsData = lib.mkOption {
+ secrets = lib.mkOption {
 type = lib.types.anything;
 default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
 };
@@ -38,21 +38,11 @@ in
 };
 assertions =
- (
- config.sops.secrets
- |> lib.attrNames
- |> lib.map (secretPath: {
- assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
- message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
- })
- )
- ++ (
- lib.removeAttrs cfg.secretsData [ "sops" ]
- |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
- |> lib.map (secretPath: {
- assertion = config.sops.secrets |> lib.hasAttr secretPath;
- message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
- })
- );
+ config.sops.secrets
+ |> lib.attrNames
+ |> lib.map (secretPath: {
+ assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
+ message = "Sops secret `${secretPath}` must be defined in secrets.json";
+ });
 };
 }
diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix
index 20f9efa..125cc75 100644
--- a/modules/nixos/networking/underlay.nix
+++ b/modules/nixos/networking/underlay.nix
@@ -33,7 +33,7 @@ in
 enable = lib.mkEnableOption "";
 networks = lib.mkOption {
 type = lib.types.listOf lib.types.nonEmptyStr;
- default = config.custom.sops.secretsData.iwd |> lib.attrNames;
+ default = config.custom.sops.secrets.iwd |> lib.attrNames;
 };
 };
 };
diff --git a/modules/nixos/web-services/atuin.nix b/modules/nixos/services/atuin.nix
similarity index 92%
rename from modules/nixos/web-services/atuin.nix
rename to modules/nixos/services/atuin.nix
index 79bf168..234cf84 100644
--- a/modules/nixos/web-services/atuin.nix
+++ b/modules/nixos/services/atuin.nix
@@ -1,10 +1,10 @@
 { config, lib, ... }:
 let
- cfg = config.custom.web-services.atuin;
+ cfg = config.custom.services.atuin;
 dataDir = "/var/lib/atuin";
 in
 {
- options.custom.web-services.atuin = {
+ options.custom.services.atuin = {
 enable = lib.mkEnableOption "";
 domain = lib.mkOption {
 type = lib.types.nonEmptyStr;
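Review bot: With the second half of `assertions` removed in the modules/home/sops.nix hunk (and in the identical hunk in modules/nixos/sops.nix), a key that stays in secrets.json after its last consumer is deleted no longer surfaces at evaluation, so unused credentials can linger in the file unnoticed. If the hard failure was what got in the way, the same list could feed the module system's `warnings` option instead, as sketched below; this assumes `assertions` sits directly in the module's `config`, whose opening is outside the hunk. The retained check also looks paths up in `cfg.secrets` without the `removeAttrs [ "sops" ]` filter the removed code applied, so what appears to be the sops metadata key still counts as a defined path. A one-line comment stating that `custom.sops.secrets` is the parsed secrets.json (presumably still encrypted) and not `config.sops.secrets` would help now that the two names mirror each other.

```nix
# … unchanged: assertions = config.sops.secrets |> lib.attrNames |> lib.map … …
warnings =
  lib.removeAttrs cfg.secrets [ "sops" ]
  |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
  |> lib.filter (secretPath: !(config.sops.secrets |> lib.hasAttr secretPath))
  |> lib.map (secretPath: "Sops secret `${secretPath}` is defined in secrets.json but not used in any module");
```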
diff --git a/modules/nixos/services/syncthing.nix b/modules/nixos/services/syncthing.nix
index 73fe5f7..44bd538 100644
--- a/modules/nixos/services/syncthing.nix
+++ b/modules/nixos/services/syncthing.nix
@@ -11,7 +11,7 @@ let
 inherit (config.services.syncthing) dataDir;
- useSopsSecrets = config.custom.sops.secretsData |> lib.hasAttr "syncthing";
+ useSopsSecrets = config.custom.sops.secrets |> lib.hasAttr "syncthing";
 in
 {
 options.custom.services.syncthing = {
diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix
index 1dd2c27..760fceb 100644
--- a/modules/nixos/sops.nix
+++ b/modules/nixos/sops.nix
@@ -21,7 +21,7 @@ in
 type = self.lib.types.existingPath;
 default = "${self}/hosts/${config.networking.hostName}/secrets.json";
 };
- secretsData = lib.mkOption {
+ secrets = lib.mkOption {
 type = lib.types.anything;
 default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
 };
@@ -36,21 +36,11 @@ in
 };
 assertions =
- (
- config.sops.secrets
- |> lib.attrNames
- |> lib.map (secretPath: {
- assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
- message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
- })
- )
- ++ (
- lib.removeAttrs cfg.secretsData [ "sops" ]
- |> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
- |> lib.map (secretPath: {
- assertion = config.sops.secrets |> lib.hasAttr secretPath;
- message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
- })
- );
+ config.sops.secrets
+ |> lib.attrNames
+ |> lib.map (secretPath: {
+ assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
+ message = "Sops secret `${secretPath}` must be defined in secrets.json";
+ });
 };
 }