diff --git a/modules/hostapd/service.nix b/modules/hostapd/service.nix
index 8ffe3e0..64eb958 100644
--- a/modules/hostapd/service.nix
+++ b/modules/hostapd/service.nix
@@ -9,7 +9,7 @@
 { interface, params} :
 let
   inherit (liminix.services) longrun;
-  inherit (lib) concatStringsSep mapAttrsToList;
+  inherit (lib) concatStringsSep mapAttrsToList unique ;
   inherit (builtins) map filter attrValues length head typeOf;
 
   # This is not a friendly interface to configuring a wireless AP: it
@@ -51,19 +51,9 @@ let
       exec ${hostapd}/bin/hostapd -i $(output ${interface} ifname) -P /run/${name}/hostapd.pid -S /run/${name}/hostapd.conf
     '';
   };
-  watched-services =
-    (filter (f: typeOf f == "set") (attrValues attrs));
-
+  watch = filter (f: typeOf f == "set") (attrValues attrs);
 in svc.secrets.subscriber.build {
-  watch = {
-    service = assert (length watched-services == 1); (head watched-services).service;
-    paths = unique (
-      map (s: s.path)
-        (filter
-          (f: f.service == (head watched-services).service)
-          watched-services
-        ));
-  };
+  inherit watch;
   inherit service;
   action = "restart-all";
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index ab394b9..5106ff0 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -37,16 +37,9 @@ in {
       };
     };
     subscriber = config.system.callService ./subscriber.nix {
-      watch = {
-        service = mkOption {
-          description = "secrets service to subscribe to";
-          type = liminix.lib.types.service;
-        };
-        paths = mkOption {
-          description = "list of output paths we are interested in";
-          example = ["wan/l2tp" "wifi/wlan5"];
-          type = types.listOf types.str;
-        };
+      watch = mkOption {
+        description = "secrets paths to subscribe to";
+        type = types.listOf types.attrs;
       };
       service = mkOption {
         description = "subscribing service that will receive notification";
diff --git a/modules/secrets/subscriber.nix b/modules/secrets/subscriber.nix
index 398506a..e9679cb 100644
--- a/modules/secrets/subscriber.nix
+++ b/modules/secrets/subscriber.nix
@@ -4,9 +4,21 @@
 { watch, service, action } :
 let
   inherit (liminix.services) oneshot longrun;
-  inherit (builtins) toString;
+  inherit (builtins) length head toString;
+  inherit (lib) unique optional;
   inherit (service) name;
-  watcher = let name' = "check-${name}"; in longrun {
+
+  watched-services = unique (map (f: f.service) watch);
+  paths = unique (map (f: f.path) watch);
+
+  watched-service =
+    if length watched-services == 0
+    then null
+    else if length watched-services == 1
+    then head watched-services
+    else throw "cannot subscribe to more than one source service for secrets";
+
+  watcher = let name' = "restart-${name}"; in longrun {
     name = name';
     run = ''
       dir=/run/service/${name}
@@ -14,10 +26,12 @@ let
       if test -e $dir/notification-fd; then flag="-U"; else flag="-u"; fi
       ${s6}/bin/s6-svwait $flag /run/service/${name} || exit
       PATH=${s6-rc}/bin:${s6}/bin:$PATH
-      ${watch-outputs}/bin/watch-outputs -r ${name} ${watch.service} ${lib.concatStringsSep " " watch.paths}
+      ${watch-outputs}/bin/watch-outputs -r ${name} ${watched-service.name} ${lib.concatStringsSep " " paths}
     '';
   };
 in service.overrideAttrs(o: {
-  buildInputs =  (lim.orEmpty o.buildInputs) ++ [ watcher ];
-  dependencies = (lim.orEmpty o.dependencies) ++ [ watcher ];
+  buildInputs =  (lim.orEmpty o.buildInputs) ++
+                 optional (watched-service != null) watcher;
+  dependencies = (lim.orEmpty o.dependencies) ++
+                 optional (watched-service != null)  watcher;
 })