diff --git a/hosts/modules/derived-secrets/default.nix b/hosts/modules/derived-secrets/default.nix
index 02a5af16..648bf592 100644
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@@ -1,16 +1,14 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (builtins) toString;
-  inherit (lib) mapAttrs mkOption types;
   hash-path-with-salt = pkgs.static-nix-shell.mkBash {
     pname = "hash-path-with-salt";
     src = ./.;
   };
-
+
   cfg = config.sane.derived-secrets;
-  secret = types.submodule {
+  secret = with lib; types.submodule {
     options = {
       len = mkOption {
         type = types.int;
@@ -23,7 +21,7 @@ let
 in
 {
   options = {
-    sane.derived-secrets = mkOption {
+    sane.derived-secrets = with lib; mkOption {
       type = types.attrsOf secret;
       default = {};
       description = ''
@@ -36,11 +34,12 @@ in
   };
   config = {
-    sane.fs = mapAttrs (path: c: {
+    sane.fs = lib.mapAttrs (path: c: {
       generated.command = [
         "${hash-path-with-salt}/bin/hash-path-with-salt"
         path
         c.encoding
+        (builtins.toString (c.len * 2))
       ];
       generated.acl.mode = "0600";
     }) cfg;
diff --git a/hosts/modules/derived-secrets/hash-path-with-salt b/hosts/modules/derived-secrets/hash-path-with-salt
index 26ab2421..8057e8de 100755
--- a/hosts/modules/derived-secrets/hash-path-with-salt
+++ b/hosts/modules/derived-secrets/hash-path-with-salt
@@ -2,9 +2,10 @@
 #!nix-shell -i bash
 file="$1"
 enc="$2"
+nibbles="$3"
 echo "$file" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
   | sha512sum \
-  | cut -c 1-${toString (c.len * 2)} \
+  | cut -c "1-$nibbles" \
   | tr a-z A-Z \
   | basenc -d --base16 \
   | basenc "--$enc" \
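Review bot: After dropping `inherit (lib) mapAttrs mkOption types;`, the new code mixes two conventions for reaching into `lib`: the `secret` submodule and the `sane.derived-secrets` option (first and second hunks) use `with lib;`, while `sane.fs` (third hunk) uses the qualified `lib.mapAttrs`. Picking one form makes name resolution easier to audit; qualified `lib.mkOption` / `lib.types.submodule` avoids the implicit scoping of `with` entirely, or the explicit `inherit` could simply have been kept. The reason for removing the `inherit` line is not visible in the hunk, so if it was worked around a scoping problem a one-line comment saying so would help the next reader. Note that `len` is declared as `types.int`, but the script only ever yields up to 64 bytes (see the note on the script hunk), so `type = lib.types.ints.between 1 64;` would reject out-of-range values at evaluation time instead of silently producing a shorter secret.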
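Review bot: `cut -c "1-$nibbles"` applies no bound to the new positional argument, and `sha512sum` emits only 128 hex characters, so any `len` above 64 (passed as `c.len * 2` from the Nix module) silently yields a 64-byte secret rather than failing, and an empty or missing third argument turns the range into `1-`, i.e. the whole digest. A guard right after the assignment makes the contract explicit: `case "$nibbles" in ''|*[!0-9]*) echo "hash-path-with-salt: nibbles must be an integer" >&2; exit 1;; esac` followed by `[ "$nibbles" -ge 2 ] && [ "$nibbles" -le 128 ] || { echo "hash-path-with-salt: nibbles out of range (2-128)" >&2; exit 1; }`. Whether the script sets `pipefail` cannot be seen here because line 1 and the tail of the pipeline lie outside the hunk; without it a failure reading the host key would leave the pipeline's exit status at that of the last stage. A short usage comment above `file="$1"` naming the three arguments (`path encoding nibbles`) would also document the interface the Nix side now depends on.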