diff --git a/nixosModules/clanCore/vars/secret/password-store.nix b/nixosModules/clanCore/vars/secret/password-store.nix index ccfee34ed..518f8dd2e 100644 --- a/nixosModules/clanCore/vars/secret/password-store.nix +++ b/nixosModules/clanCore/vars/secret/password-store.nix @@ -24,7 +24,7 @@ let mount --bind --make-private /run/secrets.tmp /run/secrets.tmp mount --bind --make-private /run/secrets /run/secrets tar -xf "$src" -C /run/secrets.tmp - move-mount --beneath --move /run/secrets.tmp /run/secrets + move-mount --beneath --move /run/secrets.tmp /run/secrets >/dev/null umount -R /run/secrets.tmp rmdir /run/secrets.tmp umount --lazy /run/secrets @@ -44,7 +44,7 @@ in lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store") { fileModule = file: { - path = "/run/secrets/vars/${file.config.generatorName}/${file.config.name}"; + path = "/run/secrets/${file.config.generatorName}/${file.config.name}"; }; secretUploadDirectory = lib.mkDefault "/etc/secrets"; secretModule = "clan_cli.vars.secret_modules.password_store"; diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py index 50bb3101d..4af78b6ad 100644 --- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py +++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py @@ -126,7 +126,13 @@ class SecretStore(SecretStoreBase): # we sort the hashes to make sure that the order is always the same hashes.sort() - return b"\n".join(hashes) + + manifest = [] + for gen_name, generator in self.machine.vars_generators.items(): + for f_name in generator["files"]: + manifest.append(f"{gen_name}/{f_name}".encode()) + manifest += hashes + return b"\n".join(manifest) @override def needs_upload(self) -> bool: 
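Review bot: The manifest built after `hashes.sort()` lists every file of every generator, but `upload()` only ships files whose `deploy` and `secret` flags are set, so this method's return value changes when a non-deployed or non-secret file is added or renamed even though nothing on the target changes; if the value feeds `needs_upload` (declared right below, body not in the hunk) that means spurious re-uploads. Iterating `generator["files"].items()` and skipping with `if not file["deploy"] or not file["secret"]: continue` before the `manifest.append(...)` keeps the two views in step. The names are also appended in dict iteration order while the hashes were explicitly sorted for determinism; a `manifest.sort()` before `manifest += hashes` makes the comment above `hashes.sort()` hold for the whole output. The start of this method, where `hashes` is built, is outside the hunk.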
@@ -147,13 +153,18 @@ class SecretStore(SecretStoreBase): def upload(self, output_dir: Path) -> None: with tarfile.open(output_dir / "secrets.tar.gz", "w:gz") as tar: for gen_name, generator in self.machine.vars_generators.items(): - tar_dir = tarfile.TarInfo(name=gen_name) - tar_dir.type = tarfile.DIRTYPE - tar_dir.mode = 0o511 - tar.addfile(tarinfo=tar_dir) + dir_exists = False for f_name, file in generator["files"].items(): if not file["deploy"]: continue + if not file["secret"]: + continue + if not dir_exists: + tar_dir = tarfile.TarInfo(name=gen_name) + tar_dir.type = tarfile.DIRTYPE + tar_dir.mode = 0o511 + tar.addfile(tarinfo=tar_dir) + dir_exists = True tar_file = tarfile.TarInfo(name=f"{gen_name}/{f_name}") content = self.get(gen_name, f_name, generator["share"]) tar_file.size = len(content)
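Review bot: The `tarfile.TarInfo(name=f"{gen_name}/{f_name}")` entry for a secret gets only its `size` set within the hunk, and `TarInfo` defaults `mode` to 0o644, so unless a line below the hunk assigns `tar_file.mode`, the deploy script's `tar -xf` (which preserves archive modes when it runs as root, as the surrounding mount commands suggest it does) leaves every secret world-readable under `/run/secrets`. Set `tar_file.mode = 0o400` (or the narrowest mode the consumers need) right after the size, mirroring how the directory entry gets `tar_dir.mode = 0o511`. As a matter of style, the two consecutive guards collapse to `if not file["deploy"] or not file["secret"]: continue`, and the `dir_exists` flag could go if the generator is checked for any deployable secret before its directory entry is emitted. `upload()` continues past the last hunk line (the `tar.addfile` for `tar_file` is not shown), so the mode may already be set there.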