diff --git a/pkgs/clan-cli/clan_cli/vars/check.py b/pkgs/clan-cli/clan_cli/vars/check.py
index 2f2c7fa34..60cadee47 100644
--- a/pkgs/clan-cli/clan_cli/vars/check.py
+++ b/pkgs/clan-cli/clan_cli/vars/check.py
@@ -8,7 +8,7 @@ from ..machines.machines import Machine
 log = logging.getLogger(__name__)
 
 
-def check_secrets(machine: Machine, generator_name: None | str = None) -> bool:
+def check_vars(machine: Machine, generator_name: None | str = None) -> bool:
     secret_vars_module = importlib.import_module(machine.secret_vars_module)
     secret_vars_store = secret_vars_module.SecretStore(machine=machine)
     public_vars_module = importlib.import_module(machine.public_vars_module)
@@ -47,7 +47,9 @@ def check_command(args: argparse.Namespace) -> None:
         name=args.machine,
         flake=args.flake,
     )
-    check_secrets(machine, generator_name=args.service)
+    ok = check_vars(machine, generator_name=args.service)
+    if not ok:
+        raise SystemExit(1)
 
 
 def register_check_parser(parser: argparse.ArgumentParser) -> None:
diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index ab6669c74..268547cb7 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -21,7 +21,7 @@ from ..git import commit_files
 from ..machines.inventory import get_all_machines, get_selected_machines
 from ..machines.machines import Machine
 from ..nix import nix_shell
-from .check import check_secrets
+from .check import check_vars
 from .public_modules import FactStoreBase
 from .secret_modules import SecretStoreBase
 
@@ -101,7 +101,7 @@ def execute_generator(
     public_vars_store: FactStoreBase,
 ) -> bool:
     # check if all secrets exist and generate them if at least one is missing
-    needs_regeneration = not check_secrets(machine, generator_name=generator_name)
+    needs_regeneration = not check_vars(machine, generator_name=generator_name)
     log.debug(f"{generator_name} needs_regeneration: {needs_regeneration}")
     if not (needs_regeneration or regenerate):
         return False
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index abd52295c..8a1b0f66a 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -13,6 +13,7 @@ from root import CLAN_CORE
 from clan_cli.clan_uri import FlakeId
 from clan_cli.machines.machines import Machine
 from clan_cli.nix import nix_shell
+from clan_cli.vars.check import check_vars
 from clan_cli.vars.list import stringify_all_vars
 from clan_cli.vars.public_modules import in_repo
 from clan_cli.vars.secret_modules import password_store, sops
@@ -78,13 +79,15 @@ def test_generate_public_var(
         machine_configs=dict(my_machine=config),
     )
     monkeypatch.chdir(flake.path)
+    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
+    assert not check_vars(machine)
     cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
+    assert check_vars(machine)
     store = in_repo.FactStore(
         Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     )
     assert store.exists("my_generator", "my_value")
     assert store.get("my_generator", "my_value").decode() == "hello\n"
-    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     vars_text = stringify_all_vars(machine)
     assert "my_generator/my_value: hello" in vars_text
 
@@ -106,7 +109,10 @@ def test_generate_secret_var_sops(
     )
     monkeypatch.chdir(flake.path)
     sops_setup.init()
+    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
+    assert not check_vars(machine)
     cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
+    assert check_vars(machine)
     in_repo_store = in_repo.FactStore(
         Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     )
@@ -116,7 +122,6 @@ def test_generate_secret_var_sops(
     )
     assert sops_store.exists("my_generator", "my_secret")
     assert sops_store.get("my_generator", "my_secret").decode() == "hello\n"
-    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     vars_text = stringify_all_vars(machine)
     assert "my_generator/my_secret" in vars_text
 
@@ -194,13 +199,15 @@ def test_generate_secret_var_password_store(
     subprocess.run(
         nix_shell(["nixpkgs#pass"], ["pass", "init", "test@local"]), check=True
     )
+    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
+    assert not check_vars(machine)
     cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
+    assert check_vars(machine)
     store = password_store.SecretStore(
         Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     )
     assert store.exists("my_generator", "my_secret")
     assert store.get("my_generator", "my_secret").decode() == "hello\n"
-    machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     vars_text = stringify_all_vars(machine)
     assert "my_generator/my_secret" in vars_text