diff --git a/checks/sanity-checks/dont-depend-on-repo-root.nix b/checks/dont-depend-on-repo-root.nix similarity index 100% rename from checks/sanity-checks/dont-depend-on-repo-root.nix rename to checks/dont-depend-on-repo-root.nix diff --git a/checks/flake-module.nix b/checks/flake-module.nix index 0af739b25..c601a98f7 100644 --- a/checks/flake-module.nix +++ b/checks/flake-module.nix @@ -14,7 +14,7 @@ in ./installation/flake-module.nix ./morph/flake-module.nix ./nixos-documentation/flake-module.nix - ./sanity-checks/dont-depend-on-repo-root.nix + ./dont-depend-on-repo-root.nix ]; perSystem = { diff --git a/clanModules/data-mesher/shared.nix b/clanModules/data-mesher/shared.nix index 54db475e9..01422286e 100644 --- a/clanModules/data-mesher/shared.nix +++ b/clanModules/data-mesher/shared.nix @@ -105,10 +105,7 @@ in private_key = { inherit owner; }; - public_key = { - inherit owner; - secret = false; - }; + public_key.secret = false; }; runtimeInputs = [ @@ -134,10 +131,7 @@ in private_key = { inherit owner; }; - public_key = { - inherit owner; - secret = false; - }; + public_key.secret = false; }; runtimeInputs = [ diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix index 4f8538e90..7d935f46f 100644 --- a/nixosModules/clanCore/vars/default.nix +++ b/nixosModules/clanCore/vars/default.nix 
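Review bot: The new one-liner `public_key.secret = false;` appears in both data-mesher generators (the hunks at lines 105 and 131) with no hint of why the owner was dropped. A later edit could put `inherit owner` back and trip the vars assertion for non-secret files. I would add a comment above each, such as `# non-secret: lives in the nix store, so owner/group/mode must stay at their defaults`. The public key is then presumably readable by any local user via its store path, which is fine for a public key, while `private_key` keeps `inherit owner`. Both generator definitions start and end outside the hunks.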
@@ -58,7 +58,16 @@ in
 )
 )
 ''
- The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret, but has non-default owner/group/mode set.
+ The config.clan.core.vars.generators.${generator.name}.files.${file.name} is not secret:
+ ${lib.optionalString (file.owner != "root") ''
+ The owner is set to ${file.owner}, but should be root.
+ ''}
+ ${lib.optionalString (file.group != (if _class == "darwin" then "wheel" else "root")) ''
+ The group is set to ${file.group}, but should be ${if _class == "darwin" then "wheel" else "root"}.
+ ''}
+ ${lib.optionalString (file.mode != "0400") ''
+ The mode is set to ${file.mode}, but should be 0400.
+ ''}
 This doesn't work because the file will be added to the nix store
 ''
 ) [ ] (lib.attrValues generator.files)
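Review bot: The added lines say the owner "should be root" and the mode "should be 0400", which can read as if a non-secret file ends up root-owned and 0400. Per the closing line of the message the file goes into the nix store, where these settings are not applied and the content is presumably readable by every local user. I would word each line as an unsupported override, e.g. `The owner is set to ${file.owner}, but non-secret files cannot have a custom owner.`, and close by pointing to `secret = true` when access has to be restricted. The group default `if _class == "darwin" then "wheel" else "root"` is written out twice in the hunk, and presumably again in the condition above it; a `let` binding would keep the check and the message in step. The assertion condition and the enclosing fold begin outside the hunk.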