diff --git a/flake.nix b/flake.nix
index b11dbed..b7fd152 100644
--- a/flake.nix
+++ b/flake.nix
@@ -135,7 +135,13 @@
           inherit (self.checks.${system}.pre-commit) shellHook;
         };
 
-        packages = import ./pkgs { inherit pkgs; };
+        packages =
+          let
+            packages = import ./pkgs { inherit pkgs; };
+            isSystem = pkg: builtins.elem system pkg.meta.platforms;
+            finalPackages = lib.flip lib.filterAttrs packages (_: isSystem);
+          in
+          finalPackages;
       }) // {
       overlay = self.overlays.pkgs;
 
diff --git a/home/secrets/default.nix b/home/secrets/default.nix
index 3624472..ac0e5b5 100644
--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
@@ -2,13 +2,17 @@
 
 with lib;
 let
-  canaryHash = builtins.hashFile "sha256" ./canary;
-  expectedHash =
-    "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+  throwOnCanary =
+    let
+      canaryHash = builtins.hashFile "sha256" ./canary;
+      expectedHash =
+        "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+    in
+    if canaryHash != expectedHash
+    then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
+    else id;
 in
-if canaryHash != expectedHash then
-  abort "Secrets are not readable. Have you run `git-crypt unlock`?"
-else {
+throwOnCanary {
   options.my.secrets = mkOption {
     type = types.attrs;
   };
diff --git a/pkgs/bw-pass/default.nix b/pkgs/bw-pass/default.nix
index a5297d5..6f27bd3 100644
--- a/pkgs/bw-pass/default.nix
+++ b/pkgs/bw-pass/default.nix
@@ -39,7 +39,7 @@ stdenvNoCC.mkDerivation rec {
     description = "A simple script to query a password from bitwarden";
     homepage = "https://gitea.belanyi.fr/ambroisie/nix-config";
     license = with licenses; [ mit ];
-    platforms = platforms.unix;
+    platforms = platforms.linux;
     maintainers = with maintainers; [ ambroisie ];
   };
 }
diff --git a/secrets/default.nix b/secrets/default.nix
index 8c34abe..754483d 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,14 +1,18 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 
 with lib;
 let
-  canaryHash = builtins.hashFile "sha256" ./canary;
-  expectedHash =
-    "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+  throwOnCanary =
+    let
+      canaryHash = builtins.hashFile "sha256" ./canary;
+      expectedHash =
+        "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+    in
+    if canaryHash != expectedHash
+    then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
+    else id;
 in
-if canaryHash != expectedHash then
-  abort "Secrets are not readable. Have you run `git-crypt unlock`?"
-else {
+throwOnCanary {
   options.my.secrets = mkOption {
     type = types.attrs;
   };
@@ -50,6 +54,6 @@ else {
       root.hashedPassword = fileContents ./users/root/password.txt;
     };
 
-    wireguard = pkgs.callPackage ./wireguard { };
+    wireguard = import ./wireguard { inherit lib; };
   };
 }