diff --git a/clanModules/root-password/default.nix b/clanModules/root-password/default.nix
index 9c901f30e..a340730e3 100644
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -9,9 +9,9 @@
   users.users.root.hashedPasswordFile =
     config.clan.core.facts.services.root-password.secret.password-hash.path;
 
-  sops.secrets."${config.clan.core.machineName}-password-hash".neededForUsers = lib.mkIf (
-    config.clan.core.facts.secretStore == "sops"
-  ) true;
+  sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
+    "${config.clan.core.machineName}-password-hash".neededForUsers = true;
+  };
 
   clan.core.facts.services.root-password = {
     secret.password = { };
diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix
index f76c7f397..14b1f0177 100644
--- a/clanModules/user-password/default.nix
+++ b/clanModules/user-password/default.nix
@@ -23,7 +23,11 @@
     users.mutableUsers = false;
     users.users.${config.clan.user-password.user}.hashedPasswordFile =
       config.clan.core.facts.services.user-password.secret.user-password-hash.path;
-    sops.secrets."${config.clan.core.machineName}-user-password-hash".neededForUsers = true;
+
+    sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
+      "${config.clan.core.machineName}-user-password-hash".neededForUsers = true;
+    };
+
     clan.core.facts.services.user-password = {
       secret.user-password = { };
       secret.user-password-hash = { };