diff --git a/clanModules/root-password/default.nix b/clanModules/root-password/default.nix
index 932e76d69..f6d2e4cc3 100644
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -1,29 +1,35 @@
 {
 pkgs,
 config,
- lib,
 ...
 }:
 {
 users.mutableUsers = false;
 users.users.root.hashedPasswordFile =
- config.clan.core.facts.services.root-password.secret.password-hash.path;
+ config.clan.core.vars.generators.root-password.files.password-hash.path;
 
- sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
- "${config.clan.core.settings.machine.name}-password-hash".neededForUsers = true;
- };
-
- clan.core.facts.services.root-password = {
- secret.password = { };
- secret.password-hash = { };
- generator.path = with pkgs; [
- coreutils
- xkcdpass
- mkpasswd
+ clan.core.vars.generators.root-password = {
+ files.password-hash = {
+ neededFor = "users";
+ };
+ migrateFact = "root-password";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.mkpasswd
+ pkgs.xkcdpass
 ];
- generator.script = ''
- xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password
- cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
+ prompts.password.createFile = true;
+ prompts.password.type = "hidden";
+ prompts.password.description = "You can autogenerate a password, if you leave this prompt blank.";
+
+ script = ''
+ prompt_value=$(cat $prompts/password)
+ if [[ -n ''${prompt_value-} ]]; then
+ echo $prompt_value | tr -d "\n" > $out/password
+ else
+ xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $out/password
+ fi
+ cat $out/password | mkpasswd -s -m sha-512 | tr -d "\n" > $out/password-hash
 '';
 };
 }
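Review bot: The added `echo $prompt_value | tr -d "\n" > $out/password` expands the prompted root password unquoted, so the shell word-splits and glob-expands it, and `echo` may treat a leading `-n` or `-e` as an option. A password containing runs of spaces, `*` or `?` can therefore be written, and then hashed by `mkpasswd`, as something other than what the operator typed. That leaves root with a credential that does not match the one the operator recorded. Writing the line as `printf '%s' "$prompt_value" | tr -d "\n" > "$out/password"` keeps the bytes intact, and quoting `"$prompts/password"` and the remaining `$out` paths would be consistent with it. Separately, the blank-prompt fallback still produces only three xkcdpass words for root, and the prompt path has no minimum-length check; a comment stating the intended strength would help, since the sha-512 crypt hash is all that protects the password if the hash file is exposed.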