diff --git a/clanModules/flake-module.nix b/clanModules/flake-module.nix
index ddce51168..b58022430 100644
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -18,6 +18,7 @@
 sshd = ./sshd.nix;
 sunshine = ./sunshine.nix;
 syncthing = ./syncthing.nix;
+ root-password = ./root-password.nix;
 thelounge = ./thelounge.nix;
 vm-user = ./vm-user.nix;
 waypipe = ./waypipe.nix;
diff --git a/clanModules/root-password.nix b/clanModules/root-password.nix
new file mode 100644
index 000000000..7dfb06138
--- /dev/null
+++ b/clanModules/root-password.nix
@@ -0,0 +1,19 @@
+{ pkgs, config, ... }:
+{
+ users.mutableUsers = false;
+ users.extraUsers.root.hashedPasswordFile = "/run/secrets-for-users/passwordHash";
+ sops.secrets."${config.clanCore.machineName}-passwordHash".neededForUsers = true;
+ clanCore.facts.services.password = {
+ secret.password = { };
+ secret.passwordHash = { };
+ generator.path = with pkgs; [
+ coreutils
+ xkcdpass
+ mkpasswd
+ ];
+ generator.script = ''
+ xkcdpass -c 3 -d - > $secrets/password
+ cat $secrets/password | mkpasswd -s -m sha-512 > $secrets/passwordHash
+ '';
+ };
+}
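Review bot: In root-password.nix, `hashedPasswordFile` is hard-coded to `/run/secrets-for-users/passwordHash`, while the secret marked `neededForUsers` is named `${config.clanCore.machineName}-passwordHash`. Unless its path is overridden somewhere outside this hunk, sops-nix would place it under the machine-prefixed name, and with `users.mutableUsers = false` a missing hash file leaves root without a usable password. Reading the path from the secret itself removes the mismatch: `users.extraUsers.root.hashedPasswordFile = config.sops.secrets."${config.clanCore.machineName}-passwordHash".path;`. In the generator, xkcdpass's `-c` is `--count` (how many passphrases to print), not the number of words, so `$secrets/password` receives three lines while `mkpasswd -s` presumably hashes only the first; `xkcdpass -n 3 -d - -c 1 > $secrets/password` states the apparent intent, and a larger `-n` is worth considering because three dictionary words is little entropy for a root credential. Setting `users.mutableUsers = false` in this module also changes password handling for every account on the machine, which deserves a comment such as `# side effect: all users become declarative; imperatively set passwords are discarded`.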