diff --git a/clanModules/root-password/default.nix b/clanModules/root-password/default.nix
index 932e76d69..c29ca6e22 100644
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -1,29 +1,34 @@
 {
   pkgs,
   config,
-  lib,
   ...
 }:
 {
   users.mutableUsers = false;
   users.users.root.hashedPasswordFile =
-    config.clan.core.facts.services.root-password.secret.password-hash.path;
+    config.clan.core.vars.generators.root-password.files.password-hash.path;
 
-  sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
-    "${config.clan.core.settings.machine.name}-password-hash".neededForUsers = true;
-  };
-
-  clan.core.facts.services.root-password = {
-    secret.password = { };
-    secret.password-hash = { };
-    generator.path = with pkgs; [
-      coreutils
-      xkcdpass
-      mkpasswd
+  clan.core.vars.generators.root-password = {
+    files.password-hash = {
+      neededFor = "users";
+    };
+    migrateFact = "root-password";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.mkpasswd
+      pkgs.xkcdpass
     ];
-    generator.script = ''
-      xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password
-      cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
+    prompts.password.type = "hidden";
+    prompts.password.description = "You can autogenerate a password, if you leave this prompt blank.";
+
+    script = ''
+      prompt_value=$(cat $prompts/password)
+      if [[ -n ''${prompt_value-} ]]; then
+        echo $prompt_value | tr -d "\n" > $out/password
+      else
+        xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $out/password
+      fi
+      mkpasswd -s -m sha-512 < $out/password | tr -d "\n" > $out/password-hash
     '';
   };
 }
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index 51dd64465..0a5f79c5a 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
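Review bot: The prompt branch of `script` hands the operator-supplied secret to an unquoted `echo $prompt_value`, so the shell word-splits and glob-expands it and a value starting with `-n`/`-e`/`-E` is eaten as an echo option, meaning the hash written to `$out/password-hash` can silently differ from the password that was typed. Write the file with `printf '%s' "$prompt_value" > "$out/password"` instead, and quote `$prompts`/`$out` on the other lines while at it. Note also that only `files.password-hash` is declared although the script writes `$out/password` in both branches; if the vars framework keeps only declared outputs, an autogenerated xkcdpass value is never persisted and the operator has no way to learn the root password that was just set, whereas the removed facts service declared `secret.password = { }` for exactly that — declare it (e.g. `files.password = { };`, marked non-deployed if the schema allows) or document why the plaintext is intentionally dropped.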
@@ -81,8 +81,26 @@ def test_generate_secret(
         Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
     )
-    assert store2.exists("", "password")
-    assert store2.exists("", "password-hash")
+    # Should not exist clan facts generate
+    assert not store2.exists("", "password")
+    assert not store2.exists("", "password-hash")
+    # clan vars generate
+    # TODO: Test vars
+    # varsStore = VarsSecretStore(
+    #     machine=Machine(name="vm2", flake=FlakeId(str(test_flake_with_core.path)))
+    # )
+    # generators = get_generators(str(test_flake_with_core.path), "vm2")
+    # generator = next((gen for gen in generators if gen.name == "root-password"), None)
+
+    # if not generator:
+    #     raise Exception("Generator not found")
+
+    # password_update = GeneratorUpdate(
+    #     generator=generator.name, prompt_values={"password": "1234"}
+    # )
+    # set_prompts(str(test_flake_with_core.path), "vm2", [password_update])
+    # assert varsStore.exists(generator, "root-password")
 
     assert store2.exists("", "user-password")
     assert store2.exists("", "user-password-hash")
     assert store2.exists("", "age.key")
@@ -96,14 +114,6 @@ def test_generate_secret(
     assert age_secret.isprintable()
     assert is_valid_age_key(age_secret)
-    # Assert that root-password is valid
-    pwd_secret = store2.get("", "password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store2.get("", "password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()
-
 
     # Assert that user-password is valid
     pwd_secret = store2.get("", "user-password").decode()
     assert pwd_secret.isprintable()
diff --git a/pkgs/clan-cli/tests/test_secrets_password_store.py b/pkgs/clan-cli/tests/test_secrets_password_store.py
index bdfe71e94..8229147a2 100644
--- a/pkgs/clan-cli/tests/test_secrets_password_store.py
+++ b/pkgs/clan-cli/tests/test_secrets_password_store.py
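Review bot: The new assertions in the first hunk only establish that the facts store no longer holds `password`/`password-hash`; the replacement vars path sits in a commented-out block under `# TODO: Test vars`, so the root-password generator — including the prompt branch this commit introduces — is left with no test coverage at all. Commented-out code rots silently: either land it as a real test marked `@pytest.mark.skip(reason="vars prompt API not finished")` (or `xfail`) so CI tracks it, or delete it and keep a one-line `# TODO(owner): cover root-password via vars once set_prompts is available`. At minimum the test should assert that the vars generator wrote a `password-hash` whose contents start with `$6$`, which is what the `mkpasswd -m sha-512` call in the Nix module produces. `test_generate_secret` starts before this hunk.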
@@ -85,19 +85,13 @@ def test_upload_secret(
     assert zerotier_identity_secret.exists()
     assert store.exists("", "zerotier-identity-secret")
-    assert store.exists("", "password")
-    assert store.exists("", "password-hash")
     assert store.exists("", "user-password")
     assert store.exists("", "user-password-hash")
     assert store.exists("", "zerotier-identity-secret")
-    # Assert that root-password is valid
-    pwd_secret = store.get("", "password").decode()
-    assert pwd_secret.isprintable()
-    assert pwd_secret.isascii()
-    pwd_hash = store.get("", "password-hash").decode()
-    assert pwd_hash.isprintable()
-    assert pwd_hash.isascii()
+    # Since root-password uses Vars they should not be uploaded / generated by the facts
+    assert not store.exists("", "password")
+    assert not store.exists("", "password-hash")
 
     # Assert that user-password is valid
     pwd_secret = store.get("", "user-password").decode()
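Review bot: `assert not store.exists("", "password")` and the `password-hash` line after it pass just as well when secret generation fails or is skipped entirely, so after this change the test no longer proves that a root password hash is produced and uploaded for the machine — only that the facts store is empty for those two names. Pair the negative check with a positive one against the vars store for the `root-password` generator's `password-hash` (or a `TODO` pointing at the pending vars test if that API is not ready), otherwise a broken migration would go unnoticed here. The comment could also be tightened to `# root-password moved to vars; the facts store must neither generate nor upload it`. `test_upload_secret` begins outside the hunk.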