diff --git a/clanServices/users/flake-module.nix b/clanServices/users/flake-module.nix index adf40791d..c38475d1c 100644 --- a/clanServices/users/flake-module.nix +++ b/clanServices/users/flake-module.nix @@ -4,13 +4,14 @@ let in { clan.modules.users = module; + perSystem = { ... }: { clan.nixosTests.users = { imports = [ ./tests/vm/default.nix ]; - clan.modules."@clan/users" = module; + clan.modules.users = module; }; }; } diff --git a/clanServices/users/tests/vm/default.nix b/clanServices/users/tests/vm/default.nix index d9781a448..84651ad17 100644 --- a/clanServices/users/tests/vm/default.nix +++ b/clanServices/users/tests/vm/default.nix 
@@ -2,50 +2,71 @@ name = "service-users"; clan = { + test.useContainers = false; directory = ./.; inventory = { - machines.server = { }; + machines.machine = { }; instances = { - root-password-test = { - module.name = "@clan/users"; + users-root = { + module.name = "users"; module.input = "self"; - roles.default.machines."server".settings = { + roles.default.machines.machine.settings = { user = "root"; prompt = false; }; }; - user-password-test = { - module.name = "@clan/users"; + users-testuser = { + module.name = "users"; module.input = "self"; - roles.default.machines."server".settings = { + roles.default.machines.machine.settings = { user = "testuser"; prompt = false; }; }; + users-admin = { + module.name = "users"; + module.input = "self"; + roles.default.machines.machine.settings = { + user = "admin"; + prompt = false; + groups = [ "wheel" ]; + }; + }; }; }; }; nodes = { - server = { - users.users.testuser.group = "testuser"; - users.groups.testuser = { }; - }; + machine = + { pkgs, lib, ... 
}: + { + environment.systemPackages = [ pkgs.tree ]; # TODO: debug + + clan.core.vars.generators.user-password-root.files.user-password.deploy = lib.mkForce true; + clan.core.vars.generators.user-password-testuser.files.user-password.deploy = lib.mkForce true; + }; }; testScript = '' start_all() - server.wait_for_unit("multi-user.target") + machine.wait_for_unit("multi-user.target") - # Check that the testuser account exists - server.succeed("id testuser") + # Assert that the testuser exists + machine.succeed("id testuser") - # Try to log in as the user using the generated password - # TODO: fix - # password = server.succeed("cat /run/clan/vars/user-password/user-password").strip() - # server.succeed(f"echo '{password}' | su - testuser -c 'echo Login successful'") + # TODO: debug + machine.succeed("tree /run/secrets/vars") + machine.fail("su - admin -c 'echo wrong-password | su - testuser -c \"echo Login successful\"'") + + output = machine.succeed("sudo --reset-timestamp --stdin -u testuser echo Login successful < /run/secrets/vars/user-password-testuser/user-password") + assert output.strip() == "Login successful", f"Failed to log in as testuser: {output=}" + + machine.fail("sudo --reset-timestamp --stdin -iu root echo Login successful < /run/secrets/vars/user-password-testuser/user-password") + + output = machine.succeed("sudo --reset-timestamp --stdin -u root echo Login successful < /run/secrets/vars/user-password-root/user-password") + assert output.strip() == "Login successful", f"Failed to log in as root: {output=}" ''; }
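Review bot: The two `machine.succeed("sudo --reset-timestamp --stdin -u … < …/user-password")` checks in `testScript` probably never exercise the generated password. The NixOS test driver normally runs commands as root, sudo's default policy does not ask root to authenticate, and when sudo does prompt it checks the invoking user's password rather than the target's, so these checks would likely pass with any file contents. The `su - admin -c 'echo wrong-password | su - testuser …'` negative check has no positive counterpart on the same path, so it may also fail for reasons unrelated to the password (for example if `su` cannot read a password from a non-tty stdin here). I would run both cases through the same unprivileged path by adding `machine.succeed("su - admin -c 'su - testuser -c \"echo Login successful\"' < /run/secrets/vars/user-password-testuser/user-password")` next to the existing `machine.fail`; this is untested and needs confirming in the VM. Separately, the `pkgs.tree` package and the `tree /run/secrets/vars` call marked `# TODO: debug` should go before merge, and because `deploy = lib.mkForce true` appears to place the plaintext passwords on the machine, a comment such as `# test only: deploy the plaintext password so the login check can read it` would keep it from being copied into a real configuration.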