diff --git a/machines/orbi/hardware-configuration/default.nix b/machines/orbi/hardware-configuration/default.nix
index 2958053..d71ac9f 100644
--- a/machines/orbi/hardware-configuration/default.nix
+++ b/machines/orbi/hardware-configuration/default.nix
@@ -43,8 +43,10 @@ in
     efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
   };
 
-  # Initial empty root password for easy login:
-  users.users.root.initialHashedPassword = "";
+  # root password
+  clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
+  users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path;
+
   services.openssh.settings.PermitRootLogin = "prohibit-password";
   services.openssh.settings.PasswordAuthentication = false;