diff --git a/flake.lock b/flake.lock
index 1e733a2..d94d3c9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -524,11 +524,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1765212399,
- "narHash": "sha256-QEjuaK17HddWr0ZBRhsg3nt4QhSxQZ1i9YO2ctV045c=",
+ "lastModified": 1766142512,
+ "narHash": "sha256-h/vlxWqgEGbnrTWAFW+TCTJSQ1mAlkWyMM3HyHeqpF4=",
 "ref": "refs/heads/main",
- "rev": "43c8697580bb389aea565459802c3b9827aa2d3d",
- "revCount": 38,
+ "rev": "b87ab22fedeb4187669f1e546f18fb7d781721ba",
+ "revCount": 40,
 "type": "git",
 "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets"
 },
diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix
index f51dacc..4862efe 100755
--- a/roles/common/configuration.nix
+++ b/roles/common/configuration.nix
@@ -94,6 +94,7 @@
 isNormalUser = true;
 description = "Toast";
 extraGroups = ["wheel"];
+ hashedPasswordFile = config.sops.secrets.toast.path;
 };
 # Set up time zone.
@@ -162,6 +163,10 @@
 sops = {
 age.sshKeyPaths = ["/persist/id_host"];
 defaultSopsFile = "${flakeSelf.inputs.secrets}/${config.networking.hostName}.yaml";
+ secrets.toast = {
+ sopsFile = "${flakeSelf.inputs.secrets}/passwd.yaml";
+ neededForUsers = true;
+ };
 };
 catppuccin.grub.enable = true;
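Review bot: The `hashedPasswordFile` line added in the `@@ -94,6 +94,7 @@` hunk of roles/common/configuration.nix is only re-applied on every activation when `users.mutableUsers = false`. With the NixOS default of `true`, the hash is written when the account is first created, and a later rotation of the secret does not replace an existing shadow entry. That option is not visible in the hunk, so confirm which mode this role runs in and record it beside the line, e.g. `# hash from sops passwd.yaml; re-applied on rebuild only when users.mutableUsers = false`. The referenced file has to contain a crypt(3) hash (such as `mkpasswd` output), not the plaintext password. The user attribute set opens above the hunk.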
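Review bot: `neededForUsers = true` in the `@@ -162,6 +163,10 @@` hunk makes sops-nix decrypt `secrets.toast` before the users are created, so the key listed in `age.sshKeyPaths` (`/persist/id_host`) must already be readable at that stage. If `/persist` is a separate filesystem it needs `neededForBoot = true`, which this hunk does not show. Because the block lives in `roles/common`, every host's key also has to be a recipient of `passwd.yaml`; a host that cannot decrypt it would presumably fail activation or leave the account without a usable password. A comment above the block would capture both assumptions, e.g. `# decrypted before user creation: /persist must be mounted in early boot and every host key must be a recipient of passwd.yaml`.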