diff --git a/clanServices/zitadel/roles/controller.nix b/clanServices/zitadel/roles/controller.nix
index 4b12b9c..38c1595 100644
--- a/clanServices/zitadel/roles/controller.nix
+++ b/clanServices/zitadel/roles/controller.nix
@@ -1,10 +1,18 @@
-{ instanceName, settings, machine, roles, config, ... }: {
+{ instanceName, settings, machine, roles, config, pkgs, ... }: {
   config = {
     clan.core.vars.generators = {
       zitadel = {
         share = false;
+
+        files.initial-admin-password = { secret = true; deploy = true; };
+
+        runtimeInputs = with pkgs; [ pwgen ];
+
+        script = ''
+          pwgen 50 1 > "$out/token"
+        '';
       };
-    }
+    };
 
     services.zitadel.steps.${instanceName} = {
       InstanceName = settings.hostName;
@@ -19,7 +27,7 @@
             Address = "chris@kruining.eu";
             Verified = true;
           };
-          Password = "KaasIsAwesome1!";
+          Password = config.clan.core.vars.generators.zitadel.initial-admin-password.value;
         };
       };
     };