diff --git a/nixos/22.05/capsul-init b/nixos/22.05/capsul-init
index fdef65d..3b9000a 100644
--- a/nixos/22.05/capsul-init
+++ b/nixos/22.05/capsul-init
@@ -5,7 +5,10 @@ homedir="/home/$user"
 mkdir -p "$homedir/.ssh"
 chmod 700 "$homedir/.ssh"
-chown -R "$user:$user" "$homedir"
+chown -R "$user" "$homedir"
+
+mkdir "/mnt"
+chmod -R 755 "/mnt"
 mount -t iso9660 -o ro /dev/sr0 /mnt
@@ -13,9 +16,15 @@ grep '\- ssh' /mnt/user-data | cut -d ' ' -f 8- > "$homedir/.ssh/authorized_key
 chmod 600 "$homedir/.ssh/authorized_keys"
-chown "$user:$user" "$homedir/.ssh/authorized_keys"
+chown "$user" "$homedir/.ssh/authorized_keys"
-/run/current-system/profile/sbin/resize2fs /dev/vda2
+# set random forgotten password for cyberian and root
+pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)"
+echo "cyberian:\$pass" | chpasswd
+pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)"
+echo "root:\$pass" | chpasswd
+
+resize2fs /dev/vda2
 umount /mnt
 rm /root/capsul-init
diff --git a/nixos/22.05/configuration.nix b/nixos/22.05/configuration.nix
index 257ba17..1f88205 100644
--- a/nixos/22.05/configuration.nix
+++ b/nixos/22.05/configuration.nix
@@ -8,9 +8,9 @@
 ./hardware-configuration.nix
 ];
- # we always want nano & vi
+ # we always want nano & vim
 environment.systemPackages = with pkgs; [
- vi
+ vim
 nano
 ];
diff --git a/nixos/22.05/final-configuration.nix b/nixos/22.05/final-configuration.nix
index ddb46ce..e8c9aa6 100644
--- a/nixos/22.05/final-configuration.nix
+++ b/nixos/22.05/final-configuration.nix
@@ -11,7 +11,7 @@
 # we always want nano & vi
 environment.systemPackages = with pkgs; [
 nano
- vi
+ vim
 ];
 boot.loader.grub.enable = true;
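Review bot: In the first capsul-init hunk, `mkdir "/mnt"` fails when /mnt already exists, and whether that stops the script before the mount depends on a `set -e` that is not visible here; `mkdir -p /mnt` behaves the same on a fresh image and is safe on a re-run. `chmod -R 755 "/mnt"` recurses into a directory that is about to become a read-only mount point, so a plain `chmod 755 /mnt` says what is meant. The script starts and ends outside the hunk.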
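Review bot: In the second capsul-init hunk the `\$` escapes look like leftovers from a heredoc: if this file is run directly by a shell, as the packer.json upload and `chmod +x` suggest, `pass="\$(head ...)"` stores the literal text and `echo "cyberian:\$pass" | chpasswd` sets the password of both cyberian and root to the fixed string `$pass` instead of a random value. The rest of the script uses unescaped `"$user"` and `"$homedir"`, so the backslashes should go: `pass="$(tr -dc a-z0-9 < /dev/urandom | head -c30)"` and `echo "cyberian:$pass" | chpasswd`. Reading /dev/urandom through `tr` directly also avoids `head` returning too few usable bytes for a 30-character result. Comparing the two hashes in /etc/shadow on a freshly booted image would confirm whether they are really distinct and random. The script continues outside the hunk.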
@@ -21,16 +21,20 @@
 users.users.cyberian = {
 isNormalUser = true;
+ extraGroups = [ "wheel" ];
 };
+ security.sudo.wheelNeedsPassword = false; # We throw away the password but we still want root
 services.openssh = {
 enable = true;
+ passwordAuthentication = false;
 };
 # Feel free to remove this after first boot
 # /root/capsul-init gets deleted after first run
 systemd.services.capsul-init = {
 enable = true;
+ path = [ pkgs.coreutils pkgs.e2fsprogs pkgs.shadow pkgs.mount pkgs.umount ];
 unitConfig = {
 ConditionPathExists = "/root/capsul-init";
 };
diff --git a/nixos/22.05/packer.json b/nixos/22.05/packer.json
index d48ac78..e74b4f0 100644
--- a/nixos/22.05/packer.json
+++ b/nixos/22.05/packer.json
@@ -35,18 +35,6 @@
 "inline": ["echo 'reconnected after rebooting'"],
 "pause_before": "30s"
 },
- {
- "type": "file",
- "source": "capsul-init",
- "destination": "/tmp/capsul-init"
- },
- {
- "type": "shell",
- "inline": [
- "mv /tmp/capsul-init /root/capsul-init",
- "chmod +x /root/capsul-init"
- ]
- },
 {
 "type": "file",
 "source": "final-configuration.nix",
@@ -59,6 +47,18 @@
 "rm -f /etc/ssh/*key*",
 "printf '' > /etc/machine-id"
 ]
+ },
+ {
+ "type": "file",
+ "source": "capsul-init",
+ "destination": "/tmp/capsul-init"
+ },
+ {
+ "type": "shell",
+ "inline": [
+ "mv /tmp/capsul-init /root/capsul-init",
+ "chmod +x /root/capsul-init"
+ ]
 }
 ],
 "builders": [
diff --git a/nixos/TODO.md b/nixos/TODO.md
deleted file mode 100644
index ff4e0d4..0000000
--- a/nixos/TODO.md
+++ /dev/null
@@ -1,2 +0,0 @@
-- test that the systemd module works as intended
-- `nixos-delete-generations`
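Review bot: In the final-configuration.nix hunk, putting cyberian in wheel with `security.sudo.wheelNeedsPassword = false` makes the key in authorized_keys root-equivalent, so the sshd settings carry the whole login boundary, and `passwordAuthentication = false` alone may still leave keyboard-interactive (PAM) password logins enabled. Consider adding `kbdInteractiveAuthentication = false;` beside it (confirm the option name for 22.05) and checking the effective settings with `sshd -T` on a built image. The trailing comment on the sudo line would read better on its own line above it, for example `# capsul-init discards the passwords, so wheel needs passwordless sudo`. The systemd.services.capsul-init block continues past the end of the hunk.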