diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
index 6ddd085..7985736 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@@ -6,7 +6,8 @@
 }:
 let
   cfg = config.khscodes.infrastructure.vault-server-approle;
-  userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;
+  userExists =
+    username: (builtins.hasAttr username config.users.users) && config.users.users.khs.enable;
   setKhsPassword = pkgs.writeShellApplication {
     name = "set-khs-password";
     runtimeInputs = [
@@ -37,8 +38,20 @@ in
       perms = "0600";
       owner = "root";
       group = "root";
-      exec = lib.getExe setKhsPassword;
+      restartUnits = [ "set-khs-password.service" ];
     }
   ];
+  systemd.services.set-khs-password = {
+    enable = true;
+    unitConfig = {
+      ConditionPathExists = "/run/unix-users/khs";
+    };
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      Group = "root";
+      ExecStart = lib.getExe setKhsPassword;
+    };
+  };
 };
}
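Review bot: The new `userExists` still does not check the user it is given: `config.users.users.khs.enable` hard-codes `khs`, so `userExists "alice"` returns true whenever `alice` is declared and `khs` is enabled, and false for a declared, enabled `alice` if `khs` is disabled. The old `config.users.users.enable` was an evaluation error, so the commit fixes the crash but not the logic. Since `builtins.hasAttr` guards the access and `&&` short-circuits, the intended form is safe: `username: (builtins.hasAttr username config.users.users) && config.users.users.${username}.enable;`. If the helper is deliberately only ever called with `"khs"`, the parameter is misleading and a comment such as `# NOTE: only meaningful for the khs user` or a rename would make that explicit. The `let` block continues past the end of this hunk.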
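Review bot: `ConditionPathExists = "/run/unix-users/khs"` hard-codes the rendered secret's path separately from the template entry that produces it (that entry's destination is above this hunk and not visible), so the two can drift; if the destination is ever renamed the unit is skipped with exit 0 and the password is silently never set, which is hard to notice for a credential-setting step. Binding both to one `let` value, e.g. `khsPasswordFile = "/run/unix-users/khs";`, and using it in the template destination and in `ConditionPathExists` removes that failure mode. Two smaller points: `enable = true;` is the default for `systemd.services.*` and can be dropped, and the 0600 root-owned file presumably stays in `/run` after the oneshot runs unless the script removes it, which is not visible here — worth a comment stating whether that is intended. The enclosing attribute set starts before this hunk.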