diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
index 7985736..6b0941e 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@@ -15,14 +15,21 @@ let
 pkgs.uutils-coreutils-noprefix
 ];
 text = ''
+ owner_id="$(stat -c "%u" /run/unix-users/khs)"
+ group_id="$(stat -c "%g" /run/unix-users/khs)"
+
+ if [[ "$owner_id" != "0" || "$group_id" != "0" ]]; then
+ >&2 echo "Not setting password due to bad ownership"
+ exit 1
+ fi
 hashed_passwd="$(cat /run/unix-users/khs)"
 usermod --password "$hashed_passwd" khs
 '';
 };
 in
 {
- config = lib.mkIf cfg.enable {
- khscodes.infrastructure.vault-server-approle.policy = lib.mkIf (userExists "khs") {
+ config = lib.mkIf (cfg.enable && (userExists "khs")) {
+ khscodes.infrastructure.vault-server-approle.policy = {
 "unix-users/data/khs/password" = {
 capabilities = [ "read" ];
 };
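Review bot: The new ownership guard in the `text` script still lets an empty hash through, because nothing between the `cat` and `usermod --password "$hashed_passwd" khs` rejects an empty or whitespace-only `/run/unix-users/khs`, and an empty password field is exactly what should never be written for a login user; add `[[ -n "$hashed_passwd" ]] || { >&2 echo "Refusing to set empty password"; exit 1; }` before the `usermod` call. The guard also stats the path without `-L`, so if the path were a symlink the check would report the link's own ownership while `cat` reads the target; tightening it to `[[ ! -L /run/unix-users/khs && -f /run/unix-users/khs ]]` (or using `stat -L` for both fields) makes the checked object and the read object the same, though whether the directory can hold a non-root-created link is not visible here. Both `stat` calls and the `cat` are separate opens of the same path, so the check remains best-effort rather than atomic; a comment such as `# ownership is checked before reading so a non-root writer cannot supply the hash` would document the intent. The surrounding `let` binding and the `config` attrset start and end outside this hunk.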