diff --git a/hosts/common/users/primary/nixos.nix b/hosts/common/users/primary/nixos.nix
index 489fbde..0bac19a 100644
--- a/hosts/common/users/primary/nixos.nix
+++ b/hosts/common/users/primary/nixos.nix
@@ -12,35 +12,40 @@
   # Decrypt password to /run/secrets-for-users/ so it can be used to create the user
   sopsHashedPasswordFile = lib.optionalString (!config.hostSpec.isMinimal) config.sops.secrets."passwords/${hostSpec.username}".path;
 in {
-  users.mutableUsers = false; # Only allow declarative credentials; Required for password to be set via sops during system activation!
-  users.users.${hostSpec.username} = {
-    home = "/home/${hostSpec.username}";
-    isNormalUser = true;
-    hashedPasswordFile = sopsHashedPasswordFile; # Blank if sops is not working.
+  users = {
+    mutableUsers = false; # Only allow declarative credentials; Required for password to be set via sops during system activation!
+    users = {
+      # Default user for the host set in hostspec
+      ${hostSpec.username} = {
+        home = "/home/${hostSpec.username}";
+        isNormalUser = true;
+        hashedPasswordFile = sopsHashedPasswordFile; # Blank if sops is not working.
 
-    extraGroups = lib.flatten [
-      "wheel"
-      (ifTheyExist [
-        "audio"
-        "video"
-        "docker"
-        "podman"
-        "dialout"
-        "git"
-        "networkmanager"
-        "scanner" # for print/scan"
-        "lp" # for print/scan"
-      ])
-    ];
+        extraGroups = lib.flatten [
+          "wheel"
+          (ifTheyExist [
+            "audio"
+            "video"
+            "docker"
+            "podman"
+            "dialout"
+            "git"
+            "networkmanager"
+            "scanner" # for print/scan"
+            "lp" # for print/scan"
+          ])
+        ];
+      };
+
+      # Root user setup
+      root = {
+        shell = pkgs.zsh;
+        hashedPasswordFile = config.users.users.${hostSpec.username}.hashedPasswordFile;
+        hashedPassword = config.users.users.${hostSpec.username}.hashedPassword;
+        openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
+      };
+    };
   };
-
   # No matter what environment we are in we want these tools for root, and the user(s)
   programs.git.enable = true;
-
-  users.users.root = {
-    shell = pkgs.zsh;
-    hashedPasswordFile = config.users.users.${hostSpec.username}.hashedPasswordFile;
-    hashedPassword = config.users.users.${hostSpec.username}.hashedPassword; # This comes from hosts/common/optional/minimal.nix and gets overridden if sops is working
-    openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
-  };
 }