diff --git a/alpine.ts b/alpine.ts
index 95841f1..8f87668 100644
--- a/alpine.ts
+++ b/alpine.ts
@@ -15,6 +15,7 @@ import { PasswdEntry, readPasswd } from "./helpers/passwd.js";
 import { logDebug } from "./helpers/logger.js";
 import assert from "node:assert";
 import { Persist } from "./persist.js";
+import { writePasswd } from "./passwd.js";
 export class Alpine {
 dir: string;
@@ -172,6 +173,7 @@ export class Alpine {
 const alpine = new Alpine({ dir });
 await alpine.fstab.write();
 await alpine.persist.write();
+ await writePasswd(alpine);
 return alpine;
 }
 }
diff --git a/index.ts b/index.ts
index 0b45b18..36d130f 100644
--- a/index.ts
+++ b/index.ts
@@ -15,10 +15,12 @@ import { setupDhcpcd } from "./services/dhcpcd.js";
 import { setupNtpsec } from "./services/ntpsec.js";
 import { setupGrafana } from "./services/grafana/index.js";
 import { setupLoki } from "./services/loki/index.js";
+import { generatePasswdSecretsFile } from "./passwd.js";
 if (process.argv[2] === "generate-secrets") {
 await generateForgejoSecretsFile();
 await generateGrafanaSecretsFile();
+ await generatePasswdSecretsFile();
 exit(0);
 }
diff --git a/passwd.ts b/passwd.ts
new file mode 100644
index 0000000..08e071a
--- /dev/null
+++ b/passwd.ts
@@ -0,0 +1,32 @@
+import { nanoid } from "nanoid";
+import { generateSecretsFile, loadSecretsFile } from "./helpers/secrets.js";
+import { Alpine } from "./alpine.js";
+import { execFile } from "./helpers/better-api.js";
+
+export interface PasswdSecrets {
+ rootPassword: string;
+}
+
+const loadPasswdSecretsFile = loadSecretsFile("passwd");
+export const generatePasswdSecretsFile = generateSecretsFile(
+ "passwd",
+ generatePasswdSecrets
+);
+async function generatePasswdSecrets(): Promise {
+ console.info(
+ "La contraseƱa por defecto de root va a estar en secrets/passwd.json"
+ );
+ return {
+ rootPassword: nanoid(),
+ };
+}
+
+export async function writePasswd(alpine: Alpine) {
+ const secrets = await loadPasswdSecretsFile();
+ const proc = execFile("chroot", [alpine.dir, "passwd", "root"]);
+ if (!proc.child.stdin) throw false;
+ proc.child.stdin.write(secrets.rootPassword + "\n");
+ proc.child.stdin.write(secrets.rootPassword + "\n");
+ proc.child.stdin.end();
+ await proc;
+}
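Review bot: `if (!proc.child.stdin) throw false;` in writePasswd throws a non-Error value, so a failure to set the root password surfaces with no message or stack; `throw new Error("chroot passwd: stdin is not available");` keeps it diagnosable. Whether `await proc` rejects when `passwd` exits non-zero depends on `execFile` in helpers/better-api.js, which this diff does not show; if it does not reject, the image is built with whatever root password state the base system had, so the exit status should be checked here. The generated `rootPassword` is kept in clear text in secrets/passwd.json, so `generateSecretsFile` should create that file readable by its owner only and the secrets directory should stay out of version control; neither is visible in this hunk. `Alpine` is used only as a type in this file while alpine.ts now imports `writePasswd` from it, so `import type { Alpine } from "./alpine.js";` avoids a runtime import cycle.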