diff --git a/lib/default.nix b/lib/default.nix
index 8086bb75..3bba64ef 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -32,6 +32,7 @@ let
 
   cfg = config.c3d2;
 
+
 in {
 
   imports = [ ./users ];
@@ -118,6 +119,9 @@ in {
     # Configuration specific to this machine
 
     assertions = [
+      { assertion = cfg.isInHq -> (config.users.users.root.password == null);
+        message = "Root passwords not allowed in HQ";
+      }
       {
         assertion = let
           check = hostName: hostName == config.networking.hostName;