diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index ca32537..0a92987 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,3 +1,4 @@
+root_password: Pa$$w0rd
 vn_witness: false
 default_user: user
 root_password: Pa$$w0rd
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 4db5680..ccb64ce 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -1,5 +1,7 @@
 - import_tasks: witness.yml
   tags: witness
+- import_tasks: root.yml
+  tags: root
 - import_tasks: resolv.yml
   tags: resolv
 - import_tasks: timesync.yml
diff --git a/roles/debian-once/tasks/root.yml b/roles/debian-base/tasks/root.yml
similarity index 90%
rename from roles/debian-once/tasks/root.yml
rename to roles/debian-base/tasks/root.yml
index ad021ca..b00d8f2 100644
--- a/roles/debian-once/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -13,6 +13,7 @@
       }}
   environment:
     PASSBOLT_CREATE_NEW_RESOURCE: true
+  when: vn_witness
 - name: Save the root password to file
   copy:
     content: "{{ root_password }}\n"
@@ -20,7 +21,10 @@
     owner: root
     group: root
     mode: '0600'
+  when: vn_witness
+  register: local
 - name: Change root password
   user:
     name: root
     password: "{{ root_password | password_hash('sha512') }}"
+  when: local.changed
diff --git a/roles/debian-once/defaults/main.yaml b/roles/debian-once/defaults/main.yaml
deleted file mode 100644
index a0671ab..0000000
--- a/roles/debian-once/defaults/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-root_password: Pa$$w0rd
diff --git a/roles/debian-once/tasks/main.yml b/roles/debian-once/tasks/main.yml
deleted file mode 100644
index e5da03c..0000000
--- a/roles/debian-once/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- import_tasks: root.yml
-  tags: root