diff --git a/flake.nix b/flake.nix
index 2c9aa7e..1100e17 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,9 +40,15 @@
 hostname = "atlas";
 username = "pinj";
 lib = nixpkgs.lib;
+ usernameValid =
+ builtins.match "^[a-z_][a-z0-9_]*$" username != null
+ && builtins.match "^_+$" username == null
+ && builtins.match "^nix" username == null
+ && username != "root";
 hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
- passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";
- specialArgs = { inherit inputs system hostname username passwordHashPath; };
+ passwordHashPath = assert usernameValid;
+ "/etc/nixos/secrets/${username}/password.hash";
+ specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; };
 # Verify mango flake exports the expected module
 mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;
diff --git a/modules/common.nix b/modules/common.nix
index 96aaf14..ec4924e 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -1,10 +1,10 @@
-{ config, pkgs, inputs, system, hostname, username, passwordHashPath, ... }:
+{ config, pkgs, inputs, system, hostname, username, usernameValid, passwordHashPath, ... }:
 {
 assertions = [
 {
- assertion = builtins.match "^[a-z_][a-z0-9_]*$" username != null;
- message = "username must be a simple system user name without path separators.";
+ assertion = usernameValid;
+ message = "username must be a simple system user name and not reserved.";
 }
 ];
 # --------------------------------------------------------------------------
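Review bot: The `builtins.match "^nix" username == null` clause in `usernameValid` rejects only the exact name `nix`, because `builtins.match` succeeds only when the regex matches the whole string. If the intent is to keep `username` out of the `nix`-prefixed namespace (for example the `nixbld` build users), the pattern needs a tail: `&& builtins.match "nix.*" username == null`. The same full-match rule makes the `^`/`$` anchors in the other two patterns redundant, though harmless. The first pattern also leaves the name length unbounded, which may matter since `username` is interpolated into `passwordHashPath`.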
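Review bot: The new `message` in `modules/common.nix` says "not reserved" without naming what is reserved, so a user who trips the assertion has to read `flake.nix` to find the rule. Spell it out, e.g. `message = "username must match [a-z_][a-z0-9_]*, must not be only underscores, and must not be root or a nix-reserved name.";`. Separately, the bare `assert usernameValid;` on `passwordHashPath` in `flake.nix` may fire first, depending on evaluation order, and it fails with a generic assertion error; `assert lib.assertMsg usernameValid "...";` would keep the explanation in both places. The module also now depends on `usernameValid` arriving through `specialArgs`, so it no longer validates `username` on its own.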