diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod
index b420cdc2..58fe8a64 100644
--- a/platform/vault/files/generate-secrets/go.mod
+++ b/platform/vault/files/generate-secrets/go.mod
@@ -2,8 +2,9 @@ module git.khuedoan.com/khuedoan/homelab/vault/init
 
 go 1.17
 
+require github.com/hashicorp/vault/api v1.4.1
+
 require (
-	github.com/hashicorp/vault/api v1.4.1
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
@@ -38,6 +39,7 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sethvargo/go-password v0.2.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
diff --git a/platform/vault/files/generate-secrets/main.go b/platform/vault/files/generate-secrets/main.go
index 72d2c743..44a44d39 100644
--- a/platform/vault/files/generate-secrets/main.go
+++ b/platform/vault/files/generate-secrets/main.go
@@ -1,10 +1,32 @@
 package main
 
+// TODO WIP
+
+// TODO env vars
+// export VAULT_ADDR='https://127.0.0.1:8200'
+// export VAULT_TOKEN=root
+
+// TODO ACL policy
+// path "secret/*" {
+//   capabilities = [
+//     "create",
+//     "list"
+//   ]
+// }
+
+// TODO config syntax with yaml
+// randomPasswords:
+//   - path: gitea/admin-password
+//     length: 32
+//     special: false
+//     state: present
+
 import (
 	"log"
 	// "crypto/rand"
 
 	vault "github.com/hashicorp/vault/api"
+	"github.com/sethvargo/go-password/password"
 )
 
 func main() {
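Review bot: The ACL policy sketched in the new header comment grants only `create` and `list` on `secret/*`, but the program now also calls `client.Logical().Read(path)` (second hunk), which needs the `read` capability; a token bound to the policy as written would fail the existence check before ever writing. Since the comment is the policy the TODO intends to apply, it should read `capabilities = ["create", "read", "list"]`, with `update` added only if overwriting existing versions is ever intended. It would also help to state in the comment that the policy is meant to be scoped to this generator's token rather than the root token the `VAULT_TOKEN=root` example shows. `func main()` opens at the end of this hunk and its body continues outside it.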
@@ -17,20 +39,31 @@ func main() {
 		log.Fatalf("unable to initialize Vault client: %v", err)
 	}
 
-	// Authenticate
-	// WARNING: This quickstart uses the root token for our Vault dev server.
-	// Don't do this in production!
-	client.SetToken("root") // TODO use secure token
+	client.SetToken("root")
 
-	secretData := map[string]interface{}{
-		"data": map[string]interface{}{
-			"value": "verystronkpassword",
-		},
-	}
+	path := "secret/data/gitea/admin-password"
 
-	_, err = client.Logical().Write("secret/data/gitea/admin-password", secretData)
-	if err != nil {
-		log.Fatalf("Unable to write secret: %v", err)
+	secret, _ := client.Logical().Read(path)
+
+	if secret == nil {
+		res, err := password.Generate(32, 24, 8, false, true)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		secretData := map[string]interface{}{
+			"data": map[string]interface{}{
+				"value": res,
+			},
+		}
+
+		_, err = client.Logical().Write(path, secretData)
+		if err != nil {
+			log.Fatalf("Unable to write secret: %v", err)
+		} else {
+			log.Println("Secret written successfully.")
+		}
+	} else {
+		log.Println("Secret already existed.")
 	}
-	log.Println("Secret written successfully.")
 }
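Review bot: `secret, _ := client.Logical().Read(path)` discards the read error, so any failure other than "not found" (connection refused, permission denied, sealed Vault) also leaves `secret` nil and drops into the generate-and-write branch, which can overwrite a credential that already exists. Handle it: `secret, err := client.Logical().Read(path)` followed by `if err != nil { log.Fatalf("unable to read %s: %v", path, err) }`. The existence check and the write are also not atomic; on a KV v2 mount, adding `"options": map[string]interface{}{"cas": 0}` to `secretData` makes Vault refuse the write if any version already exists, closing that window server-side. Separately, `client.SetToken("root")` overrides whatever token the client was configured with (the new header comment itself proposes `VAULT_TOKEN`, which `vault.NewClient` reads, if I recall correctly), so the hard-coded root token should go rather than just lose its warning comment. `main()` begins before this hunk.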