diff --git a/prepare-root.sh b/prepare-root.sh
index 9cd3075..31dc575 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -292,6 +292,15 @@ mkdir -p "$sysroot"/usr/share/factory/{var/etc,home}
 
 chroot "$sysroot" update-ca-trust
 
+#---------------
+# tpm2-tss
+if [[ -f "$sysroot"/usr/lib/udev/rules.d/60-tpm-udev.rules ]]; then
+    echo 'tss:x:59:59:tpm user:/dev/null:/sbin/nologin' >> "$sysroot"/etc/passwd
+    echo 'tss:!!:15587::::::' >> "$sysroot"/etc/shadow
+    echo 'tss:x:59:' >> "$sysroot"/etc/group
+    echo 'tss:!::' >> "$sysroot"/etc/gshadow
+fi
+
 . "${BASEDIR}"/quirks/nss.sh
 
 for q in "${QUIRKS[@]}"; do 
@@ -316,15 +325,6 @@ C /var/etc/ssh - - - - -
 EOF
 fi
 
-#---------------
-# tpm2-tss 
-if [[ -f "$sysroot"/usr/lib/udev/rules.d/60-tpm-udev.rules ]]; then
-    echo 'tss:x:59:59:tpm user:/dev/null:/sbin/nologin' >> "$sysroot"/etc/passwd
-    echo 'tss:!!:15587::::::' >> "$sysroot"/etc/shadow
-    echo 'tss:x:59:' >> "$sysroot"/etc/group
-    echo 'tss:!::' >> "$sysroot"/etc/gshadow
-fi
-
 #---------------
 # NetworkManager
 if [[ -d "$sysroot"/etc/NetworkManager ]]; then
diff --git a/quirks/nss.sh b/quirks/nss.sh
index 4740020..b331fac 100644
--- a/quirks/nss.sh
+++ b/quirks/nss.sh
@@ -23,7 +23,7 @@ chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n adm
 chroot "$sysroot" bash -c 'passwd -e admin'
 
 mkdir -p "$sysroot"/usr/share/factory/var
-mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
+mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var/
 
 rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-