<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-user-management">

<title>User Management</title>

<para>NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
<filename>configuration.nix</filename>. For instance, the following
states that a user account named <literal>alice</literal> shall exist:

<programlisting>
users.extraUsers.alice =
  { isNormalUser = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3Nza... alice@foobar" ];
  };
</programlisting>

Note that <literal>alice</literal> is a member of the
<literal>wheel</literal> and <literal>networkmanager</literal> groups,
which allows her to use <command>sudo</command> to execute commands as
<literal>root</literal> and to configure the network, respectively.
Membership of <literal>wheel</literal> is therefore equivalent to root
access and should only be given to accounts that need it. Also note the
SSH public key, which allows remote logins with the corresponding
private key. The key type shown is <literal>ssh-ed25519</literal>;
avoid <literal>ssh-dss</literal> (DSA) keys, which OpenSSH has refused
by default since version 7.0. Users created in this way do not have a
password by default, so they cannot log in via mechanisms that require
a password. However, you can use the <command>passwd</command> program
to set a password, which is retained across invocations of
<command>nixos-rebuild</command> as long as
<option>users.mutableUsers</option> is left at its default of
<literal>true</literal>.</para>

<para>If you set <option>users.mutableUsers</option> to
<literal>false</literal>, then the contents of
<filename>/etc/passwd</filename> and <filename>/etc/group</filename>
are generated entirely from your NixOS configuration. For instance, if
you remove a user from <option>users.extraUsers</option> and run
<command>nixos-rebuild</command>, the user account will cease to exist.
Likewise, changes made with imperative commands such as
<command>useradd</command> or <command>passwd</command> are not
preserved: they are overwritten on the next rebuild, so passwords must
then be declared in the configuration (for example via the user's
<option>hashedPassword</option> option) rather than set with
<command>passwd</command>.</para>

<para>A user ID (uid) is assigned automatically. You can also specify
a uid manually by adding

<programlisting>
  uid = 1000;
</programlisting>

to the user specification.</para>

<para>Groups can be specified similarly. The following states that a
group named <literal>students</literal> shall exist:

<programlisting>
users.extraGroups.students.gid = 1000;
</programlisting>

As with users, the group ID (gid) is optional and will be assigned
automatically if it is omitted.</para>

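<para>The following <filename>configuration.nix</filename> fragment is
an added example, not code from the NixOS manual, that combines the
declarative points above (users.mutableUsers, an explicit uid and gid,
group membership and a declared password hash) into one complete
configuration. The SSH key, the password hash and the second account
<literal>bob</literal> are placeholders constructed for the example;
the <option>hashedPassword</option> option and the
<command>mkpasswd</command> package are assumed to be available as in a
standard NixOS installation.</para>

```nix
# Added example (not from the NixOS manual): a configuration.nix fragment
# that declares every user and group and turns off imperative management.
{ config, pkgs, ... }:

{
  # /etc/passwd, /etc/group and /etc/shadow are regenerated from this
  # file on every nixos-rebuild; useradd/passwd changes are not kept.
  users.mutableUsers = false;

  # Fixed gid, so files owned by this group keep the same numeric owner
  # across reinstalls or on shared storage.
  users.extraGroups.students.gid = 1000;

  users.extraUsers.alice = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/alice";
    description = "Alice Foobar";
    # wheel grants sudo to root; give it only to administrators.
    extraGroups = [ "wheel" "networkmanager" "students" ];
    openssh.authorizedKeys.keys = [
      # Placeholder (assumption): replace with the real ed25519 public key.
      "ssh-ed25519 AAAAC3Nza... alice@foobar"
    ];
    # With mutableUsers = false, passwd is not persistent, so the SHA-512
    # crypt hash must be declared here. Generate it with
    #   nix-shell -p mkpasswd --run 'mkpasswd -m sha-512'
    # and paste the output. PLACEHOLDER value, not a real hash.
    hashedPassword = "$6$PLACEHOLDER";
  };

  # An account with neither a password nor an SSH key: it exists (for
  # example to own files) but cannot log in interactively.
  users.extraUsers.bob = {
    isNormalUser = true;
    extraGroups = [ "students" ];
  };

  # Make mkpasswd available on the system for generating hashes.
  environment.systemPackages = [ pkgs.mkpasswd ];
}
```

<para>Everything in <filename>configuration.nix</filename> is copied
into the Nix store, which every local user can read, so a hash placed
in <option>hashedPassword</option> is readable by all local accounts.
Use a strong hash (SHA-512 crypt, as <command>mkpasswd -m
sha-512</command> produces) and, on NixOS releases that provide it,
prefer the file-based option that keeps the hash out of the
store.</para>
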
<para>In the imperative style, users and groups are managed by
commands such as <command>useradd</command>,
<command>groupmod</command> and so on (this requires
<option>users.mutableUsers</option> to be <literal>true</literal>, the
default). For instance, to create a user account named
<literal>alice</literal>:

<screen>
# useradd -m alice</screen>

The flag <option>-m</option> causes the creation of a home directory
for the new user, which is generally what you want. To make all Nix
tools available to the new user, open a login shell (a shell that
loads the profile) for that user once with <command>su -</command>;
this creates the <filename>~/.nix-defexpr</filename> symlink:

<screen>
# su - alice -c "true"</screen>

The user does not have an initial password and therefore cannot log
in. A password can be set using the <command>passwd</command> utility:

<screen>
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</screen>

A user can be deleted using <command>userdel</command>:

<screen>
# userdel -r alice</screen>

The flag <option>-r</option> deletes the user’s home directory.
Accounts can be modified using <command>usermod</command>. Unix
groups can be managed using <command>groupadd</command>,
<command>groupmod</command> and <command>groupdel</command>.</para>

</chapter>