<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-user-management">

<title>User Management</title>

<para>NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
<filename>configuration.nix</filename>. For instance, the following
states that a user account named <literal>alice</literal> shall exist
(in current NixOS releases the option is called
<literal>users.users</literal>; <literal>users.extraUsers</literal> is
kept as an alias):

<programlisting>
users.extraUsers.alice =
  { isNormalUser = true;   # ordinary login account with a home directory and the default shell
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];   # wheel membership grants sudo
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
</programlisting>

Note that <literal>alice</literal> is a member of the
<literal>wheel</literal> and <literal>networkmanager</literal> groups,
which allow her to use <command>sudo</command> to execute commands as
<literal>root</literal> and to configure the network, respectively.
Membership of <literal>wheel</literal> is therefore equivalent to root
access and should be granted deliberately. Also note the SSH public
key, which allows remote logins with the corresponding private key.
The example shows a DSA key; OpenSSH 7.0 and later refuse
<literal>ssh-dss</literal> keys by default, so in practice use an
Ed25519 or RSA key. Users created in this way do not have a password
by default, so they cannot log in via mechanisms that require one; an
account with neither a password nor an SSH key cannot log in at all.
You can use the <command>passwd</command> program to set a password,
which is retained across invocations of
<command>nixos-rebuild</command> as long as
<literal>users.mutableUsers</literal> is left at its default of
<literal>true</literal>.</para>

<para>If you set <literal>users.mutableUsers</literal> to
<literal>false</literal>, the contents of <filename>/etc/passwd</filename>
and <filename>/etc/group</filename> are made congruent with your NixOS
configuration on every activation. For instance, if you remove a user
from <literal>users.extraUsers</literal> and run
<command>nixos-rebuild</command>, the user account ceases to exist, and
passwords set with <command>passwd</command> are not preserved. Also,
imperative commands for managing users and groups, such as
<command>useradd</command>, are no longer available. Passwords may still
be assigned by setting the user's <literal>hashedPassword</literal>
option to a <function>crypt(3)</function> hash, which can be generated
using <command>mkpasswd -m sha-512</command> after installing the
<literal>mkpasswd</literal> package. Two caveats apply:
<filename>configuration.nix</filename> is copied into the Nix store,
which is world-readable, so the hash is visible to every local user and
must protect a strong passphrase; and a user with neither
<literal>hashedPassword</literal> nor an SSH key is locked out, so set
at least one of them for every account you need to log in to before
disabling mutable users, especially on a remote machine.</para>
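<para>The congruence described above is easy to check after an activation, and the same check catches accounts that were added imperatively or given sudo rights behind the configuration's back. The following audit script is an added example, not code from the NixOS manual or from NixOS itself: it compares a declared user set (written out by hand as a Python dict, since the script cannot evaluate <filename>configuration.nix</filename>) against constructed sample contents of <filename>/etc/passwd</filename>, <filename>/etc/group</filename> and <filename>/etc/shadow</filename>, and reports undeclared accounts, uid drift, undeclared group memberships, wheel members that were not declared, empty password fields, and password hashes that are not sha512-crypt, yescrypt or scrypt. The uid cut-off for system accounts is an assumption.</para>

```python
"""Check that /etc/passwd, /etc/group and /etc/shadow agree with a declared
NixOS user set.  Added example; not code from the NixOS manual or NixOS."""

# Constructed sample of what configuration.nix declares.  A real check would
# have to evaluate the Nix configuration; here the result is written by hand.
DECLARED = {
    "alice": {"uid": 1000, "groups": {"wheel", "networkmanager"}},
    "bob": {"uid": 1001, "groups": set()},
}

# Constructed sample files.  'mallory' was added with useradd and is not
# declared; 'bob' has an empty shadow field, so no password is required.
PASSWD = """\
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
alice:x:1000:100:Alice Foobar:/home/alice:/run/current-system/sw/bin/bash
bob:x:1001:100:Bob:/home/bob:/run/current-system/sw/bin/bash
mallory:x:1002:100::/home/mallory:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account:/var/empty:/run/current-system/sw/bin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:1:alice,mallory
users:x:100:
networkmanager:x:57:alice
"""
SHADOW = "\n".join([
    "root:!:19000::::::",
    "alice:$6$c2FsdHNhbHQ$" + "A" * 86 + ":19000::::::",   # sha512-crypt
    "bob::19000::::::",                                    # empty field: no password
    "mallory:$1$abcdefgh$" + "B" * 22 + ":19000::::::",    # md5-crypt
    "nobody:!:19000::::::",
]) + "\n"

SYSTEM_UID_MAX = 999            # assumption: uids up to 999 (and 65534) are system accounts
LOCKED = {"!", "*", "!!"}       # shadow values that disable password login
STRONG = ("$6$", "$y$", "$7$")  # sha512-crypt, yescrypt, scrypt


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map each user to the groups that list it in the member field."""
    membership = {}
    for line in text.splitlines():
        if line:
            group, _pw, _gid, members = line.split(":")
            for user in filter(None, members.split(",")):
                membership.setdefault(user, set()).add(group)
    return membership


def parse_shadow(text):
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line}


def audit(declared, passwd_text, group_text, shadow_text):
    """Return a sorted list of findings; an empty list means the host matches the declaration."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    hashes = parse_shadow(shadow_text)
    findings = []

    normal = {n for n, u in users.items() if SYSTEM_UID_MAX < u["uid"] < 65534}
    for name in normal - set(declared):
        findings.append(f"undeclared account: {name} (uid {users[name]['uid']})")
    for name in set(declared) - set(users):
        findings.append(f"declared account missing: {name}")

    for name, spec in declared.items():
        if name not in users:
            continue
        if users[name]["uid"] != spec["uid"]:
            findings.append(f"uid drift: {name} has uid {users[name]['uid']}, declared {spec['uid']}")
        extra = groups.get(name, set()) - spec["groups"]
        if extra:
            findings.append(f"undeclared group membership: {name} in {sorted(extra)}")

    # Anyone in wheel can become root with sudo, so every member must be declared.
    declared_wheel = {n for n, s in declared.items() if "wheel" in s["groups"]}
    for name in {n for n, g in groups.items() if "wheel" in g} - declared_wheel:
        findings.append(f"unexpected sudo access: {name} is in wheel")

    for name in users:
        h = hashes.get(name, "!")
        if h == "":
            findings.append(f"empty password field: {name} can log in without a password")
        elif h not in LOCKED and not h.startswith(STRONG):
            findings.append(f"weak password hash: {name} uses {h[:h.find('$', 1) + 1] or 'DES'}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(DECLARED, PASSWD, GROUP, SHADOW):
        print(finding)
```

On a real host, replace the three constructed strings with the contents of the corresponding files (reading <filename>/etc/shadow</filename> requires root) and generate <literal>DECLARED</literal> from the evaluated configuration; with <literal>users.mutableUsers = false</literal> the script should report nothing after every activation, and any finding is either configuration drift or something worth investigating.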

<para>A user ID (uid) is assigned automatically. You can also specify
a uid manually by adding

<programlisting>
  uid = 1000;
</programlisting>

to the user specification. Fixing the uid is useful when file
ownership must stay stable across reinstalls or between machines that
share storage, since permissions are checked against the numeric id,
not the name.</para>

<para>Groups can be specified similarly. The following states that a
group named <literal>students</literal> shall exist:

<programlisting>
users.extraGroups.students.gid = 1000;
</programlisting>

As with users, the group ID (gid) is optional and will be assigned
automatically if it’s missing.</para>

<para>In the imperative style, users and groups are managed by
commands such as <command>useradd</command>,
<command>groupmod</command> and so on. These commands are only
available while <literal>users.mutableUsers</literal> is
<literal>true</literal> (the default). For instance, to create a user
account named <literal>alice</literal>:

<screen>
# useradd -m alice</screen>

The flag <option>-m</option> causes the creation of a home directory
for the new user, which is generally what you want. The user does not
have an initial password and therefore cannot log in. A password can
be set using the <command>passwd</command> utility:

<screen>
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</screen>

To make the Nix tools available to the new user, open a login shell
for her once with <command>su - alice</command>. A login shell runs
the profile scripts, which create the
<filename>~/.nix-defexpr</filename> symlink; this can be done without
starting an interactive session:

<screen>
# su - alice -c "true"</screen>

A user can be deleted using <command>userdel</command>:

<screen>
# userdel -r alice</screen>

The flag <option>-r</option> deletes the user’s home directory and
mail spool. Accounts can be modified using <command>usermod</command>.
Unix groups can be managed using <command>groupadd</command>,
<command>groupmod</command> and <command>groupdel</command>.</para>

</chapter>