<!-- at 18.09-beta -->
<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-user-management">
 <title>User Management</title>
 <para>
  NixOS supports both declarative and imperative styles of user management. In
  the declarative style, users are specified in
  <filename>configuration.nix</filename>. For instance, the following states
  that a user account named <literal>alice</literal> shall exist:
<programlisting>
<xref linkend="opt-users.users"/>.alice = {
  <link linkend="opt-users.users._name__.isNormalUser">isNormalUser</link> = true;
  <link linkend="opt-users.users._name__.home">home</link> = "/home/alice";
  <link linkend="opt-users.users._name__.description">description</link> = "Alice Foobar";
  <link linkend="opt-users.users._name__.extraGroups">extraGroups</link> = [ "wheel" "networkmanager" ];
  <link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
};
</programlisting>
  Note that <literal>alice</literal> is a member of the
  <literal>wheel</literal> and <literal>networkmanager</literal> groups, which
  allows her to use <command>sudo</command> to execute commands as
  <literal>root</literal> and to configure the network, respectively. Also note
  the SSH public key that allows remote logins with the corresponding private
  key. Users created in this way do not have a password by default, so they
  cannot log in via mechanisms that require a password. However, you can use
  the <command>passwd</command> program to set a password, which is retained
  across invocations of <command>nixos-rebuild</command>.
 </para>
 <para>
  If you set <xref linkend="opt-users.mutableUsers"/> to false, then the
  contents of <literal>/etc/passwd</literal> and <literal>/etc/group</literal>
  will be congruent to your NixOS configuration. For instance, if you remove a
  user from <xref linkend="opt-users.users"/> and run
  <command>nixos-rebuild</command>, the user account will cease to exist. Also,
  imperative commands for managing users and groups, such as
  <command>useradd</command>, are no longer available. Passwords may still be
  assigned by setting the user's
  <link linkend="opt-users.users._name__.hashedPassword">hashedPassword</link>
  option. A hashed password can be generated using <command>mkpasswd -m
  sha-512</command> after installing the <literal>mkpasswd</literal> package.
 </para>
 <para>
  A user ID (uid) is assigned automatically. You can also specify a uid
  manually by adding
<programlisting>
uid = 1000;
</programlisting>
  to the user specification.
 </para>
 <para>
  Groups can be specified similarly. The following states that a group named
  <literal>students</literal> shall exist:
<programlisting>
<xref linkend="opt-users.groups"/>.students.gid = 1000;
</programlisting>
  As with users, the group ID (gid) is optional and will be assigned
  automatically if it’s missing.
 </para>
 <para>
  In the imperative style, users and groups are managed by commands such as
  <command>useradd</command>, <command>groupmod</command> and so on. For
  instance, to create a user account named <literal>alice</literal>:
<screen>
# useradd -m alice</screen>
  To make all Nix tools available to the new user, open a login shell (a shell
  that loads the user's profile) for that user with
  <command>su - <replaceable>USER</replaceable></command>; this creates the
  <filename>~/.nix-defexpr</filename> symlink. So run:
<screen>
# su - alice -c "true"</screen>
  The flag <option>-m</option> causes the creation of a home directory for the
  new user, which is generally what you want. The user does not have an initial
  password and therefore cannot log in. A password can be set using the
  <command>passwd</command> utility:
<screen>
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</screen>
  A user can be deleted using <command>userdel</command>:
<screen>
# userdel -r alice</screen>
  The flag <option>-r</option> deletes the user’s home directory. Accounts
  can be modified using <command>usermod</command>. Unix groups can be managed
  using <command>groupadd</command>, <command>groupmod</command> and
  <command>groupdel</command>.
 </para>
</chapter>
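As an added example (not part of the manual's own text), the declarative options described above combined into one configuration.nix fragment with users.mutableUsers set to false, so that every account and password comes from the configuration; the second user name, the uid/gid values, the password hash and the SSH keys are constructed placeholders.

```nix
# Added example, not from the NixOS manual: a configuration.nix fragment
# that manages users and groups fully declaratively. The user "bob", the
# uid/gid values, the password hash and the SSH keys are placeholders.
{ config, pkgs, ... }:

{
  # /etc/passwd and /etc/group are regenerated from this file on every
  # nixos-rebuild; useradd/passwd no longer apply, and an account removed
  # from here disappears at the next rebuild.
  users.mutableUsers = false;

  # Group with an explicit gid; omit the gid to have one assigned.
  users.groups.students.gid = 1000;

  # Interactive administrator: password login via hashedPassword, plus a key.
  users.users.alice = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/alice";
    description = "Alice Foobar";
    # "wheel" grants sudo; grant only the groups the role actually needs.
    extraGroups = [ "wheel" "networkmanager" "students" ];
    # Generate with: mkpasswd -m sha-512   (placeholder, not a real hash)
    hashedPassword = "$6$PLACEHOLDERSALT$PLACEHOLDERHASH";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3PLACEHOLDER alice@foobar" # placeholder key
    ];
  };

  # Key-only account: no hashedPassword, so nothing that asks this user for
  # a password (console login, SSH password authentication) can succeed;
  # only the listed SSH key can log in, and the account has no sudo rights.
  users.users.bob = {
    isNormalUser = true;
    description = "Bob Example";
    extraGroups = [ "students" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3PLACEHOLDER bob@foobar" # placeholder key
    ];
  };

  # Provides the mkpasswd command used to produce hashedPassword above.
  environment.systemPackages = [ pkgs.mkpasswd ];
}
```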