# User Management {#sec-user-management}

NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
`configuration.nix`. For instance, the following states that a user
account named `alice` shall exist:

```nix
users.users.alice = {
  isNormalUser = true;
  home = "/home/alice";
  description = "Alice Foobar";
  extraGroups = [ "wheel" "networkmanager" ];
  openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
};
```

Note that `alice` is a member of the `wheel` and `networkmanager`
groups, which allows her to use `sudo` to execute commands as `root` and
to configure the network, respectively. Also note the SSH public key
that allows remote logins with the corresponding private key. Users
created in this way do not have a password by default, so they cannot
log in via mechanisms that require a password. However, you can use the
`passwd` program to set a password, which is retained across invocations
of `nixos-rebuild`.

If you set [](#opt-users.mutableUsers) to
`false`, then the contents of `/etc/passwd` and `/etc/group` will be congruent
to your NixOS configuration. For instance, if you remove a user from
[](#opt-users.users) and run `nixos-rebuild`, the user
account will cease to exist. Also, imperative commands for managing users and
groups, such as `useradd`, are no longer available. Passwords may still be
assigned by setting the user's
[hashedPassword](#opt-users.users._name_.hashedPassword) option. A
hashed password can be generated using `mkpasswd -m sha-512`.

A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding

```nix
uid = 1000;
```

to the user specification.

Groups can be specified similarly. The following states that a group
named `students` shall exist:

```nix
users.groups.students.gid = 1000;
```

As with users, the group ID (gid) is optional and will be assigned
automatically if it's missing.

In the imperative style, users and groups are managed by commands such
as `useradd`, `groupmod` and so on. For instance, to create a user
account named `alice`:

```ShellSession
# useradd -m alice
```

To make all Nix tools available to this new user, use `su - USER`, which
opens a login shell (a shell that loads the profile) for the given user.
This will create the `~/.nix-defexpr` symlink. So run:

```ShellSession
# su - alice -c "true"
```

The flag `-m` causes the creation of a home directory for the new user,
which is generally what you want. The user does not have an initial
password and therefore cannot log in. A password can be set using the
`passwd` utility:

```ShellSession
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
```

A user can be deleted using `userdel`:

```ShellSession
# userdel -r alice
```

The flag `-r` deletes the user's home directory. Accounts can be
modified using `usermod`. Unix groups can be managed using `groupadd`,
`groupmod` and `groupdel`.
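
For the fully declarative style described earlier, where `users.mutableUsers` is set to `false`, the pieces fit together as in the following module. This is an added example, not part of the original manual text; the password hash and the SSH public key are placeholders, and the `students` membership is an assumption made for illustration.

```nix
# Added example. Placeholder values are marked; generate a real hash
# with `mkpasswd -m sha-512` and substitute your own public key.
{ ... }:
{
  # /etc/passwd and /etc/group are generated from this configuration only.
  # Removing an entry below and running nixos-rebuild removes the account.
  users.mutableUsers = false;

  users.users.alice = {
    isNormalUser = true;
    uid = 1000;                      # optional; assigned automatically if omitted
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "students" ];

    # The password is taken from the configuration, as the text describes.
    # Everything written here, the hash included, is copied into the
    # world-readable Nix store, so treat the hash as exposed to local users.
    hashedPassword = "$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH";

    # Placeholder key; key-based login works independently of the password.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY alice@foobar"
    ];
  };

  # Declared so that the extraGroups entry above refers to an existing group.
  users.groups.students.gid = 1000;
}
```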