<!-- NixOS manual chapter source, at 23.05-pre -->
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-user-management">
  <title>User Management</title>
  <para>
    NixOS supports both declarative and imperative styles of user
    management. In the declarative style, users are specified in
    <literal>configuration.nix</literal>. For instance, the following
    states that a user account named <literal>alice</literal> shall
    exist:
  </para>
  <programlisting language="bash">
users.users.alice = {
  isNormalUser = true;
  home = &quot;/home/alice&quot;;
  description = &quot;Alice Foobar&quot;;
  extraGroups = [ &quot;wheel&quot; &quot;networkmanager&quot; ];
  openssh.authorizedKeys.keys = [ &quot;ssh-dss AAAAB3Nza... alice@foobar&quot; ];
};
</programlisting>
  <para>
    Note that <literal>alice</literal> is a member of the
    <literal>wheel</literal> and <literal>networkmanager</literal>
    groups, which allows her to use <literal>sudo</literal> to execute
    commands as <literal>root</literal> and to configure the network,
    respectively. Also note the SSH public key that allows remote logins
    with the corresponding private key. Users created in this way do not
    have a password by default, so they cannot log in via mechanisms
    that require a password. However, you can use the
    <literal>passwd</literal> program to set a password, which is
    retained across invocations of <literal>nixos-rebuild</literal>.
  </para>
  <para>
    If you set <xref linkend="opt-users.mutableUsers" /> to false, then
    the contents of <literal>/etc/passwd</literal> and
    <literal>/etc/group</literal> will be congruent to your NixOS
    configuration. For instance, if you remove a user from
    <xref linkend="opt-users.users" /> and run
    <literal>nixos-rebuild</literal>, the user account will cease to
    exist. Also, imperative commands for managing users and groups, such
    as <literal>useradd</literal>, are no longer available.
    Passwords may still be assigned by setting the user's
    <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link>
    option. A hashed password can be generated using
    <literal>mkpasswd</literal>.
  </para>
  <para>
    A user ID (uid) is assigned automatically. You can also specify a
    uid manually by adding
  </para>
  <programlisting language="bash">
uid = 1000;
</programlisting>
  <para>
    to the user specification.
  </para>
  <para>
    Groups can be specified similarly. The following states that a group
    named <literal>students</literal> shall exist:
  </para>
  <programlisting language="bash">
users.groups.students.gid = 1000;
</programlisting>
  <para>
    As with users, the group ID (gid) is optional and will be assigned
    automatically if it’s missing.
  </para>
  <para>
    In the imperative style, users and groups are managed by commands
    such as <literal>useradd</literal>, <literal>groupmod</literal> and
    so on. For instance, to create a user account named
    <literal>alice</literal>:
  </para>
  <programlisting>
# useradd -m alice
</programlisting>
  <para>
    To make all Nix tools available to this new user, use
    <literal>su - USER</literal>, which opens a login shell (that is, a
    shell that loads the profile) for the given user. This creates the
    <literal>~/.nix-defexpr</literal> symlink. So run:
  </para>
  <programlisting>
# su - alice -c &quot;true&quot;
</programlisting>
  <para>
    The <literal>-m</literal> flag to <literal>useradd</literal> creates
    a home directory for the new user, which is generally what you want.
    The user does not have an initial password and therefore cannot log
    in. A password can be set using the <literal>passwd</literal>
    utility:
  </para>
  <programlisting>
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</programlisting>
  <para>
    A user can be deleted using <literal>userdel</literal>:
  </para>
  <programlisting>
# userdel -r alice
</programlisting>
  <para>
    The <literal>-r</literal> flag deletes the user’s home directory.
    Accounts can be modified using <literal>usermod</literal>. Unix
    groups can be managed using <literal>groupadd</literal>,
    <literal>groupmod</literal> and <literal>groupdel</literal>.
  </para>
</chapter>
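The following is an added example, not part of the NixOS manual chapter above, that ties the declarative pieces the chapter discusses (users.mutableUsers, hashedPassword, a fixed uid, a group with a fixed gid, extraGroups and authorized SSH keys) into one configuration.nix fragment. The user and group names, the uid/gid values, the hashed-password placeholder and the SSH key material are all constructed for illustration; the hash must be replaced by real output of mkpasswd, and an ed25519 key is shown instead of the chapter's ssh-dss key because current OpenSSH releases disable DSA keys by default.

```nix
# Added example (not from the NixOS manual): a fully declarative user setup in
# which /etc/passwd and /etc/group are derived solely from configuration.nix.
{ config, pkgs, ... }:

{
  # With mutableUsers = false the account set below is authoritative: useradd
  # and passwd no longer work, and removing a user here removes it from the
  # system on the next nixos-rebuild.
  users.mutableUsers = false;

  users.groups.students = {
    gid = 1000;                 # fixed gid, as in the chapter's example
    members = [ "alice" ];      # same effect as listing "students" in alice's extraGroups
  };

  users.users.alice = {
    isNormalUser = true;
    uid = 1000;                 # pin the uid so file ownership stays stable across rebuilds
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];

    # Because passwd is unavailable, the password hash must be supplied here.
    # Generate it on a shell with:  mkpasswd -m sha-512
    # The value below is a constructed placeholder, not a real hash.
    hashedPassword = "$6$PLACEHOLDER$REPLACE_WITH_MKPASSWD_OUTPUT";

    # Key-based SSH login. Constructed ed25519 key; replace with the real public key.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL alice@foobar"
    ];
  };

  # A service account (hypothetical name "appsvc"): no home directory, no
  # password and no interactive login, only a primary group, which NixOS
  # requires to be named explicitly for system users.
  users.groups.appsvc = { };
  users.users.appsvc = {
    isSystemUser = true;
    group = "appsvc";
  };
}
```

After `nixos-rebuild switch`, `getent passwd alice appsvc` and `getent group students` show exactly the entries above and nothing that was created imperatively; an account added with `useradd` on such a system does not survive the next rebuild, which is the behaviour the chapter describes for `mutableUsers = false`.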