# User Management {#sec-user-management}

NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
`configuration.nix`. For instance, the following states that a user
account named `alice` shall exist:

```nix
{
  users.users.alice = {
    isNormalUser = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
}
```

Note that `alice` is a member of the `wheel` and `networkmanager`
groups, which allows her to use `sudo` to execute commands as `root` and
to configure the network, respectively. Also note the SSH public key
that allows remote logins with the corresponding private key. Users
created in this way do not have a password by default, so they cannot
log in via mechanisms that require a password. However, you can use the
`passwd` program to set a password, which is retained across invocations
of `nixos-rebuild`.

If you set [](#opt-users.mutableUsers) to
false, then the contents of `/etc/passwd` and `/etc/group` will be congruent
to your NixOS configuration. For instance, if you remove a user from
[](#opt-users.users) and run `nixos-rebuild`, the user
account will cease to exist. Also, imperative commands for managing users and
groups, such as `useradd`, are no longer available. Passwords may still be
assigned by setting the user's
[hashedPassword](#opt-users.users._name_.hashedPassword) option. A
hashed password can be generated using `mkpasswd`.

A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding

```nix
{
  uid = 1000;
}
```

to the user specification.

Groups can be specified similarly. The following states that a group
named `students` shall exist:

```nix
{
  users.groups.students.gid = 1000;
}
```

As with users, the group ID (gid) is optional and will be assigned
automatically if it's missing.

In the imperative style, users and groups are managed by commands such
as `useradd`, `groupmod` and so on. For instance, to create a user
account named `alice`:

```ShellSession
# useradd -m alice
```

To make all Nix tools available to this new user, use `su - USER`, which
opens a login shell (a shell that loads the profile) for the given user.
This will create the `~/.nix-defexpr` symlink. So run:

```ShellSession
# su - alice -c "true"
```

The flag `-m` causes the creation of a home directory for the new user,
which is generally what you want. The user does not have an initial
password and therefore cannot log in. A password can be set using the
`passwd` utility:

```ShellSession
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
```

A user can be deleted using `userdel`:

```ShellSession
# userdel -r alice
```

The flag `-r` deletes the user's home directory. Accounts can be
modified using `usermod`. Unix groups can be managed using `groupadd`,
`groupmod` and `groupdel`.

## Create users and groups with `systemd-sysusers` {#sec-systemd-sysusers}

::: {.note}
This is experimental.
:::

Instead of using a custom Perl script to create users and groups, you can use
`systemd-sysusers`:

```nix
{
  systemd.sysusers.enable = true;
}
```

The primary benefit of this is to remove a dependency on Perl.
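
Returning to the declarative style with `users.mutableUsers` set to false, the following added example (not part of the original manual text) combines the options described there into one fully declarative account definition. The hash file path and the SSH key are placeholders, and the example uses `hashedPasswordFile`, a sibling of the `hashedPassword` option mentioned above.

```nix
{
  # Added example; the file path and key material below are placeholders.

  # /etc/passwd and /etc/group now follow this configuration exactly.
  # Accounts removed from here disappear on the next nixos-rebuild, and
  # a password set with `passwd` no longer survives a rebuild.
  users.mutableUsers = false;

  users.users.alice = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "students" ];

    # Hash generated with `mkpasswd`, stored in a root-only file and
    # read at activation time (hypothetical path). Writing the hash
    # directly into `hashedPassword` would place it in the
    # world-readable Nix store. Keep this a string, not a Nix path
    # literal, so the file itself is not copied into the store.
    hashedPasswordFile = "/etc/nixos/secrets/alice.passwd-hash";

    # Placeholder public key, not a real key.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER alice@foobar"
    ];
  };

  # Group referenced in extraGroups above, with a fixed gid.
  users.groups.students.gid = 1000;
}
```

With `users.mutableUsers = false`, NixOS refuses to build a configuration in which neither `root` nor any `wheel` member has a password or an authorized SSH key, so at least one of the two credentials above must stay in place.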