# User Management {#sec-user-management}

NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
`configuration.nix`. For instance, the following states that a user
account named `alice` shall exist:

```nix
{
  users.users.alice = {
    isNormalUser = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [
      "wheel"
      "networkmanager"
    ];
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
}
```

Note that `alice` is a member of the `wheel` and `networkmanager`
groups, which allows her to use `sudo` to execute commands as `root` and
to configure the network, respectively. Also note the SSH public key
that allows remote logins with the corresponding private key. Users
created in this way do not have a password by default, so they cannot
log in via mechanisms that require a password. However, you can use the
`passwd` program to set a password, which is retained across invocations
of `nixos-rebuild`.

If you set [](#opt-users.mutableUsers) to
false, then the contents of `/etc/passwd` and `/etc/group` will be congruent
to your NixOS configuration. For instance, if you remove a user from
[](#opt-users.users) and run `nixos-rebuild`, the user
account will cease to exist. Also, imperative commands for managing users and
groups, such as `useradd`, are no longer available. Passwords may still be
assigned by setting the user's
[hashedPassword](#opt-users.users._name_.hashedPassword) option. A
hashed password can be generated using `mkpasswd`.

A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding

```nix
{ uid = 1000; }
```

to the user specification.

Groups can be specified similarly. The following states that a group
named `students` shall exist:

```nix
{ users.groups.students.gid = 1000; }
```

As with users, the group ID (gid) is optional and will be assigned
automatically if it's missing.
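As an added example (not taken from the manual), the following module combines the declarative options above: immutable users, an explicitly chosen uid and gid, group membership, and a password hash produced by `mkpasswd`. The hash and SSH key values are placeholders, and `hashedPasswordFile` is mentioned as the option to prefer when the hash should not end up in the Nix store.

```nix
{ ... }:
{
  # With mutableUsers = false, /etc/passwd and /etc/group are regenerated from
  # this file on every nixos-rebuild; useradd, usermod, groupadd, etc. stop working.
  users.mutableUsers = false;

  # Explicit gid, as in the `students` example above.
  users.groups.students.gid = 1000;

  users.users.alice = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/alice";
    description = "Alice Foobar";
    # "wheel" grants sudo to root; keep this list as short as the role allows.
    extraGroups = [ "wheel" "networkmanager" "students" ];
    # Generated with `mkpasswd -m yescrypt`; the value below is a PLACEHOLDER, not a real hash.
    # Anything written in configuration.nix is copied into the world-readable Nix store,
    # so on a real system prefer `hashedPasswordFile = "/etc/nixos/secrets/alice.hash";`
    # (a root-only file) over an inline hash.
    hashedPassword = "$y$j9T$PLACEHOLDER$PLACEHOLDERPLACEHOLDERPLACEHOLDER";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@foobar"
    ];
  };

  # bob has neither a password hash nor an SSH key. Because mutableUsers is false,
  # `passwd bob` cannot be used later either: the account exists (uid assigned
  # automatically) but cannot be logged into until a credential is added here.
  users.users.bob = {
    isNormalUser = true;
    extraGroups = [ "students" ];
  };
}
```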

In the imperative style, users and groups are managed by commands such
as `useradd`, `groupmod` and so on. For instance, to create a user
account named `alice`:

```ShellSession
# useradd -m alice
```

To make all Nix tools available to this new user, use `su - USER`, which
opens a login shell (that is, a shell that loads the profile) for the given
user. This creates the `~/.nix-defexpr` symlink. So run:

```ShellSession
# su - alice -c "true"
```

The flag `-m` causes the creation of a home directory for the new user,
which is generally what you want. The user does not have an initial
password and therefore cannot log in. A password can be set using the
`passwd` utility:

```ShellSession
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
```

A user can be deleted using `userdel`:

```ShellSession
# userdel -r alice
```

The flag `-r` deletes the user's home directory. Accounts can be
modified using `usermod`. Unix groups can be managed using `groupadd`,
`groupmod` and `groupdel`.
## Create users and groups with `systemd-sysusers` {#sec-systemd-sysusers}

::: {.note}
This is experimental.

Please consider using [Userborn](#sec-userborn) over systemd-sysusers as it's
more feature complete.
:::

Instead of using a custom Perl script to create users and groups, you can use
systemd-sysusers:

```nix
{ systemd.sysusers.enable = true; }
```

The primary benefit of this is to remove a dependency on Perl.
## Manage users and groups with `userborn` {#sec-userborn}

::: {.note}
This is experimental.
:::

Like systemd-sysusers, Userborn doesn't depend on Perl but offers some more
advantages over systemd-sysusers:

1. It can create "normal" users (with a GID >= 1000).
2. It can update some information about users. Most notably it can update their
   passwords.
3. It will warn when users use an insecure or unsupported password hashing
   scheme.

Userborn is the recommended way to manage users if you don't want to rely on
the Perl script. It aims to eventually replace the Perl script by default.

You can enable Userborn via:

```nix
{ services.userborn.enable = true; }
```

You can configure Userborn to store the password files
(`/etc/{group,passwd,shadow}`) outside of `/etc` and symlink them from this
location to `/etc`:

```nix
{ services.userborn.passwordFilesLocation = "/persistent/etc"; }
```

This is useful when you store `/etc` on a `tmpfs` or if `/etc` is immutable
(e.g. when using `system.etc.overlay.mutable = false;`). In the latter case the
original files are by default stored in `/var/lib/nixos`.

Userborn implements immutable users by re-mounting the password files
read-only. This means that, unlike when using the Perl script, trying to add a
new user (e.g. via `useradd`) will fail right away.
## Restrict usage time {#sec-restrict-usage-time}

[Timekpr-nExT](https://mjasnik.gitlab.io/timekpr-next/) is a screen time management application that helps optimize the time spent at the computer by your subordinates, children, or even yourself.

You can enable it via:

```nix
{ services.timekpr.enable = true; }
```

This will install the `timekpr` package and start the `timekpr` service.
You can then use the `timekpra` application to configure time limits for users.