path: root/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
Diffstat (limited to 'nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml')
-rw-r--r-- nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml 88
1 files changed, 88 insertions, 0 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
new file mode 100644
index 000000000000..4b1710f3a2b1
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
@@ -0,0 +1,88 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-user-management">
+ <title>User Management</title>
+ <para>
+  NixOS supports both declarative and imperative styles of user management. In
+  the declarative style, users are specified in
+  <filename>configuration.nix</filename>. For instance, the following states
+  that a user account named <literal>alice</literal> shall exist:
+<programlisting>
+<xref linkend="opt-users.users"/>.alice = {
+  <link linkend="opt-users.users._name__.isNormalUser">isNormalUser</link> = true;
+  <link linkend="opt-users.users._name__.home">home</link> = "/home/alice";
+  <link linkend="opt-users.users._name__.description">description</link> = "Alice Foobar";
+  <link linkend="opt-users.users._name__.extraGroups">extraGroups</link> = [ "wheel" "networkmanager" ];
+  <link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
+};
+</programlisting>
+  Note that <literal>alice</literal> is a member of the
+  <literal>wheel</literal> and <literal>networkmanager</literal> groups, which
+  allows her to use <command>sudo</command> to execute commands as
+  <literal>root</literal> and to configure the network, respectively. Also note
+  the SSH public key that allows remote logins with the corresponding private
+  key. Users created in this way do not have a password by default, so they
+  cannot log in via mechanisms that require a password. However, you can use
+  the <command>passwd</command> program to set a password, which is retained
+  across invocations of <command>nixos-rebuild</command>.
+ </para>
+ <para>
+  If you set <xref linkend="opt-users.mutableUsers"/> to false, then the
+  contents of <literal>/etc/passwd</literal> and <literal>/etc/group</literal>
+  will be congruent to your NixOS configuration. For instance, if you remove a
+  user from <xref linkend="opt-users.users"/> and run nixos-rebuild, the user
+  account will cease to exist. Also, imperative commands for managing users and
+  groups, such as useradd, are no longer available. Passwords may still be
+  assigned by setting the user's
+  <link linkend="opt-users.users._name__.hashedPassword">hashedPassword</link>
+  option. A hashed password can be generated using <command>mkpasswd -m
+  sha-512</command> after installing the <literal>mkpasswd</literal> package.
+ </para>
+ <para>
+  A user ID (uid) is assigned automatically. You can also specify a uid
+  manually by adding
+<programlisting>
+uid = 1000;
+</programlisting>
+  to the user specification.
+ </para>
+ <para>
+  Groups can be specified similarly. The following states that a group named
+  <literal>students</literal> shall exist:
+<programlisting>
+<xref linkend="opt-users.groups"/>.students.gid = 1000;
+</programlisting>
+  As with users, the group ID (gid) is optional and will be assigned
+  automatically if it’s missing.
+ </para>
+ <para>
+  In the imperative style, users and groups are managed by commands such as
+  <command>useradd</command>, <command>groupmod</command> and so on. For
+  instance, to create a user account named <literal>alice</literal>:
+<screen>
+# useradd -m alice</screen>
+  To make all nix tools available to this new user use `su - USER` which opens
+  a login shell (==shell that loads the profile) for given user. This will
+  create the ~/.nix-defexpr symlink. So run:
+<screen>
+# su - alice -c "true"</screen>
+  The flag <option>-m</option> causes the creation of a home directory for the
+  new user, which is generally what you want. The user does not have an initial
+  password and therefore cannot log in. A password can be set using the
+  <command>passwd</command> utility:
+<screen>
+# passwd alice
+Enter new UNIX password: ***
+Retype new UNIX password: ***
+</screen>
+  A user can be deleted using <command>userdel</command>:
+<screen>
+# userdel -r alice</screen>
+  The flag <option>-r</option> deletes the user’s home directory. Accounts
+  can be modified using <command>usermod</command>. Unix groups can be managed
+  using <command>groupadd</command>, <command>groupmod</command> and
+  <command>groupdel</command>.
+ </para>
+</chapter>
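Review bot: the sample `openssh.authorizedKeys.keys` entry in the `alice` listing uses an `ssh-dss` (DSA) key, which OpenSSH has deprecated and no longer accepts by default; since readers copy manual examples verbatim, the placeholder should be a modern key type, e.g. `"ssh-ed25519 AAAAC3Nza... alice@foobar"`. In the imperative paragraph, the `su - USER` sentence uses Markdown backticks and "(==shell that loads the profile)" inside DocBook, and it is wedged between `# useradd -m alice` and the sentence explaining the `-m` flag; it should use `<command>` markup like the rest of the chapter and move after the `-m` explanation so the flow reads useradd, flag explanation, then the `su - alice -c "true"` step.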