Home Explore Blog Models CI



nixpkgs
2nd chunk of `nixos/doc/manual/configuration/user-mgmt.chapter.md`
51d638d29373befead04916f3bc4b81928731d5d17449da70000000100000e28
A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding

```nix
{ uid = 1000; }
```

to the user specification.

Groups can be specified similarly. The following states that a group
named `students` shall exist:

```nix
{ users.groups.students.gid = 1000; }
```

As with users, the group ID (gid) is optional and will be assigned
automatically if it's missing.

In the imperative style, users and groups are managed by commands such
as `useradd`, `groupmod` and so on. For instance, to create a user
account named `alice`:

```ShellSession
# useradd -m alice
```

To make all nix tools available to this new user use \`su - USER\` which
opens a login shell (==shell that loads the profile) for given user.
This will create the \~/.nix-defexpr symlink. So run:

```ShellSession
# su - alice -c "true"
```

The flag `-m` causes the creation of a home directory for the new user,
which is generally what you want. The user does not have an initial
password and therefore cannot log in. A password can be set using the
`passwd` utility:

```ShellSession
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
```

A user can be deleted using `userdel`:

```ShellSession
# userdel -r alice
```

The flag `-r` deletes the user's home directory. Accounts can be
modified using `usermod`. Unix groups can be managed using `groupadd`,
`groupmod` and `groupdel`.

## Create users and groups with `systemd-sysusers` {#sec-systemd-sysusers}

::: {.note}
This is experimental.

Please consider using [Userborn](#sec-userborn) over systemd-sysusers as it's
more feature complete.
:::

Instead of using a custom perl script to create users and groups, you can use
systemd-sysusers:

```nix
{ systemd.sysusers.enable = true; }
```

The primary benefit of this is to remove a dependency on perl.

## Manage users and groups with `userborn` {#sec-userborn}

::: {.note}
This is experimental.
:::

Like systemd-sysusers, Userborn doesn't depend on Perl but offers some more
advantages over systemd-sysusers:

1. It can create "normal" users (with a GID >= 1000).
2. It can update some information about users. Most notably it can update their
   passwords.
3. It will warn when users use an insecure or unsupported password hashing
   scheme.

Userborn is the recommended way to manage users if you don't want to rely on
the Perl script. It aims to eventually replace the Perl script by default.

You can enable Userborn via:

```nix
{ services.userborn.enable = true; }
```

You can configure Userborn to store the password files
(`/etc/{group,passwd,shadow}`) outside of `/etc` and symlink them from this
location to `/etc`:

```nix
{ services.userborn.passwordFilesLocation = "/persistent/etc"; }
```

This is useful when you store `/etc` on a `tmpfs` or if `/etc` is immutable
(e.g. when using `system.etc.overlay.mutable = false;`). In the latter case the
original files are by default stored in `/var/lib/nixos`.

Userborn implements immutable users by re-mounting the password files
read-only. This means that unlike when using the Perl script, trying to add a
new user (e.g. via `useradd`) will fail right away.

## Restrict usage time {#sec-restrict-usage-time}

[Timekpr-nExT](https://mjasnik.gitlab.io/timekpr-next/) is a screen time managing application that helps optimizing time spent at computer for your subordinates, children or even for yourself.

You can enable it via:

```nix
{ services.timekpr.enable = true; }
```

This will install the `timekpr` package and start the `timekpr` service.
You can then use the `timekpra` application to configure time limits for users.
Title: NixOS User and Group Management: Imperative Methods and Advanced Tools
Summary
This section details various methods for user and group management in NixOS, following on from declarative methods. It explains how to manually assign User IDs (UIDs) and Group IDs (GIDs) for declarative users and groups. For imperative management, it covers standard Unix commands like `useradd` (with `-m` for home directory creation), `passwd` for setting passwords, `userdel` (with `-r` for home directory removal), `usermod`, `groupadd`, `groupmod`, and `groupdel`. It also introduces two experimental, Perl-free alternatives: `systemd-sysusers` for basic user/group creation, and `userborn` as a more robust solution that can create 'normal' users, update user information (including passwords), and enforce immutable users by remounting password files read-only. `Userborn` can also store password files outside `/etc`. Finally, the `Timekpr-nExT` application is presented as a tool to restrict user usage time.