documentation/docs/alpine-desktop-setup/post-install/users.md

# Users

It might be nice to add a user to your system.

## Doas

Before creating the user install `doas` for when root is requiered:

```
# apk add doas
```

Also configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
permit nopasss :_power cmd poweroff
permit nopasss :_power cmd reboot
```

And create a `_power` group for user's to be able to poweroff the system without root:

```
# addgroup -S _power
```

## Adding a user

Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:

```
# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
```

And you (might) have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

> It's also recommended to have an "admin" account which is the only one in the wheel group.

Don't login yet if you want to encrypt the directory.

If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:

```
# passwd -l root
```

And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

### Encrypting the home directory

If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.

> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.

#### Setup

First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

```
# apk add fscrypt e2fsprogs-extra util-linux-login
```

Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

```
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
```

And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:

```
auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so
```

#### Encrypting a user's home

Encrypt the directory with:

```
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```

Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:

```
$ fscrypt status /home/<username>
```

## TLDR

If you have already set up a system with a user but want to add another do this:

```
# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Added users page 2023-12-28 15:09:21 +01:00			`# Users`

			`It might be nice to add a user to your system.`

			`## Doas`

			Before creating the user install `doas` for when root is requiered:

			```
			`# apk add doas`
			```

			Also configure `doas` through `/etc/doas.d/main.conf`:

			```
			`permit persist :wheel as root`
Added _power group 2023-12-28 15:18:15 +01:00			`permit nopasss :_power cmd poweroff`
			`permit nopasss :_power cmd reboot`
			```

			And create a `_power` group for user's to be able to poweroff the system without root:

			```
			`# addgroup -S _power`
Added users page 2023-12-28 15:09:21 +01:00			```

			`## Adding a user`

			Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:

			```
Expanded user section 2023-12-28 16:04:13 +01:00			`# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>`
Added users page 2023-12-28 15:09:21 +01:00			`# passwd <username>`
			```

Expanded user section 2023-12-28 16:04:13 +01:00			And you (might) have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

			```
			`<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>`
			```

Better language 2023-12-28 15:10:22 +01:00			`> It's also recommended to have an "admin" account which is the only one in the wheel group.`
Added users page 2023-12-28 15:09:21 +01:00
			`Don't login yet if you want to encrypt the directory.`

			If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:

			```
			`# passwd -l root`
			```

			And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

			```
			`root:x:0:0:root:/root:/sbin/nologin`
			```

			`### Encrypting the home directory`

			`If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.`

			`> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.`

			`#### Setup`

			First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

			```
			`# apk add fscrypt e2fsprogs-extra util-linux-login`
			```

			Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

			```
			`# tune2fs -O encrypt /dev/vg<m>/home<n>`
			`# fscrypt setup`
			`# fscrypt setup /home`
			```

			And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:

			```
			`auth optional pam_fscrypt.so`
			`...`
			`session optional pam_fscrypt.so`
			```

			`#### Encrypting a user's home`

			`Encrypt the directory with:`

			```
			`# fscrypt encrypt /home/<username> --user=<username>`
Expanded user section 2023-12-28 16:04:13 +01:00			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
Added users page 2023-12-28 15:09:21 +01:00			```

Expanded user section 2023-12-28 16:04:13 +01:00			`Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:`
Added users page 2023-12-28 15:09:21 +01:00
			```
			`$ fscrypt status /home/<username>`
			```
Expanded user section 2023-12-28 16:04:13 +01:00
			`## TLDR`

			`If you have already set up a system with a user but want to add another do this:`

			```
			`# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>`
			`# passwd <username>`
			`[Change shell in /etc/passwd]`
			`# fscrypt encrypt /home/<username> --user=<username>`
			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
			```