> Make sure that the home dataset is decrypted and mounted, before creating a user.
You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
```
# passwd -l root
```
and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user.
```
# apk add runit
```
Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user.
> This process can of course be repeated for several users.
### Mounting home
Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel.
Create `/etc/init.d/mount-home`
```
#!/sbin/openrc-run
depend()
{
need localmount
}
start()
{
zfs load-key -L prompt tank/home
zfs mount tank/home
}
stop()
{
zfs unmount tank/home
zfs unload-key tank/home
}
```
Make `/etc/init.d/mount-home` an executable
```
# chmod +x /etc/init.d/mount-home
```
Add the service to the manual runlevel
```
# rc-update add mount-home manual
```
Now the scripts can be started accordingly with
```
# openrc -n manual
```
> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.