documentation/docs/alpine-server-setup/post-install/users.md

# Users

To run containers securely; in an environment with fewer privileges, a user is necessary.

## Wheel

Before creating the user, install `doas`. To be able to "do as" root when it is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
```

## Adding a user

A user can be added in Alpine Linux with the `setup-user` script. Here we can specify the name, groups and more:

```
# setup-user -g wheel <username>
# passwd <username>
```

> Make sure that the home dataset is decrypted and mounted, before creating a user. 

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

```
# passwd -l root
```

and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

## User services

The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user. 

```
# apk add runit
```

Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user. 

```
#!/sbin/openrc-run

user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
    after mount-home
}
```

Make `/etc/init.d/runsvdir-user` an executable

```
# chmod +x /etc/init.d/runsvdir-user
```

Link the user to `/etc/init.d/runsvdir-user`

```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
```

Finally, add the service to the manual runlevel

```
# rc-update add runsvdir-user.<username> manual
```

> This process can of course be repeated for several users.

### Mounting home

Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel. 

Create `/etc/init.d/mount-home`

```
#!/sbin/openrc-run

depend()
{
    need localmount
}

start()
{
    zfs load-key -L prompt tank/home
    zfs mount tank/home
}

stop()
{
    zfs unmount tank/home
    zfs unload-key tank/home
}
```

Make `/etc/init.d/mount-home` an executable

```
# chmod +x /etc/init.d/mount-home
```

Add the service to the manual runlevel

```
# rc-update add mount-home manual
```

Now the scripts can be started accordingly with

```
# openrc -n manual
```

> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			`# Users`

			`To run containers securely; in an environment with fewer privileges, a user is necessary.`

			`## Wheel`

Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			Before creating the user, install `doas`. To be able to "do as" root when it is required:
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00
			```
			`# apk add doas`
			```

			Configure `doas` through `/etc/doas.d/main.conf`:

			```
			`permit persist :wheel as root`
			```

			`## Adding a user`

Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			A user can be added in Alpine Linux with the `setup-user` script. Here we can specify the name, groups and more:
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00
			```
Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			`# setup-user -g wheel <username>`
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			`# passwd <username>`
			```

Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00			`> Make sure that the home dataset is decrypted and mounted, before creating a user.`

			You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

			```
			`<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>`
			```

Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

			```
			`# passwd -l root`
			```

			and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

			```
			`root:x:0:0:root:/root:/sbin/nologin`
			```

			`## User services`

Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00			The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user.

			```
			`# apk add runit`
			```

			Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user.

			```
			`#!/sbin/openrc-run`

			`user="${RC_SVCNAME##*.}"`
			`svdir="/home/${user}/.local/service"`
			`pidfile="/run/runsvdir-user.${user}.pid"`

			`command="/usr/bin/runsvdir"`
			`command_args="$svdir"`
			`command_user="$user"`
			`command_background=true`

			`depend()`
			`{`
			`after mount-home`
			`}`
			```

			Make `/etc/init.d/runsvdir-user` an executable

			```
			`# chmod +x /etc/init.d/runsvdir-user`
			```

			Link the user to `/etc/init.d/runsvdir-user`

			```
			`# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>`
			```

			`Finally, add the service to the manual runlevel`

			```
			`# rc-update add runsvdir-user.<username> manual`
			```

			`> This process can of course be repeated for several users.`

			`### Mounting home`

			`Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel.`

			Create `/etc/init.d/mount-home`

			```
			`#!/sbin/openrc-run`

			`depend()`
			`{`
			`need localmount`
			`}`

			`start()`
			`{`
			`zfs load-key -L prompt tank/home`
			`zfs mount tank/home`
			`}`

			`stop()`
			`{`
			`zfs unmount tank/home`
			`zfs unload-key tank/home`
			`}`
			```

			Make `/etc/init.d/mount-home` an executable

			```
			`# chmod +x /etc/init.d/mount-home`
			```

			`Add the service to the manual runlevel`

			```
			`# rc-update add mount-home manual`
			```

			`Now the scripts can be started accordingly with`

			```
			`# openrc -n manual`
			```

			`> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.`