documentation/docs/alpine-desktop-setup/post-install/users.md

# Users

It might be nice to add a user to your system.

## Doas

Before creating the user install `doas` for when root is requiered:

```
# apk add doas
```

Also configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
permit nopasss :_power cmd poweroff
permit nopasss :_power cmd reboot
```

And create a `_power` group for user's to be able to poweroff the system without root:

```
# addgroup -S _power
```

## Adding a user

Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:

```
# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
```

> It's also recommended to have an "admin" account which is the only one in the wheel group.

And you may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

Don't login yet if you want to encrypt the directory.

If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:

```
# passwd -l root
```

And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

### Encrypting the home directory

If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.

> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.

#### Setting up fscrypt

First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

```
# apk add fscrypt e2fsprogs-extra util-linux-login
```

Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

```
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
```

And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:

```
auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so
```

#### Encrypting a user's home

Encrypt the directory with:

```
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```

Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:

```
$ fscrypt status /home/<username>
```

## TLDR

If you have already set up a system with a user but want to add another do this:

```
# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Added users page 2023-12-28 15:09:21 +01:00			`# Users`

			`It might be nice to add a user to your system.`

			`## Doas`

			Before creating the user install `doas` for when root is requiered:

			```
			`# apk add doas`
			```

			Also configure `doas` through `/etc/doas.d/main.conf`:

			```
			`permit persist :wheel as root`
Added _power group 2023-12-28 15:18:15 +01:00			`permit nopasss :_power cmd poweroff`
			`permit nopasss :_power cmd reboot`
			```

			And create a `_power` group for user's to be able to poweroff the system without root:

			```
			`# addgroup -S _power`
Added users page 2023-12-28 15:09:21 +01:00			```

			`## Adding a user`

			Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:

			```
Expanded user section 2023-12-28 16:04:13 +01:00			`# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>`
Added users page 2023-12-28 15:09:21 +01:00			`# passwd <username>`
			```

Swapped a line around 2023-12-28 16:13:04 +01:00			`> It's also recommended to have an "admin" account which is the only one in the wheel group.`

			And you may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
Expanded user section 2023-12-28 16:04:13 +01:00
			```
			`<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>`
			```

Added users page 2023-12-28 15:09:21 +01:00			`Don't login yet if you want to encrypt the directory.`

			If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:

			```
			`# passwd -l root`
			```

			And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

			```
			`root:x:0:0:root:/root:/sbin/nologin`
			```

			`### Encrypting the home directory`

			`If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.`

			`> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.`

Renamed a header 2023-12-28 16:05:29 +01:00			`#### Setting up fscrypt`
Added users page 2023-12-28 15:09:21 +01:00
			First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

			```
			`# apk add fscrypt e2fsprogs-extra util-linux-login`
			```

			Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

			```
			`# tune2fs -O encrypt /dev/vg<m>/home<n>`
			`# fscrypt setup`
			`# fscrypt setup /home`
			```

			And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:

			```
			`auth optional pam_fscrypt.so`
			`...`
			`session optional pam_fscrypt.so`
			```

			`#### Encrypting a user's home`

			`Encrypt the directory with:`

			```
			`# fscrypt encrypt /home/<username> --user=<username>`
Expanded user section 2023-12-28 16:04:13 +01:00			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
Added users page 2023-12-28 15:09:21 +01:00			```

Expanded user section 2023-12-28 16:04:13 +01:00			`Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:`
Added users page 2023-12-28 15:09:21 +01:00
			```
			`$ fscrypt status /home/<username>`
			```
Expanded user section 2023-12-28 16:04:13 +01:00
			`## TLDR`

			`If you have already set up a system with a user but want to add another do this:`

			```
			`# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>`
			`# passwd <username>`
			`[Change shell in /etc/passwd]`
			`# fscrypt encrypt /home/<username> --user=<username>`
			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
			```