documentation/docs/alpine-desktop-setup/post-install/users.md

# Users

It might be nice to add a user to your system.

## Wheel

Before creating the user install `doas`, to use when root is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
permit nopasss :_power cmd /sbin/poweroff
permit nopasss :_power cmd /sbin/reboot
```

and create a `_power` group for users to be able to poweroff the system without root:

```
# addgroup -S _power
```

## Adding a user

Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, full name with `-f`, groups and more:

```
# setup-user -g wheel,_power -f "<Full Name>" <username>
# passwd <username>
```

> It is recommended to have an "admin" account which is the sole account in the wheel group.

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

> Do not log in yet if you want to encrypt the user's home directory.

If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

```
# passwd -l root
```

and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

## Encrypting the home directory

> Not yet working, DO NOT FOLLOW.

If you are running a system with multiple users or if you want an extra layer of protection then it is possible to encrypt every user's home directory.

> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.

First install the `fscrypt` and `e2fsprogs-extra` packages:

```
# apk add fscrypt e2fsprogs-extra
```

Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

```
# tune2fs -O encrypt /dev/vg<n>/alp_home
# fscrypt setup
# fscrypt setup /home
```

And in `/etc/pam.d/login` add these lines to their corresponding sections:

```
auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so
```

Then encrypt the home directory with:

```
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```

Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:

```
$ fscrypt status /home/<username>
```

## TLDR

If you have already set up a system with a user but want to add another do this:

```
# setup-user -g (wheel,)nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username> # Doesn't work yet
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Added users page 2023-12-28 15:09:21 +01:00			`# Users`

			`It might be nice to add a user to your system.`

Added ZFS install for alpine-server. 2024-08-10 21:54:34 +02:00			`## Wheel`
Updated some naming schemes in alpine server and desktop sections. 2024-07-08 12:56:43 +02:00
Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			Before creating the user install `doas`, to use when root is required:
Added users page 2023-12-28 15:09:21 +01:00
			```
			`# apk add doas`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			Configure `doas` through `/etc/doas.d/main.conf`:
Added users page 2023-12-28 15:09:21 +01:00
			```
			`permit persist :wheel as root`
Added login-manager and tweaked a few things 2024-05-09 12:27:11 +02:00			`permit nopasss :_power cmd /sbin/poweroff`
			`permit nopasss :_power cmd /sbin/reboot`
Added _power group 2023-12-28 15:18:15 +01:00			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			and create a `_power` group for users to be able to poweroff the system without root:
Added _power group 2023-12-28 15:18:15 +01:00
			```
			`# addgroup -S _power`
Added users page 2023-12-28 15:09:21 +01:00			```

			`## Adding a user`

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, full name with `-f`, groups and more:
Added users page 2023-12-28 15:09:21 +01:00
			```
Updated some naming schemes in alpine server and desktop sections. 2024-07-08 12:56:43 +02:00			`# setup-user -g wheel,_power -f "<Full Name>" <username>`
Added users page 2023-12-28 15:09:21 +01:00			`# passwd <username>`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`> It is recommended to have an "admin" account which is the sole account in the wheel group.`
Swapped a line around 2023-12-28 16:13:04 +01:00
Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
Expanded user section 2023-12-28 16:04:13 +01:00
			```
			`<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`> Do not log in yet if you want to encrypt the user's home directory.`
Added users page 2023-12-28 15:09:21 +01:00
Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
Added users page 2023-12-28 15:09:21 +01:00
			```
			`# passwd -l root`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
Added users page 2023-12-28 15:09:21 +01:00
			```
			`root:x:0:0:root:/root:/sbin/nologin`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`## Encrypting the home directory`
Updated some naming schemes in alpine server and desktop sections. 2024-07-08 12:56:43 +02:00
Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`> Not yet working, DO NOT FOLLOW.`
Updated some naming schemes in alpine server and desktop sections. 2024-07-08 12:56:43 +02:00
Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`If you are running a system with multiple users or if you want an extra layer of protection then it is possible to encrypt every user's home directory.`
Added users page 2023-12-28 15:09:21 +01:00
			`> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.`

Moved util-linux-login 2023-12-29 21:33:58 +01:00			First install the `fscrypt` and `e2fsprogs-extra` packages:
Added users page 2023-12-28 15:09:21 +01:00
			```
Moved util-linux-login 2023-12-29 21:33:58 +01:00			`# apk add fscrypt e2fsprogs-extra`
Added users page 2023-12-28 15:09:21 +01:00			```

			Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

			```
Forgot to update that one 2024-01-06 16:55:36 +01:00			`# tune2fs -O encrypt /dev/vg<n>/alp_home`
Added users page 2023-12-28 15:09:21 +01:00			`# fscrypt setup`
			`# fscrypt setup /home`
			```

English is hard 2023-12-29 21:44:44 +01:00			And in `/etc/pam.d/login` add these lines to their corresponding sections:
Added users page 2023-12-28 15:09:21 +01:00
			```
			`auth optional pam_fscrypt.so`
			`...`
			`session optional pam_fscrypt.so`
			```

Updated the post-install sections of alpine-desktop. 2024-07-10 22:26:12 +02:00			`Then encrypt the home directory with:`
Added users page 2023-12-28 15:09:21 +01:00
			```
			`# fscrypt encrypt /home/<username> --user=<username>`
Expanded user section 2023-12-28 16:04:13 +01:00			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
Added users page 2023-12-28 15:09:21 +01:00			```

Expanded user section 2023-12-28 16:04:13 +01:00			`Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:`
Added users page 2023-12-28 15:09:21 +01:00
			```
			`$ fscrypt status /home/<username>`
			```
Expanded user section 2023-12-28 16:04:13 +01:00
			`## TLDR`

			`If you have already set up a system with a user but want to add another do this:`

			```
Updated networkmanager things 2023-12-30 22:48:50 +01:00			`# setup-user -g (wheel,)nix,_power -f "<Full Name>" <username>`
Expanded user section 2023-12-28 16:04:13 +01:00			`# passwd <username>`
			`[Change shell in /etc/passwd]`
fscrypt doesn't work just yet 2023-12-28 16:31:21 +01:00			`# fscrypt encrypt /home/<username> --user=<username> # Doesn't work yet`
Expanded user section 2023-12-28 16:04:13 +01:00			`[Create a new login protector]`
			`[Enter 1 so that it unlocks the directory when the user logs in]`
			```