diff --git a/docs/alpine-desktop-setup/post-install/users.md b/docs/alpine-desktop-setup/post-install/users.md index e69de29..6d769ff 100644 --- a/docs/alpine-desktop-setup/post-install/users.md +++ b/docs/alpine-desktop-setup/post-install/users.md 
@@ -0,0 +1,89 @@ +# Users + +It might be nice to add a user to your system. + +## Doas + +Before creating the user install `doas` for when root is requiered: + +``` +# apk add doas +``` + +Also configure `doas` through `/etc/doas.d/main.conf`: + +``` +permit persist :wheel as root +permit nopasss :wheel cmd poweroff +permit nopasss :wheel cmd reboot +``` + +## Adding a user + +Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more: + +``` +# setup-user -g wheel,plugdev,_seatd,nix -f <"Full Name"> +# passwd +``` + +> It's also recommended to only have an "admin" account which is in the wheel group. + +Don't login yet if you want to encrypt the directory. + +If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with: + +``` +# passwd -l root +``` + +And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`: + +``` +root:x:0:0:root:/root:/sbin/nologin +``` + +### Encrypting the home directory + +If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory. + +> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt. + +#### Setup + +First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages: + +``` +# apk add fscrypt e2fsprogs-extra util-linux-login +``` + +Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory: + +``` +# tune2fs -O encrypt /dev/vg/home +# fscrypt setup +# fscrypt setup /home +``` + +And edit `/etc/pam.d/login` and adding these lines to their corresponding sections: + +``` +auth optional pam_fscrypt.so +... 
+session optional pam_fscrypt.so +``` + +#### Encrypting a user's home + +Encrypt the directory with: + +``` +# fscrypt encrypt /home/ --user= +[Enter 1 so that it's unlocks when the user logs in] +``` + +Then login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run: + +``` +$ fscrypt status /home/ +```
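Review bot: the two `permit nopasss :wheel cmd ...` lines in the `/etc/doas.d/main.conf` block misspell the keyword; it must be `nopass`. doas treats an unknown keyword as a syntax error and then refuses every request, and because the same hunk goes on to lock root (`passwd -l root`, `/sbin/nologin`) a reader who follows the steps in order is left with no working path to root. Suggest `permit nopass :wheel cmd poweroff` / `permit nopass :wheel cmd reboot`, and, before the "lock the root account" step, an explicit check such as `doas -C /etc/doas.d/main.conf` followed by a `doas` test command run as the new user, since the text only says "If you have checked that `doas` works". Minor wording in the same hunk: "requiered" should be "required", and "[Enter 1 so that it's unlocks when the user logs in]" should read "[Enter 1 so that it unlocks when the user logs in]".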