# Users

It might be nice to add a user to your system.

## Wheel

Before creating the user, install `doas`, so that a user can "do as" root when it is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
permit nopass :_power cmd /sbin/poweroff
permit nopass :_power cmd /sbin/reboot
```

The first rule lets members of `wheel` run any command as root after entering their own password (`persist` caches that authentication for a short while). The two `nopass` rules let members of `_power` run exactly `/sbin/poweroff` and `/sbin/reboot` without a password, and nothing else. Keep the file readable only by root (`chmod 600`); `doas` refuses a configuration that is group- or world-writable.

Then create the `_power` group so that users can power off the system without root:

```
# addgroup -S _power
```

## Adding a user

Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, groups and more:

```
# setup-user -g wheel,_power
# passwd
```

> It is recommended to have an "admin" account which is the sole account in the wheel group.

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell listed in `/etc/shells`. Alpine Linux comes with `/bin/ash` by default, so the entry (with `<user>` standing for the account name) should end up looking like:

```
<user>:x:1234:1234::/home/<user>:/bin/ash
```

> Do not log in yet if you want to encrypt the user's home directory: `fscrypt encrypt` only works on an empty directory, and a first login creates files in it.

Once you have checked that `doas` works for the new user (log in as the user and run `doas id`; it should report `uid=0(root)`), lock the root account, since leaving it open is an unnecessary risk. This can be done with:

```
# passwd -l root
```

and by editing `/etc/passwd` to change root's login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

`passwd -l` only prefixes the password hash with `!` (it can be undone with `passwd -u root`); the `nologin` shell is what stops anything from starting an interactive session as root. Do both, and keep a rescue boot medium at hand, because once root is locked a broken `doas` setup leaves no other way to gain root on the box.

## Encrypting the home directory

> Not yet working, DO NOT FOLLOW.

If you are running a system with multiple users, or if you want an extra layer of protection, then it is possible to encrypt every user's home directory.

> Do note that a second layer of encryption can lead to lower disk performance, so where this matters it might be preferable not to encrypt.
First install the `fscrypt` and `e2fsprogs-extra` packages (the latter provides `tune2fs`):

```
# apk add fscrypt e2fsprogs-extra
```

Then make sure the filesystem has the `encrypt` feature enabled and set up `fscrypt` on the home directory. `/dev/vg/alp_home` is the volume mounted on `/home` in this setup; substitute your own:

```
# tune2fs -O encrypt /dev/vg/alp_home
# fscrypt setup
# fscrypt setup /home
```

The first `fscrypt setup` writes the global `/etc/fscrypt.conf`; `fscrypt setup /home` creates the `/home/.fscrypt` metadata directory for that mount.

In `/etc/pam.d/login` add these lines to their corresponding sections:

```
auth     optional pam_fscrypt.so
...
session  optional pam_fscrypt.so
```

Two caveats here. The `pam_fscrypt` documentation also asks for `password optional pam_fscrypt.so` in the `password` section, so that a login protector is re-wrapped when the user changes their password; without it the protector stops matching after a password change. And these lines only take effect if the login program is linked against PAM: the busybox `login` that Alpine ships by default is not, which is a likely reason this section does not work yet.

Then encrypt the home directory (`<user>` stands for the account name) with:

```
# fscrypt encrypt /home/<user> --user=<user>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```

Then reboot and log in with the user to check whether it worked. `fscrypt` also prints a recovery passphrase, which should be stored somewhere safe (for example in a password manager such as Bitwarden). To check the status of the directory, run:

```
$ fscrypt status /home/<user>
```

## TLDR

If you have already set up a system with a user but want to add another, do this (`wheel` only if the new account is to be the admin account; `nix` is just another group this setup uses):

```
# setup-user -g (wheel,)nix,_power -f ""
# passwd
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<user> --user=<user>   # Doesn't work yet
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
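The "Wheel" and "Adding a user" steps above as one script, added here as an example; it is not code from the original page. It assumes Alpine's `apk`, `addgroup`, `setup-user`, `passwd` and `doas`, and the function names (`render_doas_conf`, `set_shell`, `shell_is_valid`, `rewrite_passwd`, `bootstrap_admin`) are this example's own. It adds two checks the manual procedure skips: the `doas` config is parsed with `doas -C` before it is relied on, and the new account must prove it can escalate before root is locked. The home-directory encryption is deliberately left out since the page marks it as not working.

```shell
#!/bin/sh
# Added example, not part of the original page: create a wheel admin user on
# Alpine with doas, a _power group, and a locked root account.
# Assumes Alpine's apk, addgroup, setup-user, passwd and doas; the helper
# names below are this example's own.
set -eu

# The doas policy from the page: wheel may do anything as root with its own
# password (persist caches it); _power may run only the two power commands,
# without a password.
render_doas_conf() {
    cat <<'EOF'
permit persist :wheel as root
permit nopass :_power cmd /sbin/poweroff
permit nopass :_power cmd /sbin/reboot
EOF
}

# True if SHELL is listed in an /etc/shells-style file (whole-line match).
# Second argument lets a test point at a constructed file.
shell_is_valid() {
    grep -qx -- "$1" "${2:-/etc/shells}"
}

# Rewrite field 7 (login shell) of USER in a passwd-format stream on stdin.
# Other users' lines, and every other field, pass through unchanged.
set_shell() {
    awk -F: -v OFS=: -v u="$1" -v s="$2" '$1 == u { $7 = s } { print }'
}

# Replace /etc/passwd via a temp file so a crash mid-write cannot truncate it.
rewrite_passwd() {
    set_shell "$1" "$2" < /etc/passwd > /etc/passwd.tmp
    chmod 644 /etc/passwd.tmp && mv /etc/passwd.tmp /etc/passwd
}

# The whole procedure. Run as root:  bootstrap_admin <user>
bootstrap_admin() {
    user=$1
    apk add doas
    addgroup -S _power 2>/dev/null || true     # already exists on a second run
    render_doas_conf > /etc/doas.d/main.conf
    chmod 600 /etc/doas.d/main.conf            # doas rejects group/world-writable config
    doas -C /etc/doas.d/main.conf              # syntax check only; the live test is below
    setup-user -g wheel,_power "$user"
    passwd "$user"
    shell_is_valid /bin/ash                    # refuse a shell login(1) would reject
    rewrite_passwd "$user" /bin/ash
    # Prove the admin can actually escalate before root is locked out. doas
    # asks for the user's password here because of the persist rule.
    if ! su - "$user" -c 'doas -u root true'; then
        echo "doas check failed; root NOT locked" >&2
        return 1
    fi
    passwd -l root
    rewrite_passwd root /sbin/nologin
}
```

The order matters: `passwd -l root` is the last step, so any failure before it (a typo in the policy, a shell not in `/etc/shells`, a `doas` that was never consulted) leaves root usable. `doas -C` only parses the file; the `su ... doas -u root true` line is what confirms the policy is really in effect for that account.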