# Users

To run containers securely; in an environment with fewer privileges, a user is necessary.

## Wheel

Before creating the user install `doas`, to use when root is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
```

## Adding a user

Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, groups and more:

```
# setup-user -g wheel,_power <username>
# passwd <username>
```

> Make sure that the home dataset is decrypted and mounted, before creating a user. 

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

```
# passwd -l root
```

and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

## User services

The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user. 

```
# apk add runit
```

Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user. 

```
#!/sbin/openrc-run

user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
    after mount-home
}
```

Make `/etc/init.d/runsvdir-user` an executable

```
# chmod +x /etc/init.d/runsvdir-user
```

Link the user to `/etc/init.d/runsvdir-user`

```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
```

Finally, add the service to the manual runlevel

```
# rc-update add runsvdir-user.<username> manual
```

> This process can of course be repeated for several users.

### Mounting home

Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel. 

Create `/etc/init.d/mount-home`

```
#!/sbin/openrc-run

depend()
{
    need localmount
}

start()
{
    zfs load-key -L prompt tank/home
    zfs mount tank/home
}

stop()
{
    zfs unmount tank/home
    zfs unload-key tank/home
}
```

Make `/etc/init.d/mount-home` an executable

```
# chmod +x /etc/init.d/mount-home
```

Add the service to the manual runlevel

```
# rc-update add mount-home manual
```

Now the scripts can be started accordingly with

```
# openrc -n manual
```

> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.