# Users

It might be nice to add a user to your system.

## Doas

Before creating the user install `doas` for when root is requiered:

```
# apk add doas
```

Also configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
permit nopasss :wheel cmd poweroff
permit nopasss :wheel cmd reboot
```

## Adding a user

Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:

```
# setup-user -g wheel,plugdev,_seatd,nix -f <"Full Name"> <username>
# passwd <username>
```

> It's also recommended to have an "admin" account which is the only one in the wheel group.

Don't login yet if you want to encrypt the directory.

If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:

```
# passwd -l root
```

And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

### Encrypting the home directory

If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.

> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.

#### Setup

First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

```
# apk add fscrypt e2fsprogs-extra util-linux-login
```

Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:

```
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
```

And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:

```
auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so
```

#### Encrypting a user's home

Encrypt the directory with:

```
# fscrypt encrypt /home/<username> --user=<username>
[Enter 1 so that it's unlocks when the user logs in]
```

Then login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:

```
$ fscrypt status /home/<username>
```