User management: Difference between revisions

Revision as of 20:05, 15 May 2025

On NixOS, system users and their properties are declaratively managed through the users.users and users.groups options in the NixOS configuration.

For additional details, refer to NixOS Manual: Chapter - User Management.

Note: The option users.users has an alias users.extraUsers, and similarly, users.groups can also be referred to as users.extraGroups.

User Password

⚠︎

Warning: Avoid publishing hashed passwords, as they still pose a security risk if exposed. Consider using Agenix or sops-nix to manage passwords.

User passwords can be defined declaratively by specifying a hashed password in the system configuration. To generate a password hash, run the following command and enter the desired password when prompted: mkpasswd

The resulting hash can then be assigned to hashedPassword, initialHashedPassword, or hashedPasswordFile options within the user definition. Example:

❄︎ /etc/nixos/configuration.nix

  users.users.alice = {
    ...
    hashedPassword = "$y$j9T$VQsJBEktGmRh14iCMzZ4v1$oN/Gb8KkSOvial2QaECWu1Oo/voyJCOZdX1nXAyGlt6";
  };

User Home Directories

By default, user home directories are created at /home/<username> when users.users.<name>.isNormalUser is true.

Custom home directories can be set via the home option: users.users.alice.home = "/data/alice";

User Shell Configuration

Main article: Command Shell

Login shells can be customized by setting the users.users.<name>.shell option.

User SSH Authorized Keys

Main article: SSH public key authentication#SSH server configuration

SSH authentication can be customized by setting the users.users.<name>.openssh.authorizedKeys option.

Home Manager

For additional user environment configuration, including management of dotfiles, shell settings, and user-specific packages, consider using Home Manager.

@@ Line 11: / Line 11: @@
 User passwords can be defined declaratively by specifying a hashed password in the system configuration. To generate a password hash, run the following command and enter the desired password when prompted: <code>mkpasswd</code>
-The resulting hash can then be assigned to <code>hashedPassword</code>, <code>initialHashedPassword</code>, or <code>hashedPasswordFile</code> options within the user definition. For more information, refer to {{nixos:option|users.users.*.*hashedPassword}}. Example:
+The resulting hash can then be assigned to {{nixos:option|users.users.*.*hashedPassword|hashedPassword, initialHashedPassword, or hashedPasswordFile}} options within the user definition. Example:
 {{file|/etc/nixos/configuration.nix|nix|
@@ Line 24: / Line 24: @@
 == User Home Directories ==
-By default, user home directories are created at <code>/home/<username></code> when {{nixos:option|users.users.*.isNormalUser}} is true.
+By default, user home directories are created at <code>/home/<username></code> when {{nixos:option|users.users.*.isNormalUser|users.users.<name>.isNormalUser}} is true.
 Custom home directories can be set via the <code>home</code> option:
@@ Line 33: / Line 33: @@
 {{main|Command Shell}}
-Login shells can be customized by setting the {{nixos:option|users.users.*.shell}} option.
+Login shells can be customized by setting the {{nixos:option|users.users.*.shell|users.users.<name>.shell}} option.
 == User SSH Authorized Keys ==
@@ Line 39: / Line 39: @@
 {{main|SSH public key authentication#SSH server configuration}}
-SSH authentication can be customized by setting the {{nixos:option|users.users.*.openssh.authorizedKeys}} option.
+SSH authentication can be customized by setting the {{nixos:option|users.users.*.openssh.authorizedKeys|users.users.<name>.openssh.authorizedKeys}} option.
 == Home Manager ==
 For additional user environment configuration, including management of dotfiles, shell settings, and user-specific packages, consider using [[Home Manager]].