Skip to content

users

*An instance of this module will create a user account on the added machines, along with a generated password that is constant across machines and user settings. *

System

Usage

{
  inventory.instances = {
    # Deploy user alice on all machines. Don't prompt for password (will be
    # auto-generated).
    user-alice = {
      module = {
        name = "users";
        input = "clan-core";
      };
      roles.default.tags.all = { };
      roles.default.settings = {
        user = "alice";
        prompt = false;
      };
    };

    # Deploy user Carol on all machines. Prompt only once and use the
    # same password on all machines. (`share = true`)
    user-carol = {
      module = {
        name = "users";
        input = "clan";
      };
      roles.default.tags.all = { };
      roles.default.settings = {
        user = "carol";
        share = true;
      };
    };

    # Deploy user bob only on his laptop. Prompt for a password.
    user-bob = {
      module = {
        name = "users";
        input = "clan-core";
      };
      roles.default.machines.bobs-laptop = { };
      roles.default.settings.user = "bob";
    };
  };
}

Migration from root-password module

The deprecated clan.root-password module has been replaced by the users module. Here's how to migrate:

1. Update your flake configuration

Replace the root-password module import with a users service instance:

# OLD - Remove this from your nixosModules:
imports = [
  self.inputs.clan-core.clanModules.root-password
];

# NEW - Add to inventory.instances or machines/flake-module.nix:
instances = {
  users-root = {
    module.name = "users";
    module.input = "clan-core";
    roles.default.tags.nixos = { };
    roles.default.settings = {
      user = "root";
      prompt = false;  # Set to true if you want to be prompted
      groups = [ ];
    };
  };
};

2. Migrate vars

The vars structure has changed from root-password to user-password-root:

# For each machine, rename the vars directories:
cd vars/per-machine/<machine-name>/
mv root-password user-password-root
mv user-password-root/password-hash user-password-root/user-password-hash
mv user-password-root/password user-password-root/user-password

Roles

The users module has the following roles:

  • default

Options for the default role

groups

Additional groups the user should be added to. You can add any group that exists on your system. Make sure these group exists on all machines where the user is enabled.

Commonly used groups:

  • "wheel" - Allows the user to run commands as root using sudo.
  • "networkmanager" - Allows the user to manage network connections.
  • "video" - Allows the user to access video devices.
  • "input" - Allows the user to access input devices.

Type: list of string

Default:

[ ]
Example 
[
  "wheel"
  "networkmanager"
  "video"
  "input"
]

Declared in: clanServices/users/default.nix

prompt

Whether the user should be prompted for a password.

Effects:

  • enabled (true) - Prompt for a password during the machine installation or update workflow.
  • disabled (false) - Generate a password during the machine installation or update workflow.

The password can be shown in two steps:

  • clan vars list <machine-name>
  • clan vars get <machine-name> <name-of-password-variable>

Type: boolean

Default:

true
Example 
false

Declared in: clanServices/users/default.nix

share

Weather the user should have the same password on all machines.

By default, you will be prompted for a new password for every host. Unless generate is set to true.

Type: boolean

Default:

false
Example 
true

Declared in: clanServices/users/default.nix

user

The user the password should be generated for.

Type: string

Example 
"alice"

Declared in: clanServices/users/default.nix