users

*An instance of this module will create a user account on the added machines, along with a generated password that is constant across machines and user settings. *

Usage🔗

{
  inventory.instances = {
    # Deploy user alice on all machines. Don't prompt for password (will be
    # auto-generated).
    user-alice = {
      module = {
        name = "users";
        input = "clan-core";
      };
      roles.default.tags.all = { };
      roles.default.settings = {
        user = "alice";
        prompt = false;
      };
    };

    # Deploy user Carol on all machines. Prompt only once and use the
    # same password on all machines. (`share = true`)
    user-carol = {
      module = {
        name = "users";
        input = "clan-core";
      };
      roles.default.tags.all = { };
      roles.default.settings = {
        user = "carol";
        share = true;
      };
    };

    # Deploy user bob only on his laptop. Prompt for a password.
    user-bob = {
      module = {
        name = "users";
        input = "clan-core";
      };
      roles.default.machines.bobs-laptop = { };
      roles.default.settings.user = "bob";
    };
  };
}

Migration from root-password module🔗

The deprecated clan.root-password module has been replaced by the users module. Here's how to migrate:

1. Update your flake configuration🔗

Replace the root-password module import with a users service instance:

# OLD - Remove this from your nixosModules:
imports = [
  self.inputs.clan-core.clanModules.root-password
];

# NEW - Add to inventory.instances or machines/flake-module.nix:
instances = {
  users-root = {
    module.name = "users";
    module.input = "clan-core";
    roles.default.tags.nixos = { };
    roles.default.settings = {
      user = "root";
      prompt = false;  # Set to true if you want to be prompted
      groups = [ ];
    };
  };
};

2. Migrate vars🔗

The vars structure has changed from root-password to user-password-root:

# For each machine, rename the vars directories:
cd vars/per-machine/<machine-name>/
mv root-password user-password-root
mv user-password-root/password-hash user-password-root/user-password-hash
mv user-password-root/password user-password-root/user-password

Roles🔗

The users service has the following roles:

• default

Options for the default role🔗

groups🔗

Additional groups the user should be added to. You can add any group that exists on your system. Make sure these group exists on all machines where the user is enabled.

Commonly used groups:

• "wheel" - Allows the user to run commands as root using sudo.
• "networkmanager" - Allows the user to manage network connections.
• "video" - Allows the user to access video devices.
• "input" - Allows the user to access input devices.

Type: list of string

Default:

[ ]

[
  "wheel"
  "networkmanager"
  "video"
  "input"
]

Declared in: clanServices/users/default.nix

prompt🔗

Whether the user should be prompted for a password.

Effects:

• enabled (true) - Prompt for a password during the machine installation or update workflow.
• disabled (false) - Generate a password during the machine installation or update workflow.

The password can be shown in two steps:

• clan vars list <machine-name>
• clan vars get <machine-name> <name-of-password-variable>

Type: boolean

Default:

true

false

Declared in: clanServices/users/default.nix

share🔗

Weather the user should have the same password on all machines.

By default, you will be prompted for a new password for every host. Unless generate is set to true.

Type: boolean

Default:

false

true

Declared in: clanServices/users/default.nix

user🔗

The user the password should be generated for.

Type: string

"alice"

Declared in: clanServices/users/default.nix