diff --git a/doc/manual/configuration.xml b/doc/manual/configuration.xml
index daee0248e88..6a217243c00 100644
--- a/doc/manual/configuration.xml
+++ b/doc/manual/configuration.xml
@@ -305,6 +305,93 @@ manpage or the Nix manual.
+
+
+User management
+
+NixOS supports both declarative and imperative styles of user
+management. In the declarative style, users are specified in
+configuration.nix. For instance, the following
+states that a user accound named alice shall exist:
+
+
+users.extraUsers.alice =
+ { createHome = true;
+ home = "/home/alice";
+ description = "Alice Foobar";
+ extraGroups = [ "wheel" ];
+ isSystemUser = false;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
+ };
+
+
+Note that alice is a member of the
+wheel group, which allows her to use
+sudo to execute commands as
+root. Also note the SSH public key that allows
+remote logins with the corresponding private key. Users created in
+this way do not have a password by default, so they cannot log in via
+mechanisms that require a password. However, you can use the
+passwd program to set a password, which is retained
+across invocations of nixos-rebuild.
+
+A user ID (uid) is assigned automatically. You can also specify
+a uid manually by adding
+
+
+ uid = 1000;
+
+
+to the user specification.
+
+Groups can be specified similarly. The following states that a
+group named students shall exist:
+
+
+users.extraGroups.students.gid = 1000;
+
+
+As with users, the group ID (gid) is optional and will be assigned
+automatically if it’s missing.
+
+Currently declarative user management is not perfect:
+nixos-rebuild does not know how to realise certain
+configuration changes. This includes removing a user or group, and
+removing group membership from a user.
+
+In the imperative style, users and groups are managed by
+commands such as useradd,
+groupmod and so on. For instance, to create a user
+account named alice:
+
+
+$ useradd -m alice
+
+The flag causes the creation of a home directory
+for the new user, which is generally what you want. The user does not
+have an initial password and therefore cannot log in. A password can
+be set using the passwd utility:
+
+
+$ passwd alice
+Enter new UNIX password: ***
+Retype new UNIX password: ***
+
+
+A user can be deleted using userdel:
+
+
+$ userdel -r alice
+
+The flag deletes the user’s home directory.
+Accounts can be modified using usermod. Unix
+groups can be managed using groupadd,
+groupmod and groupdel.
+
+
+
+
Networking
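Review bot: The paragraph beginning "Currently declarative user management is not perfect" understates a security-relevant consequence: because nixos-rebuild does not realise removal of a user or of a group membership, deleting alice from configuration.nix or dropping "wheel" from her extraGroups leaves the account and its sudo access in place on the running system. I would say that explicitly and point the reader at the imperative commands documented further down (userdel, usermod) as the way to actually revoke access until this is fixed. Two smaller points in the same hunk: "accound" in the first paragraph should be "account", and the example authorized key uses ssh-dss, which is a weak key type to show in documentation that readers will copy; an example with a stronger key type would be a better default.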
diff --git a/doc/manual/running.xml b/doc/manual/running.xml
index ac3ce40339d..5799aeec5d0 100644
--- a/doc/manual/running.xml
+++ b/doc/manual/running.xml
@@ -282,6 +282,11 @@ Dec 29 01:30:22 mandark kernel[6131]: [1053513.909444] CPU6: Core temperature ab
+The system journal is readable by root and by users in the
+wheel and systemd-journal
+groups. All users have a private journal that can be read using
+journalctl.
+
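Review bot: The sentence "All users have a private journal that can be read using journalctl" does not say who can read it; if the intent is that each user can read only their own journal, the text should say so, since as written it could be taken to mean any user can read any other user's journal. It would also help to connect this paragraph to the new user management section: that section puts alice in wheel to get sudo, and this paragraph shows wheel membership also grants read access to the full system journal, so a short note that systemd-journal is the group to use when someone needs log access without sudo would make the least-privilege choice clear.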