diff --git a/machines/lappy/default.nix b/machines/lappy/default.nix
index 9c6b4a76a..7c7bc741b 100644
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -4,6 +4,7 @@
 ./fs.nix
 ];
+ colinsane.users.guest.enable = true;
 colinsane.gui.sway.enable = true;
 colinsane.impermanence.enable = true;
 boot.loader.generic-extlinux-compatible.enable = true;
diff --git a/modules/universal/allocations.nix b/modules/universal/allocations.nix
index 5ceffc0c9..2991d7bc2 100644
--- a/modules/universal/allocations.nix
+++ b/modules/universal/allocations.nix
@@ -24,6 +24,7 @@ in
 colinsane.allocations.greeter-gid = mkId 999;
 colinsane.allocations.colin-uid = mkId 1000;
+ colinsane.allocations.guest-uid = mkId 1100;
 # found on all machines
 colinsane.allocations.sshd-uid = mkId 2001; # 997
diff --git a/modules/universal/env/users.nix b/modules/universal/env/users.nix
index f2d9e349a..79ac69485 100644
--- a/modules/universal/env/users.nix
+++ b/modules/universal/env/users.nix
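Review bot: Enabling `colinsane.users.guest.enable` on lappy activates the guest account this commit defines in modules/universal/env/users.nix, and that account carries `initialPassword = lib.mkDefault ""` while `users.mutableUsers = false` is set; with immutable users NixOS treats initialPassword like `password`, so this machine gains a blank-password local login that is reachable from the graphical greeter since sway is enabled here. Remote exposure looks limited, because the same users.nix hunk keeps `passwordAuthentication = false` for sshd and the guest's `openssh.authorizedKeys.keys` is still an empty TODO, but nothing in the diff records that a passwordless guest is deliberate. If it is, document it at the definition, e.g. `# guest is intentionally passwordless: local console only (sshd rejects passwords, no keys)`; if not, give it a real hash via `users.users.guest.initialHashedPassword` (the mkDefault also lets a machine override it). Note too that the guest's /home/guest is registered in `colinsane.impermanence.service-dirs`, so anything a guest session leaves behind persists across reboots; for a throwaway account it may be better to leave it out of service-dirs.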
@@ -1,77 +1,107 @@
 { config, pkgs, lib, ... }:
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
+with lib;
+let
+ cfg = config.colinsane.users;
+in
 {
- # Users are exactly these specified here;
- # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
- users.mutableUsers = false;
-
- # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
- users.users.colin = {
- # sets group to "users" (?)
- isNormalUser = true;
- home = "/home/colin";
- uid = config.colinsane.allocations.colin-uid;
- # i don't get exactly what this is, but nixos defaults to this non-deterministically
- # in /var/lib/nixos/auto-subuid-map and i don't want that.
- subUidRanges = [
- { startUid=100000; count=1; }
- ];
- group = "users";
- extraGroups = [
- "wheel"
- "nixbuild"
- "networkmanager"
- # phosh/mobile. XXX colin: unsure if necessary
- "video"
- "feedbackd"
- "dialout" # required for modem access
- ];
- initialPassword = lib.mkDefault "";
- shell = pkgs.zsh;
- # shell = pkgs.bashInteractive;
- # XXX colin: create ssh key for THIS user by logging in and running:
- # ssh-keygen -t ed25519
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
- # moby doesn't need to login to any other devices yet
- # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
- ];
+ options = {
+ colinsane.users.guest.enable = mkOption {
+ default = false;
+ type = types.bool;
+ };
 };
- security.sudo = {
- enable = true;
- wheelNeedsPassword = false;
+ config = {
+ # Users are exactly these specified here;
+ # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+ users.mutableUsers = false;
+
+ # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+ users.users.colin = {
+ # sets group to "users" (?)
+ isNormalUser = true;
+ home = "/home/colin";
+ uid = config.colinsane.allocations.colin-uid;
+ # i don't get exactly what this is, but nixos defaults to this non-deterministically
+ # in /var/lib/nixos/auto-subuid-map and i don't want that.
+ subUidRanges = [
+ { startUid=100000; count=1; }
+ ];
+ group = "users";
+ extraGroups = [
+ "wheel"
+ "nixbuild"
+ "networkmanager"
+ # phosh/mobile. XXX colin: unsure if necessary
+ "video"
+ "feedbackd"
+ "dialout" # required for modem access
+ ];
+ initialPassword = lib.mkDefault "";
+ shell = pkgs.zsh;
+ # shell = pkgs.bashInteractive;
+ # XXX colin: create ssh key for THIS user by logging in and running:
+ # ssh-keygen -t ed25519
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
+ # moby doesn't need to login to any other devices yet
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
+ ];
+ };
+
+ colinsane.impermanence.service-dirs = mkIf cfg.guest.enable [
+ { user = "guest"; group = "users"; directory = "/home/guest"; }
+ ];
+ users.users.guest = mkIf cfg.guest.enable {
+ isNormalUser = true;
+ home = "/home/guest";
+ uid = config.colinsane.allocations.guest-uid;
+ subUidRanges = [
+ { startUid=200000; count=1; }
+ ];
+ group = "users";
+ initialPassword = lib.mkDefault "";
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ # TODO: insert pubkeys that should be allowed in
+ ];
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
+
+ # affix some UIDs which were historically auto-generated
+ users.users.sshd.uid = config.colinsane.allocations.sshd-uid;
+ users.groups.polkituser.gid = config.colinsane.allocations.polkituser-gid;
+ users.groups.sshd.gid = config.colinsane.allocations.sshd-gid;
+ users.groups.systemd-coredump.gid = config.colinsane.allocations.systemd-coredump-gid;
+
+ # guarantee determinism in uid/gid generation for users:
+ assertions = let
+ uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+ assertion = user.uid != null;
+ message = "non-deterministic uid detected for: ${name}";
+ }) config.users.users);
+ gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
+ assertion = group.gid != null;
+ message = "non-deterministic gid detected for: ${name}";
+ }) config.users.groups);
+ autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+ assertion = !user.autoSubUidGidRange;
+ message = "non-deterministic subUids/Guids detected for: ${name}";
+ }) config.users.users);
+ in uidAssertions ++ gidAssertions ++ autoSubAssertions;
 };
-
- services.openssh = {
- enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- };
-
- # affix some UIDs which were historically auto-generated
- users.users.sshd.uid = config.colinsane.allocations.sshd-uid;
- users.groups.polkituser.gid = config.colinsane.allocations.polkituser-gid;
- users.groups.sshd.gid = config.colinsane.allocations.sshd-gid;
- users.groups.systemd-coredump.gid = config.colinsane.allocations.systemd-coredump-gid;
-
- # guarantee determinism in uid/gid generation for users:
- assertions = let
- uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
- assertion = user.uid != null;
- message = "non-deterministic uid detected for: ${name}";
- }) config.users.users);
- gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
- assertion = group.gid != null;
- message = "non-deterministic gid detected for: ${name}";
- }) config.users.groups);
- autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
- assertion = !user.autoSubUidGidRange;
- message = "non-deterministic subUids/Guids detected for: ${name}";
- }) config.users.users);
- in uidAssertions ++ gidAssertions ++ autoSubAssertions;
- }