diff --git a/hosts/by-name/lappy/default.nix b/hosts/by-name/lappy/default.nix index cf14cc82a..c18b7beaa 100644 --- a/hosts/by-name/lappy/default.nix +++ b/hosts/by-name/lappy/default.nix @@ -10,7 +10,7 @@ # sane.packages.enableDevPkgs = true; - # sane.users.guest.enable = true; + # sane.guest.enable = true; sane.gui.sway.enable = true; sane.persist.enable = true; sane.nixcache.enable = true; diff --git a/hosts/common/users.nix b/hosts/common/users.nix index 53bd54c33..7bfbe2167 100644 --- a/hosts/common/users.nix +++ b/hosts/common/users.nix @@ -3,12 +3,12 @@ # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix with lib; let - cfg = config.sane.users; + cfg = config.sane.guest; fs = sane-lib.fs; in { options = { - sane.users.guest.enable = mkOption { + sane.guest.enable = mkOption { default = false; type = types.bool; }; @@ -104,11 +104,11 @@ in # used by password managers, e.g. unix `pass` sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts"; - sane.persist.sys.plaintext = mkIf cfg.guest.enable [ + sane.persist.sys.plaintext = mkIf cfg.enable [ # intentionally allow other users to write to the guest folder { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; } ]; - users.users.guest = mkIf cfg.guest.enable { + users.users.guest = mkIf cfg.enable { isNormalUser = true; home = "/home/guest"; subUidRanges = [ diff --git a/modules/default.nix b/modules/default.nix index 83be03760..2307e5194 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -12,6 +12,7 @@ ./services ./sops.nix ./ssh.nix + ./users.nix ]; _module.args = { diff --git a/modules/users.nix b/modules/users.nix new file mode 100644 index 000000000..c1bd65460 --- /dev/null +++ b/modules/users.nix 
@@ -0,0 +1,48 @@
+{ config, lib, sane-lib, ... }:
+
+let
+ inherit (lib) mapAttrs' mapAttrsToList mkMerge mkOption types;
+ cfg = config.sane.users;
+ path-lib = sane-lib.path;
+ userModule = types.submodule {
+ options = {
+ fs = mkOption {
+ type = types.attrs;
+ description = ''
+ entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
+ e.g. `sane.users.colin.fs."/.config/aerc" = X`
+ => `sane.fs."/home/colin/.config/aerc" = X;
+ '';
+ };
+ };
+ };
+ processUser = user: defn: {
+ sane.fs = mapAttrs' (path: value: {
+ # TODO: query the user's home dir!
+ name = path-lib.concat [ "/home/${user}" path ];
+ inherit value;
+ }) defn.fs;
+ };
+in
+{
+ options = {
+ sane.users = mkOption {
+ type = types.attrsOf userModule;
+ default = {};
+ description = ''
+ options to apply to the given user.
+ the user is expected to be created externally.
+ configs applied at this level are simply transformed and then merged
+ into the toplevel `sane` options. it's merely a shorthand.
+ '';
+ };
+ };
+ config =
+ let
+ configs = mapAttrsToList processUser cfg;
+ take = f: {
+ sane.fs = f.sane.fs;
+ };
+ in
+ take (sane-lib.mkTypedMerge take configs);
+}
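Review bot: The `fs` option in `userModule` has no default, so any `sane.users.<name>` entry that does not set `fs` would fail evaluation when `processUser` reads `defn.fs`; adding `default = {};` next to `type = types.attrs;` avoids that. The hard-coded `"/home/${user}"` prefix (already marked TODO) puts entries under `/home/<name>` even for an account whose home is elsewhere, so files may land in a directory that user does not own. `name = path-lib.concat [ config.users.users.${user}.home path ];` would follow the real home, provided the lookup does not create an evaluation cycle with `sane.fs`. `types.attrs` also leaves the entries unchecked until they reach `sane.fs` and, as far as I know, merges duplicate definitions shallowly, so a narrower type may be worth considering. `mkMerge` is inherited but never used.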