Creating a public/passwordless user account

Hello! A week back I asked how I could set up a guest user account on my laptop with a home directory that wipes on reboot. While I succeeded with that, there’s still one part that I’m not quite happy with; guest users currently need to log in with a password.

Ideally, friends would be able to simply select the “Guest” user in the login screen, and with that enter the session. I have looked in the docs but haven’t figured out how to do it. Setting users.users.guest.password = null; did not work. What must I do to achieve my desired result, and are there any security risks that could arise from doing this?

I am using home-manager, and have GNOME as my desktop environment if that helps with anything!

I think the only way to do this is by defining a PAM rule. The relevant service is gdm-password, so something like this should work (warning, untested, might botch your PAM config which is a thing that can lock you out of your system—be prepared to boot from NixOS install media just in case this goes horribly):

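  security.pam.services.gdm-password.rules.auth.guest = {
    enable = true;
    # Lower order runs earlier: place this rule just ahead of pam_unix.
    order = config.security.pam.services.gdm-password.rules.auth.unix.order - 50;
    # "sufficient": success ends authentication here; failure falls through to the next rule.
    control = "sufficient";
    modulePath = "${config.security.pam.package}/lib/security/pam_succeed_if.so";
    # Succeeds only when the login name is exactly "guest".
    args = [ "user" "=" "guest" ];
  };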
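
Given the lock-out warning above, a check to run over the rendered PAM file before rebooting (an added example, not part of the original posts or of NixOS): it confirms that the passwordless rule is `sufficient`, matches only `user = guest`, and sits ahead of `pam_unix`. The sample stack, its placeholder store paths and the function names are constructed for illustration.

```python
import re

# Constructed sample of a rendered gdm-password auth stack; the store paths are
# placeholders and the surrounding rules are assumptions, not real NixOS output.
SAMPLE = """\
auth required /nix/store/PLACEHOLDER/lib/security/pam_env.so  # env
auth sufficient /nix/store/PLACEHOLDER/lib/security/pam_succeed_if.so user = guest  # guest
auth sufficient /nix/store/PLACEHOLDER/lib/security/pam_unix.so likeauth try_first_pass  # unix
auth required /nix/store/PLACEHOLDER/lib/security/pam_deny.so  # deny
account required /nix/store/PLACEHOLDER/lib/security/pam_unix.so
"""

LINE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# pam_succeed_if option flags; anything else in the arguments is a condition.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}

def auth_rules(text):
    """Return (control, module file name, args) for each auth rule, in stack order."""
    rules = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop trailing comments first
        if m:
            rules.append((m.group(1), m.group(2).rsplit("/", 1)[-1], m.group(3).split()))
    return rules

def audit_guest_bypass(text, guest="guest"):
    """Return a list of problems; an empty list means the bypass is scoped to `guest`."""
    rules = auth_rules(text)
    bypass = [i for i, (ctl, mod, _) in enumerate(rules)
              if mod == "pam_succeed_if.so" and ctl == "sufficient"]
    unix = [i for i, (_, mod, _) in enumerate(rules) if mod == "pam_unix.so"]
    problems = []
    if not bypass:
        problems.append("no sufficient pam_succeed_if rule found")
    for i in bypass:
        cond = [a for a in rules[i][2] if a not in FLAGS]
        if cond != ["user", "=", guest]:
            problems.append(f"rule {i} condition is not exactly user = {guest}: {' '.join(cond)}")
        if unix and i > unix[0]:
            problems.append(f"rule {i} runs after pam_unix, so a password is asked first")
    return problems

if __name__ == "__main__":
    print(audit_guest_bypass(SAMPLE) or "guest bypass is scoped as intended")
```

Feed it the contents of `/etc/pam.d/gdm-password` after a rebuild. Run over any other service file (for example `sshd` or `sudo`), the expected result is the "no sufficient pam_succeed_if rule found" message, which confirms the passwordless path exists only at the graphical login.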