diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix
index 44eef282..a5f2e951 100644
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@@ -10,6 +10,11 @@
     defaults.email = "something@fediversity.eu";
   };
 
+  users.groups = {
+    woodpecker-agent-exec = { };
+    woodpecker-agent-docker = { };
+  };
+
   age.secrets =
     lib.mapAttrs
       (_: group: {
@@ -218,10 +223,15 @@
           attic-client
         ];
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
+        extraGroups = [ "woodpecker-agent-exec" ];
       };
       docker = {
         enable = true;
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
+        extraGroups = [
+          "podman"
+          "woodpecker-agent-docker"
+        ];
       };
     };
   };