tom: separate service permissions to prefer shared access ports

Author: theorderingmachine

CHANGELOG.md

@@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes.
 
 ## patches
 
+- `tom`: separate service permissions to prefer shared access ports 2026-02-05
 - `claude`: avoid resetting memories of past conversations on start 2026-02-05
 - `blog`: run pages and app immediate after restarted server is set 2026-02-02
 - `quintus`: host a calendar service with the kind ordering machine 2026-01-31

machines/tom/configuration.nix

@@ -198,21 +198,49 @@
       };
       "aws/iam/minecraft" = {
         format = "dotenv";
+        owner = "minecraft";
+        group = "minecraft";
         sopsFile = ./services/minecraft-server/vault.env;
       };
       "github/oauth" = {
         owner = config.users.users.default.name;
         group = "wheel";
       };
-      "github/runners/blog" = { };
-      "github/runners/coffee" = { };
-      "github/runners/dotfiles" = { };
-      "github/runners/etime" = { };
-      "github/runners/quintus" = { };
-      "github/runners/slacks" = { };
-      "restic/minecraft" = { };
-      "tailscale/auth" = { };
+      "github/runners/blog" = {
+        owner = "blog";
+        group = "blog";
+      };
+      "github/runners/coffee" = {
+        owner = "coffee";
+        group = "coffee";
+      };
+      "github/runners/dotfiles" = {
+        owner = "dotfiles";
+        group = "dotfiles";
+      };
+      "github/runners/etime" = {
+        owner = "etime";
+        group = "etime";
+      };
+      "github/runners/quintus" = {
+        owner = "quintus";
+        group = "quintus";
+      };
+      "github/runners/slacks" = {
+        owner = "slacks";
+        group = "slacks";
+      };
+      "restic/minecraft" = {
+        owner = "minecraft";
+        group = "minecraft";
+      };
+      "tailscale/auth" = {
+        owner = "root";
+        group = "root";
+      };
       "tom/password" = {
+        owner = "root";
+        group = "root";
         neededForUsers = true;
       };
       "tom/sops/private" = {
@@ -223,6 +251,7 @@
       "tom/ssh/public" = {
         owner = config.users.users.default.name;
         group = "wheel";
+        mode = "0644";
         path = "${config.users.users.default.home}/.ssh/id_ed25519.pub";
       };
       "tom/ssh/private" = {
@@ -231,15 +260,25 @@
         path = "${config.users.users.default.home}/.ssh/id_ed25519";
       };
       "tom/ssh/host/ed25519/public" = {
+        owner = "root";
+        group = "root";
+        mode = "0644";
         path = "/etc/ssh/ssh_host_ed25519_key.pub";
       };
       "tom/ssh/host/ed25519/private" = {
+        owner = "root";
+        group = "root";
         path = "/etc/ssh/ssh_host_ed25519_key";
       };
       "tom/ssh/host/rsa/public" = {
+        owner = "root";
+        group = "root";
+        mode = "0644";
         path = "/etc/ssh/ssh_host_rsa_key.pub";
       };
       "tom/ssh/host/rsa/private" = {
+        owner = "root";
+        group = "root";
         path = "/etc/ssh/ssh_host_rsa_key";
       };
       "tom/wireguard/private" = {

machines/tom/services/github-runners/default.nix

@@ -1,27 +1,65 @@
 # https://docs.github.com/actions
 { pkgs, ... }:
 {
+  users = {
+    users = {
+      blog = {
+        isSystemUser = true;
+        group = "blog";
+      };
+      coffee = {
+        isSystemUser = true;
+        group = "coffee";
+      };
+      dotfiles = {
+        isSystemUser = true;
+        group = "dotfiles";
+      };
+      etime = {
+        isSystemUser = true;
+        group = "etime";
+      };
+      quintus = {
+        isSystemUser = true;
+        group = "quintus";
+      };
+      slacks = {
+        isSystemUser = true;
+        group = "slacks";
+      };
+    };
+    groups = {
+      blog = { };
+      coffee = { };
+      dotfiles = { };
+      etime = { };
+      quintus = { };
+      slacks = { };
+    };
+  };
   services.github-runners = {
     blog = {
       enable = true;
       ephemeral = true;
       extraPackages = [
         pkgs.gh # https://github.com/cli/cli
       ];
-      group = "wheel";
+      group = "blog";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/blog";
       url = "https://github.com/zimeg/blog";
-      user = "root";
+      user = "blog";
     };
     coffee = {
       enable = true;
       ephemeral = true;
+      group = "coffee";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/coffee";
       url = "https://github.com/maintainersdotcoffee/shop";
+      user = "coffee";
     };
     dotfiles = {
       enable = true;
@@ -32,21 +70,25 @@
       extraPackages = [
         pkgs.fastfetch # https://github.com/fastfetch-cli/fastfetch
       ];
+      group = "dotfiles";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/dotfiles";
       url = "https://github.com/zimeg/.DOTFILES";
+      user = "dotfiles";
     };
     etime = {
       enable = true;
       ephemeral = true;
       extraPackages = [
         pkgs.time
       ];
+      group = "etime";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/etime";
       url = "https://github.com/zimeg/emporia-time";
+      user = "etime";
     };
     slacks = {
       enable = true;
@@ -57,21 +99,22 @@
         pkgs.rsync # https://github.com/rsyncproject/rsync
         pkgs.which # https://git.savannah.gnu.org/cgit/which.git
       ];
-      group = "wheel";
+      group = "slacks";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/slacks";
       url = "https://github.com/zimeg/slack-sandbox";
-      user = "root";
+      user = "slacks";
     };
     quintus = {
       enable = true;
       ephemeral = true;
+      group = "quintus";
       name = "tom";
       replace = true;
       tokenFile = "/run/secrets/github/runners/quintus";
       url = "https://github.com/zimeg/quintus";
-      user = "root";
+      user = "quintus";
     };
   };
 }

machines/tom/services/restic/default.nix

@@ -3,6 +3,7 @@
   services.restic.backups = {
     minecraft = {
       initialize = true;
+      user = "minecraft";
       environmentFile = "/run/secrets/aws/iam/minecraft";
       passwordFile = "/run/secrets/restic/minecraft";
       repository = "s3:s3.us-east-1.amazonaws.com/tom.25565";