From a41ef52249a2a16af1990ac583722c73764beda0 Mon Sep 17 00:00:00 2001
From: anti
Date: Wed, 22 Apr 2026 14:07:17 -0400
Subject: [PATCH] chore(polkit): allow decnet group to manage decnet-*.service without password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scoped rule — matches only `decnet-.service` and `decnet.target`. Any unit outside that regex falls through to the default polkit policy. Required so the API (running as the `decnet` user) can invoke `systemctl start decnet-.service` non-interactively.
---
deploy/polkit/50-decnet-workers.rules | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 deploy/polkit/50-decnet-workers.rules

diff --git a/deploy/polkit/50-decnet-workers.rules b/deploy/polkit/50-decnet-workers.rules
new file mode 100644
index 00000000..f9f2afaf
--- /dev/null
+++ b/deploy/polkit/50-decnet-workers.rules
@@ -0,0 +1,19 @@
+// Allow members of the 'decnet' group to manage DECNET systemd units
+// (start / stop / restart / reload) without a password prompt.
+//
+// Scope is locked to units matching `decnet-.service` or the
+// `decnet.target` grouping unit. Any other unit is unaffected by this
+// rule and still goes through the default polkit policy.
+//
+// Install: /etc/polkit-1/rules.d/50-decnet-workers.rules
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.systemd1.manage-units") {
+ var unit = action.lookup("unit");
+ if (unit &&
+ /^decnet-[a-z]+\.service$|^decnet\.target$/.test(unit) &&
+ subject.isInGroup("decnet")) {
+ return polkit.Result.YES;
+ }
+ }
+});
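Review bot: The rule grants every `manage-units` operation on the matched units, not only the start / stop / restart / reload that the header comment promises, because the condition never looks at the verb. systemd passes a `verb` detail alongside `unit` for this action, so the inner condition can be narrowed with `["start", "stop", "restart", "reload"].indexOf(action.lookup("verb")) >= 0 &&` (worth confirming the detail is populated on the oldest systemd release this is deployed to). The regex also accepts only lowercase letters after `decnet-`, so a unit named with digits, hyphens or a template instance falls through to the default policy even though the subject line says `decnet-*.service`; the comment should state the exact pattern. Since membership of `decnet` now suffices to start these units unattended, the install notes should also require that the matching unit files and the programs they execute are not writable by that group.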