fix(init): template the polkit rule on --group too

polkit rule 50-decnet-workers.rules hardcoded isInGroup("decnet"),
so when 'decnet init --group anti' installed systemd units as
User=anti / Group=anti, the API (running as anti) could no longer
systemctl start/stop decnet-*.service — polkit fell back to
'interactive authentication required', which in a daemon context is
a hard fail:

  START FAILED · COLLECTOR — Failed to start decnet-collector.service:
  Access denied as the requested operation requires interactive
  authentication.

Rename the rule to .j2, parameterise the group on {{ group }}, and
route _install_polkit through _render_template /
_write_rendered_if_changed. Now the polkit rule matches whatever
group was passed to 'decnet init'.

Test fixture updated to seed the .j2 variant.

deploy/polkit/50-decnet-workers.rules.j2

@@ -1,10 +1,14 @@
-// Allow members of the 'decnet' group to manage DECNET systemd units
+// Allow members of the '{{ group }}' group to manage DECNET systemd units
 // (start / stop / restart / reload) without a password prompt.
 //
 // Scope is locked to units matching `decnet-<name>.service` or the
 // `decnet.target` grouping unit. Any other unit is unaffected by this
 // rule and still goes through the default polkit policy.
 //
+// The group name is rendered at `decnet init` time from --group; the
+// default is `decnet`, but dev boxes that pass --group $USER get a
+// rule that matches the operator's own login group.
+//
 // Install: /etc/polkit-1/rules.d/50-decnet-workers.rules
 
 polkit.addRule(function(action, subject) {
@@ -12,7 +16,7 @@ polkit.addRule(function(action, subject) {
         var unit = action.lookup("unit");
         if (unit &&
             /^decnet-[a-z]+\.service$|^decnet\.target$/.test(unit) &&
-            subject.isInGroup("decnet")) {
+            subject.isInGroup("{{ group }}")) {
             return polkit.Result.YES;
         }
     }