fix(init): template the polkit rule on --group too

polkit rule 50-decnet-workers.rules hardcoded isInGroup("decnet"),
so when 'decnet init --group anti' installed systemd units as
User=anti / Group=anti, the API (running as anti) could no longer
systemctl start/stop decnet-*.service — polkit fell back to
'interactive authentication required', which in a daemon context is
a hard fail:

  START FAILED · COLLECTOR — Failed to start decnet-collector.service:
  Access denied as the requested operation requires interactive
  authentication.

Rename the rule to .j2, parameterise the group on {{ group }}, and
route _install_polkit through _render_template /
_write_rendered_if_changed. Now the polkit rule matches whatever
group was passed to 'decnet init'.

Test fixture updated to seed the .j2 variant.
2026-04-24 01:07:16 -04:00
parent 08436433ef
commit e4ccf30133
3 changed files with 26 additions and 9 deletions


@@ -77,7 +77,9 @@ def _seed_deploy(monkeypatch: Any, tmp_path: Path) -> Path:
"ExecStart={{ install_dir }}/venv/bin/decnet api\n"
)
(deploy / "decnet.target").write_text("# target\n")
(deploy / "polkit" / "50-decnet-workers.rules").write_text("// rule\n")
(deploy / "polkit" / "50-decnet-workers.rules.j2").write_text(
'// rule for {{ group }}\n'
)
(deploy / "tmpfiles.d" / "decnet.conf").write_text("d /run/decnet\n")
monkeypatch.setattr(_init, "_deploy_root", lambda: deploy)
return deploy
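
Review bot: In _seed_deploy the seeded template is now '// rule for {{ group }}\n', but this hunk only changes the fixture input and shows no assertion on the rendered output. Suggest a test that runs init with a non-default group (the 'anti' case from the commit message) and checks that the installed rule contains that group name and no literal '{{ group }}' placeholder. Since the group value is rendered into a polkit rule, which is JavaScript, it is also worth validating the group name before rendering so that a value containing a quote or backslash cannot change what the rule authorises.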