# Allow the bty-web service user to invoke its privileged helper
# as root without a password. One helper today:
#   * ``bty-web-tftp`` -- start / stop / restart dnsmasq.service
#                          (the TFTP daemon). The helper validates
#                          the action against a hard-coded allowlist
#                          before invoking systemctl.
#
# Cloud-init writes this file via write_files; the cooked image's
# runcmd chmods it to 0440 (sudo refuses to load anything with
# looser perms).
# NOTE(review): sudo also checks the file's owner; confirm write_files
# leaves it owned by root, and validate the installed file with
# ``visudo -cf <path-to-this-file>`` before relying on it.
#
# Security notes on the rule below:
#   * No argument list is given, so sudo lets bty pass ANY arguments
#     to the helper. The helper's allowlist is therefore the only
#     check on what reaches systemctl; keep it strict, and consider
#     listing the permitted arguments here as a second layer.
#   * The rule is only as safe as the helper file: it must not be
#     writable or replaceable by bty. Presumably the helper and
#     /usr/local/sbin are root-owned and not group/world-writable
#     -- TODO confirm in the image build.
#   * NOTE(review): the rule names user ``bty``; confirm that is the
#     account the bty-web service runs as.
bty ALL=(root) NOPASSWD: /usr/local/sbin/bty-web-tftp
