so far today i have learned:
- dbus-daemon does not support #systemd DynamicUser (use dbus-broker)
- #polkit does not like DynamicUser (have to use real user)
- polkit does not support SupplementaryGroups (have to use real group membership)
- systemd does not like sudo, generally inhibits setuid (probably for the best)

and all i wanted was a minimal permissions thingy to remotely shutdown a raspberry pi...