diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 2705635..7840f32 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -31,6 +31,7 @@ in {
 ./services/openssh.nix
 ./services/pcscd.nix
 ./services/pipewire.nix
+ ./services/polkit.nix
 ./services/printing.nix
 ./services/resolved.nix
 ./services/smartd.nix
diff --git a/hosts/common/services/polkit.nix b/hosts/common/services/polkit.nix
new file mode 100644
index 0000000..b479a05
--- /dev/null
+++ b/hosts/common/services/polkit.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+let
+ cfg = config.security.polkit;
+in
+{
+ systemd.services.polkit.serviceConfig = lib.mkIf cfg.enable {
+ RuntimeDirectory = [
+ "polkit-1"
+ "polkit-1/root-mnt"
+ ];
+ RootDirectory = "/run/polkit-1/root-mnt";
+ BindPaths = [ "/run/dbus/system_bus_socket" ];
+ BindReadOnlyPaths = [
+ builtins.storeDir
+ "/etc"
+ "/run/systemd"
+ "/run/current-system/sw/share/polkit-1"
+ ];
+ };
+}
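Review bot: In the new `hosts/common/services/polkit.nix`, `BindReadOnlyPaths` exposes the whole of `/etc` inside the new root, which is wider than the rules directory and user database polkitd presumably needs, and nothing in the file records why each path is bound. If narrowing is impractical because NixOS `/etc` entries are symlinks that resolve through `/etc/static` into the store, record that above the list, e.g. `# /etc is bound whole: entries resolve via /etc/static into the store; polkitd needs polkit-1/rules.d and the passwd/group files`. The hunk also sets `RootDirectory` without `MountAPIVFS`, so whether `/proc` exists in the new root depends on unit settings outside this diff; polkitd is expected to read it to identify calling processes, so confirm that and add `MountAPIVFS = true;` if it is missing. Bind mounts are not a permission boundary by themselves, so the confinement still depends on the unit's user and the other hardening options, which are defined elsewhere.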