author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-04-21 01:23:46 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-04-21 01:23:46 +0100
commit: 372b8b27a64179602a8c81fe9d12931ebb5b8cef
tree: d0b7ccd2c11cf9f02fa422f2c95e64278690350c /etc/.ignore
parent: 9f74c9a819396d766f735ec2cc3339fb1659a716
feat(etc): drift detection + auto-enumerating deploy template
- `just etc-drift` reports /etc files modified from pacman defaults (via pacman -Qii) and user-created files (via pacman -Qo), subtracting already-managed paths and patterns listed in etc/.ignore.
- Refactor run_onchange_after_deploy-etc.sh.tmpl to enumerate files under etc/ automatically via find; single combined hash via chezmoi output + sha256sum, so new files only need to be dropped into etc/.
- etc/.ignore seeds noise filters: machine-id, ssh host keys, pacman keyring, mirrorlist, shadow/passwd backups, sbctl keys, ca-certs.
Diffstat (limited to 'etc/.ignore')
-rw-r--r-- etc/.ignore 35
1 files changed, 35 insertions, 0 deletions
diff --git a/etc/.ignore b/etc/.ignore
new file mode 100644
index 0000000..c15fb70
--- /dev/null
+++ b/etc/.ignore
@@ -0,0 +1,35 @@
+# Paths excluded from `just etc-drift` output.
+# Shell-glob patterns (case $path in $pat) work here: *, ?, [].
+
+# Per-host state / auto-generated
+/etc/machine-id
+/etc/adjtime
+/etc/.updated
+/etc/.pwd.lock
+/etc/mtab
+/etc/ld.so.cache
+
+# Per-host identity / secrets
+/etc/ssh/ssh_host_*
+/etc/shadow
+/etc/shadow-
+/etc/gshadow
+/etc/gshadow-
+/etc/passwd-
+/etc/group-
+
+# Regenerated by tools (not worth versioning)
+/etc/resolv.conf
+/etc/ssl/certs/*
+/etc/ca-certificates/extracted/*
+/etc/pacman.d/gnupg/*
+/etc/pacman.d/mirrorlist
+
+# Managed by useradd (podman uses them)
+/etc/subuid
+/etc/subgid
+/etc/subuid-
+/etc/subgid-
+
+# sbctl signed-boot state (keys live here; never commit)
+/etc/secureboot/*
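Review bot: The closing comment on `/etc/secureboot/*` says "keys live here; never commit", but per the header comment at the top of the file these entries only exclude paths from `just etc-drift` output, so nothing in this hunk stops a key or an `ssh_host_*` file from being placed under the repo's etc/ directory, which the commit message says the deploy template now enumerates automatically. Consider backing the "Per-host identity / secrets" and sbctl entries with a guard on the repo side, for example a .gitignore rule or a refusal in the deploy script, and rewording the comment so it does not imply this file provides that protection. The header would also benefit from one more line of documentation: in a `case` pattern `*` also matches `/`, so entries such as `/etc/ssl/certs/*` and `/etc/secureboot/*` hide everything below those directories, not only direct children.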