feat(lostfiles): filter known/private/cache paths via auto-synced ignore

Upstream lostfiles has no extension mechanism; the weekly report ends
up dominated by files this repo intentionally deploys plus host-private
files we deliberately don't track plus regenerated GTK caches.

Add etc/lostfiles.ignore.tmpl which renders /etc/lostfiles.ignore from
two sources:
  1. Every file under etc/ in the repo (auto-enumerated at chezmoi-apply
     time, same find-sort pattern the etc deploy script uses). This
     keeps the ignore list in sync with what we actually deploy with
     zero manual maintenance.
  2. A static block for: the sudo-i symlink, host-private
     systemd-networkd units (99-hodor*, 99-mandibles*) which contain
     WireGuard secrets, the getty@tty1 autologin override which
     contains the username, and known pacman-hook-generated caches
     under /usr/lib/{gdk-pixbuf-2.0,gtk-4.0}/.

Wrap /usr/bin/lostfiles in lostfiles.service via grep -vFxf, with a
fallback when /etc/lostfiles.ignore doesn't yet exist (first deploy).

1 files changed, 1 insertions, 1 deletions

diff --git a/etc/systemd/system/lostfiles.service b/etc/systemd/system/lostfiles.service
index 4d94a18..d2df9e4 100644
--- a/etc/systemd/system/lostfiles.service
+++ b/etc/systemd/system/lostfiles.service
@@ -7,4 +7,4 @@ ConditionPathExists=/usr/bin/lostfiles
 Type=oneshot
 Nice=19
 IOSchedulingClass=idle
-ExecStart=/bin/sh -c '/usr/bin/lostfiles >/run/lostfiles.txt.tmp && mv /run/lostfiles.txt.tmp /run/lostfiles.txt'
+ExecStart=/bin/sh -c '/usr/bin/lostfiles | { if [ -f /etc/lostfiles.ignore ]; then grep -vFxf /etc/lostfiles.ignore; else cat; fi; } >/run/lostfiles.txt.tmp && mv /run/lostfiles.txt.tmp /run/lostfiles.txt'