From 372b8b27a64179602a8c81fe9d12931ebb5b8cef Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Tue, 21 Apr 2026 01:23:46 +0100
Subject: feat(etc): drift detection + auto-enumerating deploy template

- `just etc-drift` reports /etc files modified from pacman defaults (via pacman -Qii) and user-created files (via pacman -Qo), subtracting already-managed paths and patterns listed in etc/.ignore.
- Refactor run_onchange_after_deploy-etc.sh.tmpl to enumerate files under etc/ automatically via find; single combined hash via chezmoi output + sha256sum, so new files only need to be dropped into etc/.
- etc/.ignore seeds noise filters: machine-id, ssh host keys, pacman keyring, mirrorlist, shadow/passwd backups, sbctl keys, ca-certs.
---
 justfile | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
(limited to 'justfile')
diff --git a/justfile b/justfile
index 26058db..f73d4e5 100644
--- a/justfile
+++ b/justfile
@@ -178,6 +178,48 @@ services-drift:
 comm -13 "$tmp/curated" "$tmp/enabled" | comm -23 - "$tmp/ignore" | sed 's/^/ uncurated: /'
+# ═══════════════════════════════════════════════════════════════════
+# System config (/etc)
+# ═══════════════════════════════════════════════════════════════════
+
+# Show /etc drift: package configs modified from defaults, plus user-created files
+etc-drift:
+ #!/usr/bin/env bash
+ set -eo pipefail
+ tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
+
+ find etc -type f ! -name .ignore 2>/dev/null \
+ | sed 's|^etc/|/etc/|' | sort -u > "$tmp/managed"
+
+ patterns=()
+ if [ -f etc/.ignore ]; then
+ while IFS= read -r line; do
+ [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+ patterns+=("$line")
+ done < etc/.ignore
+ fi
+
+ keep() {
+ local path=$1
+ grep -qxF "$path" "$tmp/managed" && return 1
+ for pat in ${patterns[@]+"${patterns[@]}"}; do
+ [[ "$path" == $pat ]] && return 1
+ done
+ return 0
+ }
+
+ echo "=== /etc drift ==="
+ echo "--- modified package configs ---"
+ pacman -Qii 2>/dev/null | grep -oP 'MODIFIED\t\K/\S+' | sort -u \
+ | while IFS= read -r p; do keep "$p" && echo " modified: $p"; done
+
+ echo "--- user-created (no owning package) ---"
+ find /etc -xdev -type f -print0 2>/dev/null \
+ | xargs -0 pacman -Qo 2>&1 >/dev/null \
+ | sed -n 's/^error: No package owns //p' | sort -u \
+ | while IFS= read -r p; do keep "$p" && echo " unowned: $p"; done
+
+
 # ═══════════════════════════════════════════════════════════════════
 # Package management
 # ═══════════════════════════════════════════════════════════════════
-- 
cgit v1.2.3-70-g09d2
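Review bot: Under `set -eo pipefail` the two report pipelines in `etc-drift` fail on statuses that are expected output rather than errors: `grep -oP 'MODIFIED\t\K/\S+'` exits 1 when no package config is modified, `xargs -0 pacman -Qo` exits 123 whenever at least one unowned file exists, `find /etc` exits 1 on directories an unprivileged user cannot read, and each `while` stage runs in a subshell whose status is 1 when the last path it read was rejected by `keep`, so the recipe either aborts before the user-created section is printed or ends non-zero exactly when there is drift to report. Tolerate only those expected statuses (`{ cmd || true; }` on the producing stages, `keep "$p" || continue` in the loop bodies) so a missing `pacman` or a locked database stays visible as a real failure. The unowned filter also depends on pacman's localized message text `error: No package owns`, so under a non-C locale `sed` matches nothing and that section is silently empty — a drift check that fails open; `export LC_ALL=C` right after `set -eo pipefail` pins it. Worth confirming as well: `pacman -Qii` reports a deleted backup file with a status other than `MODIFIED` (I believe `MISSING`), and a removed config is drift this filter does not surface.
```shell
    set -eo pipefail
    export LC_ALL=C   # sed below matches pacman's message text literally
    # … unchanged: tmp, managed list, .ignore patterns, keep() …
    pacman -Qii 2>/dev/null | { grep -oP 'MODIFIED\t\K/\S+' || true; } | sort -u \
      | while IFS= read -r p; do keep "$p" || continue; echo "  modified: $p"; done
    # … unchanged: section header …
    { find /etc -xdev -type f -print0 2>/dev/null || true; } \
      | { xargs -0 pacman -Qo 2>&1 >/dev/null || true; } \
      | sed -n 's/^error: No package owns //p' | sort -u \
      | while IFS= read -r p; do keep "$p" || continue; echo "  unowned: $p"; done
```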