From 372b8b27a64179602a8c81fe9d12931ebb5b8cef Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Tue, 21 Apr 2026 01:23:46 +0100
Subject: feat(etc): drift detection + auto-enumerating deploy template
- `just etc-drift` reports /etc files modified from pacman defaults (via pacman -Qii) and user-created files (via pacman -Qo), subtracting already-managed paths and patterns listed in etc/.ignore.
- Refactor run_onchange_after_deploy-etc.sh.tmpl to enumerate files under etc/ automatically via find; single combined hash via chezmoi output + sha256sum, so new files only need to be dropped into etc/.
- etc/.ignore seeds noise filters: machine-id, ssh host keys, pacman keyring, mirrorlist, shadow/passwd backups, sbctl keys, ca-certs.
---
run_onchange_after_deploy-etc.sh.tmpl | 26 +++++++-------------------
1 file changed, 7 insertions(+), 19 deletions(-)
(limited to 'run_onchange_after_deploy-etc.sh.tmpl')
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index 225ceac..04f72c1 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -1,26 +1,14 @@
 #!/bin/sh
-# Deploy system-level configs from etc/ to /etc/
-# chezmoi re-runs this script when any hash below changes.
-# {{ include "etc/doas.conf" | sha256sum }}
-# {{ include "etc/modules-load.d/tcp_bbr.conf" | sha256sum }}
-# {{ include "etc/pacman.d/hooks/orphans.hook" | sha256sum }}
-# {{ include "etc/sysctl.d/99-sysctl.conf" | sha256sum }}
-# {{ include "etc/systemd/system.conf.d/timeout.conf" | sha256sum }}
-# {{ include "etc/xdg/reflector/reflector.conf" | sha256sum }}
+# Deploy system-level configs from etc/ to /etc/.
+# chezmoi re-runs this script whenever any file under etc/ changes.
+# etc/ content hash: {{ output "sh" "-c" (printf "cd %q && find etc -type f ! -name .ignore -exec sha256sum {} + | LC_ALL=C sort" .chezmoi.sourceDir) | sha256sum }}
 set -eu
-for f in \
- doas.conf \
- modules-load.d/tcp_bbr.conf \
- pacman.d/hooks/orphans.hook \
- sysctl.d/99-sysctl.conf \
- systemd/system.conf.d/timeout.conf \
- xdg/reflector/reflector.conf
-do
- doas mkdir -p "/etc/$(dirname "$f")"
- doas cp --remove-destination "$CHEZMOI_SOURCE_DIR/etc/$f" "/etc/$f"
+cd "$CHEZMOI_SOURCE_DIR"
+find etc -type f ! -name .ignore | while IFS= read -r src; do
+ dest="/${src}"
+ doas install -D -m 0644 -o root -g root "$src" "$dest"
 done
 # doas refuses to parse /etc/doas.conf unless it's 0400 root:root
-doas chown root:root /etc/doas.conf
 doas chmod 0400 /etc/doas.conf
-- 
cgit v1.2.3-70-g09d2
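Review bot: The added `doas install -D -m 0644 -o root -g root "$src" "$dest"` line applies one mode to every file under etc/, so /etc/doas.conf is first written world-readable and only tightened by the trailing `doas chmod 0400` line, and any file that needs a non-0644 mode (executable or private) is deployed with the wrong permissions. Choosing the mode per path inside the loop installs doas.conf as 0400 root:root in one step and makes the separate chmod line redundant, with further `case` arms available for other special files. The previous `cp --remove-destination` preserved the source file's mode, which this commit drops for the six existing files; it is worth confirming none of them relied on that. The loop also consumes `find` output line by line, so a path containing a newline would be mishandled — probably acceptable for a repo-controlled etc/ tree under `#!/bin/sh`, but worth a comment.
```shell
find etc -type f ! -name .ignore | while IFS= read -r src; do
  case "$src" in
    etc/doas.conf) mode=0400 ;;  # doas refuses to parse it unless 0400 root:root
    *) mode=0644 ;;
  esac
  doas install -D -m "$mode" -o root -g root "$src" "/${src}"
done
# … the trailing doas chmod line becomes unnecessary …
```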