# Paths excluded from `just etc-drift` output.
# One pattern per line; lines starting with `#` are comments.
# Shell-glob patterns (case $path in $pat) work here: *, ?, [].
# In a shell `case` pattern `*` also matches `/`, so an unanchored pattern
# such as *.pacsave applies at any depth and /etc/dir/* covers the whole subtree.
#
# NOTE(review): a path matched here is dropped from drift output, so a change
# to it will not be surfaced by `just etc-drift`. That includes the credential
# files below; if changes to them should be noticed, another check has to do it.

# Per-host state / auto-generated
/etc/machine-id
/etc/adjtime
/etc/.updated
/etc/.pwd.lock
/etc/mtab
/etc/ld.so.cache
/etc/hostname
/etc/xml/catalog

# Per-host identity / secrets
# ssh_host_* matches the private host keys and their .pub counterparts alike.
# The `-` suffixed entries are the backup copies of the account databases.
# /etc/passwd and /etc/group themselves are not in this list, so they still
# appear in drift output; only their backups are excluded.
/etc/ssh/ssh_host_*
/etc/shadow
/etc/shadow-
/etc/gshadow
/etc/gshadow-
/etc/passwd-
/etc/group-

# pacman leftovers from removed packages
*.pacsave
*.pacsave.*
*.pacnew
*.pacorig

# Regenerated by tools (not worth versioning)
# /etc/pacman.d/gnupg/* is pacman's local keyring directory, so it is also
# key material and not only regenerated state.
/etc/resolv.conf
/etc/ssl/certs/*
/etc/ca-certificates/extracted/*
/etc/pacman.d/gnupg/*
/etc/pacman.d/mirrorlist

# Managed by useradd (podman uses them)
/etc/subuid
/etc/subgid
/etc/subuid-
/etc/subgid-

# sbctl signed-boot state (keys live here; never commit)
/etc/secureboot/*

# WireGuard peer configs contain PrivateKey= — keep local only.
# To version these, template PrivateKey via `pass` at chezmoi apply time.
# NOTE(review): only these two .netdev files are listed by name. Any further
# .netdev carrying PrivateKey= needs its own entry here to stay out of drift
# output. systemd.netdev also accepts PrivateKeyFile=, which keeps the key
# out of the .netdev file itself.
/etc/systemd/network/99-hodor.netdev
/etc/systemd/network/99-mandibles.netdev