# Paths excluded from `just etc-drift` output.
# Shell-glob patterns (case $path in $pat) work here: *, ?, [].
# In a shell `case` pattern, `*` also matches `/`, so `/etc/secureboot/*`
# covers nested files and `*.pacnew` matches at any depth.
# NOTE(review): keep comments on their own lines unless the reader of this
# file is confirmed to strip trailing comments from pattern lines.
#
# Anything listed here never appears in drift output, so a change to it is
# invisible to this check. For the account databases, host keys and trust
# stores below, cover changes with a separate control (file-integrity
# monitoring or audit rules) if they matter on this host.

# Per-host state / auto-generated
/etc/machine-id
/etc/adjtime
/etc/.updated
/etc/.pwd.lock
/etc/mtab
/etc/ld.so.cache
/etc/hostname
/etc/xml/catalog

# Per-host identity / secrets
# ssh_host_* matches both the private host keys and their .pub files.
# shadow/gshadow hold password hashes; the `-` suffixed names are the backup
# copies kept next to each database.
/etc/ssh/ssh_host_*
/etc/passwd
/etc/passwd-
/etc/group
/etc/group-
/etc/shadow
/etc/shadow-
/etc/gshadow
/etc/gshadow-
/etc/shells

# pacman leftovers: .pacsave is kept when a package is removed, .pacnew is
# the packaged default written beside a locally modified file on upgrade,
# .pacorig is an older backup suffix. Unmerged .pacnew files are hidden from
# drift by this exclusion, so review them separately.
*.pacsave
*.pacsave.*
*.pacnew
*.pacorig

# Regenerated by tools (not worth versioning)
# /etc/ssl/certs and /etc/ca-certificates/extracted are generated output;
# locally added trust anchors under /etc/ca-certificates/trust-source/ are
# not matched by these patterns and stay visible in drift.
# /etc/pacman.d/gnupg is the pacman keyring and includes secret key material,
# so it must stay out of version control as well.
/etc/resolv.conf
/etc/ssl/certs/*
/etc/ca-certificates/extracted/*
/etc/pacman.d/gnupg/*
/etc/pacman.d/mirrorlist

# Host-specific (UUIDs, partition layout)
/etc/fstab

# Managed by useradd (podman uses them)
/etc/subuid
/etc/subgid
/etc/subuid-
/etc/subgid-

# sbctl signed-boot state (keys live here; never commit)
/etc/secureboot/*

# WireGuard peer configs — .netdev has PrivateKey=, .network has public IPs (PII).
# Keep local only. To version: template secrets via `pass` at chezmoi apply time.
# These patterns name specific interfaces only (presumably hodor and
# mandibles): a WireGuard .netdev added under any other name is NOT excluded
# and would show up in drift output with its PrivateKey=. Add its pattern
# here before capturing drift.
/etc/systemd/network/99-hodor.*
/etc/systemd/network/99-mandibles.*

# Contains hardcoded username (autologin); host-specific
/etc/systemd/system/getty@tty1.service.d/override.conf