- name: Get list of modified files
  become: true
  ansible.builtin.shell: |
    set -o pipefail && \
    git status --porcelain=v1 \
        | cut -c 4- \
        | grep -G -v '^{{ paths | map("regex_replace", "^/", "") | list | join("\|^") }}'
  args:
    chdir: /etc
  register: git_status
  changed_when: false
  failed_when: git_status.rc not in [0, 1]

- name: Fail if unexpected files were modified
  ansible.builtin.fail:
    msg: |
      Unexpected files were modified:
      {{ git_status.stdout }}
  when: git_status.rc == 0

- name: etckeeper commit
  become: true
  ansible.builtin.command: |
    etckeeper commit '{{ commit_msg }}'