TurnKey includes etckeeper (using git as VC) by default. IIRC once per day it checks for uncommitted changes and auto commits them. It also has an apt hook, so it also commits prior to adding/removing software.
Obviously it doesn't catch everything (like you say, sometimes config is elsewhere). But there is discussion on serverfault on how to work around that if you desire.
I don't really understand your security concerns. /etc is world readable already (and it has to be; otherwise apps couldn't read their config). And most important stuff there is only writeable by root (or sudo if installed) by default so I'm not sure what advantages would be gained by hiding it...
Already included OOTB! :)