diff --git a/fst/sandbox.go b/fst/sandbox.go
index 716e303..cc98ec8 100644
--- a/fst/sandbox.go
+++ b/fst/sandbox.go
@@ -245,29 +245,13 @@ func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Par
 			container.Bind(s.Etc, "/etc", 0)
 		}
 	} else {
+		const hostEtc = Tmp + "/etc"
+
 		etcPath := s.Etc
 		if etcPath == "" {
 			etcPath = "/etc"
 		}
-		container.Bind(etcPath, Tmp+"/etc", 0)
-
-		// link host /etc contents to prevent dropping passwd/group bind mounts
-		if d, err := sys.ReadDir(etcPath); err != nil {
-			return nil, nil, err
-		} else {
-			for _, ent := range d {
-				n := ent.Name()
-				switch n {
-				case "passwd":
-				case "group":
-
-				case "mtab":
-					container.Link("/proc/mounts", "/etc/"+n)
-				default:
-					container.Link(Tmp+"/etc/"+n, "/etc/"+n)
-				}
-			}
-		}
+		container.Bind(etcPath, hostEtc, 0).Etc(hostEtc)
 	}
 
 	return container, maps.Clone(s.Env), nil
diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go
index da8111e..3017551 100644
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@@ -125,84 +125,7 @@ var testCasesNixos = []sealTestCase{
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
 				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc(fst.Tmp+"/etc").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/1971", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go
index 491a3a6..fc796ec 100644
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@@ -64,84 +64,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc(fst.Tmp+"/etc").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/65534", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
@@ -284,84 +207,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Etc(fst.Tmp+"/etc").
 				Tmpfs("/run/user", 4096, 0755).
 				Tmpfs("/run/user/65534", 8388608, 0700).
 				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
diff --git a/sandbox/ops.go b/sandbox/ops.go
index 1f1d5a9..fd56f61 100644
--- a/sandbox/ops.go
+++ b/sandbox/ops.go
@@ -440,3 +440,57 @@ func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
 	*f = append(*f, t)
 	return f
 }
+
+func init() { gob.Register(new(AutoEtc)) }
+
+// AutoEtc creates a toplevel symlink mirror of a directory in sysroot with /etc semantics.
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+type AutoEtc struct {
+	// this is an absolute path within sysroot
+	HostEtc string
+}
+
+func (e *AutoEtc) early(*Params) error { return nil }
+func (e *AutoEtc) apply(*Params) error {
+	if !path.IsAbs(e.HostEtc) {
+		return msg.WrapErr(syscall.EBADE,
+			fmt.Sprintf("path %q is not absolute", e.HostEtc))
+	}
+
+	const target = sysrootPath + "/etc/"
+	if err := os.MkdirAll(target, 0755); err != nil {
+		return wrapErrSelf(err)
+	}
+
+	if d, err := os.ReadDir(toSysroot(e.HostEtc)); err != nil {
+		return wrapErrSelf(err)
+	} else {
+		for _, ent := range d {
+			n := ent.Name()
+			switch n {
+			case "passwd":
+			case "group":
+
+			case "mtab":
+				if err = os.Symlink("/proc/mounts", target+n); err != nil {
+					return wrapErrSelf(err)
+				}
+
+			default:
+				if err = os.Symlink(path.Join(e.HostEtc, n), target+n); err != nil {
+					return wrapErrSelf(err)
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func (e *AutoEtc) Is(op Op) bool {
+	ve, ok := op.(*AutoEtc)
+	return ok && ((e == nil && ve == nil) || (e != nil && ve != nil && *e == *ve))
+}
+func (*AutoEtc) prefix() string     { return "setting up" }
+func (e *AutoEtc) String() string   { return fmt.Sprintf("auto etc via %s", e.HostEtc) }
+func (f *Ops) Etc(host string) *Ops { *f = append(*f, &AutoEtc{host}); return f }