Recently I had to clean one of my server (a virtual machine hosted by Tetaneutral) to make it as close to a fresh install as possible, but without reinstalling it or migrate it somewhere else. It is an old server and it has been installed by hand. Since I now use Ansible to manage my other servers, I wanted to include it to the inventory and apply the same configuration on it.
On Archlinux, I used to use this command which list me all configuration files (in /etc) which have diverged from the version shipped by the package:
$ pacman -Qii | awk '/^MODIFIED/ {print $2}'
I didn't find a simple equivalent way to do it in Debian with dpkg tools,
however I found debsums, an extra package that does the job pretty well:
$ debsums -se
I then can restore the package's version by reinstalling the corresponding
package with --force-confask option:
# apt install --reinstall -o Dpkg::Options::="--force-confask"
Here is an oneliner to automate the process (careful, it doesn't ask for any confirmation!):
# debsums -se 2>&1 |awk '{print $4}' |xargs -n 1 dpkg -S |awk -F: '{print $1}' |sort -u |xargs apt install --reinstall -o Dpkg::Options::="--force-confask" -o Dpkg::Options::="--force-confnew"
Since xargs doesn't work well with interactive commands, I force the choice by passing both --force-confask and --force-confnew options.
As a conclusion, keep in mind the configuration files added in *.d/ directories won't be listed nor removed, so you still have to clean these directories manually.