---
title: "Examples"
html_title: "Enroll Examples"
description: "Copy/paste recipes for Enroll: Ansible, Puppet, Salt, fleets, drift detection, and safe storage."
---
<header class="py-5 hero">
  <div class="container py-3">
    <div class="kicker mb-3"><i class="bi bi-terminal"></i> Examples</div>
    <h1 class="display-6 fw-bold mb-2">Copy/paste recipes</h1>
    <p class="lead mb-0">Practical flows you can adapt to Ansible, Puppet, Salt, or all three.</p>
  </div>
</header>

<main class="py-5">
  <div class="container">

    <div class="row g-4">
      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Harvest once, try each renderer locally</div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-single-local"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-single-local"><span class="prompt">$</span> enroll harvest --out /tmp/enroll-harvest

# Ansible noop
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target ansible --out /tmp/enroll-ansible
<span class="prompt">$</span> ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml --diff --check

# Puppet noop
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target puppet --out /tmp/enroll-puppet
<span class="prompt">$</span> puppet apply --modulepath /tmp/enroll-puppet/modules /tmp/enroll-puppet/manifests/site.pp --noop

# Salt noop
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target salt --out /tmp/enroll-salt
<span class="prompt">$</span> salt-call --local --file-root /tmp/enroll-salt/states state.apply test=True</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Great for “make this box reproducible”, testing renderer output, or building a golden baseline you will refine.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Enroll a remote host over SSH</div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-remote"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-remote"><span class="prompt">$</span> enroll harvest \
  --remote-host myhost.example.com \
  --remote-user myuser \
  --out /tmp/enroll-harvest

<span class="prompt">$</span> enroll manifest \
  --harvest /tmp/enroll-harvest \
  --target puppet \
  --out /tmp/enroll-puppet</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">The bundle lands locally. Change <code>--target puppet</code> to <code>ansible</code> or <code>salt</code> without re-harvesting. For remote sudo prompts use <code>--ask-become-pass</code>/<code>-K</code>; use <code>--no-sudo</code> for a less complete non-root harvest.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Fleets: <code>--fqdn</code> output</div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-multisite"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-multisite"><span class="prompt">$</span> fqdn="$(hostname -f)"
<span class="prompt">$</span> enroll harvest --out /tmp/enroll-harvest

# Ansible: inventory/host_vars and a per-host playbook
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target ansible --out /tmp/enroll-ansible --fqdn "$fqdn"
<span class="prompt">$</span> ansible-playbook /tmp/enroll-ansible/playbooks/${fqdn}.yml -i /tmp/enroll-ansible/inventory/hosts.ini -c local --check --diff

# Puppet: Hiera data keyed by certname
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target puppet --out /tmp/enroll-puppet --fqdn "$fqdn"
<span class="prompt">$</span> puppet apply --modulepath /tmp/enroll-puppet/modules --hiera_config /tmp/enroll-puppet/hiera.yaml --certname "$fqdn" /tmp/enroll-puppet/manifests/site.pp --noop

# Salt: pillar data keyed by minion id
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target salt --out /tmp/enroll-salt --fqdn "$fqdn"
<span class="prompt">$</span> salt-call --local --id "$fqdn" --file-root /tmp/enroll-salt/states --pillar-root /tmp/enroll-salt/pillar state.apply test=True</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0"><code>--fqdn</code> disables common grouping and moves host-specific state into the target’s native host-data layer: inventory, Hiera, or pillar.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Control role/module/state grouping</div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-grouping"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-grouping"># Default single-site mode: combine packages/services by package Section where possible
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target ansible --out /tmp/enroll-ansible

# Keep output split more literally by discovered package/service role
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target ansible --out /tmp/enroll-ansible-raw --no-common-roles

# --fqdn also disables common grouping because host data must remain isolated
<span class="prompt">$</span> enroll manifest --harvest /tmp/enroll-harvest --target salt --out /tmp/enroll-salt --fqdn "$(hostname -f)"</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Grouping keeps first-pass output manageable. Use <code>--no-common-roles</code> when you prefer more direct one-role-per-package/service output.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Drift detection with <code>enroll diff</code></div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-diff"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-diff"><span class="prompt">$</span> enroll diff --old /path/to/harvestA --new /path/to/harvestB \
  --format markdown \
  --exclude-path /var/anacron \
  --ignore-package-versions

<span class="prompt">$</span> enroll diff --old /path/to/golden --new /path/to/current \
  --webhook https://example.net/webhook \
  --webhook-format json \
  --webhook-header 'X-Enroll-Secret: ...' \
  --ignore-package-versions \
  --exit-code</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Use it in cron, systemd timers, or CI to alert on change.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Explain a harvest with <code>enroll explain</code></div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-explain"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-explain"><span class="prompt">$</span> enroll explain /tmp/enroll-harvest

# machine-readable reasons, examples, and inventory breakdown
<span class="prompt">$</span> enroll explain /tmp/enroll-harvest --format json | jq .

# encrypted bundle
<span class="prompt">$</span> enroll explain /var/lib/enroll/harvest.tar.gz.sops --sops</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Great for answering “why did it include/exclude that file?” before you generate a manifest.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Enforce the previous state with <code>enroll diff --enforce</code></div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-enforce"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-enforce"><span class="prompt">$</span> enroll diff \
  --old /path/to/harvestA \
  --new /path/to/harvestB \
  --enforce \
  --format json</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Enforcement currently uses generated Ansible and <code>ansible-playbook</code> on <code>PATH</code>, even if you also use Puppet or Salt for normal manifest output.</p>
        </div>
      </div>

      <div class="col-lg-6">
        <div class="feature-card p-4 h-100">
          <div class="fw-semibold mb-2">Encrypt bundles at rest with SOPS</div>
          <div class="codeblock terminal">
            <button class="btn btn-sm btn-outline-secondary copy-btn" data-copy-target="#ex-sops"><i class="bi bi-clipboard"></i> Copy</button>
            <pre class="mb-0"><code id="ex-sops"><span class="prompt">$</span> enroll harvest --dangerous --out /tmp/harvest \
  --sops &lt;FINGERPRINT&gt;

<span class="prompt">$</span> enroll manifest --harvest /tmp/harvest/harvest.tar.gz.sops \
  --target salt \
  --out /tmp/enroll-salt \
  --sops &lt;FINGERPRINT&gt;</code></pre>
          </div>
          <p class="small text-secondary mt-2 mb-0">Use this if you intend to store harvests/manifests long term or if you harvested with <code>--dangerous</code>.</p>
        </div>
      </div>
    </div>

  </div>
</main>