Add docs about --ask-key-passphrase and --ssh-key-passphrase-env
All checks were successful
CI / test (push) Successful in 1m44s

This commit is contained in:
Miguel Jacq 2026-02-17 10:56:56 +11:00
parent 481a0c05a0
commit bbd0400132
Signed by: mig5
GPG key ID: 59B3F0C24135C6A9
2 changed files with 13 additions and 2 deletions

View file

@ -200,7 +200,7 @@ enroll single-shot \
--out ./ansible \ --out ./ansible \
--fqdn myhost.example.com</code></pre> --fqdn myhost.example.com</code></pre>
</div> </div>
<div class="smallprint mt-3">If you don't want/need sudo on the remote host, add <code>--no-sudo</code> (expect a less complete harvest).</div> <div class="smallprint mt-3">If you don't want/need sudo on the remote host, add <code>--no-sudo</code> (expect a less complete harvest). For remote sudo prompts use <code>--ask-become-pass</code>/<code>-K</code>. If your SSH private key is encrypted, use <code>--ask-key-passphrase</code> (interactive) or <code>--ssh-key-passphrase-env ENV_VAR</code> (non-interactive/CI).</div>
</div> </div>
<div class="tab-pane fade" id="qs3" role="tabpanel" aria-labelledby="qs3-tab"> <div class="tab-pane fade" id="qs3" role="tabpanel" aria-labelledby="qs3-tab">
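Review bot: The new third sentence of the quickstart smallprint (line 200, right-hand side) introduces both key-passphrase flags but omits the constraint the other page states in its list item, that the two flags are mutually exclusive; add "(use one or the other)" so a reader who copies both into a CI job is not surprised by an error. It would also help to spell out that `ENV_VAR` is the name of a variable holding the passphrase, not the passphrase itself, since the quickstart shows no invocation for it.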

View file

@ -108,6 +108,7 @@ description: "How Enroll works: harvest, manifest, modes, and configuration."
<li>In terms of safety measures: it doesn't traverse into symlinks, and it has an 'IgnorePolicy' that makes it ignore most binary files (except GPG binary keys used with apt) - though if you specify certain paths with <code>--include-path</code> and use <code>--dangerous</code>, it will skip some policy statements such as what types of content to ignore.</li> <li>In terms of safety measures: it doesn't traverse into symlinks, and it has an 'IgnorePolicy' that makes it ignore most binary files (except GPG binary keys used with apt) - though if you specify certain paths with <code>--include-path</code> and use <code>--dangerous</code>, it will skip some policy statements such as what types of content to ignore.</li>
<li>It will skip files that are too large, and it also currently has a hardcoded cap of the number of files that it will harvest (4000 for <code>/etc</code>, <code>/usr/local/etc</code> and <code>/usr/local/bin</code>, and 500 files per 'role'), to avoid unintentional 'runaway' situations.</li> <li>It will skip files that are too large, and it also currently has a hardcoded cap of the number of files that it will harvest (4000 for <code>/etc</code>, <code>/usr/local/etc</code> and <code>/usr/local/bin</code>, and 500 files per 'role'), to avoid unintentional 'runaway' situations.</li>
<li>If you are using the 'remote' mode to harvest, and your remote user requires a password for sudo, you can pass in <code>--ask-become-pass</code> (or <code>-K</code>) and it will prompt for the password. If you forget, and remote requires password for sudo, it'll still fall back to prompting for a password, but will be a bit slower to do so.</li> <li>If you are using the 'remote' mode to harvest, and your remote user requires a password for sudo, you can pass in <code>--ask-become-pass</code> (or <code>-K</code>) and it will prompt for the password. If you forget, and remote requires password for sudo, it'll still fall back to prompting for a password, but will be a bit slower to do so.</li>
<li>If your SSH private key is encrypted, use <code>--ask-key-passphrase</code> to prompt up-front, or <code>--ssh-key-passphrase-env ENV_VAR</code> for non-interactive/CI runs. If neither is provided and Enroll detects an encrypted key in an interactive session, it will prompt on-demand. (The two key-passphrase flags are mutually exclusive.)</li>
</ul> </ul>
<div class="alert alert-secondary mt-3 mb-0"> <div class="alert alert-secondary mt-3 mb-0">
@ -186,7 +187,15 @@ description: "How Enroll works: harvest, manifest, modes, and configuration."
<span class="prompt">$</span> enroll single-shot --remote-host myhost.example.com --remote-user myuser \ <span class="prompt">$</span> enroll single-shot --remote-host myhost.example.com --remote-user myuser \
--harvest /tmp/enroll-harvest --out /tmp/enroll-ansible \ --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible \
--fqdn myhost.example.com</code></pre> --fqdn myhost.example.com
# Encrypted SSH key examples:
<span class="prompt">$</span> enroll harvest --remote-host myhost.example.com --remote-user myuser \
--ask-key-passphrase --out /tmp/enroll-harvest
<span class="prompt">$</span> export ENROLL_SSH_KEY_PASSPHRASE='correct horse battery staple'
<span class="prompt">$</span> enroll harvest --remote-host myhost.example.com --remote-user myuser \
--ssh-key-passphrase-env ENROLL_SSH_KEY_PASSPHRASE --out /tmp/enroll-harvest</code></pre>
</div> </div>
<div class="alert alert-secondary mt-3"> <div class="alert alert-secondary mt-3">
<div class="fw-semibold">Tip</div> <div class="fw-semibold">Tip</div>
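Review bot: The `export ENROLL_SSH_KEY_PASSPHRASE='correct horse battery staple'` line in the new example writes the passphrase into the shell history and exposes it to every process that inherits the environment; for an interactive shell the page's own `--ask-key-passphrase` is the right tool, so frame the export as the CI pattern (secret injected by the runner) and say so in the comment line above it, e.g. `# CI: have the runner inject the passphrase as a secret, then:`. Separately, the existing single-shot example passes the harvest directory as `--harvest /tmp/enroll-harvest` while both new `enroll harvest` invocations use `--out /tmp/enroll-harvest`; please confirm `--out` is the harvest subcommand's flag for that directory so the three examples read consistently.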
@ -194,6 +203,8 @@ description: "How Enroll works: harvest, manifest, modes, and configuration."
<br /> <br />
<div class="small mb-0">If your remote user requires a password for sudo, pass <code>--ask-become-pass</code> or <code>-K</code> and you'll be prompted to enter the password. If you forget, Enroll will still prompt for the password if it detects it's needed, but will be slightly slower to do so.</div> <div class="small mb-0">If your remote user requires a password for sudo, pass <code>--ask-become-pass</code> or <code>-K</code> and you'll be prompted to enter the password. If you forget, Enroll will still prompt for the password if it detects it's needed, but will be slightly slower to do so.</div>
<br /> <br />
<div class="small mb-0">If your SSH private key is encrypted, use <code>--ask-key-passphrase</code> to prompt up-front. For non-interactive/CI runs, use <code>--ssh-key-passphrase-env ENV_VAR</code>. If neither is set and Enroll detects an encrypted key in an interactive session, it'll still prompt on-demand.</div>
<br />
<div class="small mb-0">If your remote host requires additional SSH configuration that you've defined in your <code>~/.ssh/config</code>, pass <code>--remote-ssh-config ~/.ssh/config</code>. Enroll will understand how to translate the Host alias, IdentityFile, ProxyCommand, ConnectTimeout and AddressFamily values. You must still pass a value for <code>--remote-host</code> that matches the <code>Host</code> value of the entry in the SSH config file.</div> <div class="small mb-0">If your remote host requires additional SSH configuration that you've defined in your <code>~/.ssh/config</code>, pass <code>--remote-ssh-config ~/.ssh/config</code>. Enroll will understand how to translate the Host alias, IdentityFile, ProxyCommand, ConnectTimeout and AddressFamily values. You must still pass a value for <code>--remote-host</code> that matches the <code>Host</code> value of the entry in the SSH config file.</div>
</div> </div>
</section> </section>
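Review bot: The added tip repeats the list item from this file's `-108,6 +108,7` hunk almost word for word, and again drops the mutual-exclusivity note that item carries in parentheses; either trim this to a one-line pointer back to that list, or keep the two in sync including the "one or the other" constraint, so the page does not drift when the behaviour changes.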