Examples

Copy/paste recipes

Practical flows you can adapt to your environment.

Enroll a single host (local)
$ enroll harvest --out /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest \
  --out /tmp/enroll-ansible
$ ansible-playbook -i "localhost," -c local \
  /tmp/enroll-ansible/playbook.yml --diff --check

Great for "make this box reproducible" or building a golden role set.

Enroll a remote host (over SSH)
$ enroll harvest \
  --remote-host myhost.example.com \
  --remote-user myuser \
  --out /tmp/enroll-harvest
$ enroll manifest \
  --harvest /tmp/enroll-harvest \
  --out /tmp/enroll-ansible

No need to manually run commands on the server - your bundle lands locally.

Fleets: multi-site output
$ fqdn="$(hostname -f)"
$ enroll single-shot --remote-host "$fqdn" \
  --remote-user myuser \
  --out /tmp/enroll-ansible \
  --fqdn "$fqdn"
$ ansible-playbook "/tmp/enroll-ansible/playbooks/${fqdn}.yml"

Shared roles + host inventory keeps one host's differences from breaking another.

Drift detection with enroll diff
$ enroll diff \
  --old /path/to/harvestA \
  --new /path/to/harvestB \
  --format markdown
$ enroll diff --old /path/to/golden --new /path/to/current \
  --webhook https://example.net/webhook \
  --webhook-format json \
  --webhook-header 'X-Enroll-Secret: ...' \
  --exit-code

Use it in cron or CI to alert on change.
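
The second command above delivers the diff to a webhook with a shared secret in the X-Enroll-Secret header. The receiver below is an added example, not part of Enroll, that checks the header before accepting a report. It assumes the delivery is an HTTP POST whose JSON body has an unspecified shape; the port, size cap and secret value are placeholders.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = "x-enroll-secret"   # header name from the --webhook-header example, lowercased
MAX_BODY = 1 << 20           # assumed cap: refuse bodies over 1 MiB


def check_request(headers, body, secret):
    """Return (http_status, parsed_json_or_None) for one webhook delivery."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get(HEADER, "")
    # compare_digest runs in constant time, so response timing does not
    # reveal how much of a guessed secret was correct. Empty secret = reject.
    if not secret or not hmac.compare_digest(supplied.strip().encode(), secret.encode()):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        report = json.loads(body)        # matches --webhook-format json
    except ValueError:                   # malformed JSON or invalid UTF-8
        return 400, None
    return 200, report


class Receiver(BaseHTTPRequestHandler):
    secret = "constructed-demo-secret"   # placeholder; load from a secret store

    def do_POST(self):
        length = self.headers.get("Content-Length", "")
        if not length.isdecimal():
            status, report = 400, None
        elif int(length) > MAX_BODY:
            status, report = 413, None
        else:
            status, report = check_request(dict(self.headers.items()),
                                           self.rfile.read(int(length)), self.secret)
        if status == 200:
            print("drift report received:", json.dumps(report)[:200])  # alerting hook
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback and terminate TLS in front of it: the secret travels
    # in a plain header, which is why the page's webhook URL is https.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```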


Safe harvesting (default)

Enroll tries to avoid harvesting files that might contain secrets. If you need to capture "everything", pass --dangerous and treat the output as sensitive.

You can still control what does and doesn't get collected with the --include and --exclude flags.

$ enroll harvest --dangerous --out /tmp/enroll-harvest

Encrypt bundles at rest (SOPS)

Produce a single encrypted file for harvest and/or manifest output (requires SOPS to be installed).

This is an especially good idea if you use --dangerous, which might sweep up secrets (see above).

$ enroll harvest --dangerous --out /tmp/harvest \
  --sops <FINGERPRINT>
$ enroll manifest --harvest /tmp/harvest/harvest.tar.gz.sops \
  --out /tmp/enroll-ansible --sops <FINGERPRINT>