---
title: "Examples"
html_title: "Enroll Examples"
description: "Copy/paste recipes for Enroll: one host, fleets, drift detection, and safe storage."
---

# Examples

Copy/paste recipes

Practical flows you can adapt to your environment.

## Enroll a single host (local)

```shell
$ enroll harvest --out /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest \
  --out /tmp/enroll-ansible
$ ansible-playbook -i "localhost," -c local \
  /tmp/enroll-ansible/playbook.yml --diff --check
```

Great for "make this box reproducible" or building a golden role set.

## Enroll a remote host (over SSH)

```shell
$ enroll harvest \
  --remote-host myhost.example.com \
  --remote-user myuser \
  --out /tmp/enroll-harvest
$ enroll manifest \
  --harvest /tmp/enroll-harvest \
  --out /tmp/enroll-ansible
```

No need to run commands on the server by hand - the bundle lands locally. If your remote user needs a password for sudo, pass --ask-become-pass (or -K), just like in Ansible. If you don't want to use sudo, pass --no-sudo; the harvest may then contain less data.

## Fleets: multi-site output

```shell
$ fqdn="$(hostname -f)"
$ enroll single-shot --remote-host "$fqdn" \
  --remote-user myuser \
  --out /tmp/enroll-ansible \
  --fqdn "$fqdn"
$ ansible-playbook "/tmp/enroll-ansible/playbooks/${fqdn}.yml"
```

Shared roles + host inventory keeps one host's differences from breaking another.

## Drift detection with enroll diff

```shell
$ enroll diff --old /path/to/harvestA \
  --new /path/to/harvestB \
  --format markdown \
  --exclude-path /var/anacron \
  --ignore-package-versions
$ enroll diff --old /path/to/golden --new /path/to/current \
  --webhook https://example.net/webhook \
  --webhook-format json \
  --webhook-header 'X-Enroll-Secret: ...' \
  --ignore-package-versions --exit-code
```

Use it in cron or CI to alert on change.
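The cron/CI loop just described, as an added example that is not Enroll's own code: a POSIX sh wrapper around `enroll diff --exit-code` that turns the outcome into a stable exit status a scheduler can act on, refuses to run with a missing harvest, and reads the webhook secret from a file instead of embedding it in the crontab or CI job definition. It assumes, since the page does not say, that `--exit-code` exits 0 when the harvests match and 1 when drift is found; the `drift_check` function, the `drift-check.sh` name and the secret-file path are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Enroll itself: a cron/CI wrapper around
# "enroll diff --exit-code" that maps the result to a stable exit status and
# keeps the webhook secret out of the crontab, the CI job definition and
# shell history. Note that enroll itself still receives the header as an
# argument, exactly as in the page's own recipe.
#
# Assumptions (not stated on the Enroll page):
#   * "enroll diff --exit-code" exits 0 when the harvests match and 1 when
#     drift is found; anything else is treated as a tool error.
#   * The webhook header is "X-Enroll-Secret: <value>", with the value read
#     from a file that must not be readable by other users.
set -u

# drift_check GOLDEN CURRENT [WEBHOOK_URL SECRET_FILE]
#   exit status: 0 = no drift, 1 = drift detected, 2 = bad input or enroll error
drift_check() {
    golden="$1"
    current="$2"
    webhook="${3:-}"
    secret_file="${4:-}"

    # A missing harvest must not be reported as "no drift".
    for h in "$golden" "$current"; do
        if [ ! -e "$h" ]; then
            echo "drift_check: harvest not found: $h" >&2
            return 2
        fi
    done

    # Build the enroll argument list; this overwrites the function's $1.. on purpose.
    set -- --old "$golden" --new "$current" --ignore-package-versions --exit-code

    if [ -n "$webhook" ]; then
        if [ -z "$secret_file" ] || [ ! -f "$secret_file" ]; then
            echo "drift_check: webhook requested but secret file is missing" >&2
            return 2
        fi
        # Refuse a world-readable secret file (find prints the path if o+r is set).
        if [ -n "$(find "$secret_file" -perm -004 -print 2>/dev/null)" ]; then
            echo "drift_check: $secret_file is world-readable; chmod 600 it" >&2
            return 2
        fi
        secret="$(cat "$secret_file")"
        set -- "$@" --webhook "$webhook" --webhook-format json \
            --webhook-header "X-Enroll-Secret: $secret"
    fi

    rc=0
    enroll "$@" || rc=$?
    case "$rc" in
        0) echo "drift_check: no drift between $golden and $current"; return 0 ;;
        1) echo "drift_check: DRIFT detected between $golden and $current" >&2; return 1 ;;
        *) echo "drift_check: enroll diff failed with status $rc" >&2; return 2 ;;
    esac
}

# Stand-alone use, e.g. from cron (paths are placeholders):
#   drift-check.sh /var/lib/enroll/golden /var/lib/enroll/current \
#       https://example.net/webhook /etc/enroll/webhook.secret
if [ "$#" -ge 2 ]; then
    drift_check "$@"
    exit $?
fi
```

Because the three outcomes get distinct exit codes, a cron job can alert on status 1 (drift) and separately on status 2 (the check itself could not run), which is the case that a bare `enroll diff` in a crontab would silently swallow.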

## Explain a harvest with enroll explain

```shell
$ enroll explain /tmp/enroll-harvest

# machine-readable (reasons, examples, inventory breakdown)
$ enroll explain /tmp/enroll-harvest --format json | jq .

# encrypted bundle
$ enroll explain /var/lib/enroll/harvest.tar.gz.sops --sops
```

Great for answering "why did it include/exclude that file?" before you generate a manifest.

## Enforce the previous state with enroll diff --enforce

```shell
$ enroll diff \
  --old /path/to/harvestA \
  --new /path/to/harvestB \
  --enforce \
  --format json
```

Enforcing the old harvest restores its files and permissions, missing packages, and changed services or users, provided ansible-playbook is on the PATH.

## Safe harvesting (default)

Enroll tries to avoid harvesting files that might contain secrets. If you need to capture "everything", pass --dangerous and treat the output as sensitive.

You can still control what is and isn't collected with the --include and --exclude flags.

```shell
$ enroll harvest --dangerous --out /tmp/enroll-harvest
```

## Encrypt bundles at rest (SOPS)

Produce a single encrypted file for harvest and/or manifest output (requires SOPS to be installed).

This is an especially good idea when you use --dangerous, which may sweep up secrets (see above).

```shell
$ enroll harvest --dangerous --out /tmp/harvest \
  --sops <FINGERPRINT>
$ enroll manifest --harvest /tmp/harvest/harvest.tar.gz.sops \
  --out /tmp/enroll-ansible --sops <FINGERPRINT>
```