Allow the user to add extra paths to harvest, or
paths to ignore, using `--exclude-path` and
`--include-path` arguments.

All checks were successful
CI / test (push) Successful in 5m31s
Lint / test (push) Successful in 34s
Trivy / test (push) Successful in 19s
This commit is contained in:
Miguel Jacq 2025-12-20 17:47:00 +11:00
parent 25add369dc
commit 240e79706f
Signed by: mig5
GPG key ID: 59B3F0C24135C6A9
9 changed files with 687 additions and 12 deletions


@ -69,6 +69,7 @@ Harvest state about a host and write a harvest bundle.
- Changed-from-default config (plus related custom/unowned files under service dirs)
- Non-system users + SSH public keys
- Misc `/etc` that cant be attributed to a package (`etc_custom` role)
- Optional user-specified extra files/dirs via `--include-path` (emitted as an `extra_paths` role at manifest time)
**Common flags**
- Remote harvesting:
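Review bot: the new `--include-path` bullet in this list only covers additions; since the flags section states that excludes win over includes, one clause here saying that `--exclude-path` removes entries from any of the categories above would stop readers of this summary from assuming the list is fixed. Adjacent nit in the same list: `cant` on the `/etc` line should read `can't`.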
@ -79,6 +80,14 @@ Harvest state about a host and write a harvest bundle.
- `--dangerous`: disables secret-safety checks (see “Sensitive data” below)
- Encrypt bundles at rest:
- `--sops <FINGERPRINT...>`: writes a single encrypted `harvest.tar.gz.sops` instead of a plaintext directory
- Path selection (include/exclude):
- `--include-path <PATTERN>` (repeatable): add extra files/dirs to harvest (even from locations normally ignored, like `/home`). Still subject to secret-safety checks unless `--dangerous`.
- `--exclude-path <PATTERN>` (repeatable): skip files/dirs even if they would normally be harvested.
- Pattern syntax:
- plain path: matches that file; directories match the directory + everything under it
- glob (default): supports `*` and `**` (prefix with `glob:` to force)
- regex: prefix with `re:` or `regex:`
- Precedence: excludes win over includes.
---
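Review bot: the pattern-syntax bullets leave two things unspecified that a user needs before trusting an include or exclude. First, whether `*` crosses `/`: the examples in this change use `/home/*/.bashrc`, which reads as a single path segment, and `**` is listed separately, so say explicitly that `*` does not cross a separator if that is the behaviour. Second, whether `re:` patterns are anchored (full match) or searched: if they are searched, an include such as `re:\.bashrc` also matches any path containing that substring, and an exclude aimed at `/usr/local/bin` can over-match elsewhere. Suggest a line such as `regex: matched against the full absolute path; anchor with ^ and $ unless you intend partial matches`, or a statement that full-match is applied. It is also worth stating in this section whether patterns are matched against absolute paths, since `--include-path` can reach into normally ignored trees like `/home`.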
@ -227,6 +236,23 @@ enroll harvest --out /tmp/enroll-harvest
enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
```
### Include paths (`--include-path`)
```bash
# Add a few dotfiles from /home (still secret-safe unless --dangerous)
enroll harvest --out /tmp/enroll-harvest --include-path '/home/*/.bashrc' --include-path '/home/*/.profile'
```
### Exclude paths (`--exclude-path`)
```bash
# Skip specific /usr/local/bin entries (or patterns)
enroll harvest --out /tmp/enroll-harvest --exclude-path '/usr/local/bin/docker-*' --exclude-path '/usr/local/bin/some-tool'
```
### Regex include
```bash
enroll harvest --out /tmp/enroll-harvest --include-path 're:^/home/[^/]+/\.config/myapp/.*$'
```
### `--dangerous`
```bash
enroll harvest --out /tmp/enroll-harvest --dangerous
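Review bot: the `--dangerous` snippet should carry the same kind of comment as the other examples, spelling out that it disables the secret-safety checks (as the flag description above says), because the obvious pairing with `--include-path '/home/*/...'` is exactly where private keys and tokens live; a comment along the lines of `# WARNING: bundle may contain secrets; consider --sops for encryption at rest` makes the consequence visible at the point of copy-paste. The regex example also has no comment; a note that `[^/]+` stops at one directory level whereas `.*` would not would explain why that form is used rather than a glob.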