Add --sops mode to encrypt harvest and manifest data at rest (especially useful if using --dangerous)
Some checks failed
CI / test (push) Successful in 5m35s
Lint / test (push) Failing after 29s
Trivy / test (push) Successful in 18s

This commit is contained in:
Miguel Jacq 2025-12-17 18:51:40 +11:00
parent 6a36a9d2d5
commit 33b1176800
Signed by: mig5
GPG key ID: 59B3F0C24135C6A9
12 changed files with 760 additions and 117 deletions

@ -5,8 +5,12 @@
harvest, albeit you'll end up with less useful data (same as if running `enroll harvest` on a machine without
sudo)
* Add `--dangerous` flag to capture even sensitive data (use at your own risk!)
* Add `--sops` flag which makes the harvest and the manifest 'out' data encrypted as a single SOPS data file.
This would make `--dangerous` a little bit safer, if your intention is just to store the Ansible manifest
in git or somewhere similar for disaster-recovery purposes (e.g encrypted at rest for safe-keeping).
* Do a better job at capturing other config files in `/etc/<package>/` even if that package doesn't normally
ship or manage those files.
* Don't collect files ending in `.log`
# 0.0.5
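Review bot: the new `--sops` bullet does not say how the encryption key is chosen (an age recipient, a PGP fingerprint, or a `.sops.yaml` creation rule) or what happens when none is configured; a reader who relies on this flag to make a `--dangerous` harvest safe to commit to git needs to know whether the tool fails closed or writes plaintext in that case, so the entry should state it. The phrase "a little bit safer" is also worth tightening: SOPS only protects the output at rest, not the sensitive data while it is harvested or held in memory. Minor: "e.g encrypted" should read "e.g. encrypted".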
@ -17,7 +21,7 @@
of the same role. Use 'single site' mode (no `--fqdn`) if you want more readable,
self-contained roles (in which case, store each manifested output in its own
repo per server)
* Generate an ansible.cfg if not present, to support host_vars plugin and other params,
* Generate an ansible.cfg if not present, to support `host_vars` plugin and other params,
when using `--fqdn` mode
* Be more permissive with files that we previously thought contained secrets (ignore commented lines)
@ -34,10 +38,10 @@
# 0.0.2
* Merge pkg_ and roles created based on file/service detection
* Avoid idempotency issue with users (password_lock)
* Avoid idempotency issue with users (`password_lock`)
* Rename subcommands/args ('export' is now 'enroll', '--bundle' is now '--harvest')
* Don't try and start systemd services that were Inactive at harvest time
* Capture miscellaneous files in /etc under their own etc_custom role, but not backup files
* Capture miscellaneous files in /etc under their own `etc_custom` role, but not backup files
* Add tests
* Various other bug fixes
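Review bot: formatting consistency in the rewritten bullet `Capture miscellaneous files in /etc under their own `etc_custom` role, but not backup files` is uneven, with `etc_custom` now in backticks while the `/etc` path on the same line (and `/etc/<package>/` in the earlier hunk) stays unformatted; either format paths the same way as role names or leave both plain.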