778237740a
Add ability to gracefully handle an encrypted private key for SSH (can be forced or automated with an env var too)
CI / test (push) Successful in 8m22s
Lint / test (push) Successful in 32s
Trivy / test (push) Successful in 24s
2026-02-17 10:35:51 +11:00
1856e3a79d
Add support for AddressFamily and ConnectTimeout in the .ssh/config when using --remote-ssh-config.
2026-01-16 10:58:39 +11:00
f5eaac9f75
Support --remote-ssh-config [path-to-ssh-config] as an argument in case extra params are required beyond --remote-port or --remote-user.
CI / test (push) Successful in 8m18s
Lint / test (push) Successful in 33s
Trivy / test (push) Successful in 25s
Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config.
2026-01-13 21:56:28 +11:00
5754ef1aad
Add interactive output when 'enroll diff --enforce' is invoking Ansible.
CI / test (push) Successful in 8m18s
Lint / test (push) Successful in 32s
Trivy / test (push) Successful in 24s
2026-01-11 10:01:16 +11:00
ebd30247d1
Add --enforce mode to enroll diff and add --ignore-package-versions
CI / test (push) Failing after 1m48s
Lint / test (push) Successful in 32s
Trivy / test (push) Successful in 22s
If there is a diff detected between the two harvests, and it can
enforce restoring the state from the older harvest, it will
manifest the state and apply it with ansible. Only the specific
roles that had diffed will be applied (via the new tags capability).
`--ignore-package-versions` will skip reporting when packages are
upgraded/downgraded in the diff.
2026-01-10 10:51:41 +11:00
9a249cc973
Initial pass at an --enforce mode for enroll diff, to manifest and restore state of old harvest if ansible is on the PATH
CI / test (push) Successful in 8m13s
Lint / test (push) Successful in 33s
Trivy / test (push) Successful in 23s
2026-01-10 09:50:28 +11:00
ca3d958a96
Add --exclude-path to enroll diff command
CI / test (push) Failing after 1m45s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 23s
So that you can ignore certain churn from the diff
(stuff you still wanted to harvest as a baseline but don't care if it changes day to day)
2026-01-10 08:56:35 +11:00
8daed96b7c
Attempt to generate Jinja2 templates of systemd unit files and Postfix main.cf (now that JinjaTurtle supports it)
CI / test (push) Successful in 8m13s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 23s
2026-01-06 12:47:12 +11:00
66d032d981
Introduce 'enroll validate' to check a harvest meets the schema spec and isn't lacking artifacts or contains orphaned ones
CI / test (push) Failing after 1m47s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 23s
2026-01-05 21:17:50 +11:00
d3fdfc9ef7
Manage certain symlinks, e.g. for apache2/nginx sites-enabled and so on
Lint / test (push) Waiting to run
Trivy / test (push) Waiting to run
CI / test (push) Has been cancelled
2026-01-05 16:29:21 +11:00
91ec1b8791
Ignore files ending in - in the /etc/ dir, e.g. /etc/shadow-
CI / test (push) Failing after 1m43s
Lint / test (push) Successful in 32s
Trivy / test (push) Successful in 23s
2026-01-05 15:48:17 +11:00
b5e32770a3
Ignore files that end with a tilde (probably backup files generated by editors)
2026-01-05 15:23:45 +11:00
a1433d645f
Capture other files in the user's home directory
CI / test (push) Failing after 1m57s
Lint / test (push) Successful in 32s
Trivy / test (push) Successful in 27s
Such as `.bashrc`, `.bash_aliases`, `.profile`, if these files differ from the `/etc/skel` defaults
2026-01-05 15:02:22 +11:00
e68ec0bffc
More test coverage
2026-01-05 14:27:56 +11:00
24cedc8c8d
Centralise the cron and logrotate stuff into their respective roles.
CI / test (push) Successful in 7m52s
Lint / test (push) Successful in 30s
Trivy / test (push) Successful in 23s
We had a bit of duplication between roles based on harvest discovery.
Arguably some crons/logrotate scripts are specific to other packages,
but it helps to go to one place to find them all. We'll apply these
roles last in the playbook, to give an opportunity for all other
packages / non-system users to have been installed already.
2026-01-05 12:01:25 +11:00
59674d4660
Introduce enroll explain
CI / test (push) Failing after 1m45s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 23s
A tool to analyze and explain what's in (or not in) a harvest and why.
2026-01-05 10:16:44 +11:00
a2be708a31
Support for remote hosts that require password for sudo.
Lint / test (push) Waiting to run
Trivy / test (push) Waiting to run
CI / test (push) Has been cancelled
Introduce --ask-become-pass or -K to support password-required sudo on remote hosts, just like Ansible.
It will also fall back to this prompt if a password is required but the arg wasn't passed in.
With thanks to slhck from HN for the initial patch, advice and feedback.
2026-01-04 20:49:10 +11:00
824010b2ab
Several bug fixes and prep for 0.2.2
CI / test (push) Failing after 1m40s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 24s
- Fix stat() of parent directory so that we set directory perms correctly on --include paths.
- Set pty for remote calls when sudo is required, to help systems with limits on sudo without pty
2026-01-03 11:39:57 +11:00
c88405ef01
Ensure directories in the tree of anything included with --include are defined in the state and manifest so we make dirs before we try to create files
2026-01-02 21:10:32 +11:00
781efef467
Don't accidentally add extra_paths role to usr_local_custom list, resulting in extra_paths appearing twice in manifested playbook
2026-01-02 20:19:47 +11:00
f01603dac4
Better attribution of config files to parent service/role (not systemd helpers)
CI / test (push) Successful in 4m51s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 15s
2025-12-29 17:19:59 +11:00
081739fd19
Fix tests
CI / test (push) Successful in 5m7s
Lint / test (push) Successful in 29s
Trivy / test (push) Successful in 18s
2025-12-29 16:35:21 +11:00
043802e800
Refactor state structure and capture versions of packages
2025-12-29 16:10:27 +11:00
984b0fa81b
Add ability to enroll RH-style systems (DNF5/DNF/RPM)
CI / test (push) Successful in 5m9s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 17s
2025-12-29 14:59:34 +11:00
ad2abed612
Add version CLI arg
2025-12-29 14:29:11 +11:00
8c19473e18
Fix an attribution bug for certain files ending up in the wrong package/role.
CI / test (push) Successful in 5m2s
Lint / test (push) Successful in 29s
Trivy / test (push) Successful in 21s
2025-12-28 18:37:14 +11:00
921801caa6
0.1.6
CI / test (push) Successful in 5m24s
Lint / test (push) Successful in 30s
Trivy / test (push) Successful in 16s
2025-12-28 15:32:40 +11:00
8c6b51be3e
Manage apt stuff in its own role, not in etc_custom
Lint / test (push) Waiting to run
Trivy / test (push) Waiting to run
CI / test (push) Has been cancelled
2025-12-28 09:39:14 +11:00
303c1b0dd8
Consolidate logrotate and cron files into their main service/package roles if they exist. Standardise on MAX_FILES_CAP in one place
2025-12-28 09:30:21 +11:00
054a6192d1
Capture more singletons in /etc and avoid apt duplication
Lint / test (push) Waiting to run
Trivy / test (push) Waiting to run
CI / test (push) Has been cancelled
2025-12-27 19:02:22 +11:00
9641637d4d
Add support for an enroll.ini config file to store arguments per subcommand, to avoid having to remember them all for repetitive executions.
Lint / test (push) Waiting to run
Trivy / test (push) Waiting to run
CI / test (push) Has been cancelled
2025-12-20 18:24:46 +11:00
240e79706f
Allow the user to add extra paths to harvest, or paths to ignore, using `--exclude-path` and `--include-path` arguments.
CI / test (push) Successful in 5m31s
Lint / test (push) Successful in 34s
Trivy / test (push) Successful in 19s
2025-12-20 17:47:00 +11:00
4660a0703e
Include files from /usr/local/bin and /usr/local/etc in harvest (assuming they aren't binaries or symlinks) and store in usr_local_custom role, similar to etc_custom.
CI / test (push) Successful in 5m43s
Lint / test (push) Successful in 30s
Trivy / test (push) Successful in 19s
2025-12-18 17:11:04 +11:00
b5d2b99174
Add diff mode
CI / test (push) Successful in 5m14s
Lint / test (push) Successful in 30s
Trivy / test (push) Successful in 23s
2025-12-18 14:59:51 +11:00
a235028f3b
black
CI / test (push) Successful in 5m38s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 21s
2025-12-18 13:34:37 +11:00
62ec8e8b1b
Silence bandit paranoia on certain lines
CI / test (push) Successful in 5m24s
Lint / test (push) Failing after 29s
Trivy / test (push) Successful in 20s
2025-12-17 19:05:07 +11:00
33b1176800
Add --sops mode to encrypt harvest and manifest data at rest (especially useful if using --dangerous)
CI / test (push) Successful in 5m35s
Lint / test (push) Failing after 29s
Trivy / test (push) Successful in 18s
2025-12-17 18:51:40 +11:00
6a36a9d2d5
Remote mode and dangerous flag, other tweaks
* Add remote mode for harvesting a remote machine via a local workstation (no need to install enroll remotely)
  Optionally use `--no-sudo` if you don't want the remote user to have passwordless sudo when conducting the harvest, albeit you'll end up with less useful data (same as if running `enroll harvest` on a machine without sudo)
* Add `--dangerous` flag to capture even sensitive data (use at your own risk!)
* Do a better job at capturing other config files in `/etc/<package>/` even if that package doesn't normally ship or manage those files.
2025-12-17 17:02:16 +11:00
026416d158
Fix tests
CI / test (push) Successful in 5m36s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 21s
2025-12-16 20:48:08 +11:00
f40b9d834d
black and pyflakes3
2025-12-16 20:15:21 +11:00
f255ba566c
biiiiig refactor to support jinjaturtle and multi site mode
2025-12-16 20:14:20 +11:00
e4be7f5975
Rename secrets to ignore as it does more than secrets
CI / test (push) Successful in 5m35s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 17s
2025-12-15 17:03:28 +11:00
4882ddff49
Add custom_etc and users last
CI / test (push) Successful in 5m5s
Lint / test (push) Failing after 28s
Trivy / test (push) Successful in 18s
2025-12-15 16:46:39 +11:00
651549b949
Change message about whether it is a meta package or not
2025-12-15 16:28:10 +11:00
d8fb33f0d0
hmm
CI / test (push) Successful in 4m58s
Lint / test (push) Successful in 29s
Trivy / test (push) Successful in 18s
2025-12-15 13:23:11 +11:00
019f6bf6f3
Attempt fix for unit name
CI / test (push) Failing after 4m44s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 21s
2025-12-15 12:49:50 +11:00
c6f174dd55
fix...
CI / test (push) Failing after 4m43s
Lint / test (push) Successful in 27s
Trivy / test (push) Successful in 21s
2025-12-15 12:34:26 +11:00
ac0c884c39
Another fix for systemd unit file
CI / test (push) Failing after 1m37s
Lint / test (push) Failing after 28s
Trivy / test (push) Successful in 19s
2025-12-15 12:28:21 +11:00
2eecb73a49
Ensure we only try to enable service if the unit file existed
CI / test (push) Failing after 2m0s
Lint / test (push) Successful in 31s
Trivy / test (push) Successful in 18s
2025-12-15 12:18:26 +11:00
4cdc78915f
Changes that make ansible-lint happy. nosec on the subprocess commands
2025-12-15 11:29:08 +11:00