From 651549b9492464114834672f70a396915785b31a Mon Sep 17 00:00:00 2001 From: Miguel Jacq Date: Mon, 15 Dec 2025 16:28:10 +1100 Subject: [PATCH 1/2] Change message about whether it is a meta package or not --- enroll/harvest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enroll/harvest.py b/enroll/harvest.py index 306d8af..c07c0ca 100644 --- a/enroll/harvest.py +++ b/enroll/harvest.py @@ -488,7 +488,7 @@ def harvest(bundle_dir: str, policy: Optional[SecretPolicy] = None) -> str: if not pkg_to_etc_paths.get(pkg, []) and not managed: notes.append( - "No /etc files detected for this package (may be a meta package)." + "No /etc files detected for this package." ) pkg_snaps.append( From 4882ddff49ae68bb0138bf46b9e76329588f01b9 Mon Sep 17 00:00:00 2001 From: Miguel Jacq Date: Mon, 15 Dec 2025 16:46:39 +1100 Subject: [PATCH 2/2] Add custom_etc and users last --- enroll/harvest.py | 2 +- enroll/manifest.py | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/enroll/harvest.py b/enroll/harvest.py index c07c0ca..62f130c 100644 --- a/enroll/harvest.py +++ b/enroll/harvest.py @@ -392,7 +392,7 @@ def harvest(bundle_dir: str, policy: Optional[SecretPolicy] = None) -> str: ) # ------------------------- - # Manual package roles + # Manually installed package roles # ------------------------- manual_pkgs = list_manual_packages() # Avoid duplicate roles: if a manual package is already managed by any service role, skip its pkg_ role. diff --git a/enroll/manifest.py b/enroll/manifest.py index 9f7aea6..b92f59c 100644 --- a/enroll/manifest.py +++ b/enroll/manifest.py @@ -149,7 +149,7 @@ users_accounts: lines.append(f" group: {u.get('primary_group')}") lines.append(" mode: '0700'") - # Copy harvested SSH public material (authorized_keys + *.pub) + # Copy harvested SSH public material (authorized_keys) for mf in managed_files: dest = mf["path"] src = mf["src_rel"] 
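Review bot: The comment changed in the `@@ -149,7 +149,7 @@` hunk of enroll/manifest.py now promises that only `authorized_keys` is copied, but the visible loop header `for mf in managed_files:` iterates every harvested entry, and nothing in this patch narrows that list on the harvest side. The loop body continues outside the hunk, so a filter may already exist there. If it does not, the comment and the behaviour can drift apart, which matters because these files are presumably written under each user's SSH directory (the preceding context sets mode `'0700'`). I would either name where the guarantee comes from, e.g. `# Copy harvested SSH public material (authorized_keys only; restricted at harvest time)`, or skip any entry whose basename is not `authorized_keys` inside the loop.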
@@ -225,7 +225,7 @@ Generated non-system user accounts and SSH public material. manifested_users_roles.append(role) - # ------------------------- + # ------------------------- # etc_custom role (unowned /etc not already attributed) # ------------------------- if etc_custom_snapshot and etc_custom_snapshot.get("managed_files"): @@ -439,7 +439,7 @@ Generated from `{unit}`. manifested_service_roles.append(role) # ------------------------- - # Manual package roles + # Manually installed package roles # ------------------------- for pr in package_roles: role = pr["role_name"] @@ -490,7 +490,7 @@ Generated from `{unit}`. task_parts: List[str] = [] task_parts.append( f"""--- -- name: Install manual package {pkg} +- name: Install package {pkg} ansible.builtin.apt: name: "{{{{ {var_prefix}_packages }}}}" state: present @@ -525,7 +525,7 @@ Generated from `{unit}`. notes = pr.get("notes", []) readme = f"""# {role} -Generated for manual package `{pkg}`. +Generated for package `{pkg}`. ## Managed files {os.linesep.join("- " + mf["path"] + " (" + mf["reason"] + ")" for mf in managed_files) or "- (none)"} @@ -536,7 +536,7 @@ Generated for manual package `{pkg}`. ## Notes {os.linesep.join("- " + n for n in notes) or "- (none)"} -> Note: package roles do not attempt to restart or enable services automatically. +> Note: package roles (those not discovered via a systemd service) do not attempt to restart or enable services automatically. """ with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: f.write(readme) @@ -546,8 +546,8 @@ Generated for manual package `{pkg}`. # Playbooks _write_playbook( os.path.join(out_dir, "playbook.yml"), - manifested_users_roles + manifested_pkg_roles + + manifested_service_roles + manifested_etc_custom_roles - + manifested_pkg_roles - + manifested_service_roles, + + manifested_users_roles, )
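Review bot: The new role order in the `_write_playbook(...)` call of the `@@ -546,8 +546,8 @@` hunk is load-bearing, but nothing in the code says why. Package roles now run first, then service roles, then etc_custom, and the users role (accounts and SSH public material) runs last; the commit subject states that order but not the reason, so a later refactor could reshuffle the operands unnoticed. I would add a comment above the first operand, e.g. `# Order matters: packages, services, etc_custom, then users last (reason: <author's rationale>)`. If the reason is that user accounts depend on groups or shells created by packages, which is my assumption and not shown here, the comment should say so. A small test asserting the role sequence passed to `_write_playbook` would keep the order from regressing.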