1.9 KiB
1.9 KiB
Enroll
enroll inspects a Linux machine (currently Debian-only) and generates Ansible roles for things it finds running on the machine.
It aims to be optimistic and noninteractive:
- Detects packages that have been installed
- Detects Debian package ownership of
/etcfiles using dpkg’s local database. - Captures config that has changed from packaged defaults (dpkg conffile hashes + package md5sums when available).
- Also captures service-relevant custom/unowned files under
/etc/<service>/...(e.g. drop-in config includes). - Defensively excludes likely secrets (path denylist + content sniff + size caps).
- Captures non-system users that exist on the system, and their SSH public keys
Install (Poetry)
poetry install
poetry run enroll --help
Usage
On the host (root recommended):
1. Generate a bundle of state/information about the host
sudo poetry run enroll harvest --out /tmp/enroll-bundle
2. Generate Ansible manifests (roles/playbook) from that bundle
sudo poetry run enroll manifest --bundle /tmp/enroll-bundle --out /tmp/enroll-ansible
Alternatively, do both steps in one shot:
sudo poetry run enroll export --bundle /tmp/enroll-bundle --out /tmp/enroll-ansible
Then run:
ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml
Notes / Safety
- enroll skips common sensitive locations like
/etc/ssl/private/*,/etc/ssh/ssh_host_*, and files that look like private keys/tokens. - It also skips symlinks, binary-ish files, and large files by default.
- Review each generated role’s README before committing it anywhere.
- It only stores the raw config files. If you want to turn these into Jinja2 templates with dynamic inventory, see my other tool https://git.mig5.net/mig5/jinjaturtle .
Troubleshooting
- Run as root for the most complete harvest (
sudo ...).