mig5/enroll
1
0
Fork 0
Code Issues Pull requests Projects Releases 3 Packages Wiki Activity Actions 6
A tool to detect what exists on a system and generate Ansible configuration of it
11 commits 1 branch 3 tags 450 KiB
Find a file
Miguel Jacq 809f21dd35
Some checks failed
CI / test (push) Failing after 1m55s
Details
Trivy / test (push) Has been cancelled
Details
Lint / test (push) Successful in 30s
Details
CHANGELOG is markdown
2025-12-15 11:58:23 +11:00
.forgejo/workflows Needs systemctl 2025-12-15 11:53:26 +11:00
enroll Changes that make ansible-lint happy. nosec on the subprocess commands 2025-12-15 11:29:08 +11:00
tests Many tweaks 2025-12-15 11:04:54 +11:00
.gitignore Initial commit 2025-12-14 20:53:22 +11:00
CHANGELOG.md CHANGELOG is markdown 2025-12-15 11:58:23 +11:00
enroll.svg Add logo, add AppImage 2025-12-15 11:48:09 +11:00
LICENSE Initial commit 2025-12-14 20:53:22 +11:00
poetry.lock Add logo, add AppImage 2025-12-15 11:48:09 +11:00
pyproject.toml Add logo, add AppImage 2025-12-15 11:48:09 +11:00
README.md Update README.md 2025-12-15 11:56:38 +11:00
release.sh Add logo, add AppImage 2025-12-15 11:48:09 +11:00
tests.sh Remove sudo in tests 2025-12-15 11:57:33 +11:00

README.md

Enroll

Enroll logo

enroll inspects a Linux machine (currently Debian-only) and generates Ansible roles for things it finds running on the machine.

It aims to be optimistic and noninteractive:

  • Detects packages that have been installed
  • Detects Debian package ownership of /etc files using dpkgs local database.
  • Captures config that has changed from packaged defaults (dpkg conffile hashes + package md5sums when available).
  • Also captures service-relevant custom/unowned files under /etc/<service>/... (e.g. drop-in config includes).
  • Defensively excludes likely secrets (path denylist + content sniff + size caps).
  • Captures non-system users that exist on the system, and their SSH public keys
  • Captures miscellaneous /etc files that it can't attribute to a package, and installs it in an etc_custom role
  • Avoids trying to start systemd services that were detected as being Inactive during harvest

Install

AppImage

Download the AppImage file from the Releases page (verify with GPG if you wish, my fingerprint is here, then make it executable and run it:

chmod +x Enroll.AppImage
./Enroll.AppImage

Pip

pip install enroll

Poetry

Clone this repository with git, then:

poetry install
poetry run enroll --help

Usage

On the host (root recommended to harvest as much data as possible):

1. Harvest state/information about the host

enroll harvest --out /tmp/enroll-harvest

2. Generate Ansible manifests (roles/playbook) from that harvest

enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible

Alternatively, do both steps in one shot:

enroll enroll --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible

Then run:

ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml

Notes / Safety

  • enroll skips common sensitive locations like /etc/ssl/private/*, /etc/ssh/ssh_host_*, and files that look like private keys/tokens.
  • It also skips symlinks, binary-ish files, and large files by default.
  • Review each generated roles README before committing it anywhere.
  • It only stores the raw config files. If you want to turn these into Jinja2 templates with dynamic inventory, see my other tool https://git.mig5.net/mig5/jinjaturtle .

Troubleshooting

  • Run as root for the most complete harvest (sudo ...).

Found a bug, have a suggestion?

You can e-mail me (see the pyproject.toml for details) or contact me on the Fediverse:

https://goto.mig5.net/@mig5