A tool to detect what exists on a system and generate Ansible configuration of it

Enroll

enroll inspects a Linux machine (currently Debian-only) and generates Ansible roles for things it finds running on the machine.

It aims to be optimistic and noninteractive:

  • Detects packages that have been installed
  • Detects Debian package ownership of /etc files using dpkg's local database.
  • Captures config that has changed from packaged defaults (dpkg conffile hashes + package md5sums when available).
  • Also captures service-relevant custom/unowned files under /etc/<service>/... (e.g. drop-in config includes).
  • Defensively excludes likely secrets (path denylist + content sniff + size caps).
  • Captures non-system users that exist on the system, and their SSH public keys
  • Captures miscellaneous /etc files that it can't attribute to a package, and installs them in an etc_custom role
  • Avoids trying to start systemd services that were detected as being inactive during harvest

Install

AppImage

Download the AppImage file from the Releases page (verify with GPG if you wish, my fingerprint is here), then make it executable and run it:

chmod +x Enroll.AppImage
./Enroll.AppImage

Pip

pip install enroll

Poetry

Clone this repository with git, then:

poetry install
poetry run enroll --help

Usage

On the host (root recommended to harvest as much data as possible):

1. Harvest state/information about the host

enroll harvest --out /tmp/enroll-harvest

2. Generate Ansible manifests (roles/playbook) from that harvest

enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible

Alternatively, do both steps in one shot:

enroll enroll --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible

Then run:

ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml

Notes / Safety

  • enroll skips common sensitive locations like /etc/ssl/private/*, /etc/ssh/ssh_host_*, and files that look like private keys/tokens.
  • It also skips symlinks, binary-ish files, and large files by default.
  • Review each generated role's README before committing it anywhere.
  • It only stores the raw config files. If you want to turn these into Jinja2 templates with dynamic inventory, see my other tool https://git.mig5.net/mig5/jinjaturtle .
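
The exclusions listed above (path denylist, symlink and binary checks, size cap, content sniff), sketched as an added example. This is not enroll's own code: the regular expression, the 256 KiB cap and the names skip_reason and demo are assumptions made for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumed values for illustration; enroll's real denylist, patterns and cap may differ.
DENY_GLOBS = ["/etc/ssl/private/*", "/etc/ssh/ssh_host_*"]
SECRET_RE = re.compile(
    rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----"
    rb"|(?i:\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+)"
)
MAX_BYTES = 256 * 1024


def skip_reason(path, logical_path=None):
    """Return why a file is left out of a harvest, or None to keep it."""
    path = Path(path)
    # logical_path: where the file lives on the host, if it was staged elsewhere
    if any(fnmatch.fnmatch(str(logical_path or path), g) for g in DENY_GLOBS):
        return "denied path"
    if path.is_symlink():  # do not follow links out of the harvested tree
        return "symlink"
    if not path.is_file():
        return "not a regular file"
    if path.stat().st_size > MAX_BYTES:
        return "too large"
    data = path.read_bytes()
    if b"\x00" in data:  # NUL byte: treat as binary-ish
        return "binary"
    if SECRET_RE.search(data):
        return "looks like a secret"
    return None


def demo():
    """Classify constructed sample files (not real host data)."""
    samples = {
        "ntp.conf": b"server 0.debian.pool.ntp.org iburst\n",
        "app.ini": b"[db]\npassword = example-only\n",
        "id_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n",
        "blob.db": b"\x00\x01\x02",
        "big.log": b"x" * (MAX_BYTES + 1),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            (Path(d) / name).write_bytes(body)
        (Path(d) / "link").symlink_to(Path(d) / "ntp.conf")
        return {p.name: skip_reason(p) for p in Path(d).iterdir()}
```

Calling demo() returns one verdict per constructed file. The same function can be pointed at a harvest directory as a second check before the output is committed.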

Troubleshooting

  • Run as root for the most complete harvest (sudo ...).

Found a bug, have a suggestion?

You can e-mail me (see the pyproject.toml for details) or contact me on the Fediverse:

https://goto.mig5.net/@mig5