diff --git a/enroll-harvest.md b/enroll-harvest.md index fb247b6..3197d9d 100644 --- a/enroll-harvest.md +++ b/enroll-harvest.md @@ -1,6 +1,6 @@ # enroll harvest -Harvest system/service/package/config/user state from a Debian host into a “harvest bundle” (`state.json` plus harvested file artifacts). +Harvest system/service/package/config/user state from a Debian host into a "harvest bundle" (`state.json` plus harvested file artifacts). --- @@ -44,16 +44,16 @@ Behavior depends on whether you’re in **plain** or **SOPS** mode: - **SOPS mode (`--sops ...`)** - `--out` may be: - - a **directory** → the file `harvest.tar.gz.sops` is created inside it - - a **file path** → that exact file is written + - a **directory** - the file `harvest.tar.gz.sops` is created inside it + - a **file path** - that exact file is written - If omitted, `enroll` writes into a secure per-user cache dir (see below). ### `--dangerous` Harvest files more aggressively. -This disables the built-in “likely secret” safety checks, including: +This disables the built-in "likely secret" safety checks, including: - denylisted paths (e.g. `/etc/shadow`, `/etc/ssl/private/*`, `/etc/ssh/ssh_host_*`, `/etc/letsencrypt/*`) -- heuristic content scanning for common secret patterns (private keys, “password=”, “token”, “secret”, etc.) +- heuristic content scanning for common secret patterns (`PRIVATE KEY`, "password=", "token", "secret", etc.) - some other conservative skipping logic **Use with care**, especially in plaintext mode. @@ -83,7 +83,7 @@ SSH port. Default is `22`. #### `--no-sudo` Don’t use sudo on the remote host. -This may cause a **partial harvest** (missing files/metadata) if the SSH user can’t read everything. +This may cause a **partial harvest** (missing files/metadata) if the SSH user can't read everything. --- 
@@ -108,14 +108,14 @@ Each run gets a timestamped directory with an unpredictable suffix, e.g. ## Runtime notes / expectations - **Root recommended:** If not running as root (or remote sudo is disabled), `enroll` may miss files or correct ownership/mode metadata. -- **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, “binary-like”, or above a size cap (unless you use `--dangerous`, which relaxes some checks). +- **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, "binary-like", or above a size cap (unless you use `--dangerous`, which relaxes some checks). - **Output is deterministic-enough to diff:** The bundle is designed so comparing two harvests is meaningful (via `enroll diff`). --- ## Permutations (valid combinations) -Below are the common “flag permutations” you’ll typically use. +Below are the common "flag permutations" you’ll typically use. ### Local harvest, plaintext (safe) ```bash
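Review bot: in the `--dangerous` hunk (`@@ -44,16 +44,16 @@`), the secret-pattern list now mixes a backtick literal (`PRIVATE KEY`) with quoted strings ("password=", "token", "secret"), which reads as two different kinds of thing; pick one convention and state whether these are literal substrings the content scanner matches (and whether matching is case-sensitive), so a reader knows what the heuristic will and will not flag before trusting it in plaintext mode. The `→` to ` - ` change is fine, but the unchanged context line `Behavior depends on whether you’re in **plain** or **SOPS** mode:` still carries a curly apostrophe, so the quote normalization in this hunk is incomplete.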
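Review bot: the normalization in the `--no-sudo` hunk (`@@ -83,7 +83,7 @@`) stops one line short: the changed line now reads `can't`, while the unchanged line directly above it, `Don’t use sudo on the remote host.`, keeps its curly apostrophe. Either include that line in the change or run the replacement over the whole file, so the rendered page does not show both styles in adjacent sentences.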
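Review bot: the added line in the Permutations hunk (`@@ -108,14 +108,14 @@`) is only half-normalized: `+Below are the common "flag permutations" you’ll typically use.` swaps the curly double quotes for straight ones but leaves the curly apostrophe in `you’ll`. Suggest `you'll` here, and a single mechanical pass for the remaining `’`, `“` and `”` characters in the file so later commits do not have to touch these lines again.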