Update enroll harvest

Miguel Jacq 2025-12-17 22:34:32 -06:00
parent ca2a278241
commit 06572f140e

@ -1,6 +1,6 @@
# enroll harvest # enroll harvest
Harvest system/service/package/config/user state from a Debian host into a “harvest bundle” (`state.json` plus harvested file artifacts). Harvest system/service/package/config/user state from a Debian host into a "harvest bundle" (`state.json` plus harvested file artifacts).
--- ---
@ -44,16 +44,16 @@ Behavior depends on whether youre in **plain** or **SOPS** mode:
- **SOPS mode (`--sops ...`)** - **SOPS mode (`--sops ...`)**
- `--out` may be: - `--out` may be:
- a **directory** the file `harvest.tar.gz.sops` is created inside it - a **directory** - the file `harvest.tar.gz.sops` is created inside it
- a **file path** that exact file is written - a **file path** - that exact file is written
- If omitted, `enroll` writes into a secure per-user cache dir (see below). - If omitted, `enroll` writes into a secure per-user cache dir (see below).
### `--dangerous` ### `--dangerous`
Harvest files more aggressively. Harvest files more aggressively.
This disables the built-in “likely secret” safety checks, including: This disables the built-in "likely secret" safety checks, including:
- denylisted paths (e.g. `/etc/shadow`, `/etc/ssl/private/*`, `/etc/ssh/ssh_host_*`, `/etc/letsencrypt/*`) - denylisted paths (e.g. `/etc/shadow`, `/etc/ssl/private/*`, `/etc/ssh/ssh_host_*`, `/etc/letsencrypt/*`)
- heuristic content scanning for common secret patterns (private keys, “password=”, “token”, “secret”, etc.) - heuristic content scanning for common secret patterns (`PRIVATE KEY`, "password=", "token", "secret", etc.)
- some other conservative skipping logic - some other conservative skipping logic
**Use with care**, especially in plaintext mode. **Use with care**, especially in plaintext mode.
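Review bot: the quoting in the heuristic-scanning bullet is now mixed (`PRIVATE KEY` in backticks, "password=", "token" and "secret" in straight quotes); pick one style for all four so the reader does not infer that backticked items are matched differently from quoted ones. The last bullet, "some other conservative skipping logic", still leaves the reader unable to tell what `--dangerous` actually disables; since the Runtime notes section already names the symlink, "binary-like" and size-cap checks that `--dangerous` relaxes, listing those here (and any remaining checks) would make the "Use with care" warning concrete, which matters most in plaintext mode where bypassed denylist paths such as `/etc/shadow` end up unencrypted in the bundle.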
@ -83,7 +83,7 @@ SSH port. Default is `22`.
#### `--no-sudo` #### `--no-sudo`
Dont use sudo on the remote host. Dont use sudo on the remote host.
This may cause a **partial harvest** (missing files/metadata) if the SSH user cant read everything. This may cause a **partial harvest** (missing files/metadata) if the SSH user can't read everything.
--- ---
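Review bot: this hunk normalizes "can't" on the partial-harvest line but leaves "Dont" on the line just above it without an apostrophe; apply the same fix ("Don't use sudo on the remote host.") so the two lines are consistent with the rest of this commit's quote cleanup.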
@ -108,14 +108,14 @@ Each run gets a timestamped directory with an unpredictable suffix, e.g.
## Runtime notes / expectations ## Runtime notes / expectations
- **Root recommended:** If not running as root (or remote sudo is disabled), `enroll` may miss files or correct ownership/mode metadata. - **Root recommended:** If not running as root (or remote sudo is disabled), `enroll` may miss files or correct ownership/mode metadata.
- **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, “binary-like”, or above a size cap (unless you use `--dangerous`, which relaxes some checks). - **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, "binary-like", or above a size cap (unless you use `--dangerous`, which relaxes some checks).
- **Output is deterministic-enough to diff:** The bundle is designed so comparing two harvests is meaningful (via `enroll diff`). - **Output is deterministic-enough to diff:** The bundle is designed so comparing two harvests is meaningful (via `enroll diff`).
--- ---
## Permutations (valid combinations) ## Permutations (valid combinations)
Below are the common “flag permutations” youll typically use. Below are the common "flag permutations" youll typically use.
### Local harvest, plaintext (safe) ### Local harvest, plaintext (safe)
```bash ```bash
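Review bot: "youll" in the Permutations intro is still missing its apostrophe on the new side ("you'll"), the same normalization this commit applies to "can't" in the `--no-sudo` section. The Root recommended bullet also reads ambiguously: "may miss files or correct ownership/mode metadata" can be parsed as "may correct ownership metadata"; suggest "may miss files or fail to record correct ownership/mode metadata" so the degraded-metadata outcome of a non-root harvest is unmistakable.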