Examples

Copy/paste recipes

Practical flows you can adapt to your environment.

Enroll a single host (local)
$ enroll harvest --out /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible
$ ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml

Great for "make this box reproducible" or building a golden role set.

Enroll a remote host (over SSH)
$ enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible

No need to manually run commands on the server - your bundle lands locally.

Fleets: multi-site output
$ fqdn="$(hostname -f)"
$ enroll single-shot --remote-host "$fqdn" --remote-user myuser \
  --out /tmp/enroll-ansible --fqdn "$fqdn"
$ ansible-playbook /tmp/enroll-ansible/playbooks/"$fqdn".yml

Shared roles + host inventory keeps one host's differences from breaking another.

Drift detection with enroll diff
$ enroll diff --old /path/to/harvestA --new /path/to/harvestB --format markdown
$ enroll diff --old /path/to/golden --new /path/to/current \
  --webhook https://example.net/webhook \
  --webhook-format json \
  --webhook-header 'X-Enroll-Secret: ...' \
  --exit-code

Use it in cron or CI to alert on change.
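
On the receiving end of --webhook, the value sent with --webhook-header is the only thing that authenticates a delivery, so check it before parsing the body. The receiver below is an added example, not part of Enroll; the ENROLL_WEBHOOK_SECRET variable, port 8080, the 1 MiB limit and the function names are assumptions, and the JSON report is treated as opaque because its schema is not described here.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # assumption: 1 MiB is ample for a diff report


def verify_delivery(headers, body, secret):
    """Return (http_status, report_or_None) for one webhook delivery."""
    # Header names are case-insensitive, so normalise before the lookup.
    sent = {k.lower(): v for k, v in headers.items()}.get("x-enroll-secret")
    if not secret or sent is None:
        return 401, None  # fail closed if either side has no secret
    # Constant-time compare so response timing does not leak the secret.
    if not hmac.compare_digest(sent.strip().encode(), secret.encode()):
        return 403, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        report = json.loads(body)
    except ValueError:  # covers bad JSON and undecodable bytes
        return 400, None
    # The report schema is not described on this page: treat it as opaque.
    return 200, report


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if 0 <= length <= MAX_BODY:
            status, report = verify_delivery(
                self.headers, self.rfile.read(length),
                os.environ.get("ENROLL_WEBHOOK_SECRET", ""))  # hypothetical name
        else:
            status, report = 413, None
        if report is not None:
            print("drift report accepted:", json.dumps(report)[:200])
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only; put a TLS-terminating reverse proxy in front of it.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Keep the same secret out of shell history and crontab files on the sending side, for example by reading it from a root-only file when building the --webhook-header argument.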


Safe harvesting (default)

Enroll tries to avoid likely secrets. If you need to capture "everything", treat the output as sensitive and plan secure storage.

$ enroll harvest --out /tmp/enroll-harvest
$ enroll harvest --out /tmp/enroll-harvest --include-path '/home/*/.bashrc'

Encrypt bundles at rest (SOPS)

Produce a single encrypted file for harvest and/or manifest output.

$ enroll harvest --out /tmp/enroll-harvest --sops <FINGERPRINT>
$ enroll manifest --harvest /tmp/enroll-harvest/harvest.tar.gz.sops \
  --out /tmp/enroll-ansible --sops <FINGERPRINT>