Enroll inspects a Debian-like or RedHat-like Linux machine, harvests the state that matters, and generates Ansible roles and playbooks from the captured bundle.
enroll harvest --out ./harvestenroll manifest --harvest ./harvest --out ./ansibleansible-galaxy collection install -r ./ansible/requirements.yml./ansible → playbook.yml, roles/, requirements.yml ./ansible + --fqdn → playbooks/<fqdn>.yml + inventory/host_vars/...
--target puppet or --target salt are from an experimental branch and no longer match the CLI.Enroll is built around a small pipeline: capture first, render later, validate before you trust the output.
--dangerous.--fqdn mode.--no-common-roles to keep one generated role per package or unit.--fqdn moves host-specific state into Ansible inventory and implies --no-common-roles.--sops stores harvests and generated manifests as encrypted tarballs for safer at-rest storage.Start with a local safe-mode harvest, inspect the generated output, then run Ansible when you are ready.
$ enroll harvest --out /tmp/enroll-harvest
$ enroll validate /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible
$ cd /tmp/enroll-ansible
$ ansible-galaxy collection install -r requirements.yml
$ ansible-playbook -i "localhost," -c local playbook.yml --check$ enroll harvest \
--remote-host host.example.net \
--remote-user admin \
--remote-ssh-config ~/.ssh/config \
--out /tmp/enroll-harvest
$ enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible --fqdn host.example.net$ enroll harvest --out /srv/enroll/baseline
$ enroll harvest --out /srv/enroll/current
$ enroll diff --old /srv/enroll/baseline --new /srv/enroll/current --format markdown --ignore-package-versionsManual packages, service-linked packages, systemd enable/running state, and service-relevant changed or custom config.
Changed package conffiles, unowned service files, miscellaneous /etc, APT/DNF/YUM config, selected symlinks, and explicit include paths.
Non-system users, SSH public keys, Flatpak/Snap state, Docker/Podman images, writable sysctls, and fallback iptables/ipset state when persistent files are absent.
Enroll avoids obvious secrets by default, validates harvest structure, freezes directory bundles into private temp trees before manifesting, rejects unknown SSH host keys, and warns when a root PATH looks unsafe.
It cannot prove that a structurally valid harvest is semantically safe. Only apply manifests generated from harvests whose provenance you trust.
--dangerous only when you intentionally want to bypass likely-secret checks. Pair it with --sops or another appropriate at-rest encryption workflow whenever there is any doubt.