feat(opsi): Add opsi

If we want to override RESTART_POLICY we have to
spell it with an underscore and not as
RESTARTPOLICY.

Also TIMEZONE doesn't really exist anymore, it's
PHP_TZ and that is already covered by vars from
Vault so no need to list it separately.

.gitignore

@@ -0,0 +1 @@
+.idea

README.md

@@ -1,3 +1,52 @@
 # remco-docker-config
 
-Provides remco configs and resources to easily set up Docker and Docker Compose environment files
+Provides [remco](https://github.com/HeavyHorst/remco) configs and resources to easily set up Docker and Docker Compose environment files with HashiCorp Vault secrets
+
+# How to run
+
+## Set environment variables
+
+Set these mandatory variables, fill in real values
+```
+# Largely static
+export REMCO_DOCKER_CONFIG='/path/to/this/dir'
+export VAULT_ADDR='https://127.0.0.1:8200/'
+export VAULT_TOKEN='hvs.BerthaIsDeNigrAtinGtHEiMP'
+
+# Changes per container and context
+export DOCKER_FQDN='containers-3.example.net'
+export DOCKER_GROUP_NAME='grafana'
+export DOCKER_CTX='bi_shenyang'
+export VAULT_KEY='/kv/data/for_rbacgroup_remco/docker/'"${DOCKER_GROUP_NAME}"'/'"${DOCKER_CTX}"
+```
+
+Treat `DOCKER_CTX` ("CTX" as in context) as a team name, purpose or scope. If the same Docker application can run multiple times and serve different tenants then `DOCKER_CTX` is what distinguishes one instance from the other. Here `bi_shenyang` indicates for example a Shenyang-based Business Intelligence team.
+
+## Render config files
+Let `remco` generate an environment file
+```
+remco -config config.toml
+```
+
+Output will look somewhat like this (no change needed):
+```
+[INFO]  set backend nodes: backend=vault nodes=["https://127.0.0.1:8200/"] prefix=remco[671145]
+[DEBUG] retrieving keys: backend=vault key_prefix="\"\"" prefix=remco[671145] resource=grafana
+[DEBUG] compiling source template: prefix=remco[671145] resource=grafana template=/tmp/remco-docker-config/templates.d/grafana/fqdn-context.env
+[DEBUG] comparing staged and dest config files: dest=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[671145] resource=grafana staged=.containers-3.example.net-bi_shenyang.env2016234729
+[DEBUG] target config in sync: config=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[671145] resource=grafana
+[DEBUG] closing client connection: backend=vault prefix=remco[671145] resource=grafana
+```
+
+Or like this (target file does not have correct content):
+```
+[INFO]  set backend nodes: backend=vault nodes=["https://127.0.0.1:8200/"] prefix=remco[675012]
+[DEBUG] retrieving keys: backend=vault key_prefix="\"\"" prefix=remco[675012] resource=grafana
+[DEBUG] compiling source template: prefix=remco[675012] resource=grafana template=/tmp/remco-docker-config/templates.d/grafana/fqdn-context.env
+[DEBUG] comparing staged and dest config files: dest=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[675012] resource=grafana staged=.containers-3.example.net-bi_shenyang.env3921647901
+[INFO]  wrong hashsum: config=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env current=da39a3ee5e6b4b0d3255bfef95601890afd80709 new=97aacc05e6ccad77fec95cc5daa4b3cb7ccd03eb prefix=remco[675012] resource=grafana
+[INFO]  target config out of sync: config=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[675012] resource=grafana
+[DEBUG] overwriting target config: config=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[675012] resource=grafana
+[INFO]  target config has been updated: config=/tmp/remco-docker-config/rendered.d/grafana/containers-3.example.net-bi_shenyang.env prefix=remco[675012] resource=grafana
+[DEBUG] closing client connection: backend=vault prefix=remco[675012] resource=grafana
+```

config.toml

@@ -0,0 +1,19 @@
+log_level = "debug"
+log_format = "text"
+retries = 0
+
+[[resource]]
+name = "${DOCKER_GROUP_NAME}"
+
+[[resource.template]]
+  src = "${REMCO_DOCKER_CONFIG}/templates.d/${DOCKER_GROUP_NAME}/fqdn_context.env"
+  dst = "${REMCO_DOCKER_CONFIG}/rendered.d/${DOCKER_GROUP_NAME}/${DOCKER_FQDN}_${DOCKER_CTX}.env"
+  make_directories = true
+
+  [resource.backend]
+    [resource.backend.vault]
+      node = "${VAULT_ADDR}"
+      auth_type = "token"
+      auth_token = "${VAULT_TOKEN}"
+      onetime = true
+      keys = ["${VAULT_KEY}"]

rendered.d/.gitignore

@@ -0,0 +1,2 @@
+/*
+!.gitignore

templates.d/haproxy/fqdn_context.env

@@ -0,0 +1,10 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always

templates.d/hashicorpvault/fqdn_context.env

@@ -0,0 +1,11 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always
+# TIMEZONE=Etc/UTC

templates.d/nginx/fqdn_context.env

@@ -0,0 +1,11 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always
+# TIMEZONE=Etc/UTC

templates.d/nginx_rtmp/fqdn_context.env

@@ -0,0 +1,16 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# ALPINE_VERSION=latest
+# EXTERNAL_CONTAINER_PORT=1935
+# INTERNAL_CONTAINER_PORT=1935
+# NGINX_RTMP_GIT_URL=https://github.com/arut/nginx-rtmp-module
+# NGINX_RTMP_GIT_NAME=nginx-rtmp-module
+# RESTARTPOLICY=unless-stopped
+# TIMEZONE=Etc/UTC

templates.d/openldap/fqdn_context.env

@@ -0,0 +1,18 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# For logging details and setup instructions you may want to
+# check https://www.openldap.org/doc/admin26/slapdconfig.html
+#
+# Stats log connections/operations/results (this is the default):
+# LDAP_LOGLEVEL=256
+# Or enable all log levels:
+# LDAP_LOGLEVEL=-1
+
+# Other available defaults
+# A_RESTART_POLICY=unless-stopped

templates.d/opsi/fqdn_context.env

@@ -0,0 +1,10 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always

templates.d/paperless_ngx/fqdn_context.env

@@ -0,0 +1,15 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# USERMAP_UID=1000
+# USERMAP_GID=1000
+# PAPERLESS_FORCE_SCRIPT_NAME=/PATHPREFIX
+# PAPERLESS_STATIC_URL=/PATHPREFIX/static/ # trailing slash required
+# RESTARTPOLICY=unless-stopped
+# TIMEZONE=Etc/UTC

templates.d/rundeck/fqdn_context.env

@@ -0,0 +1,21 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always
+#
+# Defaults to "warn"
+# Can be for example debug, info, warn, error
+# RUNDECK_LOGGING_LOGLEVEL_DEFAULT=debug
+# RUNDECK_LOGGING_LOGLEVEL_ROOT=debug
+# RUNDECK_LOGGING_LOGLEVEL_HIBERNATE=debug
+# RUNDECK_LOGGING_LOGLEVEL_SPRING=debug
+# RUNDECK_LOGGING_LOGLEVEL_SPRINGBEAN=debug
+# RUNDECK_LOGGING_LOGLEVEL_INTERNALS=debug
+# RUNDECK_LOGGING_LOGLEVEL_GRAILS=debug
+# RUNDECK_LOGGING_LOGLEVEL_JETTY=debug

templates.d/signal_cli_rest_api/fqdn_context.env

@@ -0,0 +1,13 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+# Only when MODE is not "json-rpc":
+# AUTO_RECEIVE_SCHEDULE=0 22 * * *
+
+# Other available defaults
+# RESTARTPOLICY=unless-stopped
+# TIMEZONE=Etc/UTC

templates.d/snipeit/fqdn_context.env

@@ -0,0 +1,13 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+# Set to true when needed for temporary debugging
+APP_DEBUG=false
+
+# Other available defaults
+# RESTARTPOLICY=unless-stopped
+# TIMEZONE=Etc/UTC

templates.d/traccar/fqdn_context.env

@@ -0,0 +1,11 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# Other available defaults
+# RESTARTPOLICY=always
+# TIMEZONE=Etc/UTC

templates.d/tt-rss/fqdn_context.env

@@ -0,0 +1,34 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# RESTARTPOLICY=always
+
+# Other available defaults from https://tt-rss.org/wiki/InstallationNotes/:
+
+# Run FPM under this UID/GID.
+# OWNER_UID=1000
+# OWNER_GID=1000
+
+# FPM settings.
+# PHP_WORKER_MAX_CHILDREN=5
+# PHP_WORKER_MEMORY_LIMIT=256M
+
+# Auto create another user (in addition to built-in admin) unless it already exists.
+# *_USER_ACCESS_LEVEL:
+# -2 - forbidden to login
+# -1 - readonly
+#  0 - default user
+# 10 - admin
+# AUTO_CREATE_USER=
+# AUTO_CREATE_USER_PASS=
+# AUTO_CREATE_USER_ACCESS_LEVEL=0
+
+# Other config.php defines
+# TTRSS_PLUGINS=auth_internal,auth_remote
+# TTRSS_SESSION_COOKIE_LIFETIME=2592000
+# TTRSS_FORCE_ARTICLE_PURGE=30

templates.d/zabbixserver/fqdn_context.env

@@ -0,0 +1,10 @@
+{% set VAULT_KEY = getenv("VAULT_KEY") %}
+# This file is maintained by remco and populated with data from HashiCorp
+# Vault. Changes not done in Vault will be reverted when file gets rendered.
+
+{% for key in ls(VAULT_KEY|add:"/data") %}
+{{key}}={{ getv(VAULT_KEY|add:"/data/"|add:key) }}
+{% endfor %}
+
+# When needed for temporary debugging
+# ZBX_DEBUGLEVEL=4