[[- /*
# vim: syntax=hcl

# Renders an HCL template block that writes the job's environment variables to
# secrets/.env. Nothing is rendered when the env map has no keys, which also
# means the proxy variables further down are skipped in that case.
#
# Two template passes are involved: the square-bracket actions in this file are
# evaluated first; the curly-brace actions they emit are left as literal text
# for whatever renders the resulting template block later (presumably a Nomad
# task template with Vault access - confirm).

# Note: for compatibility, we take env either from .env (when passing the whole context to the template)
# or from . (when only .env is passed as context)
# NOTE(review): in the second mode the root context is the env map itself, so
# .proxy and $.vault.kv.path are looked up among the env entries. A vault entry
# without its own "path" then presumably has no default path to fall back on.
#
# Value shapes handled per env entry:
#   - string, number or bool: emitted verbatim as KEY=value, with no quoting or
#     escaping. A value containing a newline, curly-brace template syntax or
#     the heredoc terminator changes the structure of the rendered file, so the
#     env input has to be trusted job configuration - TODO confirm no caller
#     feeds user-controlled values here.
#   - map with source == "vault": emitted as a second-pass secret lookup.
#   - anything else (lists, maps without source == "vault"): silently skipped.
*/ -]]

[[- $env := dict ]]
[[- if and (has . "env") (isKind "map" .env) ]]
[[- $env = .env ]]
[[- else ]]
[[- $env = . ]]
[[- end -]]

[[- if gt (keys $env | len) 0 ]]

# Use a template block instead of env {} so we can fetch values from vault
template {
  data = <<_EOT
[[- range $k, $v := $env ]]
[[- if or (isKind "string" $v) (isKind "number" $v) (isKind "bool" $v) ]]
[[ $k ]]=[[ $v ]]
[[- else if isKind "map" $v ]]
[[- if and (has $v "source") (eq $v.source "vault") ]]
[[- /*
  The secret path is the entry's own "path" when set, otherwise the root
  context's vault.kv.path. The entry's "key" is pasted as a raw expression into
  the second-pass action and its presence is not checked here.
  NOTE(review): the secret value lands unquoted in the env file. Values holding
  newlines, quotes or backslashes may not survive env-file parsing; consider a
  JSON-encoding filter in the second pass if the renderer provides one.
*/]]
[[ $k ]]={{ with secret "[[ if has $v "path" ]][[ $v.path ]][[ else ]][[ $.vault.kv.path ]][[ end ]]" }}{{ [[ $v.key ]] }}{{ end }}
[[- end ]]
[[- end ]]
[[- end ]]
[[- /*
  Proxy defaults: each variable is added only when the env map does not already
  define it, so an explicit env entry always wins over .proxy.address.
*/]]
[[- if and (has . "proxy") .proxy.enabled ]]
[[- if not (has $env "HTTP_PROXY") ]]
HTTP_PROXY=[[ .proxy.address ]]
[[- end ]]
[[- if not (has $env "HTTPS_PROXY") ]]
HTTPS_PROXY=[[ .proxy.address ]]
[[- end ]]
[[- if and (has .proxy "no_proxy") (not (has $env "NO_PROXY")) ]]
NO_PROXY=[[ join .proxy.no_proxy "," ]]
[[- end ]]
[[- end ]]
_EOT
[[- /*
  NOTE(review): perms is a bare number; confirm the consumer reads it as file
  mode 0400 (owner read-only) rather than decimal 400.
  env = true presumably loads the rendered file into the task environment, so
  each secret is then visible wherever the process environment is (child
  processes, /proc, crash dumps) - confirm that is acceptable per secret.
*/]]
  destination = "secrets/.env"
  perms = 400
  env = true
}
[[- end ]]