bitcoinmatex / vault-to-config
Nette CLI app: renders a Latte configuration template using secrets from HashiCorp Vault and generates NEON for deployment.
Package info
github.com/Bitcoinmatex/vault-to-config
Type: project
pkg:composer/bitcoinmatex/vault-to-config
Requires
- php: >=8.1
- ext-json: *
- latte/latte: ^3.0
- nette/bootstrap: ^3.2
- nette/neon: ^3.4
- nette/robot-loader: ^4.0
- symfony/console: ^6.4
- symfony/http-client: ^6.4
- tracy/tracy: ^2.10
Requires (Dev)
- nette/tester: ^2.4
- phpstan/extension-installer: ^1.4
- phpstan/phpstan: ^2.0.4
- phpstan/phpstan-nette: ^2.0
- slevomat/coding-standard: ^8.16
- squizlabs/php_codesniffer: ^3.11
- symfony/thanks: ^1
This package is not auto-updated.
Last update: 2026-06-13 11:06:25 UTC
README
A CLI tool (a classic Nette application: Bootstrap + DI container, Latte, Symfony Console) that:
- reads secrets from HashiCorp Vault based on the environment (HTTP API, KV v1/v2),
- injects them as variables into a Latte template,
- validates the output as NEON and writes e.g. `local.neon` for deploying any Nette application.
Download
```bash
composer create-project bitcoinmatex/vault-to-config
cd vault-to-config
./install.sh
```
Usage
```bash
export VAULT_TOKEN="hvs.****"
php bin/console compile:latte <environment> <input.latte> <output.neon>
```
For example:
```bash
bin/console compile:latte prod examples/config.latte config/local.neon --dry-run
```
Environment variables
| Variable | Default | Meaning |
|---|---|---|
| `VAULT_TOKEN` | (required) | Vault token (`X-Vault-Token`). Not logged. |
| `VAULT_ADDR` | `https://127.0.0.1:8200` | Vault address. |
| `VAULT_KV_MOUNT` | `secret` | KV mount. |
| `VAULT_KV_VERSION` | `2` | KV engine version (1 or 2). |
| `VAULT_SECRET_PATH` | `{env}` | Path template under the mount; `{env}` = 1st arg. |
| `VAULT_NAMESPACE` | (optional) | Vault Enterprise namespace. |
Each one also has a CLI flag: `--vault-addr`, `--mount`, `--kv-version`, `--secret-path`.
Path and layering
The path is relative to the mount (for KV v2 the client inserts `/data/` itself).
`{env}` is replaced by the environment. You can merge multiple comma-separated paths
(later ones override earlier):
```bash
export VAULT_SECRET_PATH="apps/myapp/common,apps/myapp/{env}"
# KV v2 reads: secret/data/apps/myapp/common + secret/data/apps/myapp/prod
```
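As an added illustration of these rules (hypothetical helper functions, not the project's own code), the following PHP script expands a comma-separated path template, builds the KV v1 or v2 API path under the mount, and merges the layers so that a later path overrides an earlier one key by key. The Vault responses are constructed inline in the KV v2 response shape; a real run would fetch them over the HTTP API with the token. The environment-name check is an assumed policy, added because the environment is CLI input that ends up in a request path.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers illustrating the README's path/layering semantics.
// Not the vault-to-config project's own code.

/** The environment comes from argv and is substituted into a URL path: allow a safe charset only (assumed policy). */
function assertSafeEnvironment(string $env): void
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $env)) {
        throw new InvalidArgumentException("Invalid environment name: $env");
    }
}

/** Split the comma-separated template and substitute {env}; order is preserved. */
function expandSecretPaths(string $template, string $env): array
{
    assertSafeEnvironment($env);
    $paths = [];
    foreach (explode(',', $template) as $item) {
        $item = trim($item, " \t/");
        if ($item !== '') {
            $paths[] = str_replace('{env}', $env, $item);
        }
    }
    return $paths;
}

/** API path under the mount: KV v2 needs the /data/ segment, KV v1 does not. */
function vaultApiPath(string $mount, int $kvVersion, string $path): string
{
    return match ($kvVersion) {
        1 => "/v1/{$mount}/{$path}",
        2 => "/v1/{$mount}/data/{$path}",
        default => throw new InvalidArgumentException("Unsupported KV version: $kvVersion"),
    };
}

/** Pull the key/value map out of a decoded Vault JSON response (v2 nests it one level deeper than v1). */
function extractSecrets(array $response, int $kvVersion): array
{
    return $kvVersion === 2 ? ($response['data']['data'] ?? []) : ($response['data'] ?? []);
}

/** Later layers override earlier ones, key by key. */
function mergeLayers(array $layers): array
{
    return array_replace([], ...$layers);
}

// Constructed responses standing in for what the HTTP client would receive (KV v2 shape).
$responses = [
    '/v1/secret/data/apps/myapp/common' => ['data' => [
        'data'     => ['db_host' => 'db.internal', 'db_password' => 'common-pw'],
        'metadata' => ['version' => 3],
    ]],
    '/v1/secret/data/apps/myapp/prod' => ['data' => [
        'data'     => ['db_password' => 'prod-pw', 'api-key' => 'k-1'],
        'metadata' => ['version' => 7],
    ]],
];

$kvVersion = 2;
$layers = [];
foreach (expandSecretPaths('apps/myapp/common,apps/myapp/{env}', 'prod') as $relative) {
    $apiPath  = vaultApiPath('secret', $kvVersion, $relative);
    $layers[] = extractSecrets($responses[$apiPath] ?? [], $kvVersion);
    fwrite(STDERR, "read $apiPath\n");   // diagnostics go to stderr, as in the tool
}
$merged = mergeLayers($layers);

// Log key names only, never values.
fwrite(STDERR, 'keys: ' . implode(', ', array_keys($merged)) . "\n");
// $merged['db_password'] is 'prod-pw' (the prod layer wins); db_host comes from common, api-key from prod.
```

The merge is a flat `array_replace`, which is what "later ones override earlier" means for scalar values; nested arrays are replaced whole rather than merged recursively.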
Latte template
The template starts with `{contentType text}` (if missing, it is added automatically -> no HTML
escaping). Available variables:
- `{$environment}` - the environment,
- `{$vault['key']}` - any key (even with dashes),
- `{$key}` - shorthand, if the name is a valid PHP identifier,
- the `|neon` filter - safely encodes the value as a NEON scalar (quotes + escaping). It is recommended for all values from Vault: `password: {$db_password|neon}`.
Security / compliance
- Secret values are never logged - verbose (`-v`) prints only the key names. (DORA art. 9/11 - audit trail without sensitive data.)
- The output has `0640` permissions and is in `.gitignore`; delete it after deploy on CI.
- NEON is validated before writing - a template error never reaches production.
- Diagnostics go to stderr, the payload (`--dry-run`) to stdout.