Host specific env with tags

Allow hosts to be tagged so we can have host specific env variables.

We might want host specific env variables for things like datacenter
specific tags or testing GC settings on a specific host.

Right now you either need to set up a separate role, or have the app
be host aware.

Now you can define tag env variables and assign those to hosts.

For example:
```
servers:
  - 1.1.1.1
  - 1.1.1.2: tag1
  - 1.1.1.2: tag2
  - 1.1.1.3: [ tag1, tag2 ]
env_tags:
  tag1:
    ENV1: value1
  tag2:
    ENV2: value2
```

The tag env supports the full env format, allowing you to set secret and
clear values.

test/integration/docker/deployer/app/.env.erb

@@ -1 +1,2 @@
 SECRET_TOKEN='1234 with "中文"'
+SECRET_TAG='TAGME'

test/integration/docker/deployer/app/config/deploy.yml

@@ -2,13 +2,20 @@ service: app
 image: app
 servers:
   - vm1
-  - vm2
+  - vm2: [ tag1, tag2 ]
 env:
   clear:
     CLEAR_TOKEN: 4321
+    CLEAR_TAG: ""
     HOST_TOKEN: "${HOST_TOKEN}"
   secret:
     - SECRET_TOKEN
+env_tags:
+  tag1:
+    CLEAR_TAG: tagged
+  tag2:
+    secret:
+      - SECRET_TAG
 asset_path: /usr/share/nginx/html/versions
 
 registry:

test/integration/main_test.rb

@@ -3,8 +3,7 @@ require_relative "integration_test"
 class MainTest < IntegrationTest
   test "envify, deploy, redeploy, rollback, details and audit" do
     kamal :envify
-    assert_local_env_file "SECRET_TOKEN='1234 with \"中文\"'"
-    assert_remote_env_file "SECRET_TOKEN=1234 with \"中文\""
+    assert_env_files
     remove_local_env_file
 
     first_version = latest_app_version
@@ -14,9 +13,7 @@ class MainTest < IntegrationTest
     kamal :deploy
     assert_app_is_up version: first_version
     assert_hooks_ran "pre-connect", "pre-build", "pre-deploy", "post-deploy"
-    assert_env :CLEAR_TOKEN, "4321", version: first_version
-    assert_env :HOST_TOKEN, "abcd", version: first_version
-    assert_env :SECRET_TOKEN, "1234 with \"中文\"", version: first_version
+    assert_envs version: first_version
 
     second_version = update_app_rev
 
@@ -97,16 +94,38 @@ class MainTest < IntegrationTest
       assert_equal contents, deployer_exec("cat .env", capture: true)
     end
 
-    def assert_env(key, value, version:)
-      assert_equal "#{key}=#{value}", docker_compose("exec vm1 docker exec app-web-#{version} env | grep #{key}", capture: true)
+    def assert_envs(version:)
+      assert_env :CLEAR_TOKEN, "4321", version: version, vm: :vm1
+      assert_env :HOST_TOKEN, "abcd", version: version, vm: :vm1
+      assert_env :SECRET_TOKEN, "1234 with \"中文\"", version: version, vm: :vm1
+      assert_no_env :CLEAR_TAG, version: version, vm: :vm1
+      assert_no_env :SECRET_TAG, version: version, vm: :vm11
+      assert_env :CLEAR_TAG, "tagged", version: version, vm: :vm2
+      assert_env :SECRET_TAG, "TAGME", version: version, vm: :vm2
+    end
+
+    def assert_env(key, value, vm:, version:)
+      assert_equal "#{key}=#{value}", docker_compose("exec #{vm} docker exec app-web-#{version} env | grep #{key}", capture: true)
+    end
+
+    def assert_no_env(key, vm:, version:)
+      assert_raises(RuntimeError, /exit 1/) do
+        docker_compose("exec #{vm} docker exec app-web-#{version} env | grep #{key}", capture: true)
+      end
+    end
+
+    def assert_env_files
+      assert_local_env_file "SECRET_TOKEN='1234 with \"中文\"'\nSECRET_TAG='TAGME'"
+      assert_remote_env_file "SECRET_TOKEN=1234 with \"中文\"", vm: :vm1
+      assert_remote_env_file "SECRET_TOKEN=1234 with \"中文\"\nSECRET_TAG=TAGME", vm: :vm2
     end
 
     def remove_local_env_file
       deployer_exec("rm .env")
     end
 
-    def assert_remote_env_file(contents)
-      assert_equal contents, docker_compose("exec vm1 cat /root/.kamal/env/roles/app-web.env", capture: true)
+    def assert_remote_env_file(contents, vm:)
+      assert_equal contents, docker_compose("exec #{vm} cat /root/.kamal/env/roles/app-web.env", capture: true)
     end
 
     def assert_no_remote_env_file