secrets: migrate all hosts from sops to OpenBao vault

Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -25,17 +25,66 @@ locals {
     #   ]
     # }
 
-    # TODO: actually use this policy
     "ha1" = {
       paths = [
         "secret/data/hosts/ha1/*",
+        "secret/data/shared/backup/*",
       ]
     }
 
-    # TODO: actually use this policy
     "monitoring01" = {
       paths = [
         "secret/data/hosts/monitoring01/*",
+        "secret/data/shared/backup/*",
+        "secret/data/shared/nats/*",
+      ]
+    }
+
+    # Wave 1: hosts with no service secrets (only need vault.enable for future use)
+    "nats1" = {
+      paths = [
+        "secret/data/hosts/nats1/*",
+      ]
+    }
+
+    "jelly01" = {
+      paths = [
+        "secret/data/hosts/jelly01/*",
+      ]
+    }
+
+    "pgdb1" = {
+      paths = [
+        "secret/data/hosts/pgdb1/*",
+      ]
+    }
+
+    # Wave 3: DNS servers
+    "ns1" = {
+      paths = [
+        "secret/data/hosts/ns1/*",
+        "secret/data/shared/dns/*",
+      ]
+    }
+
+    "ns2" = {
+      paths = [
+        "secret/data/hosts/ns2/*",
+        "secret/data/shared/dns/*",
+      ]
+    }
+
+    # Wave 4: http-proxy
+    "http-proxy" = {
+      paths = [
+        "secret/data/hosts/http-proxy/*",
+      ]
+    }
+
+    # Wave 5: nix-cache01
+    "nix-cache01" = {
+      paths = [
+        "secret/data/hosts/nix-cache01/*",
       ]
     }
   }