fixup! vault: implement bootstrap integration

TODO.md

@@ -185,7 +185,7 @@ create-host \
 
 **Current Architecture:**
 ```
-vault.home.2rjus.net (10.69.13.19)
+vault01.home.2rjus.net (10.69.13.19)
   ├─ KV Secrets Engine (ready to replace sops-nix)
   │   ├─ secret/hosts/{hostname}/*
   │   ├─ secret/services/{service}/*
@@ -243,7 +243,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] File storage backend
   - [x] Self-signed TLS certificates via LoadCredential
 - [x] Deploy to infrastructure
-  - [x] DNS entry added for vault.home.2rjus.net
+  - [x] DNS entry added for vault01.home.2rjus.net
   - [x] VM deployed via terraform
   - [x] Verified OpenBao running and auto-unsealing
 
@@ -353,7 +353,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] Enabled ACME on intermediate CA
   - [x] Created PKI role for `*.home.2rjus.net`
   - [x] Set certificate TTLs (30 day max) and allowed domains
-  - [x] ACME directory: `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [x] ACME directory: `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
 - [ ] Download and distribute root CA certificate
   - [ ] Export root CA: `bao read -field=certificate pki/cert/ca > homelab-root-ca.crt`
   - [ ] Add to NixOS trust store on all hosts via `security.pki.certificateFiles`
@@ -368,7 +368,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [ ] Update service configuration
 - [ ] Migrate hosts from step-ca to OpenBao
   - [ ] Update `system/acme.nix` to use OpenBao ACME endpoint
-  - [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [ ] Change server to `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
   - [ ] Test on one host (non-critical service)
   - [ ] Roll out to all hosts via auto-upgrade
 - [ ] Configure SSH CA in OpenBao (optional, future work)