fixup! vault: implement bootstrap integration

TODO.md

@@ -185,7 +185,7 @@ create-host \
 
 **Current Architecture:**
 ```
-vault.home.2rjus.net (10.69.13.19)
+vault01.home.2rjus.net (10.69.13.19)
   ├─ KV Secrets Engine (ready to replace sops-nix)
   │   ├─ secret/hosts/{hostname}/*
   │   ├─ secret/services/{service}/*
@@ -243,7 +243,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] File storage backend
   - [x] Self-signed TLS certificates via LoadCredential
 - [x] Deploy to infrastructure
-  - [x] DNS entry added for vault.home.2rjus.net
+  - [x] DNS entry added for vault01.home.2rjus.net
   - [x] VM deployed via terraform
   - [x] Verified OpenBao running and auto-unsealing
 
@@ -353,7 +353,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] Enabled ACME on intermediate CA
   - [x] Created PKI role for `*.home.2rjus.net`
   - [x] Set certificate TTLs (30 day max) and allowed domains
-  - [x] ACME directory: `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [x] ACME directory: `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
 - [ ] Download and distribute root CA certificate
   - [ ] Export root CA: `bao read -field=certificate pki/cert/ca > homelab-root-ca.crt`
   - [ ] Add to NixOS trust store on all hosts via `security.pki.certificateFiles`
@@ -368,7 +368,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [ ] Update service configuration
 - [ ] Migrate hosts from step-ca to OpenBao
   - [ ] Update `system/acme.nix` to use OpenBao ACME endpoint
-  - [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [ ] Change server to `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
   - [ ] Test on one host (non-critical service)
   - [ ] Roll out to all hosts via auto-upgrade
 - [ ] Configure SSH CA in OpenBao (optional, future work)

docs/vault-bootstrap-implementation.md

@@ -37,7 +37,7 @@ Phase 4d implements automatic Vault/OpenBao integration for new NixOS hosts, ena
 │ Cloud-init (VM Provisioning)                                │
 │                                                             │
 │  /etc/environment:                                          │
-│    VAULT_ADDR=https://vault.home.2rjus.net:8200            │
+│    VAULT_ADDR=https://vault01.home.2rjus.net:8200            │
 │    VAULT_WRAPPED_TOKEN=hvs.CAES...                         │
 │    VAULT_SKIP_VERIFY=1                                     │
 └─────────────────────────────────────────────────────────────┘
@@ -117,7 +117,7 @@ vault-fetch hosts/monitoring01/grafana /run/secrets/grafana
 ```
 
 **Environment Variables**:
-- `VAULT_ADDR`: Vault server (default: https://vault.home.2rjus.net:8200)
+- `VAULT_ADDR`: Vault server (default: https://vault01.home.2rjus.net:8200)
 - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: 1)
 
 **Error Handling**:
@@ -237,7 +237,7 @@ fi
 write_files:
   - path: /etc/environment
     content: |
-      VAULT_ADDR=https://vault.home.2rjus.net:8200
+      VAULT_ADDR=https://vault01.home.2rjus.net:8200
       VAULT_WRAPPED_TOKEN=${vault_wrapped_token}
       VAULT_SKIP_VERIFY=1
 ```

docs/vault-bootstrap-testing.md

@@ -6,7 +6,7 @@ This guide walks through testing the complete Vault bootstrap workflow implement
 
 Before testing, ensure:
 
-1. **Vault server is running**: vault01 (vault.home.2rjus.net:8200) is accessible
+1. **Vault server is running**: vault01 (vault01.home.2rjus.net:8200) is accessible
 2. **Vault access**: You have a Vault token with admin permissions (set `BAO_TOKEN` env var)
 3. **Terraform installed**: OpenTofu is available in your PATH
 4. **Git repository clean**: All Phase 4d changes are committed to a branch
@@ -172,7 +172,7 @@ tofu apply
 
 **Verify the secret exists:**
 ```bash
-export VAULT_ADDR=https://vault.home.2rjus.net:8200
+export VAULT_ADDR=https://vault01.home.2rjus.net:8200
 export VAULT_SKIP_VERIFY=1
 
 vault kv get secret/hosts/vaulttest01/test-service
@@ -227,7 +227,7 @@ systemctl status vault-secret-test-service.service
 
 journalctl -u vault-secret-test-service.service
 # Should show successful secret fetch:
-# [vault-fetch] Authenticating to Vault at https://vault.home.2rjus.net:8200
+# [vault-fetch] Authenticating to Vault at https://vault01.home.2rjus.net:8200
 # [vault-fetch] Successfully authenticated to Vault
 # [vault-fetch] Fetching secret from path: hosts/vaulttest01/test-service
 # [vault-fetch] Writing secrets to /run/secrets/test-service

hosts/template2/bootstrap.nix

@@ -27,7 +27,7 @@ let
       if [ -n "''${VAULT_WRAPPED_TOKEN:-}" ]; then
         echo "Unwrapping Vault token to get AppRole credentials..."
 
-        VAULT_ADDR="''${VAULT_ADDR:-https://vault.home.2rjus.net:8200}"
+        VAULT_ADDR="''${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}"
 
         # Unwrap the token to get role_id and secret_id
         UNWRAP_RESPONSE=$(curl -sk -X POST \

scripts/create-host/vault_helper.py

@@ -25,7 +25,7 @@ def get_vault_client(vault_addr: Optional[str] = None, vault_token: Optional[str
     """
     # Get Vault address
     if vault_addr is None:
-        vault_addr = os.getenv("BAO_ADDR", "https://vault.home.2rjus.net:8200")
+        vault_addr = os.getenv("BAO_ADDR", "https://vault01.home.2rjus.net:8200")
 
     # Get Vault token
     if vault_token is None:

scripts/vault-fetch/README.md

@@ -45,7 +45,7 @@ If Vault is unreachable or authentication fails:
 
 ## Environment Variables
 
-- `VAULT_ADDR`: Vault server address (default: `https://vault.home.2rjus.net:8200`)
+- `VAULT_ADDR`: Vault server address (default: `https://vault01.home.2rjus.net:8200`)
 - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: `1`)
 
 ## Integration with NixOS

scripts/vault-fetch/vault-fetch.sh

@@ -26,7 +26,7 @@ OUTPUT_DIR="$2"
 CACHE_DIR="${3:-/var/lib/vault/cache/$(basename "$OUTPUT_DIR")}"
 
 # Vault configuration
-VAULT_ADDR="${VAULT_ADDR:-https://vault.home.2rjus.net:8200}"
+VAULT_ADDR="${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}"
 VAULT_SKIP_VERIFY="${VAULT_SKIP_VERIFY:-1}"
 APPROLE_DIR="/var/lib/vault/approle"
 

system/vault-secrets.nix

@@ -124,7 +124,7 @@ in
 
     vaultAddress = mkOption {
       type = types.str;
-      default = "https://vault.home.2rjus.net:8200";
+      default = "https://vault01.home.2rjus.net:8200";
       description = "Vault server address";
     };
 

terraform/vault/README.md

@@ -19,7 +19,7 @@ Manages the following OpenBao resources:
 
 2. **Edit `terraform.tfvars` with your OpenBao credentials:**
    ```hcl
-   vault_address         = "https://vault.home.2rjus.net:8200"
+   vault_address         = "https://vault01.home.2rjus.net:8200"
    vault_token           = "hvs.your-root-token-here"
    vault_skip_tls_verify = true
    ```
@@ -120,7 +120,7 @@ bao write pki_int/config/acme enabled=true
 
 ACME directory endpoint:
 ```
-https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 ```
 
 Use with ACME clients (lego, certbot, cert-manager, etc.):
@@ -128,7 +128,7 @@ Use with ACME clients (lego, certbot, cert-manager, etc.):
 # Example with lego
 lego --email admin@home.2rjus.net \
   --dns manual \
-  --server https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory \
+  --server https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory \
   --accept-tos \
   run -d test.home.2rjus.net
 ```
@@ -239,18 +239,18 @@ After deploying this configuration, perform these one-time setup tasks:
 
 ### 1. Enable ACME
 ```bash
-export BAO_ADDR='https://vault.home.2rjus.net:8200'
+export BAO_ADDR='https://vault01.home.2rjus.net:8200'
 export BAO_TOKEN='your-root-token'
 export BAO_SKIP_VERIFY=1
 
 # Configure cluster path (required for ACME)
-bao write pki_int/config/cluster path=https://vault.home.2rjus.net:8200/v1/pki_int
+bao write pki_int/config/cluster path=https://vault01.home.2rjus.net:8200/v1/pki_int
 
 # Enable ACME on intermediate CA
 bao write pki_int/config/acme enabled=true
 
 # Verify ACME is enabled
-curl -k https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+curl -k https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 ```
 
 ### 2. Download Root CA Certificate

terraform/vault/pki.tf

@@ -16,7 +16,7 @@
 #
 # 1. ACME (Automated Certificate Management Environment)
 #    - Services fetch certificates automatically using ACME protocol
-#    - ACME directory: https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+#    - ACME directory: https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 #    - Enable ACME: bao write pki_int/config/acme enabled=true
 #    - Compatible with cert-manager, lego, certbot, etc.
 #
@@ -149,7 +149,7 @@ locals {
   static_certificates = {
     # Example: Issue a certificate for a specific service
     # "vault" = {
-    #   common_name = "vault.home.2rjus.net"
+    #   common_name = "vault01.home.2rjus.net"
     #   alt_names   = ["vault01.home.2rjus.net"]
     #   ip_sans     = ["10.69.13.19"]
     #   ttl         = "8760h"  # 1 year

terraform/vault/terraform.tfvars.example

@@ -1,6 +1,6 @@
 # Copy this file to terraform.tfvars and fill in your values
 # terraform.tfvars is gitignored to keep credentials safe
 
-vault_address         = "https://vault.home.2rjus.net:8200"
+vault_address         = "https://vault01.home.2rjus.net:8200"
 vault_token           = "hvs.XXXXXXXXXXXXXXXXXXXX"
 vault_skip_tls_verify = true

terraform/vault/variables.tf

@@ -1,7 +1,7 @@
 variable "vault_address" {
   description = "OpenBao server address"
   type        = string
-  default     = "https://vault.home.2rjus.net:8200"
+  default     = "https://vault01.home.2rjus.net:8200"
 }
 
 variable "vault_token" {