From 979040aaf7e24bc51e9094e539cf62b589b09c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sat, 7 Feb 2026 17:55:09 +0100
Subject: [PATCH] vault01: enable homelab-deploy listener

Enable vault.enable and homelab.deploy.enable on vault01 so it can receive NATS-based remote deployments. Vault fetches secrets from itself using AppRole after auto-unseal. Add systemd ordering to ensure vault-secret services wait for openbao to be unsealed before attempting to fetch secrets. Also adds vault01 AppRole entry to Terraform.

Co-Authored-By: Claude Opus 4.5
---
 hosts/vault01/configuration.nix | 10 ++++++++++
 terraform/vault/approle.tf | 7 +++++++
 2 files changed, 17 insertions(+)

diff --git a/hosts/vault01/configuration.nix b/hosts/vault01/configuration.nix
index 1b1faef..4f4d53d 100644
--- a/hosts/vault01/configuration.nix
+++ b/hosts/vault01/configuration.nix
@@ -62,6 +62,16 @@
 # Or disable the firewall altogether.
 networking.firewall.enable = false;
+ # Vault fetches secrets from itself (after unseal)
+ vault.enable = true;
+ homelab.deploy.enable = true;
+
+ # Ensure vault-secret services wait for openbao to be unsealed
+ systemd.services.vault-secret-homelab-deploy-nkey = {
+ after = [ "openbao.service" ];
+ wants = [ "openbao.service" ];
+ };
+
 system.stateVersion = "25.11"; # Did you read the comment?
 }
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 6719dff..721a88d 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -101,6 +101,13 @@ locals {
 ]
 }
+ # vault01: Vault server itself (fetches secrets from itself)
+ "vault01" = {
+ paths = [
+ "secret/data/hosts/vault01/*",
+ ]
+ }
+
 }
 }
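Review bot: The `after`/`wants` ordering on `openbao.service` only waits for the unit to be started, not for auto-unseal to finish, so `vault-secret-homelab-deploy-nkey` can still race the unseal on a cold boot; the comment `# Ensure vault-secret services wait for openbao to be unsealed` claims more than the ordering delivers. Whether the fetch retries on a sealed response depends on the vault-secret module, which is outside this hunk; if it does not, the unit needs either a retry (`Restart`/`RestartSec` in `serviceConfig`, if its unit type permits it) or an `ExecStartPre` that polls the seal status before the fetch, and the comment should be reworded to `# Order after openbao.service; the fetch itself must tolerate a still-sealed server`. The ordering is attached to a single unit, so any further `vault-secret-*` services added to this host will need the same treatment. `networking.firewall.enable = false;` is pre-existing context, but enabling the NATS deploy listener on the Vault host means that open surface now reaches a remote-deployment path on the secrets server; that trade-off deserves a comment next to `homelab.deploy.enable = true;`.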
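Review bot: The new `"vault01"` entry grants read access to `secret/data/hosts/vault01/*`, matching the per-host pattern, but the AppRole credential for this entry lives on the Vault host itself, so it is worth confirming that the role resource consuming this `locals` map (which begins outside the hunk) binds this role as tightly as it can — `secret_id_bound_cidrs`/`token_bound_cidrs` limited to the host's own address and a short `token_ttl`, if those are configurable per entry. The comment `# vault01: Vault server itself (fetches secrets from itself)` could also note that this is a KV v2 `data/` path only, so the `metadata/` and delete/undelete endpoints are intentionally not covered, assuming the policy template maps `paths` directly to `path` stanzas.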