vault01: enable homelab-deploy listener

Enable vault.enable and homelab.deploy.enable on vault01 so it can receive NATS-based remote deployments. Vault fetches secrets from itself using AppRole after auto-unseal. Add systemd ordering to ensure vault-secret services wait for openbao to be unsealed before attempting to fetch secrets. Also adds vault01 AppRole entry to Terraform. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 17:55:09 +01:00
parent 8791c29402
commit 979040aaf7
2 changed files with 17 additions and 0 deletions
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -101,6 +101,13 @@ locals {
      ]
    }

+    # vault01: Vault server itself (fetches secrets from itself)
+    "vault01" = {
+      paths = [
+        "secret/data/hosts/vault01/*",
+      ]
+    }
+
  }
 }