From ace848b29c69139c0c71385465557dda2b27f83b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 1 Feb 2026 21:10:12 +0100
Subject: [PATCH] vault: replace vault with openbao
---
 services/vault/default.nix | 25 +++++++++++++++++++++++--
 terraform/vms.tf | 1 +
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/services/vault/default.nix b/services/vault/default.nix
index 41b2ab6..17a7236 100644
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -1,8 +1,29 @@
 { ... }:
 {
- services.vault = {
+ services.openbao = {
 enable = true;
- storageBackend = "file";
+ settings = {
+ ui = true;
+
+ storage.file.path = "/var/lib/openbao";
+ listener.default = {
+ type = "tcp";
+ address = "0.0.0.0:8200";
+ tls_cert_file = "/run/credentials/openbao.service/cert.pem";
+ tls_key_file = "/run/credentials/openbao.service/key.pem";
+ };
+ listener.socket = {
+ type = "unix";
+ address = "/run/openbao/openbao.sock";
+ };
+ };
+ };
+
+ systemd.services.openbao.serviceConfig = {
+ LoadCredential = [
+ "key.pem:/var/lib/openbao/key.pem"
+ "cert.pem:/var/lib/openbao/cert.pem"
+ ];
 };
 }
diff --git a/terraform/vms.tf b/terraform/vms.tf
index 73ba143..c36359f 100644
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -43,6 +43,7 @@ locals {
 cpu_cores = 2
 memory = 2048
 disk_size = "20G"
+ flake_branch = "vault-setup" # Bootstrap from this branch instead of master
 }
 }
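Review bot: The TLS private key that `LoadCredential` reads from `/var/lib/openbao/key.pem` lives inside the directory the file storage backend writes to (`storage.file.path = "/var/lib/openbao"`), so whatever ownership the service user needs on its data directory presumably also covers the key, which undercuts the root-only read that `LoadCredential` is meant to provide. I would keep the key material outside the storage path, e.g. `"key.pem:/etc/openbao/tls/key.pem"` and `"cert.pem:/etc/openbao/tls/cert.pem"`, with that directory root-owned and the key mode 0600. Separately, `address = "0.0.0.0:8200"` exposes the TCP listener on every interface; if the old `services.vault` configuration relied on a loopback default, either bind to the specific interface or add a comment naming the firewall rule that gates port 8200. The unix listener sets no permission options, so who can connect to `/run/openbao/openbao.sock` depends on the runtime-directory defaults — if OpenBao honours the `socket_mode`/`socket_group` options from the Vault listener, pin them explicitly.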
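Review bot: `flake_branch = "vault-setup"` points this VM's bootstrap at a feature branch, so the deployed configuration follows a mutable, unmerged ref rather than the reviewed default, and once that branch is merged and deleted the VM will presumably fail to bootstrap or stop receiving updates. The inline comment says what the override does but not when it should be removed; make the temporary nature explicit, e.g. `flake_branch = "vault-setup" # TEMP: bootstrap from this branch until the openbao change lands on master, then drop this line`, or pin a commit rather than a branch name if the bootstrap mechanism supports it. The enclosing `locals {` block starts and ends outside this hunk.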