system: replace writeShellScript with writeShellApplication

Convert remaining writeShellScript usages to writeShellApplication for
shellcheck validation and strict bash options.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/monitoring/prometheus.nix

@@ -7,42 +7,44 @@ let
   autoScrapeConfigs = monLib.generateScrapeConfigs self externalTargets;
 
   # Script to fetch AppRole token for Prometheus to use when scraping OpenBao metrics
-  fetchOpenbaoToken = pkgs.writeShellScript "fetch-openbao-token" ''
-    set -euo pipefail
+  fetchOpenbaoToken = pkgs.writeShellApplication {
+    name = "fetch-openbao-token";
+    runtimeInputs = [ pkgs.curl pkgs.jq ];
+    text = ''
+      VAULT_ADDR="https://vault01.home.2rjus.net:8200"
+      APPROLE_DIR="/var/lib/vault/approle"
+      OUTPUT_FILE="/run/secrets/prometheus/openbao-token"
 
-    VAULT_ADDR="https://vault01.home.2rjus.net:8200"
-    APPROLE_DIR="/var/lib/vault/approle"
-    OUTPUT_FILE="/run/secrets/prometheus/openbao-token"
+      # Read AppRole credentials
+      if [ ! -f "$APPROLE_DIR/role-id" ] || [ ! -f "$APPROLE_DIR/secret-id" ]; then
+        echo "AppRole credentials not found at $APPROLE_DIR" >&2
+        exit 1
+      fi
 
-    # Read AppRole credentials
-    if [ ! -f "$APPROLE_DIR/role-id" ] || [ ! -f "$APPROLE_DIR/secret-id" ]; then
-      echo "AppRole credentials not found at $APPROLE_DIR" >&2
-      exit 1
-    fi
+      ROLE_ID=$(cat "$APPROLE_DIR/role-id")
+      SECRET_ID=$(cat "$APPROLE_DIR/secret-id")
 
-    ROLE_ID=$(cat "$APPROLE_DIR/role-id")
-    SECRET_ID=$(cat "$APPROLE_DIR/secret-id")
+      # Authenticate to Vault
+      AUTH_RESPONSE=$(curl -sf -k -X POST \
+        -d "{\"role_id\":\"$ROLE_ID\",\"secret_id\":\"$SECRET_ID\"}" \
+        "$VAULT_ADDR/v1/auth/approle/login")
 
-    # Authenticate to Vault
-    AUTH_RESPONSE=$(${pkgs.curl}/bin/curl -sf -k -X POST \
-      -d "{\"role_id\":\"$ROLE_ID\",\"secret_id\":\"$SECRET_ID\"}" \
-      "$VAULT_ADDR/v1/auth/approle/login")
+      # Extract token
+      VAULT_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.auth.client_token')
+      if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
+        echo "Failed to extract Vault token from response" >&2
+        exit 1
+      fi
 
-    # Extract token
-    VAULT_TOKEN=$(echo "$AUTH_RESPONSE" | ${pkgs.jq}/bin/jq -r '.auth.client_token')
-    if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
-      echo "Failed to extract Vault token from response" >&2
-      exit 1
-    fi
+      # Write token to file
+      mkdir -p "$(dirname "$OUTPUT_FILE")"
+      echo -n "$VAULT_TOKEN" > "$OUTPUT_FILE"
+      chown prometheus:prometheus "$OUTPUT_FILE"
+      chmod 0400 "$OUTPUT_FILE"
 
-    # Write token to file
-    mkdir -p "$(dirname "$OUTPUT_FILE")"
-    echo -n "$VAULT_TOKEN" > "$OUTPUT_FILE"
-    chown prometheus:prometheus "$OUTPUT_FILE"
-    chmod 0400 "$OUTPUT_FILE"
-
-    echo "Successfully fetched OpenBao token"
-  '';
+      echo "Successfully fetched OpenBao token"
+    '';
+  };
 in
 {
   # Systemd service to fetch AppRole token for Prometheus OpenBao scraping