monitoring: use AppRole token for OpenBao metrics scraping

Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/monitoring/prometheus.nix

@@ -1,21 +1,77 @@
-{ self, lib, ... }:
+{ self, lib, pkgs, ... }:
 let
   monLib = import ../../lib/monitoring.nix { inherit lib; };
   externalTargets = import ./external-targets.nix;
 
   nodeExporterTargets = monLib.generateNodeExporterTargets self externalTargets;
   autoScrapeConfigs = monLib.generateScrapeConfigs self externalTargets;
+
+  # Script to fetch AppRole token for Prometheus to use when scraping OpenBao metrics
+  fetchOpenbaoToken = pkgs.writeShellScript "fetch-openbao-token" ''
+    set -euo pipefail
+
+    VAULT_ADDR="https://vault01.home.2rjus.net:8200"
+    APPROLE_DIR="/var/lib/vault/approle"
+    OUTPUT_FILE="/run/secrets/prometheus/openbao-token"
+
+    # Read AppRole credentials
+    if [ ! -f "$APPROLE_DIR/role-id" ] || [ ! -f "$APPROLE_DIR/secret-id" ]; then
+      echo "AppRole credentials not found at $APPROLE_DIR" >&2
+      exit 1
+    fi
+
+    ROLE_ID=$(cat "$APPROLE_DIR/role-id")
+    SECRET_ID=$(cat "$APPROLE_DIR/secret-id")
+
+    # Authenticate to Vault
+    AUTH_RESPONSE=$(${pkgs.curl}/bin/curl -sf -k -X POST \
+      -d "{\"role_id\":\"$ROLE_ID\",\"secret_id\":\"$SECRET_ID\"}" \
+      "$VAULT_ADDR/v1/auth/approle/login")
+
+    # Extract token
+    VAULT_TOKEN=$(echo "$AUTH_RESPONSE" | ${pkgs.jq}/bin/jq -r '.auth.client_token')
+    if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
+      echo "Failed to extract Vault token from response" >&2
+      exit 1
+    fi
+
+    # Write token to file
+    mkdir -p "$(dirname "$OUTPUT_FILE")"
+    echo -n "$VAULT_TOKEN" > "$OUTPUT_FILE"
+    chown prometheus:prometheus "$OUTPUT_FILE"
+    chmod 0400 "$OUTPUT_FILE"
+
+    echo "Successfully fetched OpenBao token"
+  '';
 in
 {
-  # OpenBao token for scraping metrics
-  vault.secrets.openbao-token = {
-    secretPath = "hosts/monitoring01/openbao-token";
-    extractKey = "token";
-    outputDir = "/run/secrets/prometheus/openbao-token";
-    mode = "0400";
-    owner = "prometheus";
-    services = [ "prometheus" ];
+  # Systemd service to fetch AppRole token for Prometheus OpenBao scraping
+  # The token is used to authenticate when scraping /v1/sys/metrics
+  systemd.services.prometheus-openbao-token = {
+    description = "Fetch OpenBao token for Prometheus metrics scraping";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    before = [ "prometheus.service" ];
+    requiredBy = [ "prometheus.service" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = fetchOpenbaoToken;
+      RemainAfterExit = true;
+    };
   };
+
+  # Timer to periodically refresh the token (AppRole tokens have 1-hour TTL)
+  systemd.timers.prometheus-openbao-token = {
+    description = "Refresh OpenBao token for Prometheus";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "5min";
+      OnUnitActiveSec = "30min";
+      RandomizedDelaySec = "5min";
+    };
+  };
+
   services.prometheus = {
     enable = true;
     # syntax-only check because we use external credential files (e.g., openbao-token)