fixup! vault: implement bootstrap integration

TODO.md

@@ -185,7 +185,7 @@ create-host \
 
 **Current Architecture:**
 ```
-vault.home.2rjus.net (10.69.13.19)
+vault01.home.2rjus.net (10.69.13.19)
   ├─ KV Secrets Engine (ready to replace sops-nix)
   │   ├─ secret/hosts/{hostname}/*
   │   ├─ secret/services/{service}/*
@@ -243,7 +243,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] File storage backend
   - [x] Self-signed TLS certificates via LoadCredential
 - [x] Deploy to infrastructure
-  - [x] DNS entry added for vault.home.2rjus.net
+  - [x] DNS entry added for vault01.home.2rjus.net
   - [x] VM deployed via terraform
   - [x] Verified OpenBao running and auto-unsealing
 
@@ -353,7 +353,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [x] Enabled ACME on intermediate CA
   - [x] Created PKI role for `*.home.2rjus.net`
   - [x] Set certificate TTLs (30 day max) and allowed domains
-  - [x] ACME directory: `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [x] ACME directory: `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
 - [ ] Download and distribute root CA certificate
   - [ ] Export root CA: `bao read -field=certificate pki/cert/ca > homelab-root-ca.crt`
   - [ ] Add to NixOS trust store on all hosts via `security.pki.certificateFiles`
@@ -368,7 +368,7 @@ vault.home.2rjus.net (10.69.13.19)
   - [ ] Update service configuration
 - [ ] Migrate hosts from step-ca to OpenBao
   - [ ] Update `system/acme.nix` to use OpenBao ACME endpoint
-  - [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [ ] Change server to `https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory`
   - [ ] Test on one host (non-critical service)
   - [ ] Roll out to all hosts via auto-upgrade
 - [ ] Configure SSH CA in OpenBao (optional, future work)

docs/vault-bootstrap-implementation.md

@@ -37,7 +37,7 @@ Phase 4d implements automatic Vault/OpenBao integration for new NixOS hosts, ena
 │ Cloud-init (VM Provisioning)                                │
 │                                                             │
 │  /etc/environment:                                          │
-│    VAULT_ADDR=https://vault.home.2rjus.net:8200            │
+│    VAULT_ADDR=https://vault01.home.2rjus.net:8200            │
 │    VAULT_WRAPPED_TOKEN=hvs.CAES...                         │
 │    VAULT_SKIP_VERIFY=1                                     │
 └─────────────────────────────────────────────────────────────┘
@@ -117,7 +117,7 @@ vault-fetch hosts/monitoring01/grafana /run/secrets/grafana
 ```
 
 **Environment Variables**:
-- `VAULT_ADDR`: Vault server (default: https://vault.home.2rjus.net:8200)
+- `VAULT_ADDR`: Vault server (default: https://vault01.home.2rjus.net:8200)
 - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: 1)
 
 **Error Handling**:
@@ -237,7 +237,7 @@ fi
 write_files:
   - path: /etc/environment
     content: |
-      VAULT_ADDR=https://vault.home.2rjus.net:8200
+      VAULT_ADDR=https://vault01.home.2rjus.net:8200
       VAULT_WRAPPED_TOKEN=${vault_wrapped_token}
       VAULT_SKIP_VERIFY=1
 ```

docs/vault-bootstrap-testing.md

@@ -6,7 +6,7 @@ This guide walks through testing the complete Vault bootstrap workflow implement
 
 Before testing, ensure:
 
-1. **Vault server is running**: vault01 (vault.home.2rjus.net:8200) is accessible
+1. **Vault server is running**: vault01 (vault01.home.2rjus.net:8200) is accessible
 2. **Vault access**: You have a Vault token with admin permissions (set `BAO_TOKEN` env var)
 3. **Terraform installed**: OpenTofu is available in your PATH
 4. **Git repository clean**: All Phase 4d changes are committed to a branch
@@ -172,7 +172,7 @@ tofu apply
 
 **Verify the secret exists:**
 ```bash
-export VAULT_ADDR=https://vault.home.2rjus.net:8200
+export VAULT_ADDR=https://vault01.home.2rjus.net:8200
 export VAULT_SKIP_VERIFY=1
 
 vault kv get secret/hosts/vaulttest01/test-service
@@ -227,7 +227,7 @@ systemctl status vault-secret-test-service.service
 
 journalctl -u vault-secret-test-service.service
 # Should show successful secret fetch:
-# [vault-fetch] Authenticating to Vault at https://vault.home.2rjus.net:8200
+# [vault-fetch] Authenticating to Vault at https://vault01.home.2rjus.net:8200
 # [vault-fetch] Successfully authenticated to Vault
 # [vault-fetch] Fetching secret from path: hosts/vaulttest01/test-service
 # [vault-fetch] Writing secrets to /run/secrets/test-service
@@ -307,13 +307,24 @@ tofu apply
 ```
 ❌ **Expected**: Bootstrap fails with message about expired token
 
-**Fix:**
+**Fix (Option 1 - Regenerate token only):**
 ```bash
+# Only regenerates the wrapped token, preserves all other configuration
+nix run .#create-host -- --hostname vaulttest01 --regenerate-token
+cd terraform
+tofu apply
+```
+
+**Fix (Option 2 - Full regeneration with --force):**
+```bash
+# Overwrites entire host configuration (including any manual changes)
 nix run .#create-host -- --hostname vaulttest01 --force
 cd terraform
 tofu apply
 ```
 
+**Recommendation**: Use `--regenerate-token` to avoid losing manual configuration changes.
+
 ### Scenario 6: Already-Used Wrapped Token
 Try to deploy the same VM twice without regenerating token.
 

hosts/template2/bootstrap.nix

@@ -27,7 +27,7 @@ let
       if [ -n "''${VAULT_WRAPPED_TOKEN:-}" ]; then
         echo "Unwrapping Vault token to get AppRole credentials..."
 
-        VAULT_ADDR="''${VAULT_ADDR:-https://vault.home.2rjus.net:8200}"
+        VAULT_ADDR="''${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}"
 
         # Unwrap the token to get role_id and secret_id
         UNWRAP_RESPONSE=$(curl -sk -X POST \
@@ -109,7 +109,7 @@ in
       RemainAfterExit = true;
       ExecStart = "${bootstrap-script}/bin/nixos-bootstrap";
 
-      # Read environment variables from /run/cloud-init-env (set by cloud-init)
+      # Read environment variables from cloud-init (set by cloud-init write_files)
       EnvironmentFile = "-/run/cloud-init-env";
 
       # Logging to journald

scripts/create-host/create_host.py

@@ -48,6 +48,7 @@ def main(
     dry_run: bool = typer.Option(False, "--dry-run", help="Preview changes without creating files"),
     force: bool = typer.Option(False, "--force", help="Overwrite existing host configuration"),
     skip_vault: bool = typer.Option(False, "--skip-vault", help="Skip Vault configuration and token generation"),
+    regenerate_token: bool = typer.Option(False, "--regenerate-token", help="Only regenerate Vault wrapped token (no other changes)"),
 ) -> None:
     """
     Create a new NixOS host configuration.
@@ -60,6 +61,51 @@ def main(
         ctx.get_help()
         sys.exit(1)
 
+    # Get repository root
+    repo_root = get_repo_root()
+
+    # Handle token regeneration mode
+    if regenerate_token:
+        # Validate that incompatible options aren't used
+        if force or dry_run or skip_vault:
+            console.print("[bold red]Error:[/bold red] --regenerate-token cannot be used with --force, --dry-run, or --skip-vault\n")
+            sys.exit(1)
+        if ip or cpu != 2 or memory != 2048 or disk != "20G":
+            console.print("[bold red]Error:[/bold red] --regenerate-token only regenerates the token. Other options (--ip, --cpu, --memory, --disk) are ignored.\n")
+            console.print("[yellow]Tip:[/yellow] Use without those options, or use --force to update the entire configuration.\n")
+            sys.exit(1)
+
+        try:
+            console.print(f"\n[bold blue]Regenerating Vault token for {hostname}...[/bold blue]")
+
+            # Validate hostname exists
+            host_dir = repo_root / "hosts" / hostname
+            if not host_dir.exists():
+                console.print(f"[bold red]Error:[/bold red] Host {hostname} does not exist")
+                console.print(f"Host directory not found: {host_dir}")
+                sys.exit(1)
+
+            # Generate new wrapped token
+            wrapped_token = generate_wrapped_token(hostname, repo_root)
+
+            # Update only the wrapped token in vms.tf
+            add_wrapped_token_to_vm(hostname, wrapped_token, repo_root)
+            console.print("[green]✓[/green] Regenerated and updated wrapped token in terraform/vms.tf")
+
+            console.print("\n[bold green]✓ Token regenerated successfully![/bold green]")
+            console.print(f"\n[yellow]⚠️[/yellow]  Token expires in 24 hours")
+            console.print(f"[yellow]⚠️[/yellow]  Deploy the VM within 24h or regenerate token again\n")
+
+            console.print("[bold cyan]Next steps:[/bold cyan]")
+            console.print(f"  cd terraform && tofu apply")
+            console.print(f"  # Then redeploy VM to pick up new token\n")
+
+            return
+
+        except Exception as e:
+            console.print(f"\n[bold red]Error regenerating token:[/bold red] {e}\n")
+            sys.exit(1)
+
     try:
         # Build configuration
         config = HostConfig(
@@ -70,9 +116,6 @@ def main(
             disk=disk,
         )
 
-        # Get repository root
-        repo_root = get_repo_root()
-
         # Validate configuration
         console.print("\n[bold blue]Validating configuration...[/bold blue]")
 

scripts/create-host/vault_helper.py

@@ -25,7 +25,7 @@ def get_vault_client(vault_addr: Optional[str] = None, vault_token: Optional[str
     """
     # Get Vault address
     if vault_addr is None:
-        vault_addr = os.getenv("BAO_ADDR", "https://vault.home.2rjus.net:8200")
+        vault_addr = os.getenv("BAO_ADDR", "https://vault01.home.2rjus.net:8200")
 
     # Get Vault token
     if vault_token is None:

scripts/vault-fetch/README.md

@@ -45,7 +45,7 @@ If Vault is unreachable or authentication fails:
 
 ## Environment Variables
 
-- `VAULT_ADDR`: Vault server address (default: `https://vault.home.2rjus.net:8200`)
+- `VAULT_ADDR`: Vault server address (default: `https://vault01.home.2rjus.net:8200`)
 - `VAULT_SKIP_VERIFY`: Skip TLS verification (default: `1`)
 
 ## Integration with NixOS

scripts/vault-fetch/vault-fetch.sh

@@ -26,7 +26,7 @@ OUTPUT_DIR="$2"
 CACHE_DIR="${3:-/var/lib/vault/cache/$(basename "$OUTPUT_DIR")}"
 
 # Vault configuration
-VAULT_ADDR="${VAULT_ADDR:-https://vault.home.2rjus.net:8200}"
+VAULT_ADDR="${VAULT_ADDR:-https://vault01.home.2rjus.net:8200}"
 VAULT_SKIP_VERIFY="${VAULT_SKIP_VERIFY:-1}"
 APPROLE_DIR="/var/lib/vault/approle"
 

system/vault-secrets.nix

@@ -124,7 +124,7 @@ in
 
     vaultAddress = mkOption {
       type = types.str;
-      default = "https://vault.home.2rjus.net:8200";
+      default = "https://vault01.home.2rjus.net:8200";
       description = "Vault server address";
     };
 

terraform/cloud-init.tf

@@ -15,7 +15,7 @@ resource "proxmox_cloud_init_disk" "ci" {
   #cloud-config
   ssh_authorized_keys:
     - ${each.value.ssh_public_key}
-  ${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<-FILES
+${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<-FILES
   write_files:
     - path: /run/cloud-init-env
       content: |
@@ -23,12 +23,12 @@ resource "proxmox_cloud_init_disk" "ci" {
         NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
         %{~ endif ~}
         %{~ if each.value.vault_wrapped_token != null ~}
-        VAULT_ADDR=https://vault.home.2rjus.net:8200
+        VAULT_ADDR=https://vault01.home.2rjus.net:8200
         VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
         VAULT_SKIP_VERIFY=1
         %{~ endif ~}
       permissions: '0600'
-  FILES
+FILES
 : ""}
   EOT
 

terraform/vault/README.md

@@ -19,7 +19,7 @@ Manages the following OpenBao resources:
 
 2. **Edit `terraform.tfvars` with your OpenBao credentials:**
    ```hcl
-   vault_address         = "https://vault.home.2rjus.net:8200"
+   vault_address         = "https://vault01.home.2rjus.net:8200"
    vault_token           = "hvs.your-root-token-here"
    vault_skip_tls_verify = true
    ```
@@ -120,7 +120,7 @@ bao write pki_int/config/acme enabled=true
 
 ACME directory endpoint:
 ```
-https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 ```
 
 Use with ACME clients (lego, certbot, cert-manager, etc.):
@@ -128,7 +128,7 @@ Use with ACME clients (lego, certbot, cert-manager, etc.):
 # Example with lego
 lego --email admin@home.2rjus.net \
   --dns manual \
-  --server https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory \
+  --server https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory \
   --accept-tos \
   run -d test.home.2rjus.net
 ```
@@ -239,18 +239,18 @@ After deploying this configuration, perform these one-time setup tasks:
 
 ### 1. Enable ACME
 ```bash
-export BAO_ADDR='https://vault.home.2rjus.net:8200'
+export BAO_ADDR='https://vault01.home.2rjus.net:8200'
 export BAO_TOKEN='your-root-token'
 export BAO_SKIP_VERIFY=1
 
 # Configure cluster path (required for ACME)
-bao write pki_int/config/cluster path=https://vault.home.2rjus.net:8200/v1/pki_int
+bao write pki_int/config/cluster path=https://vault01.home.2rjus.net:8200/v1/pki_int
 
 # Enable ACME on intermediate CA
 bao write pki_int/config/acme enabled=true
 
 # Verify ACME is enabled
-curl -k https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+curl -k https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 ```
 
 ### 2. Download Root CA Certificate

terraform/vault/pki.tf

@@ -16,7 +16,7 @@
 #
 # 1. ACME (Automated Certificate Management Environment)
 #    - Services fetch certificates automatically using ACME protocol
-#    - ACME directory: https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+#    - ACME directory: https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory
 #    - Enable ACME: bao write pki_int/config/acme enabled=true
 #    - Compatible with cert-manager, lego, certbot, etc.
 #
@@ -149,7 +149,7 @@ locals {
   static_certificates = {
     # Example: Issue a certificate for a specific service
     # "vault" = {
-    #   common_name = "vault.home.2rjus.net"
+    #   common_name = "vault01.home.2rjus.net"
     #   alt_names   = ["vault01.home.2rjus.net"]
     #   ip_sans     = ["10.69.13.19"]
     #   ttl         = "8760h"  # 1 year

terraform/vault/terraform.tfvars.example

@@ -1,6 +1,6 @@
 # Copy this file to terraform.tfvars and fill in your values
 # terraform.tfvars is gitignored to keep credentials safe
 
-vault_address         = "https://vault.home.2rjus.net:8200"
+vault_address         = "https://vault01.home.2rjus.net:8200"
 vault_token           = "hvs.XXXXXXXXXXXXXXXXXXXX"
 vault_skip_tls_verify = true

terraform/vault/variables.tf

@@ -1,7 +1,7 @@
 variable "vault_address" {
   description = "OpenBao server address"
   type        = string
-  default     = "https://vault.home.2rjus.net:8200"
+  default     = "https://vault01.home.2rjus.net:8200"
 }
 
 variable "vault_token" {

terraform/vms.tf

@@ -51,6 +51,7 @@ locals {
       memory    = 2048
       disk_size = "20G"
       flake_branch = "vault-bootstrap-integration"
+      vault_wrapped_token = "s.aLlvvgIX4RegyBZKwnDIplJ4"
     }
   }