# OpenBao Service Module

NixOS service module for OpenBao (open-source Vault fork) with TPM2-based auto-unsealing.

## Features

- TLS-enabled TCP listener on `0.0.0.0:8200`
- Unix socket listener at `/run/openbao/openbao.sock`
- File-based storage at `/var/lib/openbao`
- TPM2 auto-unseal on service start

## Configuration

The module expects:

- TLS certificate: `/var/lib/openbao/cert.pem`
- TLS private key: `/var/lib/openbao/key.pem`
- TPM2-encrypted unseal key: `/var/lib/openbao/unseal-key.cred`

Certificates are loaded via systemd `LoadCredential`, and the unseal key via `LoadCredentialEncrypted`.

## Setup

For initial setup and configuration instructions, see:

- **Auto-unseal setup**: `/docs/vault/auto-unseal.md`
- **Terraform configuration**: `/terraform/vault/README.md`

## Usage

```bash
# Check seal status
bao status

# Manually seal (for maintenance)
bao operator seal

# Service will auto-unseal on restart
systemctl restart openbao
```
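The following is an added, illustrative sketch of how the Configuration section's pieces fit together in a NixOS systemd unit; it is not this module's own source. It assumes `pkgs.openbao` exists, that an `openbao` system user exists, that the server's TLS certificate is valid for `127.0.0.1`, and that the unseal key was encrypted with `systemd-creds encrypt --with-key=tpm2` as described in `/docs/vault/auto-unseal.md`. systemd decrypts the `.cred` file with the TPM2 at start and exposes the plaintext only inside `$CREDENTIALS_DIRECTORY`, so the unseal key never sits unencrypted on disk.

```nix
# Added example, not the module's code. Names below (openbao.hcl, the
# unseal helper, the openbao user) are assumptions for illustration.
{ pkgs, ... }:
let
  # OpenBao server config (HCL). TLS material is read from the systemd
  # credentials directory, not from /var/lib/openbao directly.
  openbaoConfig = pkgs.writeText "openbao.hcl" ''
    listener "tcp" {
      address       = "0.0.0.0:8200"
      tls_cert_file = "/run/credentials/openbao.service/cert.pem"
      tls_key_file  = "/run/credentials/openbao.service/key.pem"
    }
    listener "unix" {
      address = "/run/openbao/openbao.sock"
    }
    storage "file" {
      path = "/var/lib/openbao"
    }
  '';
  # Runs as ExecStartPost with the same $CREDENTIALS_DIRECTORY as the server.
  unseal = pkgs.writeShellScript "openbao-unseal" ''
    set -eu
    bao="${pkgs.openbao}/bin/bao"
    addr="https://127.0.0.1:8200"
    ca="$CREDENTIALS_DIRECTORY/cert.pem"
    # `bao status` exits 0 when unsealed, 2 when sealed, 1 on error/not up yet.
    rc=1
    for _ in $(seq 30); do
      rc=0; "$bao" status -address="$addr" -ca-cert="$ca" >/dev/null 2>&1 || rc=$?
      [ "$rc" -ne 1 ] && break
      sleep 1
    done
    [ "$rc" -eq 0 ] && exit 0      # already unsealed, nothing to do
    [ "$rc" -eq 2 ] || exit 1      # server never answered: fail the start
    # Key was decrypted by systemd (TPM2-bound) into the credentials dir.
    # Passing it as an argument exposes it briefly in the process list;
    # acceptable on a single-tenant host, otherwise prefer a tighter channel.
    "$bao" operator unseal -address="$addr" -ca-cert="$ca" \
      "$(cat "$CREDENTIALS_DIRECTORY/unseal-key")" >/dev/null
  '';
in {
  systemd.services.openbao = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "openbao"; Group = "openbao";      # assumed to exist
      ExecStart = "${pkgs.openbao}/bin/bao server -config=${openbaoConfig}";
      ExecStartPost = unseal;
      LoadCredential = [ "cert.pem:/var/lib/openbao/cert.pem"
                         "key.pem:/var/lib/openbao/key.pem" ];
      LoadCredentialEncrypted = "unseal-key:/var/lib/openbao/unseal-key.cred";
      RuntimeDirectory = "openbao";            # /run/openbao for the socket
      StateDirectory = "openbao";              # /var/lib/openbao storage
    };
  };
}
```

If `ExecStartPost` exits non-zero the unit is marked failed, so a missing or undecryptable `unseal-key.cred` shows up in `systemctl status openbao` rather than leaving a silently sealed server.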