{ ... }:
{
  services.openbao = {
    enable = true;

    settings = {
      ui = true;

      storage.file.path = "/var/lib/openbao";
      listener.default = {
        type = "tcp";
        address = "0.0.0.0:8200";
        tls_cert_file = "/var/openbao/cert.pem";
        tls_key_file = "/var/openbao/key.pem";
      };
      listener.socket = {
        type = "unix";
        address = "/run/openbao/openbao.sock";
      };
    };
  };
}