{ ... }:
{
  services.openbao = {
    enable = true;

    settings = {
      ui = true;

      storage.file.path = "/var/lib/openbao";
      listener.default = {
        type = "tcp";
        address = "0.0.0.0:8200";
        tls_cert_file = "/run/credentials/openbao.service/cert.pem";
        tls_key_file = "/run/credentials/openbao.service/key.pem";
      };
      listener.socket = {
        type = "unix";
        address = "/run/openbao/openbao.sock";
      };
    };
  };

  systemd.services.openbao.serviceConfig = {
    LoadCredential = [
      "key.pem:/var/lib/openbao/key.pem"
      "cert.pem:/var/lib/openbao/cert.pem"
    ];
  };
}