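# OpenBao with a TLS network listener, a local unix socket, and auto-unseal
# driven by a systemd credential that is encrypted for the host's TPM2
# (decrypted by systemd at service start, so the plaintext key is never
# written to disk by this module).
{ pkgs, ... }:

{
  services.openbao = {
    enable = true;
    settings = {
      ui = true;
      storage.file.path = "/var/lib/openbao";

      # Network API listener. 0.0.0.0 exposes port 8200 on every interface;
      # TLS protects the transport, but reachability should still be limited
      # by the host firewall to the clients that actually need the API.
      listener.default = {
        type = "tcp";
        address = "0.0.0.0:8200";
        # Cert/key are handed to the service by systemd (LoadCredential below)
        # and read from the unit's per-service credentials directory.
        tls_cert_file = "/run/credentials/openbao.service/cert.pem";
        tls_key_file = "/run/credentials/openbao.service/key.pem";
      };

      # Local-only listener for clients on the same host.
      listener.socket = {
        type = "unix";
        address = "/run/openbao/openbao.sock";
      };
    };
  };

  systemd.services.openbao = {
    serviceConfig = {
      # TLS material is passed as systemd credentials so it is visible to this
      # unit only (under $CREDENTIALS_DIRECTORY). The source files live next to
      # the storage backend in /var/lib/openbao.
      LoadCredential = [
        "key.pem:/var/lib/openbao/key.pem"
        "cert.pem:/var/lib/openbao/cert.pem"
      ];
      # TPM2-encrypted unseal key (created manually, see setup instructions).
      # systemd decrypts it at start-up into the memory-backed credentials
      # directory, so the cleartext only exists there while the unit runs.
      LoadCredentialEncrypted = [
        "unseal-key:/var/lib/openbao/unseal-key.cred"
      ];
    };

    # Auto-unseal on service start. NixOS runs this as a bash -e job script,
    # so an unhandled command failure fails the start; situations that should
    # not take the unit down (not yet initialized, key missing, probe timeout)
    # exit 0 with a logged warning instead.
    postStart = ''
      curl=${pkgs.curl}/bin/curl
      jq=${pkgs.jq}/bin/jq
      bao=${pkgs.openbao}/bin/bao
      addr=https://127.0.0.1:8200

      # Wait (up to 30s) until the health endpoint returns a status document.
      # No -f on purpose: a sealed server answers HTTP 503 and an uninitialized
      # one 501, and those bodies are exactly what is inspected below.
      # -k is acceptable for this loopback probe; nothing secret is sent.
      health=""
      for _ in {1..30}; do
        if health=$("$curl" -sk --max-time 5 "$addr/v1/sys/health" 2>/dev/null) \
           && printf '%s' "$health" | "$jq" -e 'has("sealed")' >/dev/null 2>&1; then
          break
        fi
        health=""
        sleep 1
      done

      if [ -z "$health" ]; then
        echo "WARNING: OpenBao health endpoint did not answer within 30s, skipping auto-unseal"
        exit 0
      fi
      if ! printf '%s' "$health" | "$jq" -e '.initialized == true' >/dev/null; then
        echo "WARNING: OpenBao is not initialized, skipping auto-unseal"
        exit 0
      fi
      if ! printf '%s' "$health" | "$jq" -e '.sealed == true' >/dev/null; then
        echo "OpenBao is already unsealed, nothing to do"
        exit 0
      fi

      # Unseal using the TPM-decrypted key. The key is fed on stdin (the CLI
      # reads it from there when no positional key is given) rather than as a
      # command-line argument, so it never appears in the process list
      # (/proc/*/cmdline) or in a shell variable.
      if [ ! -r "$CREDENTIALS_DIRECTORY/unseal-key" ]; then
        echo "WARNING: Unseal key credential not found, OpenBao remains sealed"
        exit 0  # Don't fail the service, just log the warning
      fi
      echo "Unsealing OpenBao..."
      # -tls-skip-verify: loopback connection to our own listener, whose cert
      # may not carry a 127.0.0.1 SAN. If it does, prefer
      # -ca-cert="$CREDENTIALS_DIRECTORY/cert.pem" over skipping verification.
      "$bao" operator unseal -address="$addr" -tls-skip-verify < "$CREDENTIALS_DIRECTORY/unseal-key"
      echo "OpenBao unsealed successfully"
    '';
  };
}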