machines/nix/systems/aarch64-linux/security.kaareskovgaard.net/README.md

After creating the instance

Open https://vault.kaareskovgaard.net and initialize OpenBAO. Remember to get some sort of auto unsealing set up afterwards, currently this is implemented with a cronjob on TrueNAS. Doing it this way allows various certificates to continue getting issued, even as OpenBAO gets sealed (due to auto updates).

After this, run the post provisioning script to initialize the various OpenBAO parts needed. Then nix run '.#bitwarden-to-vault can transfer the needed Bitwarden secrets to vault.