Add ExecStartPre to wait for Zitadel JWT and update flake.lock paths

flakes/secrets-bao/nixos-module.nix

@@ -371,8 +371,10 @@ in
             "network-online.target"
             "zitadel-mint-jwt.service"
           ];
-          wants = [ "network-online.target" ];
-          requires = [ "zitadel-mint-jwt.service" ];
+          wants = [
+            "network-online.target"
+            "zitadel-mint-jwt.service"
+          ];
 
           serviceConfig = {
             Type = "simple";
@@ -382,6 +384,25 @@ in
             RestartSec = "30s";
 
             UMask = "0077";
+            ExecStartPre = pkgs.writeShellScript "openbao-wait-jwt" ''
+              #!/usr/bin/env bash
+              set -euo pipefail
+
+              for i in {1..180}; do
+                if [ -s "${cfg.zitadelJwtPath}" ]; then
+                  jwt="$(cat "${cfg.zitadelJwtPath}")"
+                  # very cheap sanity check: JWT has at least 2 dots
+                  if ${pkgs.gnugrep}/bin/grep -q '\\..*\\.' <<<"$jwt"; then
+                    exit 0
+                  fi
+                fi
+                sleep 1
+              done
+
+              echo "Missing or invalid Zitadel JWT at ${cfg.zitadelJwtPath}" >&2
+              exit 1
+            '';
+
             ExecStart = "${pkgs.openbao}/bin/bao agent -config=${mkAgentConfig}";
           };
         };

hosts/juni/flake.lock

@@ -1310,15 +1310,14 @@
     },
     "secrets-bao": {
       "locked": {
-        "lastModified": 1767590305,
-        "narHash": "sha256-yXJ0TpPqsKznLn6bHpDpeSzIvL7T1lWxxhZ6cmAjqhQ=",
-        "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
+        "path": "../../flakes/secrets-bao",
         "type": "path"
       },
       "original": {
-        "path": "/home/josh/.config/nixos-config/flakes/secrets-bao",
+        "path": "../../flakes/secrets-bao",
         "type": "path"
-      }
+      },
+      "parent": []
     }
   },
   "root": "root",

hosts/lio/flake.lock

@@ -64,11 +64,11 @@
     "common": {
       "locked": {
         "dir": "flakes/common",
-        "lastModified": 1767587784,
-        "narHash": "sha256-xHZwNiDUshkQg1yUu+RFdkFAa8jj0XkAFpZjuUqi0wo=",
+        "lastModified": 1767592562,
+        "narHash": "sha256-MoSZeW3agnrU15NYk6pjfKFbgsXnYoLaOMhsL3zNHD4=",
         "ref": "refs/heads/master",
-        "rev": "effa01310bfe91ef7a39a035f021a0dc4e345e58",
-        "revCount": 1042,
+        "rev": "8b54ce4b3799ac48b2093018504eccad2852c0f7",
+        "revCount": 1050,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },