fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823)

Adds the Vault half of the factory-dev-box bringup, landed but not started
(per the install-but-don't-start pattern used for nomad in #822):

- lib/init/nomad/install.sh — now also installs vault from the shared
  HashiCorp apt repo. VAULT_VERSION pinned (1.18.5). Fast-path skips apt
  entirely when both binaries are at their pins; partial upgrades only
  touch the package that drifted.

- nomad/vault.hcl — single-node config: file storage backend at
  /var/lib/vault/data, localhost listener on :8200, ui on, mlock kept on.
  No TLS / HA / audit yet; those land in later steps.

- lib/init/nomad/systemd-vault.sh — writes /etc/systemd/system/vault.service
  (Type=notify, ExecStartPost auto-unseals from /etc/vault.d/unseal.key,
  CAP_IPC_LOCK granted for mlock), deploys nomad/vault.hcl to
  /etc/vault.d/, creates /var/lib/vault/data (0700 root), enables the
  unit without starting it. Idempotent via content-compare.

- lib/init/nomad/vault-init.sh — first-run init: spawns a temporary
  `vault server` if not already reachable, runs operator-init with
  key-shares=1/threshold=1, persists unseal.key + root.token (0400 root),
  unseals once in-process, shuts down the temp server. Re-run detects
  initialized + unseal.key present → no-op. Initialized but key missing
  is a hard failure (can't recover).

lib/hvault.sh already defaults VAULT_TOKEN to /etc/vault.d/root.token
when the env var is absent, so no change needed there.

Seal model: the single unseal key lives on disk; seal-key theft equals
vault theft. Factory-dev-box-acceptable tradeoff — avoids running a
second Vault to auto-unseal the first.

Blocks S0.4 (#824).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

nomad/vault.hcl

@@ -0,0 +1,41 @@
+# =============================================================================
+# nomad/vault.hcl — Single-node Vault configuration (dev-persisted seal)
+#
+# Part of the Nomad+Vault migration (S0.3, issue #823). Deployed to
+# /etc/vault.d/vault.hcl on the factory dev box.
+#
+# Seal model: the single unseal key lives on disk at /etc/vault.d/unseal.key
+# (0400 root) and is read by systemd ExecStartPost on every boot. This is
+# the factory-dev-box-acceptable tradeoff — seal-key theft equals vault
+# theft, but we avoid running a second Vault to auto-unseal the first.
+#
+# This is a factory dev-box baseline — TLS, HA, Raft storage, and audit
+# devices are deliberately absent. Storage is the `file` backend (single
+# node only). Listener is localhost-only, so no external TLS is needed.
+# =============================================================================
+
+# File storage backend — single-node only, no HA, no raft. State lives in
+# /var/lib/vault/data which is created (root:root 0700) by
+# lib/init/nomad/systemd-vault.sh before the unit starts.
+storage "file" {
+  path = "/var/lib/vault/data"
+}
+
+# Localhost-only listener. TLS is disabled because all callers are on the
+# same box — flipping this to tls_disable=false is an audit-worthy change
+# paired with cert provisioning.
+listener "tcp" {
+  address     = "127.0.0.1:8200"
+  tls_disable = true
+}
+
+# mlock prevents Vault's in-memory secrets from being swapped to disk. We
+# keep it enabled; the systemd unit grants CAP_IPC_LOCK so mlock() succeeds.
+disable_mlock = false
+
+# Advertised API address — used by Vault clients on this host. Matches
+# the listener above.
+api_addr = "http://127.0.0.1:8200"
+
+# UI on by default — same bind as listener, no TLS (localhost only).
+ui = true