fix(openbao): Correctly use UMask feature, tcp listener and genJqScript

modules/nixos/openbao/default.nix

@@ -81,7 +81,7 @@ in
         ) "consul.service";
 
       restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
-      preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+      preStart = genJqSecretsReplacementSnippet cfg.settings "/var/lib/openbao/config.json";
 
       startLimitIntervalSec = 60;
       startLimitBurst = 3;
@@ -98,7 +98,7 @@ in
         );
         ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
         StateDirectory = "openbao";
-        UMask = "0700";
+        UMask = "0077";
         AmbientCapabilities = "cap_ipc_lock";
         KillSignal = "SIGINT";
         LimitCORE = 0;