diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1ea41b5..8dec5f8 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -35,6 +35,7 @@
       "dgn-web"
       "django-apps"
       "extranix"
+      "openbao"
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
diff --git a/modules/nixos/openbao/default.nix b/modules/nixos/openbao/default.nix
new file mode 100644
index 0000000..e5c2209
--- /dev/null
+++ b/modules/nixos/openbao/default.nix
@@ -0,0 +1,116 @@
+# SPDX-FileCopyrightText: 2025 Ryan Lahfa
+#
+# SPDX-License-Identifier: MIT
+
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+
+let
+  inherit (lib)
+    optional
+    mkEnableOption
+    mkOption
+    mkIf
+    mkPackageOption
+    getExe'
+    getExe
+    hasAttrByPath
+    ;
+
+  inherit (utils) escapeSystemdExecArgs genJqSecretsReplacementSnippet;
+
+  inherit (lib.types) submodule str listOf;
+
+  cfg = config.services.openbao;
+
+  settingsFormat = pkgs.formats.json { };
+in
+{
+  options = {
+    services.openbao = {
+      enable = mkEnableOption "OpenBao daemon";
+
+      package = mkPackageOption pkgs "openbao" { };
+
+      settings = mkOption {
+        description = ''
+          Settings of OpenBao.
+
+          See [documentation](https://openbao.org/docs/configuration/) for more details.
+        '';
+        type = submodule {
+          freeformType = settingsFormat.type;
+          options = {
+            listener.tcp.address = mkOption {
+              type = str;
+              default = "127.0.0.1:8200";
+              description = ''
+                The address the OpenBao daemon will listen to.
+              '';
+            };
+          };
+        };
+      };
+
+      extraArgs = mkOption {
+        type = listOf str;
+        default = [ ];
+        description = ''
+          Additional arguments given to OpenBao
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.openbao ];
+
+    systemd.services.openbao = {
+      description = "OpenBao server daemon";
+
+      wantedBy = [ "multi-user.target" ];
+      after =
+        [ "network.target" ]
+        ++ optional (
+          config.services.consul.enable && (hasAttrByPath [ "storage" "consul" ] cfg.settings)
+        ) "consul.service";
+
+      restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+      preStart = genJqSecretsReplacementSnippet (settingsFormat.generate "openbao-settings.json" cfg.settings) "/var/lib/openbao/config.json";
+
+      startLimitIntervalSec = 60;
+      startLimitBurst = 3;
+      serviceConfig = {
+        DynamicUser = true;
+        ExecStart = escapeSystemdExecArgs (
+          [
+            (getExe cfg.package)
+            "server"
+            "-config"
+            "/var/lib/openbao/config.json"
+          ]
+          ++ cfg.extraArgs
+        );
+        ExecReload = "${getExe' pkgs.coreutils "kill"} -SIGHUP $MAINPID";
+        StateDirectory = "openbao";
+        UMask = "0700";
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectSystem = "full";
+        ProtectHome = "read-only";
+        AmbientCapabilities = "cap_ipc_lock";
+        NoNewPrivileges = true;
+        LimitCORE = 0;
+        KillSignal = "SIGINT";
+        TimeoutStopSec = "30s";
+        Restart = "on-failure";
+      };
+    };
+  };
+
+}
diff --git a/patches/default.nix b/patches/default.nix
index 2c49d07..0782472 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -34,6 +34,12 @@ in
     # Kanidm memberless groups provisionning
     (local ./nixpkgs/07-kanidm-groups-module.patch)
     (local ./nixpkgs/08-kanidm-groups-pkgs.patch)
+
+    # OpenBAO
+    # openbao: init at 2.0.3
+    (npr 354366 "sha256-hnGmwmkGeGY6fwZ3L3HSvUX5A5ZpxgslzfmSs1UowdA=")
+    # openbao: 2.1.0 -> 2.1.1
+    (npr 375706 "sha256-BQ4O/ub4tivf4cKb7flTpzC7T/4pIQuyEGOwfD12gco=")
   ];
   "nixos-unstable" = [
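Review bot: `UMask = "0700";` in serviceConfig clears the owner bits rather than the group/other bits (a umask removes the bits it names), so every file this unit creates — including the `/var/lib/openbao/config.json` that preStart writes with secrets substituted in — comes out mode 0066: group- and world-readable, and unreadable to the service's own dynamic user; the intended mask is almost certainly `UMask = "0077";`. `environment.systemPackages = [ pkgs.openbao ];` ignores the `package` option declared a few lines above and should be `[ cfg.package ];` so the CLI on PATH matches the server binary actually started. Separately, the nixpkgs `genJqSecretsReplacementSnippet` helper takes the settings attrset and serialises it itself, so passing the `settingsFormat.generate` derivation in preStart looks like it would write the store path as a JSON string instead of the configuration — worth confirming against the helper's definition before merging. The `settings` description should also say that `_secret` entries are replaced with the contents of the named files when the service starts, since that substitution is the only reason the jq snippet is used and nothing on the option currently tells the reader the files must be readable by the DynamicUser.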