infra: set up OpenBao instance for pipeline secrets

About this issue

At the moment, manual migration is required for pipeline secrets added before the instance setup, so we are putting this ticket as a notice for anyone using the service. The plan would be running it separately from Nest to minimize downtime risk and the toil of manually unlocking the server after a server restart. I expect this to be enabled on the knot server around December 10-12 to allow me to find where to host it.

Prior art / Additional resources

To be added.