diff --git a/nixos/systems/blowhole/consul.nix b/nixos/systems/blowhole/consul.nix
index 538b86d..8e047fe 100644
--- a/nixos/systems/blowhole/consul.nix
+++ b/nixos/systems/blowhole/consul.nix
@@ -26,8 +26,9 @@ in
 };
 };
- systemd.services.hashicorp-consul.unitConfig = {
- ConditionPathExists = "/run/secrets/consul.json";
+ systemd.services."hashicorp-consul" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
 };
 services.hashicorp.consul = {
diff --git a/nixos/systems/blowhole/default.nix b/nixos/systems/blowhole/default.nix
index bd5a705..a07d9e4 100644
--- a/nixos/systems/blowhole/default.nix
+++ b/nixos/systems/blowhole/default.nix
@@ -63,6 +63,30 @@ in
 ];
 };
+ systemd.services.vault-unsealed = {
+ description = "Check whether the local Vault instance is unsealed and fail if not.";
+ path = with pkgs; [ getent vault ];
+ unitConfig = {
+ StartLimitInterval = 0;
+ };
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 30;
+ };
+ script = ''
+ export VAULT_ADDR="https://vault.in.redalder.org:8200/"
+ while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf $? ) = 1 ]
+ do
+ sleep 30
+ done
+ exit 2
+ '';
+ };
 system.stateVersion = "21.05";
 });
 };
diff --git a/nixos/systems/blowhole/hostapd.nix b/nixos/systems/blowhole/hostapd.nix
index 9b23fd2..45282fc 100644
--- a/nixos/systems/blowhole/hostapd.nix
+++ b/nixos/systems/blowhole/hostapd.nix
@@ -31,8 +31,9 @@ in
 destination = "/run/secrets/hostapd_wpa_psk";
 };
- systemd.services.hostapd.unitConfig = {
- ConditionPathExists = "/run/secrets/hostapd_wpa_psk";
+ systemd.services."hostapd" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
 };
 services.hostapd = {
diff --git a/nixos/systems/blowhole/klipper.nix b/nixos/systems/blowhole/klipper.nix
index c659372..a96dcfa 100644
--- a/nixos/systems/blowhole/klipper.nix
+++ b/nixos/systems/blowhole/klipper.nix
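Review bot: `after = [ "vault-unsealed.service" ]` does not gate consul's start on Vault actually being unsealed: vault-unsealed.service (added in default.nix in this same patch) sets no `Type`, so it is Type=simple and counts as active the moment its shell forks, before its first `vault operator key-status` call, and the removed `ConditionPathExists` was the only thing stopping consul from coming up without /run/secrets/consul.json. The `requires` side only matters later, when that unit exits 2 on a sealed Vault and consul is stopped along with it. I would keep the guard next to the new ordering, `unitConfig.ConditionPathExists = "/run/secrets/consul.json";`, or order after whatever renders that file (not visible in this hunk), until vault-unsealed signals readiness properly.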
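Review bot: The `while` condition in `script` fails open: anything `vault operator key-status` prints other than "Vault is sealed" — DNS or TLS failure, connection refused, a permission-denied reply — gives grep status 1 and keeps this loop, and every unit that `requires` it, alive exactly as if Vault were unsealed. `vault status` is the unauthenticated probe for this and exits 0 when unsealed, 2 when sealed and 1 on any other error, so the exit code can drive the loop instead of matching a message string. Separately, with no `Type` the unit is active as soon as the shell forks, so the `after = [ "vault-unsealed.service" ]` added in the other files gives no start-time ordering at all; `Type=notify` with a readiness signal after the first successful probe (and `NotifyAccess`/`TimeoutStartSec` set so a shell child can send it and the wait is not cut off at 90s) makes that ordering mean something. Units stopped through `requires` when this exits 2 are not started again when Vault is later unsealed, which the description should say and the dependents need a restart policy for. The `getent` entry in `path` is not used by anything in the script and deserves a comment if it is still needed.

```nix
serviceConfig = {
  # Not "simple": dependents' `after = [ "vault-unsealed.service" ]` should
  # wait for the first successful probe, not merely for this shell to fork.
  Type = "notify";
  NotifyAccess = "all";
  TimeoutStartSec = "infinity";
  Restart = "always";
  RestartSec = 30;
};

script = ''
  export VAULT_ADDR="https://vault.in.redalder.org:8200/"

  # `vault status` exits 0 unsealed, 2 sealed, 1 on any other error; treating
  # every non-zero status as "not usable" keeps this check fail-closed.
  until vault status >/dev/null 2>&1; do
    sleep 30
  done
  systemd-notify --ready

  while vault status >/dev/null 2>&1; do
    sleep 30
  done
  exit 2
'';
```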
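Review bot: Dropping `ConditionPathExists = "/run/secrets/hostapd_wpa_psk"` removes the only check that the PSK rendered to the `destination` two lines above exists before hostapd starts, and the new `after` on vault-unsealed.service does not replace it: that unit is Type=simple in this patch, so hostapd is ordered only after its shell has forked, not after Vault is confirmed unsealed or after the template has been written. Whether hostapd then fails once or comes up with a stale or missing PSK file depends on the hostapd config, which is outside this hunk. I would keep `unitConfig.ConditionPathExists = "/run/secrets/hostapd_wpa_psk";` inside the new attrset alongside `requires`/`after`.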
@@ -45,6 +45,9 @@ in
 systemd.services."container@klipper" = {
 restartIfChanged = lib.mkForce false;
+
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
 };
 containers.klipper = {
diff --git a/nixos/systems/blowhole/monitoring.nix b/nixos/systems/blowhole/monitoring.nix
index 5166d56..9a6a743 100644
--- a/nixos/systems/blowhole/monitoring.nix
+++ b/nixos/systems/blowhole/monitoring.nix
@@ -205,6 +205,11 @@ in
 };
+ systemd.services."hashicorp-envoy-telegraf" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
+ };
 ## There is no way to say, hey, listen on localhost. The listeners option is missing the `address` field
 ## and the `name` field so it's impossible to configure....
 services.hashicorp-envoy.telegraf = {
@@ -235,6 +240,11 @@ in
 extraConsulArgs = [ "-ignore-envoy-compatibility" ];
 };
+ systemd.services."telegraf-magic" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
+ };
 services.telegraf-magic = {
 enable = true;
 settings = {
@@ -324,7 +334,12 @@ in
 fsType = "zfs";
 };
- systemd.services."container@monitor".serviceConfig.LimitNOFILE = "infinity";
+ systemd.services."container@monitor" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
+
+ serviceConfig.LimitNOFILE = "infinity";
+ };
 # TODO: split interface name and container name, i.e. rewrite the container module....... again
 containers.monitor = {
diff --git a/nixos/systems/blowhole/nomad.nix b/nixos/systems/blowhole/nomad.nix
index 0fc1c69..9308647 100644
--- a/nixos/systems/blowhole/nomad.nix
+++ b/nixos/systems/blowhole/nomad.nix
@@ -28,6 +28,11 @@ in
 };
 };
+ systemd.services."hashicorp-nomad" = {
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
+ };
 services.hashicorp.nomad = {
 enable = true;
diff --git a/nixos/systems/blowhole/vault-agent.nix b/nixos/systems/blowhole/vault-agent.nix
index e45f4d7..26a4648 100644
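Review bot: `requires = [ "vault-unsealed.service" ]` means systemd stops `container@klipper` whenever that unit exits — which, per its script in default.nix, happens as soon as Vault reports sealed, so a Vault restart is enough — and nothing starts the container again once Vault is unsealed. That sits awkwardly next to `restartIfChanged = lib.mkForce false` immediately above, which reads as an effort to keep the printer container from being interrupted, presumably mid-print. If the container only needs Vault at start-up, `wants = [ "vault-unsealed.service" ];` with the same `after` keeps the ordering without the stop-on-failure propagation; if the hard stop is intended, a one-line comment saying so would spare the next reader the same question.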
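Review bot: The `requires`/`after` pair on `vault-unsealed.service` is now repeated verbatim for `hashicorp-envoy-telegraf`, `telegraf-magic` and `container@monitor` in this file (and in five more units across the patch), so the next change to that dependency has to be made in eight places. A single binding in the file's `let`, `needsVault = { requires = [ "vault-unsealed.service" ]; after = [ "vault-unsealed.service" ]; };`, lets each unit read `systemd.services."telegraf-magic" = needsVault;` and the last hunk become `systemd.services."container@monitor" = needsVault // { serviceConfig.LimitNOFILE = "infinity"; };`, keeping the existing `LimitNOFILE` setting. The `let` header is outside these hunks.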
--- a/nixos/systems/blowhole/vault-agent.nix
+++ b/nixos/systems/blowhole/vault-agent.nix
@@ -17,6 +17,9 @@ in {
 preStart = "systemd-tmpfiles --create " + config;
 postStop = "systemd-tmpfiles --clean " + config;
+
+ requires = [ "vault-unsealed.service" ];
+ after = [ "vault-unsealed.service" ];
 };
 services.hashicorp.vault-agent = {
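Review bot: With the agent unit now tied to vault-unsealed.service, its `postStop` (`systemd-tmpfiles --clean`) runs whenever that unit exits on a sealed Vault, which is the right direction for secret hygiene, but the consumers elsewhere in this patch (consul, hostapd, nomad, the containers) order only after vault-unsealed, not after this agent, so none of them is guaranteed to start after the files described by the tmpfiles `config` have been rendered. Because `after` on a Type=simple unit waits only for its fork, the agent itself may also start while Vault is still sealed and then depends on its own retry behaviour, which is not visible here. Adding this agent's unit to the consumers' `after` lists, e.g. `after = [ "vault-unsealed.service" "<agent-unit>.service" ];`, would close that gap; the enclosing service attrset starts above this hunk, so I cannot confirm its unit name from here.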