docs(access): add ACCESS.md service record template

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 17:36:28 +02:00 · 2026-06-09 17:36:28 +02:00 · 46d091e82e
commit 46d091e82e
parent f8098c2e15
1 changed files with 38 additions and 0 deletions
--- a/docs/access/service-access-template.md
+++ b/docs/access/service-access-template.md
@ -0,0 +1,38 @@
+# Per-service operational-access record — template
+
+Copy this file to `roles/<service>/ACCESS.md` when building a service role (ADR-021).
+It is the per-service **operational-access record**: every documented, verifiable way in
+for troubleshooting. The structured parts are **rendered from the role's `access__*`
+data** (the single source of truth that also drives `/check-access`) — keep the data
+authoritative and regenerate this file rather than hand-editing the tables. The prose
+"Operational notes" tail is hand-written.
+
+Delete this preamble in the copy and start from the heading below.
+
+---
+
+# Access — <service>
+
+## Access paths
+
+The mesh-reachable ways in, by tier (rendered from `access__*`):
+
+| Tier | Path | Invocation |
+|---|---|---|
+| primary | `wt0` mesh SSH | `ssh <host>` (over the NetBird mesh) |
+| secondary | LAN SSH from `ubongo` | `ssh <host>` (from the control node, LAN address) |
+| — | container exec + compose | `docker compose -p <access__compose_project> -f <access__compose_path> ps` / `exec` |
+| — | logs | Loki query for labels `<access__log.loki_labels>` (Grafana; ADR-018) |
+| — | admin API | `curl -H 'Authorization: …(vault_ref)' <access__api.base_url><health_path>` — or `n/a` |
+
+## Break-glass
+
+Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):
+
+- <Proxmox serial/VNC console for cluster VMs · Hetzner rescue for `askari` · local console for `ubongo`>
+
+## Operational notes
+
+Prose the data can't capture — service quirks, "if X is wedged, do Y", ordering gotchas.
+
+- <none yet>