From 46d091e82e85f12b2c9cc12821a30b6110c723f6 Mon Sep 17 00:00:00 2001 From: sjat Date: Tue, 9 Jun 2026 17:36:28 +0200 Subject: [PATCH] docs(access): add ACCESS.md service record template Co-Authored-By: Claude Sonnet 4.6 --- docs/access/service-access-template.md | 38 ++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/access/service-access-template.md diff --git a/docs/access/service-access-template.md b/docs/access/service-access-template.md new file mode 100644 index 0000000..0a83947 --- /dev/null +++ b/docs/access/service-access-template.md @@ -0,0 +1,38 @@ +# Per-service operational-access record — template + +Copy this file to `roles//ACCESS.md` when building a service role (ADR-021). +It is the per-service **operational-access record**: every documented, verifiable way in +for troubleshooting. The structured parts are **rendered from the role's `access__*` +data** (the single source of truth that also drives `/check-access`) — keep the data +authoritative and regenerate this file rather than hand-editing the tables. The prose +"Operational notes" tail is hand-written. + +Delete this preamble in the copy and start from the heading below. + +--- + +# Access — + +## Access paths + +The mesh-reachable ways in, by tier (rendered from `access__*`): + +| Tier | Path | Invocation | +|---|---|---| +| primary | `wt0` mesh SSH | `ssh ` (over the NetBird mesh) | +| secondary | LAN SSH from `ubongo` | `ssh ` (from the control node, LAN address) | +| — | container exec + compose | `docker compose -p -f ps` / `exec` | +| — | logs | Loki query for labels `` (Grafana; ADR-018) | +| — | admin API | `curl -H 'Authorization: …(vault_ref)' ` — or `n/a` | + +## Break-glass + +Mesh-and-LAN-independent fallback for this host's class (recorded, not routine): + +- + +## Operational notes + +Prose the data can't capture — service quirks, "if X is wedged, do Y", ordering gotchas. + +-
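Review bot: In the Access paths table, the admin API row (`curl -H 'Authorization: …(vault_ref)'`) does not say that the record must carry only the vault reference and never the resolved token. The file is rendered from the role's `access__*` data and copied into `roles/`, so a sentence in the preamble or a note on that row stating that credentials appear by reference only would keep a generated or hand-edited ACCESS.md from ending up with a live secret in it. The Break-glass section has the same gap: its bullet is left bare, and a prompt for what to record there (which fallback applies to this host's class, and where its credential is held, again by reference) would make it fillable without guessing. Separately, several placeholders read as empty in the lines shown (`roles//ACCESS.md`, the `ssh` invocations with no target, `docker compose -p -f ps`, the "# Access —" heading); if these are angle-bracket placeholders, Markdown renderers can swallow them as HTML, so escaped brackets or a brace-style placeholder would survive rendering.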