# Per-service operational-access record — template

Copy this file to `roles//ACCESS.md` when building a service role (ADR-021). It is the per-service **operational-access record**: every documented, verifiable way in for troubleshooting. The structured parts are **rendered from the role's `access__*` data** (the single source of truth that also drives `/check-access`) — keep the data authoritative and regenerate this file rather than hand-editing the tables. The prose "Operational notes" tail is hand-written.

Delete this preamble in the copy and start from the heading below.

---

# Access —

## Access paths

The documented ways in, by tier (rendered from `access__*`):

| Tier | Path | Invocation |
|---|---|---|
| primary | `wt0` mesh SSH | `ssh ` (over the NetBird mesh) |
| secondary | LAN SSH from `ubongo` | `ssh ` (from the control node, LAN address) |
| — | container exec + compose | `docker compose -p -f ps` / `exec` |
| — | logs | Loki query for labels `` (Grafana; ADR-018) |
| — | admin API | `curl -H 'Authorization: …(vault_ref)' ` — or `n/a` |

## Break-glass

Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):

-

## Operational notes

Prose the data can't capture — service quirks, "if X is wedged, do Y", ordering gotchas.

-