Per-service operational-access record — template
Copy this file to roles/<service>/ACCESS.md when building a service role (ADR-021).
It is the per-service operational-access record: every documented, verifiable way in
for troubleshooting. The structured parts are rendered from the role's access__*
data (the single source of truth that also drives /check-access) — keep the data
authoritative and regenerate this file rather than hand-editing the tables. The prose
"Operational notes" tail is hand-written.
Delete this preamble in the copy and start from the heading below.
Access —
Access paths
The documented ways in, by tier (rendered from access__*):
| Tier | Path | Invocation |
|---|---|---|
| primary | wt0 mesh SSH | ssh <host> (over the NetBird mesh) |
| secondary | LAN SSH from ubongo | ssh <host> (from the control node, LAN address) |
| — | container exec + compose | docker compose -p <access__compose_project> -f <access__compose_path> ps / exec |
| — | logs | Loki query for labels <access__log.loki_labels> (Grafana; ADR-018) |
| — | admin API | curl -H 'Authorization: …(vault_ref)' <access__api.base_url><health_path> — or n/a |
Break-glass
Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):
- <Proxmox serial/VNC console for cluster VMs · Hetzner rescue for askari · local console for ubongo>
Operational notes
Prose the data can't capture — service quirks, "if X is wedged, do Y", ordering gotchas.