sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/roles/reverse_proxy/ACCESS.md
sjat cb8f924d4b docs(reverse_proxy): service-role SECURITY/VERIFY/ACCESS records (O12) 
reverse_proxy is the first built+applied service role; add the per-service
records CLAUDE.md/ADR-002/008/017/021 require. Add access__*/backup__* data to
defaults as the source of truth (ADR-021/022). reverse_proxy is stateless (ACME
certs re-issue via HTTP-01), so it declares backup__state: false with a reason
rather than a BACKUP.md (ADR-022 convention).

The access__*/backup__* cross-role field names intentionally don't carry the
reverse_proxy__ prefix, so each is marked `# noqa: var-naming[no-role-prefix]`
(ansible-lint has no per-prefix allowlist; rule stays enabled elsewhere).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 19:06:23 +02:00

2 KiB
Raw Permalink Blame History

Access — reverse_proxy (Caddy)

Rendered from the role's access__* data (roles/reverse_proxy/defaults/main.yml) — the source of truth that also drives /check-access. Regenerate from the data; edit the data, not the tables. Host: askari (off-site Hetzner; ADR-007/016).

Access paths

The documented ways in, by tier (rendered from access__*):

Tier Path Invocation
primary wt0 mesh SSH ssh askari (over the NetBird mesh — pending M5; see notes)
secondary LAN/WAN SSH from ubongo ssh ansible@askari (from the control node; Hetzner firewall allows only ubongo's WAN)
container exec + compose docker compose -p reverse_proxy -f /opt/services/reverse_proxy/docker-compose.yml ps / … exec caddy sh
logs docker logs caddy now; Loki labels {service: caddy} once the ADR-018 pipeline lands
admin API n/a — Caddy admin API bound to container localhost :2019, never exposed (access__api.enabled: false)

Break-glass

Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):

  • Hetzner rescue system + Cloud Console (VNC) for askari — boot the rescue image or attach the web console from the Hetzner Cloud panel if SSH is unreachable.

Operational notes

  • Mesh not yet enrolled (M5). Until askari joins the NetBird mesh, the wt0 primary path does not exist — the only SSH route is the secondary one (from ubongo's WAN IP, which the TF-managed Hetzner Cloud Firewall allowlists). Promote wt0 to primary once M5 lands.
  • Caddy wedged / bad config: the Caddyfile is rendered read-only by Ansible; to recover, fix reverse_proxy__routes in group_vars and re-run the role (it reloads Caddy via the handler). To inspect live config: docker exec caddy caddy validate --config /etc/caddy/Caddyfile.
  • Cert issuance failing: check that port 80 is reachable from the internet (HTTP-01 needs it) and watch docker logs caddy for ACME errors before assuming a routing fault.