38 lines
1.5 KiB
Markdown
# Per-service operational-access record — template

Copy this file to `roles/<service>/ACCESS.md` when building a service role (ADR-021).
It is the per-service **operational-access record**: every documented, verifiable way in
for troubleshooting. The structured parts are **rendered from the role's `access__*`
data** (the single source of truth that also drives `/check-access`) — keep the data
authoritative and regenerate this file rather than hand-editing the tables. The prose
"Operational notes" tail is hand-written.

Delete this preamble in the copy and start from the heading below.

---

# Access — <service>

## Access paths

The documented ways in, by tier (rendered from `access__*`):

| Tier | Path | Invocation |
|---|---|---|
| primary | `wt0` mesh SSH | `ssh <host>` (over the NetBird mesh) |
| secondary | LAN SSH from `ubongo` | `ssh <host>` (from the control node, LAN address) |
| — | container exec + compose | `docker compose -p <access__compose_project> -f <access__compose_path> ps` / `exec` |
| — | logs | Loki query for labels `<access__log.loki_labels>` (Grafana; ADR-018) |
| — | admin API | `curl -H 'Authorization: …(vault_ref)' <access__api.base_url><health_path>` — or `n/a` |

## Break-glass

Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):

- <Proxmox serial/VNC console for cluster VMs · Hetzner rescue for `askari` · local console for `ubongo`>

## Operational notes

Prose the data can't capture — service quirks, "if X is wedged, do Y", ordering gotchas.

- <none yet>