boma/roles/reverse_proxy/ACCESS.md
sjat cb8f924d4b docs(reverse_proxy): service-role SECURITY/VERIFY/ACCESS records (O12)
reverse_proxy is the first built+applied service role; add the per-service
records CLAUDE.md/ADR-002/008/017/021 require. Add access__*/backup__* data to
defaults as the source of truth (ADR-021/022). reverse_proxy is stateless (ACME
certs re-issue via HTTP-01), so it declares backup__state: false with a reason
rather than a BACKUP.md (ADR-022 convention).

The access__*/backup__* cross-role field names intentionally don't carry the
reverse_proxy__ prefix, so each is marked `# noqa: var-naming[no-role-prefix]`
(ansible-lint has no per-prefix allowlist; rule stays enabled elsewhere).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 19:06:23 +02:00

37 lines
2 KiB
Markdown

# Access — reverse_proxy (Caddy)
Rendered from the role's `access__*` data (`roles/reverse_proxy/defaults/main.yml`) —
the source of truth that also drives `/check-access`. Regenerate from the data; edit the
data, not the tables. Host: `askari` (off-site Hetzner; ADR-007/016).
## Access paths
The documented ways in, by tier (rendered from `access__*`):
| Tier | Path | Invocation |
|---|---|---|
| primary | `wt0` mesh SSH | `ssh askari` (over the NetBird mesh — pending M5; see notes) |
| secondary | LAN/WAN SSH from `ubongo` | `ssh ansible@askari` (from the control node; Hetzner firewall allows only ubongo's WAN) |
| — | container exec + compose | `docker compose -p reverse_proxy -f /opt/services/reverse_proxy/docker-compose.yml ps` / `… exec caddy sh` |
| — | logs | `docker logs caddy` now; Loki labels `{service: caddy}` once the ADR-018 pipeline lands |
| — | admin API | n/a — Caddy admin API bound to container localhost `:2019`, never exposed (`access__api.enabled: false`) |
## Break-glass
Mesh-and-LAN-independent fallback for this host's class (recorded, not routine):
- **Hetzner rescue system + Cloud Console** (VNC) for `askari` — boot the rescue image
or attach the web console from the Hetzner Cloud panel if SSH is unreachable.
## Operational notes
- **Mesh not yet enrolled (M5).** Until `askari` joins the NetBird mesh, the `wt0`
primary path does not exist — the only SSH route is the secondary one (from `ubongo`'s
WAN IP, which the TF-managed Hetzner Cloud Firewall allowlists). Promote `wt0` to
primary once M5 lands.
- **Caddy wedged / bad config:** the Caddyfile is rendered read-only by Ansible; to
recover, fix `reverse_proxy__routes` in `group_vars` and re-run the role (it reloads
Caddy via the handler). To inspect live config: `docker exec caddy caddy validate
--config /etc/caddy/Caddyfile`.
- **Cert issuance failing:** check that port 80 is reachable from the internet (HTTP-01
needs it) and watch `docker logs caddy` for ACME errors before assuming a routing fault.