viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/scripts/workstation/playwright/playwright-snapshot-refresh@.service

23 lines
871 B
SYSTEMD
Raw Normal View History

workstation: per-user playwright browser MCP for all users, reproducible from git Viktor asked that the playwright browser MCP be available for every devvm user in every directory, with each user running their own server and multiple concurrent sessions per user. Before this, playwright was hand-set-up per user (~/.config/systemd/user/ playwright-mcp.service on 8931/8932/8933) and only wizard was actually wired — emo's and anca's servers ran but their ~/.claude.json had no playwright entry, so their Claude never connected. None of it was reproducible from git (units, refresh script, and the Vault snapshot token lived only in user homes), so a devvm rebuild would silently lose it. This makes it reproducible and fixes the unwired users: - roster_engine.py: sticky per-user PLAYWRIGHT_PORT (PLAYWRIGHT_BASE_PORT=8931, allocated for every roster user incl. the admin), emitted in the derive JSON. - scripts/workstation/playwright/: system-level TEMPLATE units (playwright-mcp@.service + playwright-snapshot-refresh@.{service,timer}, User=%i — system manager, so no systemd --user / linger) + the refresh script. @playwright/mcp pinned to 0.0.76 (avoids the @latest silent-fleet-roll footgun, same rationale as T3_PIN). - setup-devvm.sh: install the templates + script (9e); stage the chrome-service snapshot bearer token from Vault to a root file (8c) — the hourly root reconcile has no Vault token, mirrors the Claude OAuth staging in 8a. - t3-provision-users.sh: install_playwright() (ALL tiers incl. admin) writes PLAYWRIGHT_PORT, seeds the token if-absent, wires the user-scope ~/.claude.json by running `claude mcp add` AS the user (clobber-proof + if-absent, so it fixes existing/new/admin without rewriting a populated config), and enable --now's the instances (idempotent, never restarts a running server). Also hardened the section-1 *.env scan to skip the new playwright-*.env files (no T3_PORT -> grep no-match would abort under set -e -o pipefail). - Docs: chrome-service-snapshot runbook (new Provisioning section + system-unit commands), multi-tenancy.md, and the 2026-06-07 plan Task 2.3. Supersedes the hand-made per-user --user units (one-time idle-gated migration to follow on the live host). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 20:33:47 +00:00
[Unit]
# Per-user oneshot that pulls the warm cookie+localStorage snapshot from
# in-cluster chrome-service into ~/.cache/playwright-shared-storage-state.json,
# which playwright-mcp@%i seeds every new session from. System-level TEMPLATE
# (one instance per user); runs the shared /usr/local/bin script as the user.
Description=Refresh %i's playwright storage-state snapshot from chrome-service
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
User=%i
# Runs as %i, so the script's $HOME-relative paths (token, cache dest) resolve to
# the user's home. $HOME/$USER are set by systemd because User= is set.
ExecStart=/usr/local/bin/playwright-snapshot-refresh
StandardOutput=journal
StandardError=journal
# Don't hang if chrome-service is unreachable — the timer retries next hour.
TimeoutStartSec=60
[Install]
WantedBy=multi-user.target
Reference in a new issue Copy permalink