Merge remote-tracking branch 'origin/master'

stacks/chrome-service/files/chrome/Dockerfile

@@ -0,0 +1,27 @@
+# chrome-service browser image (ADR-0002, infra-owned, built off-infra on GHA).
+#
+# The Playwright base provides Xvfb + every browser runtime dep + fonts. On top
+# we install REAL Google Chrome for its licensed proprietary codecs (H.264/AAC):
+# the bundled open-source Chromium ships with those codecs COMPILED OUT, so
+# H.264/AAC video (Instagram Reels, X, most .mp4) fails in the noVNC view with
+# MEDIA_ERR_SRC_NOT_SUPPORTED. Swapping libffmpeg.so does NOT help (Playwright's
+# Chromium has the codecs compiled out, not just the lib stripped), and Chrome
+# for Testing is also codec-less — only google-chrome-stable carries them.
+#
+# main.tf launches /opt/google/chrome/chrome instead of the bundled
+# /ms-playwright/chromium-*/chrome. connect_over_cdp callers (tripit fare scrape,
+# homelab browser, snapshot-harvester) attach to whatever Chrome runs here.
+FROM mcr.microsoft.com/playwright:v1.48.0-noble
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends wget gnupg ca-certificates \
+ && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
+      | gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg \
+ && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
+      > /etc/apt/sources.list.d/google-chrome.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends google-chrome-stable \
+ && rm -rf /var/lib/apt/lists/*
+
+# Fail the build if Chrome isn't runnable / the path moved.
+RUN /opt/google/chrome/chrome --version

stacks/chrome-service/main.tf

@@ -178,8 +178,12 @@ resource "kubernetes_deployment" "chrome_service" {
         }
 
         container {
-          name              = "chrome-service"
-          image             = local.image
+          name = "chrome-service"
+          # Real Google Chrome (Playwright base + google-chrome-stable) for
+          # proprietary H.264/AAC codecs — see files/chrome/Dockerfile. The
+          # snapshot sidecars still use local.python_image (playwright minor
+          # pin) and connect_over_cdp; verified compatible with this Chrome.
+          image             = "ghcr.io/viktorbarzin/chrome-service-browser:latest"
           image_pull_policy = "IfNotPresent"
 
           # Direct chromium launch (NOT `playwright launch-server`). Reason:
@@ -203,16 +207,16 @@ resource "kubernetes_deployment" "chrome_service" {
           args = [
             <<-EOT
             set -e
-            # Locate chromium in the Microsoft image. The path is
-            # /ms-playwright/chromium-XXXX/chrome-linux/chrome where XXXX
-            # is the playwright-pinned build; resolve at runtime so a minor
-            # bump of the image doesn't break the launch line.
-            CHROMIUM=$(find /ms-playwright -maxdepth 4 -name 'chrome' -type f -executable -path '*/chrome-linux/*' 2>/dev/null | head -1)
-            if [ -z "$CHROMIUM" ]; then
-              echo "ERROR: chromium binary not found under /ms-playwright" >&2
+            # Real Google Chrome (proprietary H.264/AAC codecs) baked into the
+            # chrome-service-browser image at a fixed path — so H.264 video
+            # (Reels) plays in the noVNC view. The bundled Chromium under
+            # /ms-playwright lacks those codecs (MEDIA_ERR_SRC_NOT_SUPPORTED).
+            CHROMIUM=/opt/google/chrome/chrome
+            if [ ! -x "$CHROMIUM" ]; then
+              echo "ERROR: google-chrome not found at $CHROMIUM (wrong image?)" >&2
               exit 1
             fi
-            echo "[chrome-service] using chromium: $CHROMIUM"
+            echo "[chrome-service] using browser: $($CHROMIUM --version 2>/dev/null || echo "$CHROMIUM")"
 
             # -listen tcp enables localhost:6099 so the noVNC sidecar can
             # attach over the pod's shared network ns (Ubuntu 24.04