infra/stacks
Viktor Barzin deede6dd11 chrome-service: switch to CDP + persistent profile + hourly snapshot pipeline
The chrome-service stack ran `playwright launch-server`, which creates
ephemeral browser contexts per `connect()`. Despite the encrypted PVC
mounted at /profile, no chromium user-data ever persisted — only npm
cache + fontconfig. Logging in via noVNC was effectively a no-op.

Refactor:
- Replace launch-server with direct chromium (TCP CDP on :9223 internal),
  fronted by a Python HTTP+WS bridge on :9222 that rewrites the Host
  header to bypass Chrome's hardcoded DNS-rebinding protection (no
  `--remote-allow-hosts` flag exists in stock Chrome 130; verified by
  binary string grep). Bridge also forces Connection: close on HTTP
  responses so Node ws opens a fresh TCP for the WS upgrade rather than
  trying to reuse the dead keep-alive socket.
- Add `--user-data-dir=/profile/chromium-data` so cookies/localStorage
  actually persist on the encrypted PVC.
- New snapshot-server sidecar (stdlib python HTTP) serves
  GET /api/snapshot at chrome.viktorbarzin.me/api/snapshot,
  bearer-token-gated by the existing api_bearer_token.
- New chrome-service-snapshot-harvester CronJob (hourly) connects via
  CDP, dumps storage_state() (cookies + localStorage), writes atomically
  to /profile/snapshots/storage-state.json.
- NetworkPolicy: TCP/9222 (was :3000), TCP/8088 added for traefik.

Caller migration:
- f1-stream: `chromium.connect(ws_url)` → `chromium.connect_over_cdp(cdp_url)`,
  env var CHROME_WS_URL → CHROME_CDP_URL. CHROME_WS_TOKEN dropped (no
  longer used by code; ExternalSecret kept for symmetry with the snapshot
  endpoint).

Dev-box side (out of scope for this commit — see ~/.config/systemd/user/):
- playwright-mcp.service flips to `--isolated --storage-state=...`
  so per-Claude-Code-session ephemeral contexts seed from the snapshot.
- playwright-snapshot-refresh.{service,timer} (hourly) pulls the
  snapshot via the bearer-gated HTTPS endpoint.

Docs updated:
- docs/architecture/chrome-service.md — new architecture diagram + wire protocol.
- docs/runbooks/chrome-service-snapshot.md — day-2 ops (refresh, rotation,
  failure modes, restore).
- stacks/chrome-service/README.md — connect_over_cdp recipe.

Design spec at docs/superpowers/specs/2026-06-04-playwright-per-session-browser-design.md.
2026-06-05 09:19:10 +00:00
_template ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-10 18:53:49 +00:00
actualbudget infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
affine infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
authentik keel+anubis: extend sweep to non-V2 raw deployments; fix anubis replicas validation 2026-05-29 06:02:24 +00:00
beads-server keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
blog infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
broker-sync broker-sync: unsuspend broker-sync-imap (IE structurally skipped at code level now) 2026-05-27 17:57:26 +00:00
calico security(wave1): W1.6 expand observation from recruiter-responder pilot → tier 3+4 (82 namespaces) 2026-05-19 22:14:16 +00:00
changedetection infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
chrome-service chrome-service: switch to CDP + persistent profile + hourly snapshot pipeline 2026-06-05 09:19:10 +00:00
city-guesser infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
claude-agent-service feat(claude-agent-service): seed nextcloud-todos planner + exec agents 2026-06-05 09:19:09 +00:00
claude-memory infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
cloudflared cloudflared: fix tunnel origin .200 -> Traefik svc DNS (full-site 502 outage) [ci skip] 2026-06-01 21:22:05 +00:00
cnpg cnpg: bump webhook-cert renewal threshold 7d -> 30d 2026-05-22 15:00:41 +00:00
coturn infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
crowdsec crowdsec: pin image to v1.7.8 + remove ENROLL_KEY, CAPI restored 2026-05-24 11:11:29 +00:00
cyberchef infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
dashy infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
dawarich infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
dbaas feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring 2026-06-05 09:19:10 +00:00
descheduler infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
diun infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
ebook2audiobook infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
ebooks keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
echo infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
excalidraw infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
external-secrets infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
f1-stream chrome-service: switch to CDP + persistent profile + hourly snapshot pipeline 2026-06-05 09:19:10 +00:00
fire-planner fire-planner: LLM_MODEL env var → qwen3vl-4b default (fits in current GPU headroom; immich-ml is holding ~10GB) 2026-06-01 19:50:41 +00:00
forgejo infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
freedify infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
freshrss infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
frigate infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
grampsweb infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
hackmd infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
headscale keel: enroll 15 critical-path namespaces for digest-only auto-update 2026-05-17 12:13:22 +00:00
health infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
hermes-agent hermes-agent: gate PVC on parked flag (clears PVCStuckPending) 2026-05-31 15:19:28 +00:00
homepage infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
immich immich: fix slow context search — prewarm clip_index + latency alert/healthcheck 2026-06-05 09:19:07 +00:00
infra infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
infra-maintenance [infra] Sweep dns_config ignore_changes across all pod-owning resources [ci skip] 2026-04-18 21:19:48 +00:00
insta2spotify keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
instagram-poster keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
isponsorblocktv infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
job-hunter job-hunter: weekly above-target Slack alert CronJob 2026-06-02 20:49:42 +00:00
jsoncrack infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
k8s-dashboard revert(k8s-dashboard): restore forward-auth ingress (apiserver OIDC unresolved) 2026-06-05 09:19:10 +00:00
k8s-portal Bucket A retrigger + Bucket D enrollment (5 module-nested stacks) 2026-05-16 23:10:38 +00:00
k8s-version-upgrade k8s-version-upgrade: ignore IngressTTFBCritical in halt-on-alert check 2026-05-24 01:10:44 +00:00
keel keel: re-enable with policy=patch (semver-bounded) + fix CI deny-privileged 2026-05-26 19:06:51 +00:00
kms infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
kured kured: fix sentinel-gate OOM — 256Mi limit + self-restart leak guard 2026-05-31 14:49:04 +00:00
kyverno kyverno: strip orphaned keel.sh/match-tag fleet-wide (image-swap fix) 2026-06-01 19:50:41 +00:00
linkwarden infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
llama-cpp kms: revert files accidentally bundled into the docs commit 2026-06-01 10:36:49 +00:00
local-path keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
mailserver keel+anubis: extend sweep to non-V2 raw deployments; fix anubis replicas validation 2026-05-29 06:02:24 +00:00
matrix infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
meshcentral infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
metallb keel: enroll 11 more namespaces (operators + critical infra) 2026-05-17 20:59:14 +00:00
metrics-server keel: enroll 15 critical-path namespaces for digest-only auto-update 2026-05-17 12:13:22 +00:00
monitoring immich: fix slow context search — prewarm clip_index + latency alert/healthcheck 2026-06-05 09:19:07 +00:00
n8n infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
navidrome infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
netbox infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
networking-toolbox infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
nextcloud infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
nextcloud-todos feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring 2026-06-05 09:19:10 +00:00
nfs-csi keel: enroll 11 more namespaces (operators + critical infra) 2026-05-17 20:59:14 +00:00
nodelocal-dns [dns] NodeLocal DNSCache — deploy DaemonSet to all nodes (WS C) 2026-04-19 15:46:41 +00:00
novelapp infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
ntfy infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
nvidia keel: belt-and-suspenders opt-out for mysql/redis/nvidia-exporter 2026-05-26 21:53:10 +00:00
onlyoffice infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
openclaw feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring 2026-06-05 09:19:10 +00:00
osm_routing infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
owntracks infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
paperless-mcp keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
paperless-ngx infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
payslip-ingest keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
phpipam keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
platform infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
plotting-book infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
poison-fountain infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
postiz postiz: adopt drifted resources into TF state; exclude stuck Helm release 2026-05-30 14:36:07 +00:00
priority-pass priority-pass: bump image_tag to 63e118c3 [ci skip] 2026-06-05 09:19:09 +00:00
privatebin infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
proxmox-csi cloud-init: hands-off k8s worker provisioning + 5 bug fixes 2026-05-26 11:52:00 +00:00
pvc-autoresizer [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
rbac feat(rbac): apiserver multi-issuer OIDC via structured AuthenticationConfiguration 2026-06-05 09:19:09 +00:00
real-estate-crawler infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
recruiter-responder keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
redis redis: revert 3-node Sentinel HA to single standalone instance [ci skip] 2026-05-30 17:49:43 +00:00
reloader infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
resume infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
reverse-proxy keel: enroll 15 critical-path namespaces for digest-only auto-update 2026-05-17 12:13:22 +00:00
rybbit infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
sealed-secrets keel: enroll 11 more namespaces (operators + critical infra) 2026-05-17 20:59:14 +00:00
send infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
servarr mam-farming: migrate data volume proxmox-lvm → NFS 2026-06-05 09:19:09 +00:00
shadowsocks infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
speedtest infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
status-page status-page: disable pusher CronJob to stop sdc write storm 2026-05-26 21:40:14 +00:00
stirling-pdf infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
t3code t3code: ingress -> devvm dispatch+autopair (retire in-cluster nginx) 2026-06-02 19:24:30 +00:00
tandoor infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
technitium technitium: CoreDNS rewrite forgejo.viktorbarzin.me -> Traefik ClusterIP 2026-06-04 07:34:30 +00:00
terminal infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
tor-proxy infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
trading-bot infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
traefik traefik: bot-block-proxy buffer 256k + document the real HTTP/2 limit 2026-06-01 15:15:27 +00:00
travel_blog infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
tripit feat(tripit): linked-email verification (SMTP + confirm carve-out) [ci skip] 2026-06-05 09:19:09 +00:00
tuya-bridge infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
uptime-kuma feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring 2026-06-05 09:19:10 +00:00
url infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
vault feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring 2026-06-05 09:19:10 +00:00
vaultwarden keel: sweep KEEL_LIFECYCLE_V1 + per-container KEEL_IGNORE_IMAGE across enrolled workloads 2026-05-28 23:09:30 +00:00
vpa keel: enroll 11 more namespaces (operators + critical infra) 2026-05-17 20:59:14 +00:00
wealthfolio infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
webhook_handler infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
whisper infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
wireguard keel: enroll 15 critical-path namespaces for digest-only auto-update 2026-05-17 12:13:22 +00:00
woodpecker infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00
xray xray: drop dead vless ingress + pin Service target_port 2026-05-24 01:13:54 +00:00
ytdlp infra: untrack generated backend.tf (stale PG creds + .200 literal) [CI SKIP] 2026-06-03 10:52:46 +00:00