add agent-browser + BW browser auth sync for netty

- Add chromium to netty system packages - Add home/agent-browser.nix: configures agent-browser to use nix chromium headless, installs via npm on first activation (Linux only) - Add scripts/sync-bw-browser-auth.sh: imports all BW login items into agent-browser encrypted auth vault via --password-stdin - Add just sync-browser-auth target
2026-04-15 06:04:42 +00:00 · 2026-04-01 23:43:11 -04:00 · 2026-04-01 23:43:11 -04:00 · 1af47c9a5c
commit 1af47c9a5c
parent c3fb0fc358
5 changed files with 120 additions and 0 deletions
--- a/home/agent-browser.nix
+++ b/home/agent-browser.nix
@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  hostConfig,
+  ...
+}:
+lib.mkIf (!hostConfig.isDarwin) {
+  # agent-browser user-level config: point at nix chromium, run headless
+  home.file.".agent-browser/config.json".text = builtins.toJSON {
+    executablePath = "${pkgs.chromium}/bin/chromium";
+    args = "--no-sandbox,--disable-gpu,--disable-dev-shm-usage";
+  };
+
+  # Install agent-browser globally via npm at activation time
+  home.activation.installAgentBrowser = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    export PATH="${
+      lib.makeBinPath [
+        pkgs.nodejs_22
+        pkgs.coreutils
+      ]
+    }:$PATH"
+
+    if ! command -v agent-browser >/dev/null 2>&1; then
+      npm install -g agent-browser 2>/dev/null || true
+    fi
+  '';
+}
--- a/home/common.nix
+++ b/home/common.nix
@ -3,6 +3,7 @@
  _module.args.theme = import ../lib/theme.nix { inherit config; };

  imports = [
+    ./agent-browser.nix
    ./bat.nix
    ./eza.nix
    ./claude.nix
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@ -108,6 +108,7 @@ in
  virtualisation.docker.enable = true;

  environment.systemPackages = packageSets.extras ++ [
+    pkgs.chromium
    pkgs.php
  ];

--- a/3
+++ b/3
@ -28,5 +28,8 @@ secrets-sync:
  ./scripts/render-bw-shell-secrets.sh
  ./scripts/restore-bw-files.sh

+sync-browser-auth:
+  ./scripts/sync-bw-browser-auth.sh
+
 switch-netty:
  ssh root@netty "nixos-rebuild switch --flake github:harivansh-afk/nix#netty --refresh"
--- a/scripts/sync-bw-browser-auth.sh
+++ b/scripts/sync-bw-browser-auth.sh
@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+set -euo pipefail
+export NODE_NO_WARNINGS=1
+
+if ! command -v bw >/dev/null 2>&1; then
+  echo "bw is not installed" >&2
+  exit 1
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "jq is not installed" >&2
+  exit 1
+fi
+
+if ! command -v agent-browser >/dev/null 2>&1; then
+  echo "agent-browser is not installed" >&2
+  exit 1
+fi
+
+if [[ "${BW_SESSION:-}" == "" ]]; then
+  echo 'BW_SESSION is not set. Run: export BW_SESSION="$(bw unlock --raw)"' >&2
+  exit 1
+fi
+
+bw sync --session "${BW_SESSION}" >/dev/null 2>&1 || true
+
+items_json="$(bw list items --session "${BW_SESSION}")"
+
+# type 1 = login items; filter to those with a username, password, and at least one URI
+login_items="$(printf '%s' "${items_json}" | jq -c '
+  [.[] | select(
+    .type == 1 and
+    .login.username != null and
+    .login.username != "" and
+    .login.password != null and
+    .login.password != "" and
+    (.login.uris // []) | length > 0
+  )]
+')"
+
+count="$(printf '%s' "${login_items}" | jq 'length')"
+printf 'Found %d login items with credentials and URIs\n' "${count}"
+
+imported=0
+skipped=0
+failed=0
+
+printf '%s' "${login_items}" | jq -c '.[]' | while IFS= read -r item; do
+  name="$(printf '%s' "${item}" | jq -r '.name')"
+  username="$(printf '%s' "${item}" | jq -r '.login.username')"
+  password="$(printf '%s' "${item}" | jq -r '.login.password')"
+  uri="$(printf '%s' "${item}" | jq -r '.login.uris[0].uri')"
+
+  # Sanitize name for use as agent-browser profile name:
+  # keep only alphanumeric, hyphens, underscores; collapse runs; truncate
+  safe_name="$(printf '%s' "${name}" | tr -cs 'A-Za-z0-9_-' '-' | sed 's/^-//;s/-$//' | head -c 64)"
+
+  if [[ -z "${safe_name}" ]]; then
+    printf 'SKIP (empty name after sanitize): %s\n' "${name}"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  # Skip items whose URI is not an http(s) URL
+  case "${uri}" in
+    http://*|https://*)
+      ;;
+    *)
+      printf 'SKIP (non-http URI): %s -> %s\n' "${name}" "${uri}"
+      skipped=$((skipped + 1))
+      continue
+      ;;
+  esac
+
+  if printf '%s' "${password}" | agent-browser auth save "${safe_name}" \
+       --url "${uri}" \
+       --username "${username}" \
+       --password-stdin >/dev/null 2>&1; then
+    printf 'OK: %s (%s)\n' "${safe_name}" "${uri}"
+    imported=$((imported + 1))
+  else
+    printf 'FAIL: %s (%s)\n' "${safe_name}" "${uri}" >&2
+    failed=$((failed + 1))
+  fi
+done
+
+printf '\nDone. imported=%d skipped=%d failed=%d\n' "${imported}" "${skipped}" "${failed}"