security: Liquidsoap now uses environment variable for Icecast password

SECURITY IMPROVEMENTS: - Liquidsoap telnet now binds to 127.0.0.1 (was 0.0.0.0) - Only accessible from within the container itself - Defense in depth: even if another container is compromised - Liquidsoap now uses ICECAST_SOURCE_PASSWORD environment variable - Reads from environment.get("ICECAST_SOURCE_PASSWORD") - Falls back to default for development - All three streams (MP3, AAC, Low-quality) use same variable DOCUMENTATION: - Added comment to icecast.xml explaining environment variable override - Clarifies that docker-compose.yml environment variables take precedence This completes the password externalization for all Docker services: - Icecast: Uses env vars (already done) - Liquidsoap: Now uses env vars ✅ - PostgreSQL: Uses env vars (already done) Ref: TODO.org security improvements
2025-11-03 20:06:50 +03:00 · 2025-11-03 20:06:50 +03:00 · dbe9a06247
parent ed39646ad2
commit dbe9a06247
2 changed files with 13 additions and 4 deletions
--- a/docker/asteroid-radio-docker.liq
+++ b/docker/asteroid-radio-docker.liq
@ -15,9 +15,14 @@ settings.frame.audio.channels.set(2)
 settings.audio.converter.samplerate.libsamplerate.quality.set("best")

 # Enable telnet server for remote control
+# Bind to 127.0.0.1 for security (only accessible from within container)
 settings.server.telnet.set(true)
 settings.server.telnet.port.set(1234)
-settings.server.telnet.bind_addr.set("0.0.0.0")
+settings.server.telnet.bind_addr.set("127.0.0.1")
+
+# Get Icecast source password from environment variable
+# Falls back to default if not set (for development)
+icecast_password = environment.get("ICECAST_SOURCE_PASSWORD", default="H1tn31EhsyLrfRmo")

 # Create playlist source from generated M3U file
 # This file is managed by Asteroid's stream control system
@ -65,7 +70,7 @@ output.icecast(
  %mp3(bitrate=128),
  host="icecast",  # Docker service name
  port=8000,
-  password="H1tn31EhsyLrfRmo",
+  password=icecast_password,
  mount="asteroid.mp3",
  name="Asteroid Radio",
  description="Music for Hackers - Streaming from the Asteroid",
@ -80,7 +85,7 @@ output.icecast(
  %fdkaac(bitrate=96),
  host="icecast",
  port=8000,
-  password="H1tn31EhsyLrfRmo",
+  password=icecast_password,
  mount="asteroid.aac",
  name="Asteroid Radio (AAC)",
  description="Music for Hackers - High efficiency AAC stream",
@ -95,7 +100,7 @@ output.icecast(
  %mp3(bitrate=64),
  host="icecast",
  port=8000,
-  password="H1tn31EhsyLrfRmo",
+  password=icecast_password,
  mount="asteroid-low.mp3",
  name="Asteroid Radio (Low Quality)",
  description="Music for Hackers - Low bandwidth stream",
--- a/docker/icecast.xml
+++ b/docker/icecast.xml
@ -14,6 +14,10 @@
    </limits>

    <authentication>
+        <!-- NOTE: These passwords are OVERRIDDEN by environment variables in docker-compose.yml
+             Set ICECAST_SOURCE_PASSWORD, ICECAST_ADMIN_PASSWORD, and ICECAST_RELAY_PASSWORD
+             in your environment or .env file for production deployments.
+             These defaults are only used if environment variables are not set. -->
        <source-password>H1tn31EhsyLrfRmo</source-password>
        <relay-password>asteroid_relay_2024</relay-password>
        <admin-user>admin</admin-user>