From dbe9a06247eb02387f5fe4dba3250d03e7f55aa6 Mon Sep 17 00:00:00 2001 From: glenneth Date: Mon, 3 Nov 2025 20:06:50 +0300 Subject: [PATCH] security: Liquidsoap now uses environment variable for Icecast password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SECURITY IMPROVEMENTS: - Liquidsoap telnet now binds to 127.0.0.1 (was 0.0.0.0) - Only accessible from within the container itself - Defense in depth: even if another container is compromised - Liquidsoap now uses ICECAST_SOURCE_PASSWORD environment variable - Reads from environment.get("ICECAST_SOURCE_PASSWORD") - Falls back to default for development - All three streams (MP3, AAC, Low-quality) use same variable DOCUMENTATION: - Added comment to icecast.xml explaining environment variable override - Clarifies that docker-compose.yml environment variables take precedence This completes the password externalization for all Docker services: - Icecast: Uses env vars (already done) - Liquidsoap: Now uses env vars ✅ - PostgreSQL: Uses env vars (already done) Ref: TODO.org security improvements
---
 docker/asteroid-radio-docker.liq | 13 +++++++++----
 docker/icecast.xml | 4 ++++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/docker/asteroid-radio-docker.liq b/docker/asteroid-radio-docker.liq
index 953b67e..b3cf6e2 100644
--- a/docker/asteroid-radio-docker.liq
+++ b/docker/asteroid-radio-docker.liq
@@ -15,9 +15,14 @@ settings.frame.audio.channels.set(2)
 settings.audio.converter.samplerate.libsamplerate.quality.set("best")
 
 # Enable telnet server for remote control
+# Bind to 127.0.0.1 for security (only accessible from within container)
 settings.server.telnet.set(true)
 settings.server.telnet.port.set(1234)
-settings.server.telnet.bind_addr.set("0.0.0.0")
+settings.server.telnet.bind_addr.set("127.0.0.1")
+
+# Get Icecast source password from environment variable
+# Falls back to default if not set (for development)
+icecast_password = environment.get("ICECAST_SOURCE_PASSWORD", default="H1tn31EhsyLrfRmo")
 
 # Create playlist source from generated M3U file
 # This file is managed by Asteroid's stream control system
@@ -65,7 +70,7 @@ output.icecast(
 %mp3(bitrate=128),
 host="icecast", # Docker service name
 port=8000,
- password="H1tn31EhsyLrfRmo",
+ password=icecast_password,
 mount="asteroid.mp3",
 name="Asteroid Radio",
 description="Music for Hackers - Streaming from the Asteroid",
@@ -80,7 +85,7 @@ output.icecast(
 %fdkaac(bitrate=96),
 host="icecast",
 port=8000,
- password="H1tn31EhsyLrfRmo",
+ password=icecast_password,
 mount="asteroid.aac",
 name="Asteroid Radio (AAC)",
 description="Music for Hackers - High efficiency AAC stream",
@@ -95,7 +100,7 @@ output.icecast(
 %mp3(bitrate=64),
 host="icecast",
 port=8000,
- password="H1tn31EhsyLrfRmo",
+ password=icecast_password,
 mount="asteroid-low.mp3",
 name="Asteroid Radio (Low Quality)",
 description="Music for Hackers - Low bandwidth stream",
diff --git a/docker/icecast.xml b/docker/icecast.xml
index 5746a35..4477c63 100644
--- a/docker/icecast.xml
+++ b/docker/icecast.xml
@@ -14,6 +14,10 @@
+ H1tn31EhsyLrfRmo asteroid_relay_2024 admin
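Review bot: The fallback `default="H1tn31EhsyLrfRmo"` on the new `icecast_password` line keeps the production source password hard-coded in the repository, so the externalization does not actually remove the secret from version control, and a deployment that forgets to set `ICECAST_SOURCE_PASSWORD` silently authenticates with the known value instead of failing. The same literal still appears in docker/icecast.xml below and in git history, so it should be treated as compromised and rotated regardless of this change. Prefer failing closed: `icecast_password = environment.get("ICECAST_SOURCE_PASSWORD")` with no default (or an obviously-dummy dev value such as `"dev-only-change-me"`), and, if the Liquidsoap version in use supports it, a startup check like `if icecast_password == "" then error.raise(error.invalid, "ICECAST_SOURCE_PASSWORD is not set") end` so a misconfigured container stops instead of connecting with the committed password. On the telnet change, the Liquidsoap telnet server has no authentication of its own, so binding to 127.0.0.1 still grants full control to any process inside the container (or in a container sharing its network namespace); extending the comment to `# Bind to 127.0.0.1: the telnet server is unauthenticated, so anything in this network namespace can control the stream` would make the residual exposure explicit.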
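Review bot: The real source password `H1tn31EhsyLrfRmo` still ships as the value in docker/icecast.xml (visible as context here, though the XML tags were lost in extraction), so adding a comment that docker-compose environment variables take precedence leaves the credential in the repository and its history; replace it with a placeholder such as `<source-password>CHANGE_ME</source-password>` and rotate the live value. The adjacent `asteroid_relay_2024` value, presumably the relay password, is not covered by any environment variable in this commit, so the commit message's claim that password externalization is complete for all Docker services holds only for the source password. Note that stock Icecast does not read environment variables itself, so the "override" described in the new comment only works if the container image's entrypoint rewrites this file from `ICECAST_SOURCE_PASSWORD`; that dependency is worth stating in the comment. The added lines of this hunk are not readable in this rendering, so the wording of the new comment itself could not be reviewed.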