As easilok correctly pointed out in IRC:
- Inside container: Liquidsoap must bind to 0.0.0.0 (all interfaces)
- Security is enforced by Docker port mapping: 127.0.0.1🔢1234
- This prevents external access while allowing container functionality
The docker-compose.yml mapping is what provides security, not the
bind address inside the container.
Credit: easilok for the explanation and fix approach
SECURITY IMPROVEMENTS:
- Liquidsoap telnet now binds to 127.0.0.1 (was 0.0.0.0)
- Only accessible from within the container itself
- Defense in depth: even if another container is compromised
- Liquidsoap now uses ICECAST_SOURCE_PASSWORD environment variable
- Reads from environment.get("ICECAST_SOURCE_PASSWORD")
- Falls back to default for development
- All three streams (MP3, AAC, Low-quality) use same variable
DOCUMENTATION:
- Added comment to icecast.xml explaining environment variable override
- Clarifies that docker-compose.yml environment variables take precedence
This completes the password externalization for all Docker services:
- Icecast: Uses env vars (already done)
- Liquidsoap: Now uses env vars ✅
- PostgreSQL: Uses env vars (already done)
Ref: TODO.org security improvements
CRITICAL SECURITY FIXES:
- Bind all Docker services to localhost only (127.0.0.1)
- Prevents external access to Liquidsoap telnet (port 1234)
- Prevents direct Icecast access without HAproxy (port 8000)
- Secures PostgreSQL port (5432)
DOCKER CHANGES (docker-compose.yml):
- Icecast: 127.0.0.1:8000:8000 (was 8000:8000)
- Liquidsoap: 127.0.0.1🔢1234 (was 1234:1234)
- PostgreSQL: 127.0.0.1:5432:5432 (was 5432:5432)
- All passwords now use environment variables
CONFIG TEMPLATE:
- Added ICECAST_SOURCE_PASSWORD
- Added ICECAST_RELAY_PASSWORD
- Documented all Docker password variables
Addresses TODO items from b612.asteroid.radio deployment:
- Problem 1: Liquidsoap telnet exposed ✅ FIXED
- Problem 2: Icecast binding to 0.0.0.0 ✅ FIXED
This prevents the security issues that forced Fade to shut down
the production server. Services are now only accessible via
HAproxy on the host machine.
Ref: TODO.org lines 25-27
- Add pop-out player window (400x300px) with auto-reconnect on stream errors
- Add queue reordering with up/down buttons in admin panel
- Add 'Load Queue from M3U' functionality
- Remove Play/Stream buttons from track management
- Fix Liquidsoap audio quality issues:
- Remove ReplayGain and compression to prevent pulsing
- Change reload_mode to 'seconds' to prevent playlist exhaustion
- Reduce crossfade to 3 seconds
- Add audio buffering settings for stability
- Add auto-reconnect logic for both front page and pop-out players
- Add 5-second crossfades between tracks
- Use ReplayGain for consistent volume (removed normalize())
- Add audio compression to prevent clipping
- Liquidsoap watches playlist file and reloads every 5 seconds
- Fallback to random playback when queue is empty
- Fix playlist to play all tracks in order
✅ CLIP Template System:
- Created template-utils.lisp with centralized rendering
- Template caching for performance
- render-template-with-plist for consistent API
- Proper CLIP attribute processors (data-text)
- Documentation in docs/CLIP-REFACTORING.org
✅ Admin Dashboard Complete:
- System Status: All 4 indicators working (Server, DB, Liquidsoap, Icecast)
- Music Library: Scan, upload, duplicate detection working
- Track Management: Pagination (20/page, configurable 10/20/50/100)
- Player Control: HTML5 audio player with play/pause/stop
- User Management: Moved to separate /admin/users page
✅ User Management:
- New /admin/users route with dedicated page
- Inline user creation form
- User stats dashboard
- Role management (listener/DJ/admin)
- Activate/deactivate users
- API endpoint /api/users/create
- Tested with curl - all working
✅ Live Stream & Now Playing:
- Fixed: Green 🟢 LIVE STREAM indicator (was red)
- Fixed: Stream quality display matches selected stream (AAC/MP3)
- Now Playing updates every 10s from Icecast
- No HTML rendering bugs - working correctly
✅ Track Library:
- Fixed recursive directory scanning bug
- 64 tracks scanned and in database
- Pagination working perfectly
✅ Front Page & Web Player:
- Station Status shows correct stream quality
- Quality selector updates all displays
- Live stream indicators green
- Now Playing working on all pages
All Templates section items complete [4/4] ✅
- Auto-scan music library on startup to load existing tracks
- Add check-icecast-status() function to query Icecast API
- Add check-liquidsoap-status() function to check Docker container
- Update admin dashboard to show real-time streaming status
- Eliminates need to manually copy files from incoming on every restart
- Add docker/start.sh and docker/stop.sh back to repository
- Update .gitignore to allow these specific Docker utility scripts
- These scripts provide convenient Docker Compose management
- Maintains general *.sh exclusion while allowing essential Docker scripts
- Add *.sh rule to prevent shell scripts from being committed
- Remove previously tracked start.sh and stop.sh from docker directory
- Keep repository clean of local automation scripts
- Update docker-compose to docker compose in start.sh and stop.sh
- Resolves WSL2 compatibility issue with modern Docker installations
- Both scripts now work with Docker Compose V2 syntax
- Add <changeowner> section to fix 'run as root' error
- Remove complex mount configurations, let Docker handle automatically
- Fix log directory path from /var/log/icecast2/ to /var/log/icecast/
- Update docker-compose.yml to use main icecast.xml instead of minimal version
- Remove temporary minimal-icecast.xml workaround file
All three streams now working with clean main configuration:
- asteroid.aac (96kbps AAC - recommended)
- asteroid.mp3 (128kbps MP3 - compatible)
- asteroid-low.mp3 (64kbps MP3 - low bandwidth)
AAC streaming feature is now production-ready with proper Docker integration.
- Increase sources limit from 2 to 5 in icecast.xml
- Add explicit mount configurations for asteroid.aac and asteroid-low.mp3
- Configure proper stream metadata and settings for each mount point
This should resolve the 403 Forbidden errors for AAC and low quality streams.
- Keep original savonet/liquidsoap:792d8bf (Liquidsoap 2.4.1+git)
- Original image already includes FDK-AAC encoder support
- No need to downgrade to v2.2.5
- Update documentation to reflect correct information
The original 792d8bf commit corresponds to Liquidsoap 2.4.1+git which
already has liquidsoap.build_config.optionals.fdkaac available.
- Add AAC 96kbps stream via %fdkaac encoder in Liquidsoap
- Update Docker image to savonet/liquidsoap:v2.2.5 for AAC support
- Add stream quality selector to front page and player page
- Enable real-time switching between AAC/MP3 formats
- Set AAC as recommended default for better quality/bandwidth ratio
- Add comprehensive documentation in AAC-STREAMING.md
Stream URLs:
- http://localhost:8000/asteroid.aac (96kbps AAC - recommended)
- http://localhost:8000/asteroid.mp3 (128kbps MP3 - compatible)
- http://localhost:8000/asteroid-low.mp3 (64kbps MP3 - low bandwidth)
Benefits:
- 25% bandwidth reduction vs equivalent MP3 quality
- Better audio quality at same bitrate
- Modern streaming standard used by major platforms
- Add live stream integration to both front page and player page
- Add /api/icecast-status endpoint to fetch real-time stream data
- Add drakma dependency for HTTP requests to Icecast
- Fix JavaScript errors on player page with proper error handling
- Add auto-updating 'Now Playing' info every 10 seconds
- Update .gitignore to preserve docker/music/ directory structure
- Add .gitkeep to maintain docker/music/ folder in repository
- Improve user experience with separate public/registered user flows
Integration now complete:
- Front page: Public live stream access
- Player page: Live stream + playlist management for registered users
- Real-time metadata from Icecast JSON API
- Graceful error handling for missing stream backend
## Docker Infrastructure Improvements
- **Liquidsoap Upgrade**: Updated to latest savonet/liquidsoap:792d8bf tag
- **Port Configuration**: Resolved port conflicts, standardized on port 8000 for streaming
- **Service Integration**: Docker Icecast (8000) + Asteroid web app (8080) architecture
- **Script Updates**: Fixed docker-compose commands for legacy compatibility
- **Documentation**: Comprehensive updates to setup-complete.org with correct URLs
## User Management System Fixes
- **Database Field Handling**: Fixed list vs string format inconsistencies in RADIANCE i-lambdalite
- **Authentication Flow**: Resolved "string designator" errors in user initialization
- **Admin Creation**: Fixed default admin user detection and creation logic
- **Session Management**: Proper handling of user ID storage and retrieval
## Web Interface Improvements
- **Navigation Routes**: Fixed /player/ → /player route mismatch
- **Link Consistency**: All navigation links now match defined routes
- **Template Integration**: Proper CLIP template processing with corrected data types
## Configuration Management
- **RADIANCE Config**: Fixed r-simple-wsessions typo in startup modules
- **Domain Setup**: Added "asteroid" domain to RADIANCE configuration
- **Service Dependencies**: Proper module loading order and error handling
## System Integration
- **Dual-Port Architecture**: Streaming (8000) + Web Interface (8080) separation
- **Service Status**: Integration points for Docker service monitoring
- **Audio Pipeline**: Liquidsoap → Icecast → Web Player workflow established
## Testing & Validation
- **Stream Verification**: Confirmed http://localhost:8000/asteroid.mp3 streaming
- **Web Access**: Validated http://localhost:8080/asteroid/ interface
- **User Authentication**: Tested login/logout and admin panel access
- **Database Operations**: Verified track metadata and user management
This commit establishes a fully functional internet radio streaming platform
with containerized audio services and integrated web management interface.
- Add complete Docker Compose setup with official Liquidsoap image (savonet/liquidsoap:v2.2.5)
- Add Icecast2 streaming server configuration
- Create dual quality streams (128kbps and 64kbps MP3)
- Add comprehensive documentation in Org format
- Add simple start/stop scripts for easy management
- Update .gitignore to exclude music files and Docker artifacts
- Remove old shell scripts (moved to ~/asteroid-scripts/)
- System-agnostic solution works on any Docker-capable system
This provides a complete streaming solution that works consistently across
all platforms, including Arch Linux where Liquidsoap packages may not be available.
glenneth
Luis Pereira