CRITICAL SECURITY FIXES:
- Bind all Docker services to localhost only (127.0.0.1)
- Prevents external access to Liquidsoap telnet (port 1234)
- Prevents direct Icecast access without HAproxy (port 8000)
- Secures PostgreSQL port (5432)
DOCKER CHANGES (docker-compose.yml):
- Icecast: 127.0.0.1:8000:8000 (was 8000:8000)
- Liquidsoap: 127.0.0.1:1234:1234 (was 1234:1234)
- PostgreSQL: 127.0.0.1:5432:5432 (was 5432:5432)
- All passwords now use environment variables
CONFIG TEMPLATE:
- Added ICECAST_SOURCE_PASSWORD
- Added ICECAST_RELAY_PASSWORD
- Documented all Docker password variables
Addresses TODO items from b612.asteroid.radio deployment:
- Problem 1: Liquidsoap telnet exposed ✅ FIXED
- Problem 2: Icecast binding to 0.0.0.0 ✅ FIXED
This prevents the security issues that forced Fade to shut down
the production server. Services are now only accessible via
HAproxy on the host machine.
Ref: TODO.org lines 25-27
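Added example, not code from the asteroid.radio project: a shell check that audits the `ports:` entries of a docker-compose.yml and flags any mapping not bound to 127.0.0.1, i.e. the pre-fix state described in this commit. It assumes the short `- [IP:]HOST:CONTAINER` list syntax and uses constructed before/after files.

```shell
#!/bin/sh
# Added example (not part of the asteroid.radio project): audit the
# "ports:" entries of a docker-compose.yml and flag any published port
# that is not bound to 127.0.0.1, which is the state this commit fixes.
# Assumption: the short "- [IP:]HOST:CONTAINER" list syntax is used.

# Print a WARN line for each mapping reachable from outside the host.
# Returns 0 if every mapping is bound to loopback, 1 otherwise.
check_port_bindings() {
    warnings=$(
        grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]+(:[0-9]+)+' "$1" \
        | tr -d '" \t' | sed -e 's/^-//' -e 's/#.*//' \
        | while read -r mapping; do
            case "$mapping" in
                127.0.0.1:*:*) ;;   # loopback only: reachable via HAproxy on the host
                *:*:*) echo "WARN $mapping: bound to a non-loopback address" ;;
                *)     echo "WARN $mapping: published on 0.0.0.0 (all interfaces)" ;;
            esac
        done
    )
    [ -z "$warnings" ] && return 0
    printf '%s\n' "$warnings"
    return 1
}

# Constructed sample files mirroring the before/after state in the commit.
before=$(mktemp) && after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
services:
  icecast:
    ports:
      - "8000:8000"
  liquidsoap:
    ports:
      - 1234:1234
EOF
cat > "$after" <<'EOF'
services:
  icecast:
    ports:
      - "127.0.0.1:8000:8000"
  postgres:
    ports:
      - 127.0.0.1:5432:5432
EOF

check_port_bindings "$before" || echo "before: exposed ports found"
check_port_bindings "$after" && echo "after: all ports bound to loopback"
```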
SECURITY FIXES:
- Remove hardcoded Icecast admin password from codebase
- Implement environment-based configuration system
- Add configuration validation and warnings
NEW FILES:
- config.lisp: Centralized configuration management
- config.template.env: Documented configuration template
- SECURITY-CONFIG-CHANGES.org: Complete change documentation
CHANGES:
- asteroid.asd: Add config.lisp to system
- asteroid.lisp: Replace defparameter with config system
- frontend-partials.lisp: Use config for Icecast credentials
Addresses TODO items:
- Problem 4: Templates no longer advertise default passwords
- Server runtime configuration: All config parameterized
Breaking change: Production deployments MUST set ICECAST_ADMIN_PASSWORD
via environment variable.
Tested on b612.asteroid.radio production server - configuration system
works correctly with environment variables.
Ref: TODO.org lines 24-43