chore: use a secure dev environment

2023-04-11 19:30:46 +02:00 · 2023-04-11 19:30:46 +02:00 · d4c272db49
parent edf96ac5fc
commit d4c272db49
7 changed files with 84 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,6 +8,7 @@
 *~
 VERSION

+/dev/certs/*
 /dev/playout/*

 /website/
--- a/13
+++ b/13
@ -10,7 +10,18 @@ setup:
 .env:
 	cp .env.dev .env

-dev: .env
+dev-certs:
+	rm -f dev/certs/fake.*
+	openssl req -x509 \
+		-newkey rsa:2048 \
+		-days 365 \
+		-nodes \
+		-subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
+		-keyout dev/certs/fake.key \
+		-out dev/certs/fake.crt
+	cat dev/certs/fake.{key,crt} > dev/certs/fake.pem
+
+dev: .env dev-certs
 	DOCKER_BUILDKIT=1 docker-compose build
 	docker-compose run --rm legacy make build
 	docker-compose run --rm api libretime-api migrate
--- a/dev/certs/.gitkeep
+++ b/dev/certs/.gitkeep
--- a/dev/config.yml
+++ b/dev/config.yml
@ -31,6 +31,7 @@ stream:
      - <<: *default_icecast_output
        enabled: true
        mount: main.ogg
+        public_url: https://localhost:8443/main.ogg
        audio:
          format: ogg
          bitrate: 256
@ -38,6 +39,7 @@ stream:
      - <<: *default_icecast_output
        enabled: true
        mount: main.opus
+        public_url: https://localhost:8443/main.opus
        audio:
          format: opus
          bitrate: 256
@ -45,6 +47,7 @@ stream:
      - <<: *default_icecast_output
        enabled: true
        mount: main.mp3
+        public_url: https://localhost:8443/main.mp3
        audio:
          format: mp3
          bitrate: 256
--- a/dev/icecast.xml
+++ b/dev/icecast.xml
@ -0,0 +1,61 @@
+<icecast>
+    <location>Earth</location>
+    <admin>icemaster@localhost</admin>
+
+    <limits>
+        <clients>100</clients>
+        <sources>10</sources>
+        <queue-size>524288</queue-size>
+        <client-timeout>30</client-timeout>
+        <header-timeout>15</header-timeout>
+        <source-timeout>10</source-timeout>
+        <burst-on-connect>1</burst-on-connect>
+        <burst-size>65535</burst-size>
+    </limits>
+
+    <authentication>
+        <source-password>hackme</source-password>
+        <relay-password>hackme</relay-password>
+        <admin-user>admin</admin-user>
+        <admin-password>hackme</admin-password>
+    </authentication>
+
+    <hostname>localhost</hostname>
+
+    <listen-socket>
+        <port>8000</port>
+    </listen-socket>
+    <listen-socket>
+        <port>8443</port>
+        <ssl>1</ssl>
+    </listen-socket>
+
+    <http-headers>
+        <header name="Access-Control-Allow-Origin" value="*" />
+    </http-headers>
+
+    <fileserve>1</fileserve>
+
+    <paths>
+        <basedir>/usr/share/icecast</basedir>
+
+        <logdir>/var/log/icecast</logdir>
+        <webroot>/usr/share/icecast/web</webroot>
+        <adminroot>/usr/share/icecast/admin</adminroot>
+
+        <alias source="/" destination="/status.xsl" />
+
+        <ssl-certificate>/certs/fake.pem</ssl-certificate>
+    </paths>
+
+    <logging>
+        <accesslog>access.log</accesslog>
+        <errorlog>-</errorlog>
+        <loglevel>3</loglevel>
+        <logsize>10000</logsize>
+    </logging>
+
+    <security>
+        <chroot>0</chroot>
+    </security>
+</icecast>
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@ -72,5 +72,11 @@ services:
      - ./legacy:/var/www/html

  icecast:
+    ports:
+      - 8000:8000
+      - 8443:8443
    environment:
      ICECAST_MAX_SOURCES: 10
+    volumes:
+      - ./dev/certs:/certs
+      - ./dev/icecast.xml:/etc/icecast.xml
--- a/docs/contributor-manual/development-environment.md
+++ b/docs/contributor-manual/development-environment.md
@ -17,6 +17,7 @@ cp .env.dev .env
 DOCKER_BUILDKIT=1 docker-compose build

 # Setup
+make dev-certs
 docker-compose run --rm legacy make build
 docker-compose run --rm api libretime-api migrate