From d4c272db49704fdc0b7c27dac14fbb0bf43848c5 Mon Sep 17 00:00:00 2001
From: jo <ljonas@riseup.net>
Date: Tue, 11 Apr 2023 19:30:46 +0200
Subject: [PATCH] chore: use a secure dev environment

---
 .gitignore                                    |  1 +
 Makefile                                      | 13 +++-
 dev/certs/.gitkeep                            |  0
 dev/config.yml                                |  3 +
 dev/icecast.xml                               | 61 +++++++++++++++++++
 docker-compose.override.yml                   |  6 ++
 .../development-environment.md                |  1 +
 7 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 dev/certs/.gitkeep
 create mode 100644 dev/icecast.xml

diff --git a/.gitignore b/.gitignore
index 8a6408893..08ed759ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@
 *~
 VERSION
 
+/dev/certs/*
 /dev/playout/*
 
 /website/
diff --git a/Makefile b/Makefile
index 76ae68f62..a237714f6 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,18 @@ setup:
 .env:
 	cp .env.dev .env
 
-dev: .env
+dev-certs:
+	rm -f dev/certs/fake.*
+	openssl req -x509 \
+		-newkey rsa:2048 \
+		-days 365 \
+		-nodes \
+		-subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
+		-keyout dev/certs/fake.key \
+		-out dev/certs/fake.crt
+	cat dev/certs/fake.{key,crt} > dev/certs/fake.pem
+
+dev: .env dev-certs
 	DOCKER_BUILDKIT=1 docker-compose build
 	docker-compose run --rm legacy make build
 	docker-compose run --rm api libretime-api migrate
diff --git a/dev/certs/.gitkeep b/dev/certs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/dev/config.yml b/dev/config.yml
index 03735ebc3..ca86c7613 100644
--- a/dev/config.yml
+++ b/dev/config.yml
@@ -31,6 +31,7 @@ stream:
       - <<: *default_icecast_output
         enabled: true
         mount: main.ogg
+        public_url: https://localhost:8443/main.ogg
         audio:
           format: ogg
           bitrate: 256
@@ -38,6 +39,7 @@ stream:
       - <<: *default_icecast_output
         enabled: true
         mount: main.opus
+        public_url: https://localhost:8443/main.opus
         audio:
           format: opus
           bitrate: 256
@@ -45,6 +47,7 @@ stream:
       - <<: *default_icecast_output
         enabled: true
         mount: main.mp3
+        public_url: https://localhost:8443/main.mp3
         audio:
           format: mp3
           bitrate: 256
diff --git a/dev/icecast.xml b/dev/icecast.xml
new file mode 100644
index 000000000..8a8ea6aea
--- /dev/null
+++ b/dev/icecast.xml
@@ -0,0 +1,61 @@
+<icecast>
+    <location>Earth</location>
+    <admin>icemaster@localhost</admin>
+
+    <limits>
+        <clients>100</clients>
+        <sources>10</sources>
+        <queue-size>524288</queue-size>
+        <client-timeout>30</client-timeout>
+        <header-timeout>15</header-timeout>
+        <source-timeout>10</source-timeout>
+        <burst-on-connect>1</burst-on-connect>
+        <burst-size>65535</burst-size>
+    </limits>
+
+    <authentication>
+        <source-password>hackme</source-password>
+        <relay-password>hackme</relay-password>
+        <admin-user>admin</admin-user>
+        <admin-password>hackme</admin-password>
+    </authentication>
+
+    <hostname>localhost</hostname>
+
+    <listen-socket>
+        <port>8000</port>
+    </listen-socket>
+    <listen-socket>
+        <port>8443</port>
+        <ssl>1</ssl>
+    </listen-socket>
+
+    <http-headers>
+        <header name="Access-Control-Allow-Origin" value="*" />
+    </http-headers>
+
+    <fileserve>1</fileserve>
+
+    <paths>
+        <basedir>/usr/share/icecast</basedir>
+
+        <logdir>/var/log/icecast</logdir>
+        <webroot>/usr/share/icecast/web</webroot>
+        <adminroot>/usr/share/icecast/admin</adminroot>
+
+        <alias source="/" destination="/status.xsl" />
+
+        <ssl-certificate>/certs/fake.pem</ssl-certificate>
+    </paths>
+
+    <logging>
+        <accesslog>access.log</accesslog>
+        <errorlog>-</errorlog>
+        <loglevel>3</loglevel>
+        <logsize>10000</logsize>
+    </logging>
+
+    <security>
+        <chroot>0</chroot>
+    </security>
+</icecast>
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index e3bbc6978..1862056c8 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -72,5 +72,11 @@ services:
       - ./legacy:/var/www/html
 
   icecast:
+    ports:
+      - 8000:8000
+      - 8443:8443
     environment:
       ICECAST_MAX_SOURCES: 10
+    volumes:
+      - ./dev/certs:/certs
+      - ./dev/icecast.xml:/etc/icecast.xml
diff --git a/docs/contributor-manual/development-environment.md b/docs/contributor-manual/development-environment.md
index 44216d3d4..32295c355 100644
--- a/docs/contributor-manual/development-environment.md
+++ b/docs/contributor-manual/development-environment.md
@@ -17,6 +17,7 @@ cp .env.dev .env
 DOCKER_BUILDKIT=1 docker-compose build
 
 # Setup
+make dev-certs
 docker-compose run --rm legacy make build
 docker-compose run --rm api libretime-api migrate