add icecast config #28

Closed
wants to merge 4 commits into from

theycallmemac commented Feb 8, 2020

To test this, add 136.206.15.3 dcufm.redbrick.dcu.ie to your /etc/hosts and go to dcufm.redbrick.dcu.ie:8002. Would prefer if this ran on just dcufm.redbrick.dcu.ie so please suggest if any changes can be made in the config to fix this.

You can test this out using butt (broadcast using this tool) but there isn't much need.

If this gets approved please leave merging this one to me because I need to go up and ensure it works in DCUfm.

When merged this PR closes #6

d-fens commented Feb 9, 2020

"Would prefer if this ran on just dcufm.redbrick.dcu.ie so please suggest if any changes can be made in the config to fix this."

Can this not be reverse proxied and the host changed to something internally listening on a local port while the nginx/apache whatever proxies to this?

For the icecast piece, since the listening piece would return a different response, you can use https://httpd.apache.org/docs/2.4/mod/mod_substitute.html and replace the response content.


butlerx commented Feb 9, 2020

have we confirmed with dcufm what port they connect to?
I've not touched icecast in a while but I do remember weirdness in apache proxy
there should already be an apache proxy though

butlerx commented Feb 9, 2020

http://lists.xiph.org/pipermail/icecast/2004-July/007384.html This email outlines the issue but no solution

@theycallmemac

Regarding reverse proxy @benmcmahon100 commented this on the issue a while back #6 (comment)


butlerx commented Feb 10, 2020

currently, dcufm appears to be on its own ip and bound to port 80 on that ip. i believe this is the better route to go

Name:   dcufm.redbrick.dcu.ie
Address: 136.206.15.74

@theycallmemac

Where can we put this?

Once it's done and I switch it to port 80 I can just switch the DNS and they should be okay. I'll still test it out though.

m1cr0man left a comment

2 other things:

  • Is it possible that we can test putting this behind an HTTPS proxy and seeing if butt handles the connection upgrade (i.e. connect on port 80) correctly?
  • The problem with using `lib.fileContents` to read the password files is that the config for the service will be world readable inside the nix store, which is easy to find through `find /nix/store -name icecast`. The usual solution to this problem is to read the necessary secrets at runtime (i.e. with the systemd service), and do part of the templating in the service init. This is usually covered by the module author but it seems the icecast module writer was lazy. For the sake of keeping things secure I'd like us to do something like this. I can't think of examples of this outside of gitea but I can certainly find one. Without this any user that can ssh to the box running icecast (admin or not) will be able to read the passwords in its config which is not ideal.
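
The runtime-templating approach described in the review comment above, as an added example that is not code from this PR or from the NixOS icecast module. The unit name `icecast-templated`, the `/var/secrets/*` paths and the `@...@` placeholders are assumptions; the hostname and port are the ones mentioned in the PR description.

```nix
# Added example, not the PR's services/icecast.nix. Unit name, /var/secrets/*
# paths and @...@ placeholders are assumptions.
{ pkgs, ... }:
let
  # Only placeholders reach the world-readable /nix/store, unlike
  #   services.icecast.admin.password = lib.fileContents /var/secrets/icecast_admin;
  template = pkgs.writeText "icecast.xml.in" ''
    <icecast>
      <hostname>dcufm.redbrick.dcu.ie</hostname>
      <authentication>
        <admin-user>admin</admin-user>
        <admin-password>@ADMIN_PASSWORD@</admin-password>
        <source-password>@SOURCE_PASSWORD@</source-password>
      </authentication>
      <listen-socket><port>8002</port></listen-socket>
      <paths>
        <logdir>/var/log/icecast</logdir>
        <adminroot>${pkgs.icecast}/share/icecast/admin</adminroot>
        <webroot>${pkgs.icecast}/share/icecast/web</webroot>
      </paths>
    </icecast>
  '';
in {
  systemd.services.icecast-templated = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    # Runs at service start as the service user; the rendered file lives
    # under /run (mode 0600 in a 0700 directory) and goes away with the unit.
    preStart = ''
      install -m 0600 ${template} /run/icecast/icecast.xml
      ${pkgs.replace-secret}/bin/replace-secret "@ADMIN_PASSWORD@" \
        "$CREDENTIALS_DIRECTORY/admin" /run/icecast/icecast.xml
      ${pkgs.replace-secret}/bin/replace-secret "@SOURCE_PASSWORD@" \
        "$CREDENTIALS_DIRECTORY/source" /run/icecast/icecast.xml
    '';
    serviceConfig = {
      DynamicUser = true;
      RuntimeDirectory = "icecast";
      RuntimeDirectoryMode = "0700";
      LogsDirectory = "icecast";
      # systemd reads the root-owned files and exposes copies to this unit only.
      LoadCredential = [
        "admin:/var/secrets/icecast_admin"
        "source:/var/secrets/icecast_source"
      ];
      ExecStart = "${pkgs.icecast}/bin/icecast -c /run/icecast/icecast.xml";
    };
  };
}
```

After a rebuild, `grep -r` for the real password under `/nix/store` should return nothing, while the secret files themselves stay root-owned and unreadable to ordinary SSH users.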

@theycallmemac

> 2 other things:
>
> * Is it possible that we can test putting this behind an HTTPS proxy and seeing if butt handles the connection upgrade (i.e. connect on port 80) correctly?

I'm just getting around to reading this now - yes I can try this out and see if butt handles it.

> * The problem with using `lib.fileContents` to read the password files is that the config for the service will be world readable inside the nix store, which is easy to find through `find /nix/store -name icecast`. The usual solution to this problem is to read the necessary secrets at runtime (i.e. with the systemd service), and do part of the templating in the service init. This is usually covered by the module author but it seems the icecast module writer was lazy. For the sake of keeping things secure I'd like us to do something like this. I can't think of examples of this outside of gitea but I can certainly find one. Without this any user that can ssh to the box running icecast (admin or not) will be able to read the passwords in its config which is not ideal.

Yes I think we've had some conversation about this before. Could be best to introduce a vault service to write them before services start.


butlerx commented Feb 19, 2020

https://github.com/markuslindenberg/icecast_exporter <- lets get some metrics


theycallmemac commented Feb 20, 2020

Took longer than expected but I've tested this now. The central Icecast config works, I'll make all requested changes above to it.

I'll take care of anything related to apache. This will exist at dcufm.redbrick.dcu.ie on port 80 on its own IP as it currently does, that way we just need to switch DNS and they should see no real difference.


theycallmemac commented Feb 24, 2020

Important point here - when this gets merged (whenever that is) leave the merge and subsequent redeploy to me, want to make sure all runs smoothly in FM on their side too.

theycallmemac and others added 4 commits November 14, 2020 21:29
Icecast hates proxies, and proxies hate it. It's not totally
HTTP compliant. It also uses Yellow Pages as a directory for
publicly findable podcasts
@m1cr0man m1cr0man removed their request for review July 29, 2023 16:43
@wizzdom wizzdom closed this Apr 2, 2024
@wizzdom wizzdom deleted the icecast branch April 2, 2024 14:50
Successfully merging this pull request may close these issues.

convert and migrate icecast
5 participants