Icecast-KH + Liquidsoap stack: /live + /test mounts, separate creds, TLS front

[anneoneone]

Goal

Stand up the target relay (Icecast-KH + Liquidsoap) on the Hetzner box in parallel with NMS, behind a flag. The /test mount is the server-side test instance (req #2). Phase 2 of #164.

Tasks

• Deploy Icecast-KH (not stock Xiph Icecast — stock froze ~3k listeners in benchmarks; KH ~30k). Containerized, on its own port.
• Deploy Liquidsoap 2.4.4 (skip 2.4.3 — shared-encoder crash). Playout: fallback(track_sensitive=false, [live, playlist, single]) so dead air auto-fills. Apply blank.strip to the live branch ONLY; do NOT pair blank.strip with mksafe on the same source (liquidsoap #3439/#3474) — make the whole fallback safe by ending the list with a single.
• Two mounts: /live (production) and /test (broadcaster-only preview), each with separate source credentials. This replaces the hardcoded stream-io key and gives per-namespace auth.
• Codec: Opus primary mount (best quality/bitrate, browser-native) + an MP3 fallback mount for legacy players.
• TLS / mixed content: the public site is HTTPS (GitHub Pages), so a plain http:// mount is blocked as mixed content. Terminate HTTPS at nginx/Caddy in front of Icecast. (Mandatory, not optional.)

Acceptance

curl https://<host>/status-json.xsl returns mount stats over HTTPS; /live and /test each accept a source with their own credentials; NMS still serves production untouched.

Depends on

Phase-0 spike (#164) — peak-listener count + NMS version pin.

---

Parent: #164 (Phase 2).

[anneoneone]

Phase-2 setup runbook landed: docs/stream-rework/phase-2-icecast-runbook.md (PR #189).

Covers standing up Icecast-KH + Liquidsoap with a parallel /test.mp3 mount, zero disruption to the live HLS/FLV listeners. Key points from the Phase-0 spike (#168) are baked in: zero backend changes for the parallel run (Liquidsoap pulls rtmp://127.0.0.1:1935/live/stream-io locally from NMS 2.4.9), MP3-only mount (confirmed iOS listeners — Opus/Ogg would lock them out), and iOS Safari playback of /test.mp3 is the validation gate. Hand-off notes for #174 (Liquidsoap producer) and #175 (broadcaster preview player) are in the doc.