From 2f309b96fc50e327caae14dcda0b55e2e514f62b Mon Sep 17 00:00:00 2001
From: BookJJun-IJ
Date: Mon, 13 Apr 2026 22:22:32 +0900
Subject: [PATCH 1/2] update Spliit expense sharing app
---
 Apps/Spliit/docker-compose.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Apps/Spliit/docker-compose.yml b/Apps/Spliit/docker-compose.yml
index 903c60b..6465fa2 100644
--- a/Apps/Spliit/docker-compose.yml
+++ b/Apps/Spliit/docker-compose.yml
@@ -37,9 +37,10 @@ services:
 - NET_ADMIN

 db:
- image: postgres:16-alpine
+ image: postgres:16.13-alpine
 container_name: spliit-db
 user: 0:0
+ cpu_shares: 50
 environment:
 POSTGRES_DB: spliit
 POSTGRES_USER: postgres
@@ -56,9 +57,11 @@ services:
 memory: 512M

 spliit:
- image: ghcr.io/spliit-app/spliit:1.19.0
+ image: ghcr.io/spliit-app/spliit:1.19.1
 container_name: spliit
 restart: unless-stopped
+ user: "0:0"
+ cpu_shares: 50
 environment:
 TZ: $TZ
 POSTGRES_PRISMA_URL: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
From 0dbe02b9943d2e30b632a39d0b40120711841845 Mon Sep 17 00:00:00 2001
From: BookJJun-IJ
Date: Mon, 8 Jun 2026 17:52:13 +0900
Subject: [PATCH 2/2] fix spliit and add rationale.md
---
 Apps/Spliit/docker-compose.yml | 15 ++++-----------
 Apps/Spliit/rationale.md | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+), 11 deletions(-)
 create mode 100644 Apps/Spliit/rationale.md
diff --git a/Apps/Spliit/docker-compose.yml b/Apps/Spliit/docker-compose.yml
index 6465fa2..73eb72d 100644
--- a/Apps/Spliit/docker-compose.yml
+++ b/Apps/Spliit/docker-compose.yml
@@ -1,10 +1,10 @@
 name: spliit
 services:
 nginxhashlock:
- image: ghcr.io/yundera/nginx-hash-lock:latest
+ image: ghcr.io/yundera/nginx-hash-lock:1.0.7
 container_name: spliit-nginxhashlock
 restart: unless-stopped
- user: "root"
+ user: "0:0"
 environment:
 AUTH_HASH: $AUTH_HASH
 BACKEND_HOST: "spliit"
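Review bot: Running the `spliit` application container as root (`user: "0:0"`, added in the second hunk of patch 1/2) is not justified anywhere in this commit. The reason given later in the series (rationale.md, patch 2/2) is that Prisma migrations need write access to the working directory, which reads like a file-ownership problem rather than a need for uid 0, so it is worth checking whether a non-root uid with a writable working directory would do. If root has to stay, add `security_opt: ["no-new-privileges:true"]` to the service and drop the capabilities it does not use via `cap_drop`, after testing that startup and migrations still work. A comment above the line would also record the reason, for example `# root: Prisma migrations write to the working dir on startup`. The service definition continues past the end of the hunk.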
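Review bot: The tag in `image: ghcr.io/yundera/nginx-hash-lock:1.0.7` (first hunk of patch 2/2) is still mutable; it is better than `latest`, but the registry can serve different content under the same tag later. This sidecar is the authentication gate in front of the app, so pinning by digest is worth the extra line noise: `image: ghcr.io/yundera/nginx-hash-lock:1.0.7@sha256:<digest-of-1.0.7>` (placeholder, take the value from the registry). The `postgres:16.13-alpine` and `ghcr.io/spliit-app/spliit` image lines in the other hunks have the same property.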
@@ -31,15 +31,11 @@ services:
 cpu_shares: 80
 networks:
 - pcs
- privileged: true
- cap_add:
- - SYS_ADMIN
- - NET_ADMIN

 db:
 image: postgres:16.13-alpine
 container_name: spliit-db
- user: 0:0
+ user: "0:0"
 cpu_shares: 50
 environment:
 POSTGRES_DB: spliit
@@ -57,7 +53,7 @@ services:
 memory: 512M

 spliit:
- image: ghcr.io/spliit-app/spliit:1.19.1
+ image: ghcr.io/spliit-app/spliit:1.19.0
 container_name: spliit
 restart: unless-stopped
 user: "0:0"
@@ -68,9 +64,6 @@ services:
 POSTGRES_URL_NON_POOLING: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
 networks:
 - pcs
- cap_add:
- - SYS_ADMIN
- - NET_ADMIN
 deploy:
 resources:
 limits:
diff --git a/Apps/Spliit/rationale.md b/Apps/Spliit/rationale.md
new file mode 100644
index 0000000..f83f8bc
--- /dev/null
+++ b/Apps/Spliit/rationale.md
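Review bot: The downgrade of `ghcr.io/spliit-app/spliit` from `1.19.1` back to `1.19.0` in the second hunk is unexplained; it undoes the bump from patch 1/2, and the subject "fix spliit" does not say what broke. The app runs Prisma migrations on startup (per rationale.md in this same patch), so an instance that already started on 1.19.1 may hold a schema newer than 1.19.0 expects; that is an inference, the hunk does not show it. A comment above the image line would record the reason, for example `# held at 1.19.0: <reason 1.19.1 was reverted>`. Squashing the series would also keep the history from showing an update that never lands.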
@@ -0,0 +1,23 @@
+# Spliit — Rationale
+
+## What deviation / exception is being requested
+All three services run as `user: 0:0` (root). The nginx-hash-lock sidecar gates web access with a hash-based authentication layer.
+
+## Why it is necessary
+- **spliit**: The Node.js application runs Prisma database migrations on startup, which requires write access to the working directory. Running as non-root causes migration failures.
+- **db (PostgreSQL)**: Requires root for database initialization and file ownership in `/var/lib/postgresql/data`. Standard practice for PostgreSQL containers.
+- **nginxhashlock**: The nginx-hash-lock sidecar needs root to bind to port 80 and configure nginx.
+
+## Security mitigations in place
+- All volumes map exclusively to `/DATA/AppData/$AppID/` — no access to user directories
+- No privileged mode on any service
+- Memory limits on all services (128M nginx, 512M db, 1G app)
+- Web access gated by nginx-hash-lock sidecar (hash-based authentication)
+- Database credentials use `$APP_DEFAULT_PASSWORD` (not hardcoded)
+
+## Alternatives considered and rejected
+- `user: $PUID:$PGID` — Prisma migrations fail without root; PostgreSQL init requires root for data directory ownership
+
+## Data protection
+- PostgreSQL data persists in `/DATA/AppData/$AppID/pgdata/`
+- Data survives uninstall/reinstall