18 changes: 7 additions & 11 deletions Apps/Spliit/docker-compose.yml
@@ -1,10 +1,10 @@
name: spliit
services:
nginxhashlock:
image: ghcr.io/yundera/nginx-hash-lock:latest
image: ghcr.io/yundera/nginx-hash-lock:1.0.7
container_name: spliit-nginxhashlock
restart: unless-stopped
user: "root"
user: "0:0"
environment:
AUTH_HASH: $AUTH_HASH
BACKEND_HOST: "spliit"
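Review bot: the nginxhashlock image is now pinned to the tag `1.0.7`, but a tag can be re-pointed at a different image later; pinning by digest (`image: ghcr.io/yundera/nginx-hash-lock:1.0.7@sha256:<digest>`, with the real digest filled in) would make the pull reproducible for the container that gates access to the app. Replacing `user: "root"` with `user: "0:0"` does not change the effective privilege, since both resolve to UID 0, so it should be described as a formatting change rather than hardening.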
Expand All @@ -31,15 +31,12 @@ services:
cpu_shares: 80
networks:
- pcs
privileged: true
cap_add:
- SYS_ADMIN
- NET_ADMIN

db:
image: postgres:16-alpine
image: postgres:16.13-alpine
container_name: spliit-db
user: 0:0
user: "0:0"
cpu_shares: 50
environment:
POSTGRES_DB: spliit
POSTGRES_USER: postgres
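Review bot: once `privileged: true` and the `SYS_ADMIN` / `NET_ADMIN` entries are removed from nginxhashlock, nothing in the visible lines restricts the remaining default capability set, and db still runs as `user: "0:0"`. Consider adding `cap_drop: [ALL]` with only the capabilities each service actually needs re-added, plus `security_opt: ["no-new-privileges:true"]`, so the remaining root requirement is bounded explicitly. The db `user` change only adds quotes; the UID is unchanged.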
Expand All @@ -59,15 +56,14 @@ services:
image: ghcr.io/spliit-app/spliit:1.19.0
container_name: spliit
restart: unless-stopped
user: "0:0"
cpu_shares: 50
environment:
TZ: $TZ
POSTGRES_PRISMA_URL: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
POSTGRES_URL_NON_POOLING: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
networks:
- pcs
cap_add:
- SYS_ADMIN
- NET_ADMIN
deploy:
resources:
limits:
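Review bot: the added `user: "0:0"` on the spliit service makes the application process run as root explicitly, in the same hunk that removes its `cap_add` entries. If the only need is write access for Prisma migrations, as rationale.md in this PR states, a working directory owned by a non-root UID would avoid UID 0 for the app. Separately, both connection URLs in the context lines log in as `postgres` with `$APP_DEFAULT_PASSWORD`; a dedicated role limited to the `spliit` database would reduce the impact of an application compromise.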
23 changes: 23 additions & 0 deletions Apps/Spliit/rationale.md
@@ -0,0 +1,23 @@
# Spliit — Rationale

## What deviation / exception is being requested
All three services run as `user: 0:0` (root). The nginx-hash-lock sidecar gates web access with a hash-based authentication layer.

## Why it is necessary
- **spliit**: The Node.js application runs Prisma database migrations on startup, which requires write access to the working directory. Running as non-root causes migration failures.
- **db (PostgreSQL)**: Requires root for database initialization and file ownership in `/var/lib/postgresql/data`. Standard practice for PostgreSQL containers.
- **nginxhashlock**: The nginx-hash-lock sidecar needs root to bind to port 80 and configure nginx.

## Security mitigations in place
- All volumes map exclusively to `/DATA/AppData/$AppID/` — no access to user directories
- No privileged mode on any service
- Memory limits on all services (128M nginx, 512M db, 1G app)
- Web access gated by nginx-hash-lock sidecar (hash-based authentication)
- Database credentials use `$APP_DEFAULT_PASSWORD` (not hardcoded)

## Alternatives considered and rejected
- `user: $PUID:$PGID` — Prisma migrations fail without root; PostgreSQL init requires root for data directory ownership

## Data protection
- PostgreSQL data persists in `/DATA/AppData/$AppID/pgdata/`
- Data survives uninstall/reinstall
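Review bot: under "Why it is necessary", binding to port 80 is given as the reason nginxhashlock needs root, but that needs only the `NET_BIND_SERVICE` capability or a listener on an unprivileged port, and "Alternatives considered and rejected" lists only `user: $PUID:$PGID`. Please record whether a capability-based or high-port setup was tried for the sidecar, and whether a writable, non-root-owned working directory was tried for the Prisma migrations. The mitigations list could also mention the version pins and the removal of `cap_add` made in docker-compose.yml in this PR.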