Modernize infrastructure and code#97

Open: SplittyDev wants to merge 20 commits into development from feat/modernize-infra

Conversation

@SplittyDev
Member

@SplittyDev SplittyDev commented Apr 25, 2026

This PR modernizes the current deployment flows.

Deployment

  • Added new production-ready docker-compose.yml with caddy and health checks
  • Added hdrop-env cli for interactive env file generation (includes non-interactive mode as well)
  • Renamed old docker-compose.yml to docker-compose.dev.yml (to be phased out)
  • Updated postgres and node dependencies
  • Updated backend Dockerfile with a cleaner multi-stage build process
  • Updated all build processes to use Node 25

Container Hardening

General

  • Added init: true to all services to spawn them through an init process
  • Added read_only: true to all services except postgres
  • Added cap_drop: [ALL] to all services except postgres (caddy adds back NET_BIND_SERVICE)
  • Added security_opt: [no-new-privileges:true] to all services
  • Added highly restrictive tmpfs entries to all services, with noexec,nosuid,nodev
  • Added log rotation and log size limits to all services to reduce DoS attack surface
  • Used specific major versions for all services (caddy:2-alpine, postgres:18-alpine, prom/prometheus:v3)
  • Made config files read-only (Caddyfile, prometheus)
  • Isolated db and metrics networks using internal: true
  • Prevented empty postgres password from being set
  • Extended .dockerignore files to include keys, secrets and package manager artifacts

caddy

  • Set permitted cross-domain policies to none
  • Set cross-origin opener policy to same-origin
  • Included object-src: none and upgrade-insecure-requests in CSP

hdrop-server

  • Fixed CPU burn through endless metrics update loop
  • Migrated from node:25-alpine to alpine:3.23
  • Migrated to unprivileged user for binary execution
  • Changed port from 80 to 3000
  • Removed PM2 dependency

Frontend

  • Fixed NextJS 16 issues with favicon
  • Fixed some type declarations regarding buffers
  • Fixed some issues with fallback values for missing or empty env values
  • Fixed React state update cascades through misuse of useEffect
  • Updated NextJS and other dependencies

Backend

  • Updated sha3 dependency to 0.11 and added hex crate for digest formatting
  • Updated axum routes to use the new curly-brace format introduced in axum 0.8
  • Updated dependencies within existing semver ranges

CI

  • Updated workflows to use actions/checkout@v6
  • Updated workflows to use actions/setup-node@v6
  • Updated node matrix from [20, 21] to [24, 25]
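
The container hardening settings listed above (init, read_only, cap_drop ALL, no-new-privileges, tmpfs with noexec,nosuid,nodev, log size limits) are easy to drop from one service by accident. The following is an added example, not code from the hdrop project: a small policy check that takes the parsed form of a compose file (the dict that yaml.safe_load would return) and reports which services are missing which control. The sample compose content is constructed for illustration, and postgres is assumed to be the only service allowed a writable root filesystem, as the PR description states.

```python
# Added example, not part of the hdrop repository: lint a parsed docker-compose
# document for the hardening controls described in the PR.
REQUIRED_TMPFS_OPTS = {"noexec", "nosuid", "nodev"}


def check_service(name, svc, allow_writable=()):
    """Return a list of findings (strings) for one compose service definition."""
    findings = []
    if svc.get("init") is not True:
        findings.append("init: true missing")
    if name not in allow_writable and svc.get("read_only") is not True:
        findings.append("read_only: true missing")
    if "ALL" not in svc.get("cap_drop", []):
        findings.append("cap_drop: [ALL] missing")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append("security_opt no-new-privileges missing")
    for mount in svc.get("tmpfs", []):
        # compose tmpfs shorthand is "/path:opt1,opt2,size=..."; options may be absent
        path, _, opts = mount.partition(":")
        present = {o.split("=")[0] for o in opts.split(",") if o}
        missing = REQUIRED_TMPFS_OPTS - present
        if missing:
            findings.append(f"tmpfs {path} lacks {','.join(sorted(missing))}")
    log_opts = svc.get("logging", {}).get("options", {})
    if "max-size" not in log_opts or "max-file" not in log_opts:
        findings.append("logging max-size/max-file missing")
    return findings


def check_compose(compose, allow_writable=("postgres",)):
    """Map every service name to its list of findings (empty list = hardened)."""
    return {name: check_service(name, svc, allow_writable)
            for name, svc in compose.get("services", {}).items()}


SAMPLE_COMPOSE = {  # constructed input, not the PR's actual docker-compose.yml
    "services": {
        "caddy": {
            "image": "caddy:2-alpine", "init": True, "read_only": True,
            "cap_drop": ["ALL"], "cap_add": ["NET_BIND_SERVICE"],
            "security_opt": ["no-new-privileges:true"],
            "tmpfs": ["/tmp:noexec,nosuid,nodev,size=16m"],
            "logging": {"driver": "json-file",
                        "options": {"max-size": "10m", "max-file": "3"}},
        },
        # a service where several controls were forgotten
        "hdrop-server": {"image": "alpine:3.23", "init": True, "tmpfs": ["/tmp:size=16m"]},
    }
}

if __name__ == "__main__":
    for service, problems in check_compose(SAMPLE_COMPOSE).items():
        print(service, "OK" if not problems else "; ".join(problems))
```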

Copilot AI review requested due to automatic review settings April 25, 2026 20:32

Copilot AI left a comment


Pull request overview

This PR modernizes hdrop’s deployment and runtime setup by introducing a production-focused Docker Compose stack (with Caddy reverse proxy), adding a Rust utility to generate production .env files, and tightening a number of web crypto typings and dependency versions.

Changes:

  • Added hdrop-env (Rust) to generate production .env files interactively or via flags.
  • Reworked Docker Compose: production-oriented docker-compose.yml, added docker-compose.dev.yml, and introduced a Caddy reverse proxy + security headers.
  • Updated build/runtime dependencies and containers (Node base images, Rust crates), plus web crypto typing adjustments.

Reviewed changes

Copilot reviewed 19 out of 21 changed files in this pull request and generated 8 comments.

Summary per file:

  • hdrop-web-next/src/crypto/Sha256.ts: Type assertion adjustment for WebCrypto digest input.
  • hdrop-web-next/src/crypto/Pbkdf2.ts: Switched env fallback logic to treat empty strings as “unset”.
  • hdrop-web-next/src/crypto/CryptoHelper.ts: Switched env fallback logic for byte-length env vars.
  • hdrop-web-next/src/crypto/Base64.ts: Updated decode return typing and slicing behavior.
  • hdrop-web-next/src/crypto/AesGcm.ts: Narrowed encrypt/decrypt input types; added BufferSource casts for params.
  • hdrop-web-next/src/components/Header.tsx: Env var fallback logic adjustment for app name.
  • hdrop-web-next/src/app/favicon.ico: Added favicon asset.
  • hdrop-web-next/Dockerfile.development: Bumped Node base image to 25-alpine.
  • hdrop-web-next/Dockerfile: Bumped Node base image to 25-alpine; normalized PATH env syntax.
  • hdrop-server/src/server/hdrop_server.rs: Adjusted route parameter syntax to {access_token}.
  • hdrop-server/infra/entrypoint.sh: Updated PM2 command to run installed server binary path.
  • hdrop-server/Dockerfile: Introduced multi-stage build; moved runtime to Alpine node image; copied compiled binaries.
  • hdrop-env/src/main.rs: New CLI tool to generate production .env with validation and tests.
  • hdrop-env/Cargo.toml: New crate manifest for hdrop-env.
  • hdrop-db/Cargo.toml: Updated sha3 dependency.
  • docker-compose.yml: Production compose stack with Caddy + env-driven configuration and volumes.
  • docker-compose.dev.yml: New dev-only compose file (localstack/postgres, ports exposed).
  • caddy/Caddyfile: New reverse proxy + security headers + upload size limit configuration.
  • README.md: Added production environment generation/deploy instructions.
  • Cargo.toml: Added hdrop-env to the Rust workspace.
  • Cargo.lock: Dependency lockfile updates due to new crate and upgrades.


@SplittyDev SplittyDev force-pushed the feat/modernize-infra branch from 54cfc19 to 103b4fa Compare April 25, 2026 21:15
@SplittyDev SplittyDev force-pushed the feat/modernize-infra branch 2 times, most recently from 2336ea5 to 4520172 Compare April 25, 2026 21:57
@SplittyDev SplittyDev requested a review from Neotamandua April 25, 2026 23:51
@SplittyDev SplittyDev force-pushed the feat/modernize-infra branch from 0e8c248 to 3c0609a Compare April 26, 2026 11:01