diff --git a/backend/lib/config.js b/backend/lib/config.js
index 7d20fd02d3..11098f1d87 100644
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -66,22 +66,27 @@ const configure = () => {
 const envPostgresHost = process.env.DB_POSTGRES_HOST || null;
 const envPostgresUser = process.env.DB_POSTGRES_USER || null;
 const envPostgresName = process.env.DB_POSTGRES_NAME || null;
+ const envPostgresSslMode = process.env.DB_POSTGRES_SSL_MODE || null;
 if (envPostgresHost && envPostgresUser && envPostgresName) {
- // we have enough postgres creds to go with postgres
- logger.info("Using Postgres configuration");
- instance = {
- database: {
- engine: postgresEngine,
- host: envPostgresHost,
- port: process.env.DB_POSTGRES_PORT || 5432,
- user: envPostgresUser,
- password: process.env.DB_POSTGRES_PASSWORD,
- name: envPostgresName,
- },
- keys: getKeys(),
- };
- return;
- }
+ // we have enough postgres creds to go with postgres
+ logger.info("Using Postgres configuration");
+ instance = {
+ database: {
+ engine: postgresEngine,
+ host: envPostgresHost,
+ port: process.env.DB_POSTGRES_PORT || 5432,
+ user: envPostgresUser,
+ password: process.env.DB_POSTGRES_PASSWORD,
+ name: envPostgresName,
+ ssl: envPostgresSslMode ? {
+ sslmode: envPostgresSslMode,
+ rejectUnauthorized: envPostgresSslMode === "verify-full" ? true : false,
+ }: false
+ },
+ keys: getKeys(),
+ };
+ return;
+ }
 const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
 logger.info(`Using Sqlite: ${envSqliteFile}`);
diff --git a/docs/src/setup/index.md b/docs/src/setup/index.md
index 998508dddb..f18623020a 100644
--- a/docs/src/setup/index.md
+++ b/docs/src/setup/index.md
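Review bot: Every non-empty `DB_POSTGRES_SSL_MODE` other than the exact string `verify-full` produces `rejectUnauthorized: false` in the new `ssl` object, so the documented `verify` value, a typo such as `Verify-Full`, or even `disable` gives an encrypted connection whose server certificate is never checked and which anyone on the network path can intercept. Certificate checking should fail closed: validate the value against an explicit list before building the object, e.g. `if (envPostgresSslMode && !["verify", "verify-full"].includes(envPostgresSslMode)) throw new Error("Unsupported DB_POSTGRES_SSL_MODE");`, and state in code and docs whether `verify` validates the chain. The `sslmode` key is probably ignored if this object is passed through to Node's TLS options, as node-postgres does (the driver is not visible here), and `=== "verify-full" ? true : false` can be the bare comparison. `configure` starts and ends outside the hunk.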
@@ -163,6 +163,10 @@ services:
 Custom Postgres schema is not supported, as such `public` will be used.
 :::
+### Optional: PostgreSQL SSL
+
+You can enable TLS for the PostgreSQL connection with this environment variable:
+- DB_POSTGRES_SSL_MODE: (default: not set, can accept verify and verify-full)
 ## Running on Raspberry PI / ARM devices