From f5e53c6b46ad136707bff5c0ca7299c8fce201d8 Mon Sep 17 00:00:00 2001
From: Gregoire Salingue
Date: Tue, 25 Nov 2025 17:35:38 -0600
Subject: [PATCH 1/2] fix: handle ssl connections on postgresql databases
---
 backend/lib/config.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/backend/lib/config.js b/backend/lib/config.js
index 7d20fd02d3..22a0be0e96 100644
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -66,17 +66,29 @@ const configure = () => {
 const envPostgresHost = process.env.DB_POSTGRES_HOST || null;
 const envPostgresUser = process.env.DB_POSTGRES_USER || null;
 const envPostgresName = process.env.DB_POSTGRES_NAME || null;
+ const envPostgresSslMode = process.env.DB_POSTGRES_SSL_MODE || null;
 if (envPostgresHost && envPostgresUser && envPostgresName) {
 // we have enough postgres creds to go with postgres
 logger.info("Using Postgres configuration");
+
+ // knex does not handle ssl enablement other than in the connectionString, so let's use it
+ // this prevents the serivce from starting on databases with self signed certificates
+ // cf https://knexjs.org/guide/#configuration-options
+ port = process.env.DB_POSTGRES_PORT || 5432
+ connectionString = `postgresql://${envPostgresUser}:${process.env.DB_POSTGRES_PASSWORD}@${port}/${envPostgresName}`
+ if (envPostgresSslMode) {
+ connectionString = connectionString + `?ssl=true&sslmode=${envPostgresSslMode}`
+ }
 instance = {
 database: {
+ connectionString: connectionString,
 engine: postgresEngine,
 host: envPostgresHost,
- port: process.env.DB_POSTGRES_PORT || 5432,
+ port: port,
 user: envPostgresUser,
 password: process.env.DB_POSTGRES_PASSWORD,
 name: envPostgresName,
+ ssl: envPostgresSslMode ? { rejectUnauthorized: false } : false
 },
 keys: getKeys(),
 };
From 0c4891a0450207160deddf2b6f4fee211711d323 Mon Sep 17 00:00:00 2001
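Review bot: The added `port = …` and `connectionString = …` assignments carry no `const`/`let`, so unless both names are declared above the hunk they become implicit globals, or throw a ReferenceError under strict mode. The URL itself puts `${port}` where the host belongs and never uses `envPostgresHost`, and it interpolates `DB_POSTGRES_PASSWORD` raw, so a password containing `@`, `/` or `:` changes how the URL parses; if the string is kept, wrap the user and password in `encodeURIComponent(...)` and write `${envPostgresHost}:${port}` after the `@`. The new `ssl: envPostgresSslMode ? { rejectUnauthorized: false } : false` also disables certificate verification for every mode, so the link is encrypted but the server is not authenticated. `configure` starts and ends outside the hunk.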
From: Gregoire Salingue
Date: Tue, 25 Nov 2025 17:47:41 -0600
Subject: [PATCH 2/2] fix: allow postgresql to use sslmode
---
 backend/lib/config.js | 45 +++++++++++++++++------------------------
 docs/src/setup/index.md | 4 ++++
 2 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/backend/lib/config.js b/backend/lib/config.js
index 22a0be0e96..11098f1d87 100644
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -68,32 +68,25 @@ const configure = () => {
 const envPostgresName = process.env.DB_POSTGRES_NAME || null;
 const envPostgresSslMode = process.env.DB_POSTGRES_SSL_MODE || null;
 if (envPostgresHost && envPostgresUser && envPostgresName) {
- // we have enough postgres creds to go with postgres
- logger.info("Using Postgres configuration");
-
- // knex does not handle ssl enablement other than in the connectionString, so let's use it
- // this prevents the serivce from starting on databases with self signed certificates
- // cf https://knexjs.org/guide/#configuration-options
- port = process.env.DB_POSTGRES_PORT || 5432
- connectionString = `postgresql://${envPostgresUser}:${process.env.DB_POSTGRES_PASSWORD}@${port}/${envPostgresName}`
- if (envPostgresSslMode) {
- connectionString = connectionString + `?ssl=true&sslmode=${envPostgresSslMode}`
- }
- instance = {
- database: {
- connectionString: connectionString,
- engine: postgresEngine,
- host: envPostgresHost,
- port: port,
- user: envPostgresUser,
- password: process.env.DB_POSTGRES_PASSWORD,
- name: envPostgresName,
- ssl: envPostgresSslMode ? { rejectUnauthorized: false } : false
- },
- keys: getKeys(),
- };
- return;
- }
+ // we have enough postgres creds to go with postgres
+ logger.info("Using Postgres configuration");
+ instance = {
+ database: {
+ engine: postgresEngine,
+ host: envPostgresHost,
+ port: process.env.DB_POSTGRES_PORT || 5432,
+ user: envPostgresUser,
+ password: process.env.DB_POSTGRES_PASSWORD,
+ name: envPostgresName,
+ ssl: envPostgresSslMode ? {
+ sslmode: envPostgresSslMode,
+ rejectUnauthorized: envPostgresSslMode === "verify-full" ? true : false,
+ }: false
+ },
+ keys: getKeys(),
+ };
+ return;
+ }
 const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
 logger.info(`Using Sqlite: ${envSqliteFile}`);
diff --git a/docs/src/setup/index.md b/docs/src/setup/index.md
index 998508dddb..f18623020a 100644
--- a/docs/src/setup/index.md
+++ b/docs/src/setup/index.md
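Review bot: In the new `ssl` object, `rejectUnauthorized` is true only for the exact string `verify-full`, so any other non-empty `DB_POSTGRES_SSL_MODE` (`verify-ca`, `disable`, or a typo) produces a TLS session with certificate verification off, leaving the database server unauthenticated. Check the variable against the modes you mean to support and fail startup on anything else, and verify for both verifying modes, e.g. `rejectUnauthorized: ["verify-ca", "verify-full"].includes(envPostgresSslMode),`. With verification on and no `ca` entry in the object, Node uses its default trust store, so a private or self-signed CA would presumably have to be supplied some other way (for example `NODE_EXTRA_CA_CERTS`), which is worth a line in the setup docs. The `sslmode` key does not look like an option the TLS layer reads; confirm the driver uses it. `configure` begins above the hunk.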
@@ -163,6 +163,10 @@ services: Custom Postgres schema is not supported, as such `public` will be used. ::: +### Optional: PostgreSQL SSL + +You can enable TLS for the PostgreSQL connection with this environment variable: +- DB_POSTGRES_SSL_MODE: (default: not set, can accept verify and verify-full) ## Running on Raspberry PI / ARM devices