fix: allow postgresql to use sslmode

Gregoire Salingue · Gregoire Salingue · commit 1b7545015a0d · 2025-11-25T18:03:31.000-06:00
diff --git a/backend/lib/config.js b/backend/lib/config.js
@@ -68,32 +68,31 @@ const configure = () => {
 	const envPostgresName = process.env.DB_POSTGRES_NAME || null;
 	const envPostgresSslMode = process.env.DB_POSTGRES_SSL_MODE || null;
 	if (envPostgresHost && envPostgresUser && envPostgresName) {
-		// we have enough postgres creds to go with postgres
-		logger.info("Using Postgres configuration");
-
-        // knex does not handle ssl enablement other than in the connectionString, so let's use it
-        // this prevents the serivce from starting on databases with self signed certificates
-        // cf https://knexjs.org/guide/#configuration-options
-        port = process.env.DB_POSTGRES_PORT || 5432
-        connectionString = `postgresql://${envPostgresUser}:${process.env.DB_POSTGRES_PASSWORD}@${port}/${envPostgresName}`
+        // we have enough postgres creds to go with postgres
+        logger.info("Using Postgres configuration");
+        sslconfig = {
+            rejectUnauthorized: false
+        }
         if (envPostgresSslMode) {
-            connectionString = connectionString + `?ssl=true&sslmode=${envPostgresSslMode}`
+            sslconfig.sslmode = envPostgresSslMode
         }
-		instance = {
-			database: {
-                connectionString: connectionString,
-				engine: postgresEngine,
-				host: envPostgresHost,
-				port: port,
-				user: envPostgresUser,
-				password: process.env.DB_POSTGRES_PASSWORD,
-				name: envPostgresName,
-                ssl: envPostgresSslMode ? { rejectUnauthorized: false } : false
-			},
-			keys: getKeys(),
-		};
-		return;
-	}
+        if (envPostgresSslMode === "verify-full") {
+            sslconfig.rejectUnauthorized = true
+        }
+        instance = {
+            database: {
+                engine: postgresEngine,
+                host: envPostgresHost,
+                port: port,
+                user: envPostgresUser,
+                password: process.env.DB_POSTGRES_PASSWORD,
+                name: envPostgresName,
+                ssl: envPostgresSslMode ? sslconfig : false
+            },
+            keys: getKeys(),
+        };
+        return;
+    }
 
 	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
diff --git a/docs/src/setup/index.md b/docs/src/setup/index.md
@@ -163,6 +163,10 @@ services:
 Custom Postgres schema is not supported, as such `public` will be used.
 
 :::
+### Optional: PostgreSQL SSL
+
+You can enable TLS for the PostgreSQL connection with this environment variable:
+- DB_POSTGRES_SSL_MODE: (default: not set, can accept verify and verify-full)
 
 ## Running on Raspberry PI / ARM devices
 
