fix: 7317 support pg ssl

config/default.yaml

@@ -80,7 +80,12 @@ trust_proxy:
 database:
   hostname: '127.0.0.1'
   port: 5432
-  ssl: false
+  ssl_settings: 
+    enabled: false
+    reject_unauthorized: false
+    ca: '/absolute/path/to/server-certificates/root.crt'
+    cert: '/absolute/path/to/client-certificates/postgresql.crt'
+    key: '/absolute/path/to/client-key/postgresql.key'
   suffix: '_dev'
   username: 'peertube'
   password: 'peertube'

config/production.yaml.example

@@ -78,7 +78,12 @@ trust_proxy:
 database:
   hostname: '127.0.0.1'
   port: 5432
-  ssl: false
+  ssl_settings: 
+    enabled: false
+    reject_unauthorized: false
+    ca: '/absolute/path/to/server-certificates/root.crt'
+    cert: '/absolute/path/to/client-certificates/postgresql.crt'
+    key: '/absolute/path/to/client-key/postgresql.key'
   suffix: '_prod'
   username: 'peertube'
   password: 'peertube'

server/core/initializers/config.ts

@@ -37,7 +37,25 @@ const CONFIG = {
     DBNAME: config.has('database.name') ? config.get<string>('database.name') : 'peertube' + config.get<string>('database.suffix'),
     HOSTNAME: config.get<string>('database.hostname'),
     PORT: config.get<number>('database.port'),
-    SSL: config.get<boolean>('database.ssl'),
+    SSL_SETTINGS: {
+      get ENABLED () {
+        return config.has('database.ssl_settings.enabled') ? config.get<boolean>('database.ssl_settings.enabled') : false
+      },
+      get REJECT_UNAUTHORIZED () {
+        return config.has('database.ssl_settings.reject_unauthorized') 
+          ? config.get<boolean>('database.ssl_settings.reject_unauthorized') 
+          : false
+      },
+      get CA() {
+        return config.has('database.ssl_settings.ca') ? config.get<string>('database.ssl_settings.ca') : null
+      },
+      get CERT() {
+        return config.has('database.ssl_settings.cert') ? config.get<string>('database.ssl_settings.cert') : null
+      },
+      get KEY() {
+        return config.has('database.ssl_settings.key') ? config.get<string>('database.ssl_settings.key') : null
+      }
+    },
     USERNAME: config.get<string>('database.username'),
     PASSWORD: config.get<string>('database.password'),
     POOL: {

server/core/initializers/database.ts

@@ -33,6 +33,7 @@ import { LocalVideoViewerWatchSectionModel } from '@server/models/view/local-vid
 import { LocalVideoViewerModel } from '@server/models/view/local-video-viewer.js'
 import { WatchedWordsListModel } from '@server/models/watched-words/watched-words-list.js'
 import pg from 'pg'
+import { readFileSync } from 'fs'
 import { QueryTypes, Transaction } from 'sequelize'
 import { Sequelize as SequelizeTypescript } from 'sequelize-typescript'
 import { logger } from '../helpers/logger.js'
@@ -85,11 +86,18 @@ const poolMax = CONFIG.DATABASE.POOL.MAX
 
 let dialectOptions: any = {}
 
-if (CONFIG.DATABASE.SSL) {
-  dialectOptions = {
-    ssl: {
-      rejectUnauthorized: false
-    }
+if (CONFIG.DATABASE.SSL_SETTINGS.ENABLED) {
+  // For reference: https://node-postgres.com/features/ssl
+  dialectOptions = { ssl: { rejectUnauthorized: CONFIG.DATABASE.SSL_SETTINGS.REJECT_UNAUTHORIZED } }
+
+  if (CONFIG.DATABASE.SSL_SETTINGS.CA) {
+    dialectOptions.ssl.ca = readFileSync(CONFIG.DATABASE.SSL_SETTINGS.CA, { encoding: 'utf8' })
+  }
+  if (CONFIG.DATABASE.SSL_SETTINGS.CERT) {
+    dialectOptions.ssl.cert = readFileSync(CONFIG.DATABASE.SSL_SETTINGS.CERT, { encoding: 'utf8' })
+  }
+  if (CONFIG.DATABASE.SSL_SETTINGS.KEY) {
+    dialectOptions.ssl.key = readFileSync(CONFIG.DATABASE.SSL_SETTINGS.KEY, { encoding: 'utf8' }) 
   }
 }