diff --git a/config/runtime.exs b/config/runtime.exs
index a0e5f34c76..c394bf0341 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -89,10 +89,30 @@ config :teslamate, TeslaMate.Repo,
 database: Util.fetch_env!("DATABASE_NAME", dev: "teslamate_dev", test: "teslamate_test"),
 hostname: Util.fetch_env!("DATABASE_HOST", all: "localhost"),
 port: System.get_env("DATABASE_PORT", "5432"),
- ssl: System.get_env("DATABASE_SSL", "false") == "true",
 pool_size: System.get_env("DATABASE_POOL_SIZE", "10") |> String.to_integer(),
 timeout: System.get_env("DATABASE_TIMEOUT", "60000") |> String.to_integer()
+case System.get_env("DATABASE_SSL") do
+ "true" ->
+ ca_cert_file =
+ System.get_env("DATABASE_SSL_CA_CERT_FILE") || raise "DATABASE_SSL_CA_CERT_FILE must be set"
+
+ config :teslamate, TeslaMate.Repo,
+ ssl: true,
+ ssl_opts: [
+ verify: :verify_peer,
+ cacertfile: ca_cert_file
+ ]
+
+ "noverify" ->
+ config :teslamate, TeslaMate.Repo,
+ ssl: true,
+ ssl_opts: [verify: :verify_none]
+
+ _false ->
+ config :teslamate, TeslaMate.Repo, ssl: false
+end
+
 if System.get_env("DATABASE_IPV6") == "true" do
 config :teslamate, TeslaMate.Repo, socket_options: [:inet6]
 end
diff --git a/website/docs/configuration/environment_variables.md b/website/docs/configuration/environment_variables.md
index 91cf3f2460..ecea62346c 100644
--- a/website/docs/configuration/environment_variables.md
+++ b/website/docs/configuration/environment_variables.md
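Review bot: `verify: :verify_peer` with only `cacertfile` in the `"true"` branch validates the certificate chain but, as far as I can tell, does not bind the presented certificate to `DATABASE_HOST`: Postgrex upgrades an already-connected TCP socket via `:ssl.connect/3`, which takes no host argument, so `server_name_indication` is not derived from the hostname and any certificate issued by the configured CA would be accepted. I would bind the host once, `hostname = Util.fetch_env!("DATABASE_HOST", all: "localhost")`, and add `server_name_indication: String.to_charlist(hostname)` to `ssl_opts` (with `customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]` if wildcard certificates need to match). A second point is the `_false ->` catch-all: any unrecognised value, including a misspelt `noverify`, silently configures a plaintext connection, so I would match `nil` and `"false"` explicitly and `raise` on anything else. The `config :teslamate, TeslaMate.Repo,` keyword list that the removed `ssl:` entry belonged to starts above the hunk.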
@@ -16,7 +16,8 @@ TeslaMate accepts the following environment variables for runtime configuration:
 | **DATABASE_PORT** | Port of the database server | 5432 |
 | **DATABASE_POOL_SIZE** | Size of the database connection pool | 10 |
 | **DATABASE_TIMEOUT** | The time in milliseconds to wait for database query calls to finish | 60000 |
-| **DATABASE_SSL** | Set to `true` if SSL should be used | false |
+| **DATABASE_SSL** | Set to `true` if SSL should be enabled or `noverify` if certificate verification should not be performed. | false |
+| **DATABASE_SSL_CA_CERT_FILE** | Path to a file containing PEM-encoded CA certificates (required if `DATABASE_SSL` is set to `true`) | |
 | **DATABASE_IPV6** | Set to `true` if IPv6 should be used | false |
 | **VIRTUAL_HOST** | Host part used for generating URLs throughout the app | localhost |
 | **CHECK_ORIGIN** | Configures whether to check the origin header or not. May be `true` (**recommended**), `false` (_default_) or a comma-separated list of hosts that are allowed (e.g. `https://example.com,//another.com:8080`). Hosts also support wildcards. If `true`, it will check against the host value in `VIRTUAL_HOST`. | false |