From 878a140f0afb88f0f048f4047617943101bbc2cb Mon Sep 17 00:00:00 2001
From: danthonywalker
Date: Thu, 2 Jan 2025 23:03:10 -0600
Subject: [PATCH] Add PostgreSQL SSL
---
 Dockerfile | 34 +++++++++++++++++-----------------
 README.md | 2 ++
 src/shared/environment.ts | 2 ++
 src/shared/postgresql.ts | 10 ++++++++++
 4 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ce245f8..5dc7ef5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,33 +1,33 @@
-FROM node:20.8.0 as base
+FROM node:20.8.0 AS base
 WORKDIR /pedestrian
 # Install Chrome dependencies for puppeteer
 RUN apt-get update \
- && apt-get install -y wget gnupg \
- && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
- && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
- && apt-get update \
- && apt-get install -y google-chrome-stable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst fonts-freefont-ttf libxss1 \
- --no-install-recommends \
- && rm -rf /var/lib/apt/lists/* \
- # Add puppeteer user for Chrome sandbox
- && groupadd -r pptruser \
- && useradd -r -g pptruser -G audio,video pptruser \
- && mkdir -p /home/pptruser/Downloads \
- && chown -R pptruser:pptruser /home/pptruser \
- && chown -R pptruser:pptruser /pedestrian
+ && apt-get install -y wget gnupg \
+ && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
+ && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
+ && apt-get update \
+ && apt-get install -y google-chrome-stable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst fonts-freefont-ttf libxss1 \
+ --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/* \
+ # Add puppeteer user for Chrome sandbox
+ && groupadd -r pptruser \
+ && useradd -r -g pptruser -G audio,video pptruser \
+ && mkdir -p /home/pptruser/Downloads \
+ && chown -R pptruser:pptruser /home/pptruser \
+ && chown -R pptruser:pptruser /pedestrian
 # Use puppeteer user for Chrome sandbox
 USER pptruser
 COPY package*.json ./
-FROM base as build
+FROM base AS build
 # Install runtime and build dependencies
 RUN npm ci
 # Copy source code into current image
 COPY . .
 # Test source code
 RUN npm test \
- # Build source code
- && npm run build
+ # Build source code
+ && npm run build
 FROM base
 # Install runtime dependencies
diff --git a/README.md b/README.md
index e02e410..6fdce99 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,8 @@ Required environment variables must be configured in a `.env` file at the projec
 | POSTGRESQL_DATABASE | ❌ | db | |
 | POSTGRESQL_USER | ❌ | user | |
 | POSTGRESQL_PASSWORD | ❌ | password | |
+| POSTGRESQL_SSL | ❌ | false | |
+| POSTGRESQL_SSL_CA | ❌ | ./ca.crt | |
 | PROJECT_NAME | ❌ | Pedestrian | |
 | REDIS_HOST | ❌ | redis | |
 | REDIS_PORT | ❌ | 6379 | |
diff --git a/src/shared/environment.ts b/src/shared/environment.ts
index d157dde..26f3886 100644
--- a/src/shared/environment.ts
+++ b/src/shared/environment.ts
@@ -21,6 +21,8 @@ export default {
 PostgresqlHost: env.POSTGRESQL_HOST ?? "postgres",
 PostgresqlPassword: env.POSTGRESQL_PASSWORD ?? "password",
 PostgresqlPort: Number(env.POSTGRESQL_PORT ?? 5432),
+ PostgresqlSsl: env.POSTGRESQL_SSL === true.toString(),
+ PostgresqlSslCa: env.POSTGRESQL_SSL_CA ?? "./ca.crt",
 PostgresqlUser: env.POSTGRESQL_USER ?? "user",
 ProjectName: env.PROJECT_NAME ?? "Pedestrian",
 RedisCluster: env.REDIS_CLUSTER === true.toString(),
diff --git a/src/shared/postgresql.ts b/src/shared/postgresql.ts
index b22551d..5b872eb 100644
--- a/src/shared/postgresql.ts
+++ b/src/shared/postgresql.ts
@@ -1,5 +1,6 @@
 import type { PoolClient } from "pg";
+import * as fs from "node:fs";
 import { Pool } from "pg";
 import { Histogram } from "prom-client";
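Review bot: `PostgresqlSsl: env.POSTGRESQL_SSL === true.toString()` fails open: any value other than the exact lowercase string `true` (`TRUE`, `1`, `yes`, a trailing space) yields `false`, so a misspelled setting silently leaves the database connection unencrypted instead of failing at startup. It mirrors the existing `RedisCluster` line, so if it is tightened both should change together, for example via a small helper that accepts only `true`/`false` and throws on anything else. The default `./ca.crt` for `PostgresqlSslCa` is resolved against the process working directory, which inside the image is the `/pedestrian` `WORKDIR` set in the Dockerfile hunk; a comment saying so, or `PostgresqlSslCa: path.resolve(env.POSTGRESQL_SSL_CA ?? "./ca.crt"),`, would make that explicit. The `export default {` object continues outside the hunk.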
@@ -22,11 +23,20 @@ const databaseRequestDuration = new Histogram({
 });
 // endregion
+let postgresqlSsl;
+if (Environment.PostgresqlSsl) {
+ const caFile = fs.readFileSync(Environment.PostgresqlSslCa);
+ postgresqlSsl = {
+ ca: caFile.toString(),
+ };
+}
+
 const postgresql = new Pool({
 database: Environment.PostgresqlDatabase,
 host: Environment.PostgresqlHost,
 password: Environment.PostgresqlPassword,
 port: Environment.PostgresqlPort,
+ ssl: postgresqlSsl,
 user: Environment.PostgresqlUser,
 });
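Review bot: `fs.readFileSync(Environment.PostgresqlSslCa)` runs at module load with no error handling, so a missing or unreadable CA file surfaces as a bare ENOENT stack trace out of `postgresql.ts` that never mentions `POSTGRESQL_SSL_CA`; wrapping it to name the variable and the path makes the deployment mistake obvious. The `{ ca }` object leaves Node's TLS defaults in place (`rejectUnauthorized: true`, and a certificate-name check against `PostgresqlHost` when it is not an IP), so the server certificate really is verified against the supplied CA, which is the right behaviour and worth a comment so a later "fix" for a name mismatch does not become `rejectUnauthorized: false`. The `let` plus conditional assignment can be a typed declaration and `readFileSync(path, "utf8")` removes the `.toString()` step; the `{ cause }` option needs the ES2022 lib in tsconfig, drop it if the project's target is older.

```typescript
// TLS is opt-in. When enabled, pg passes this object to tls.connect, whose
// defaults (rejectUnauthorized: true plus the certificate-name check) verify the
// server certificate against the CA below; do not relax those defaults here.
let postgresqlSsl: { ca: string } | undefined;
if (Environment.PostgresqlSsl) {
  try {
    postgresqlSsl = { ca: fs.readFileSync(Environment.PostgresqlSslCa, "utf8") };
  } catch (cause) {
    throw new Error(
      `POSTGRESQL_SSL is enabled but the CA file "${Environment.PostgresqlSslCa}" (POSTGRESQL_SSL_CA) could not be read`,
      { cause },
    );
  }
}
// … unchanged: new Pool({ …, ssl: postgresqlSsl, … }) …
```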