From 4448a30dbcf1d4f9f305c557611bf3895c7ce43e Mon Sep 17 00:00:00 2001
From: Joschua Becker <jb@scolasti.co>
Date: Thu, 5 Feb 2026 13:14:56 +0100
Subject: [PATCH] feat: added ssl option for database

---
 docker-compose.db.yml            |  2 +-
 pnpm-workspace.yaml              |  5 +++++
 src/config/Database.ts           | 14 ++++++++++++++
 src/services/database.service.ts | 20 +++++++++++++++++++-
 4 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 pnpm-workspace.yaml

diff --git a/docker-compose.db.yml b/docker-compose.db.yml
index d5aefb7..76fc9c3 100644
--- a/docker-compose.db.yml
+++ b/docker-compose.db.yml
@@ -18,7 +18,7 @@ services:
       POSTGRES_DB: db
     volumes:
       - pg:/var/lib/postgresql/data
-  
+
   app:
     image: ghcr.io/not-three/api:nightly
     <<: *restart
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..e581b6d
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,5 @@
+onlyBuiltDependencies:
+  - '@nestjs/core'
+  - '@scarf/scarf'
+  - sqlite3
+  - unrs-resolver
diff --git a/src/config/Database.ts b/src/config/Database.ts
index c29eeda..c88edf3 100644
--- a/src/config/Database.ts
+++ b/src/config/Database.ts
@@ -54,6 +54,20 @@ export class DatabaseConfig {
    */
   database = $str("DATABASE_NAME", "database");
 
+  /**
+   * Use SSL for the database connection.
+   * @default false
+   * @env DATABASE_SSL
+   */
+  ssl = $bool("DATABASE_SSL", false);
+
+  /**
+   * If SSL is used, should the certificate be verified.
+   * @default true
+   * @env DATABASE_SSL_REJECT_UNAUTHORIZED
+   */
+  sslRejectUnauthorized = $bool("DATABASE_SSL_REJECT_UNAUTHORIZED", true);
+
   /**
    * In the rare case that you need to downgrade the database, set this temporarily to true.
    * Be aware that this can lead to data loss. Make sure to have backups.
diff --git a/src/services/database.service.ts b/src/services/database.service.ts
index 467aea0..2f7c571 100644
--- a/src/services/database.service.ts
+++ b/src/services/database.service.ts
@@ -49,9 +49,27 @@ export class DatabaseService
         const dir = resolve(join(process.cwd(), cfg.filename, ".."));
         if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
       }
+
+      const connection: any =
+        cfg.mode === "sqlite3"
+          ? { filename: cfg.filename }
+          : {
+              host: cfg.host,
+              port: cfg.port,
+              user: cfg.user,
+              password: cfg.password,
+              database: cfg.database,
+            };
+
+      if (cfg.mode !== "sqlite3" && cfg.ssl) {
+        connection.ssl = cfg.sslRejectUnauthorized
+          ? true
+          : { rejectUnauthorized: false };
+      }
+
       this.knex = knex({
         client: cfg.mode,
-        connection: cfg,
+        connection,
         useNullAsDefault: true,
       });
       await this.knex.raw("SELECT 1;");