New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the use of SSL connections to the postgres database. #1256
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Hello, can you add the environment variable to |
I believe that ssl settings can be included in the connection string itself. I would prefer if the ssl settings were read from that instead of a separate/additional env variable. Did you look at the package/method mentioned in #902? |
Done |
I did but I am not very familiar with typescript. I was reading this: https://node-postgres.com/features/ssl If I understand correctly we don't use a connectionstring at the moment. I couldn't get something like below to work:
However I did find a neater way of implementing what I already did. Please see latest commit. |
That's probably good enough for now and we can refactor to a connection string in another PR. |
Okay :) What is the main advantage of a connection string? I would have thought it is a bit more fragile as you are building a string. |
You would not manually construct it like that, but instead let the user
provide the whole thing. They aren't restriced by the options we choose to
provide values for, etc. So remove all the env variables and use only
DB_URL instead.
…On Thu, Jan 5, 2023, 7:18 PM Hammer ***@***.***> wrote:
Okay :) What is the main advantage of a connection string? I would have
thought it is a bit more fragile as you are building a string.
If it gets refactored to a connection string then I think it needs to be
able to ignore untrusted CA's and add custom CA's.
—
Reply to this email directly, view it on GitHub
<#1256 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABBCE5B7AED6PVGTDD35S5LWQ5QEVANCNFSM6AAAAAATRMVEZY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Look at all these options that would "just work" |
That sounds like a better approach 👍 |
This does work for the local environment however it requires a bit more work to remove all the dependencies on the existing DB env vars. I think that is probably why it doesn't quite work with my external postgres.
Another PR to refactor would be good. |
I think supporting both an URL and the existing env vars would be best, for backwards compatability and maximum versatility. A choice to make there is whether we want to allow both at the same time - in the library we're using, any options that are set explicitly will override those from the connection URL. I think there are two options there:
Option 1 would be the easiest, and I expect it'd be fine to ignore the other env vars, at the cost of a little bit of flexibility. fwiw: I think removing the hardcoded defaults is probably a good idea either way. The default |
@bo0tzz I have got the URL string working now so can implement option 1 as a connection string seems to be the preferred way. |
I have now changed it to use a DB URL. A few questions:
The validation still looks for these env variables even if we set the DB_URL and they are ignored. I have just added a warning not to remove them in the env.example file.
The env variables are still used by the docker container in the docker-compose file to set the passwords etc. If you are setting the DB_URL anyway you are unlikely to be using that container anyway. Just wanted to flag it. I think this is ready now. |
Looks better. We can make the validation conditional. So connection string OR the other ones. Also, the config merge can probably be simplified a bit by still having one exported base option that merges in a second one that's set using a ternary. So like
|
Here's an example of dynamic validation: immich/server/libs/common/src/config/app.config.ts Lines 19 to 45 in d3c35ec
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few small nits from me. Thank you :)
Should all be resolved now. Where do we change the documentation for the new DB_URL? |
It doesn't look like we have a dedicated page for environment variables yet, just the env file copy/pasted here: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks!
Unfortunately I can't get my build environment working properly so not able to run tests locally etc. I must be missing something. Is there any setup instructions to get everything installed etc? |
https://immich.app/docs/developer/setup should help |
Thanks for the link but I have been looking at that. Make dev works fine. I am struggling with getting npm install to work.
|
You need to run the command on the docker container itself. So something like: docker exec -it immich_server bash Then Similar to https://immich.app/docs/features/server-commands#examples |
…ad of the env variables
Right okay; doing that works fine. I just thought that was for testing the application manually in the browser etc. All tests etc pass so fingers crossed it is okay now. Just rebased the fork as it was getting redis errors (from previous rebase) and it is clean. |
Is the docker login something I have missed? |
Nope, no worries. @alextran1502 can you take another look at this? |
Hello,
fixes #902
Just throwing it out there, I have never coded in typescript before so wasn't exactly sure what I was doing as I code mainly in python/C.
I tweaked the code slightly so allow untrusted SSL connections or no SSL. I tested it with the docker-compose-dev deployment and also changing the environment parameters to point to my crunchydata postgres instance within K8s (which requires SSL). It all seemed to work.
I have made this a draft as I am not sure if this is a good way of doing it and I haven't changed/written any tests for it.
PS. I haven't tested immich yet as I am migrating stuff to K8s and want to deploy it there but it looks very promising; exactly what I have been looking for! Thank you for creating this.