diff --git a/docs/docs/install/environment-variables.md b/docs/docs/install/environment-variables.md
index e11547d240..c853a873ab 100644
--- a/docs/docs/install/environment-variables.md
+++ b/docs/docs/install/environment-variables.md
@@ -80,6 +80,7 @@ Information on the current workers can be found [here](/docs/administration/jobs
| `DB_USERNAME` | Database user | `postgres` | server, database<sup>\*1</sup> |
| `DB_PASSWORD` | Database password | `postgres` | server, database<sup>\*1</sup> |
| `DB_DATABASE_NAME` | Database name | `immich` | server, database<sup>\*1</sup> |
+| `DB_SSL_MODE` | Database SSL mode | | server |
| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`pgvector`, `pgvecto.rs`]) | `pgvecto.rs` | server |
| `DB_SKIP_MIGRATIONS` | Whether to skip running migrations on startup (one of [`true`, `false`]) | `false` | server |
diff --git a/server/src/dtos/env.dto.ts b/server/src/dtos/env.dto.ts
index 6c238252a6..7f0df8abb9 100644
--- a/server/src/dtos/env.dto.ts
+++ b/server/src/dtos/env.dto.ts
@@ -1,6 +1,6 @@
import { Transform, Type } from 'class-transformer';
import { IsEnum, IsInt, IsString } from 'class-validator';
-import { ImmichEnvironment, LogLevel } from 'src/enum';
+import { DatabaseSslMode, ImmichEnvironment, LogLevel } from 'src/enum';
import { IsIPRange, Optional, ValidateBoolean } from 'src/validation';
export class EnvDto {
@@ -142,6 +142,10 @@ export class EnvDto {
@ValidateBoolean({ optional: true })
DB_SKIP_MIGRATIONS?: boolean;
+ @IsEnum(DatabaseSslMode)
+ @Optional()
+ DB_SSL_MODE?: DatabaseSslMode;
+
@IsString()
@Optional()
DB_URL?: string;
diff --git a/server/src/enum.ts b/server/src/enum.ts
index 4e725e1c13..a9ea285c24 100644
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -610,3 +610,11 @@ export enum OAuthTokenEndpointAuthMethod {
CLIENT_SECRET_POST = 'client_secret_post',
CLIENT_SECRET_BASIC = 'client_secret_basic',
}
+
+export enum DatabaseSslMode {
+ Disable = 'disable',
+ Allow = 'allow',
+ Prefer = 'prefer',
+ Require = 'require',
+ VerifyFull = 'verify-full',
+}
diff --git a/server/src/repositories/config.repository.spec.ts b/server/src/repositories/config.repository.spec.ts
index 9e9ed71191..143892fdd0 100644
--- a/server/src/repositories/config.repository.spec.ts
+++ b/server/src/repositories/config.repository.spec.ts
@@ -23,6 +23,7 @@ const resetEnv = () => {
'DB_USERNAME',
'DB_PASSWORD',
'DB_DATABASE_NAME',
+ 'DB_SSL_MODE',
'DB_SKIP_MIGRATIONS',
'DB_VECTOR_EXTENSION',
@@ -92,6 +93,17 @@ describe('getEnv', () => {
});
});
+ it('should validate DB_SSL_MODE', () => {
+ process.env.DB_SSL_MODE = 'invalid';
+ expect(() => getEnv()).toThrowError('Invalid environment variables: DB_SSL_MODE');
+ });
+
+ it('should accept a valid DB_SSL_MODE', () => {
+ process.env.DB_SSL_MODE = 'prefer';
+ const { database } = getEnv();
+ expect(database.config).toMatchObject(expect.objectContaining({ ssl: 'prefer' }));
+ });
+
it('should allow skipping migrations', () => {
process.env.DB_SKIP_MIGRATIONS = 'true';
const { database } = getEnv();
diff --git a/server/src/repositories/config.repository.ts b/server/src/repositories/config.repository.ts
index 9b88a78e6b..9b3e406437 100644
--- a/server/src/repositories/config.repository.ts
+++ b/server/src/repositories/config.repository.ts
@@ -193,6 +193,7 @@ const getEnv = (): EnvData => {
username: dto.DB_USERNAME || 'postgres',
password: dto.DB_PASSWORD || 'postgres',
database: dto.DB_DATABASE_NAME || 'immich',
+ ssl: dto.DB_SSL_MODE || undefined,
};
return {
diff --git a/server/src/types.ts b/server/src/types.ts
index d18ef297ef..2f5bfad02c 100644
--- a/server/src/types.ts
+++ b/server/src/types.ts
@@ -2,6 +2,7 @@ import { SystemConfig } from 'src/config';
import {
AssetType,
DatabaseExtension,
+ DatabaseSslMode,
ExifOrientation,
ImageFormat,
JobName,
@@ -380,6 +381,7 @@ export type DatabaseConnectionParts = {
username: string;
password: string;
database: string;
+ ssl?: DatabaseSslMode;
};
export type DatabaseConnectionParams = DatabaseConnectionURL | DatabaseConnectionParts;
diff --git a/server/src/utils/database.ts b/server/src/utils/database.ts
index b44ea5da46..985605eb07 100644
--- a/server/src/utils/database.ts
+++ b/server/src/utils/database.ts
@@ -17,7 +17,7 @@ import { parse } from 'pg-connection-string';
import postgres, { Notice } from 'postgres';
import { columns, Exif, Person } from 'src/database';
import { DB } from 'src/db';
-import { AssetFileType, DatabaseExtension } from 'src/enum';
+import { AssetFileType, DatabaseExtension, DatabaseSslMode } from 'src/enum';
import { TimeBucketSize } from 'src/repositories/asset.repository';
import { AssetSearchBuilderOptions } from 'src/repositories/search.repository';
import { DatabaseConnectionParams, VectorExtension } from 'src/types';
@@ -35,7 +35,7 @@ export const asPostgresConnectionConfig = (params: DatabaseConnectionParams) =>
username: params.username,
password: params.password,
database: params.database,
- ssl: undefined,
+ ssl: params.ssl === DatabaseSslMode.Disable ? false : params.ssl,
};
}