chore: enable tls connection to postgres on newer otp versions (#5)

kitsteam · Dec 25, 2023 · a2087a2 · a2087a2
1 parent 279a795
commit a2087a2
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 28 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,8 +10,8 @@ on:
 
 env:
   NODE_VERSION: "18.12.1"
-  OTP_VERSION: "26.0.2"
-  ELIXIR_VERSION: "1.15.2"
+  OTP_VERSION: "26.2.1"
+  ELIXIR_VERSION: "1.15.7"
 
 jobs:
   build_deps:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,7 +14,14 @@ name: Create and publish a Docker image
 on:
   release:
     types: [published]
-
+  push:
+    branches: ["main"]
+  pull_request_target:
+        types: 
+            - opened
+        branches:
+            - main
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}

diff --git a/Dockerfile b/Dockerfile
@@ -12,9 +12,9 @@
 #   - https://pkgs.org/ - resource for finding needed packages
 #   - Ex: hexpm/elixir:1.14.0-erlang-24.3.4-debian-bullseye-20210902-slim
 #
-ARG ELIXIR_VERSION=1.15.2
-ARG OTP_VERSION=26.0.2
-ARG DEBIAN_VERSION=bullseye-20230612-slim
+ARG ELIXIR_VERSION=1.15.7
+ARG OTP_VERSION=26.2.1
+ARG DEBIAN_VERSION=bullseye-20231009-slim
 
 ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
 ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
@@ -116,9 +116,9 @@ RUN mix release
 
 # start a new build stage so that the final image will only contain
 # the compiled release and other runtime necessities
-FROM production_builder as production
+FROM ${RUNNER_IMAGE} as production
 
-RUN apt-get update -y && apt-get install -y libstdc++6 postgresql-client openssl libncurses5 locales \
+RUN apt-get update -y && apt-get install -y ca-certificates libstdc++6 postgresql-client openssl libncurses5 locales \
   && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 # Set the locale

diff --git a/config/runtime.exs b/config/runtime.exs
@@ -30,6 +30,28 @@ if config_env() != :test do
 end
 
 if config_env() == :prod do
+  unless System.get_env("DATABASE_HOST") do
+    Logger.warn(
+      "Environment variable DATABASE_HOST is missing, e.g. DATABASE_HOST=localhost or DATABASE_HOST=postgres"
+    )
+  end
+
+  unless System.get_env("DATABASE_NAME") do
+    Logger.warn("Environment variable DATABASE_NAME is missing, e.g. DATABASE_NAME=wordcharts")
+  end
+
+  unless System.get_env("DATABASE_USER") do
+    Logger.warn(
+      "Environment variable DATABASE_USER is missing, e.g. DATABASE_USER=wordcharts_user"
+    )
+  end
+
+  unless System.get_env("DATABASE_USER_PASSWORD") do
+    Logger.warn(
+      "Environment variable DATABASE_USER_PASSWORD is missing, e.g. DATABASE_USER_PASSWORD=wordcharts_user_password"
+    )
+  end
+
   database_url =
     System.get_env("DATABASE_URL") ||
       raise """
@@ -40,10 +62,23 @@ if config_env() == :prod do
   maybe_ipv6 = if System.get_env("ECTO_IPV6"), do: [:inet6], else: []
 
   config :wordcharts, Wordcharts.Repo,
-    # ssl: true,
-    url: database_url,
-    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
-    socket_options: maybe_ipv6
+    database: System.get_env("DATABASE_NAME"),
+    hostname: System.get_env("DATABASE_HOST"),
+    password: System.get_env("DATABASE_USER_PASSWORD"),
+    username: System.get_env("DATABASE_USER"),
+    pool_size: String.to_integer(System.get_env("POOL_SIZE", "10")),
+    port: String.to_integer(System.get_env("DATABASE_PORT", "5432")),
+    ssl: System.get_env("DATABASE_SSL", "true") == "true",
+    socket_options: maybe_ipv6,
+    ssl_opts: [verify: :verify_peer,
+               cacerts: :public_key.cacerts_get(),
+               versions: [:"tlsv1.3"],
+               depth: 3,
+               server_name_indication: String.to_charlist(System.get_env("DATABASE_HOST")),
+               customize_hostname_check: [
+                match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+               ]
+              ]
 
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you

diff --git a/mix.exs b/mix.exs
@@ -35,14 +35,14 @@ defmodule Wordcharts.MixProject do
       {:phoenix, "1.7.7"},
       {:phoenix_ecto, "4.4.2"},
       {:ecto_sql, "3.10.1"},
-      {:postgrex, "0.17.1"},
+      {:postgrex, "0.17.4"},
       {:phoenix_html, "3.3.1"},
       {:phoenix_view, "2.0.2"},
       {:phoenix_live_reload, "1.4.1", only: :dev},
       {:phoenix_live_view, "0.19.3"},
       {:floki, "0.34.3", only: :test},
       {:phoenix_live_dashboard, "0.8.0"},
-      {:esbuild, "~> 0.4", runtime: Mix.env() == :dev},
+      {:esbuild, "0.8.1", runtime: Mix.env() == :dev},
       {:swoosh, "1.11.2"},
       {:telemetry_metrics, "0.6.1"},
       {:telemetry_poller, "1.0.0"},