@JGaudette JGaudette commented Sep 29, 2025

We use RDS and require an SSL connection in our environment. This PR still defaults the SSL mode to false for backwards compatibility, but also introduces an environment variable to overwrite that and enable SSL mode on the Postgres connection.

Summary by CodeRabbit

  • Chores
    • PostgreSQL SSL configuration is now configurable through environment variables, enabling flexible database connection security settings across different deployment environments.

vercel bot commented Sep 29, 2025

@JGaudette is attempting to deploy a commit to the goldflag's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Sep 29, 2025

Walkthrough

The PR adds PostgreSQL SSL configuration support to the application by introducing a new POSTGRES_SSL environment variable across configuration files and updating database connection initialization to conditionally enable SSL based on this variable's value.

Changes

Cohort / File(s) Summary
Environment and Docker Configuration
.env.example, docker-compose.cloud.yml
Added new POSTGRES_SSL environment variable with default value of false to support SSL configuration for PostgreSQL connections.
Database Connection Setup
server/drizzle.config.ts, server/src/db/postgres/postgres.ts
Updated SSL configuration to be conditionally applied based on the POSTGRES_SSL environment variable, converting the string value to a boolean (=== "true").

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify the POSTGRES_SSL environment variable is properly defined and propagated across all deployment environments
  • Confirm the boolean conversion logic (=== "true") is consistently applied in both configuration files

Poem

🐰 Through database tunnels, secure we go,
SSL shields on the Postgres flow,
A config twist, now variables dance,
Encryption's sure—a cryptographic prance! 🔒

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat: allow for postgres ssl connections' directly and accurately summarizes the main change: adding support for SSL connections to PostgreSQL via environment configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.env.example (1)

26-26: Consider reordering for consistency.

The static analysis tool suggests placing POSTGRES_SSL before POSTGRES_USER to maintain alphabetical ordering within the PostgreSQL configuration section.

Apply this diff to reorder the keys:

 # PostgreSQL Database Configuration
 POSTGRES_DB=analytics
+POSTGRES_SSL=false
 POSTGRES_USER=frog
 POSTGRES_PASSWORD=frog
-POSTGRES_SSL=false
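
Review bot: in the reordered block POSTGRES_PASSWORD still follows POSTGRES_USER, so the section is still not alphabetical after this change. If ordering is the goal, the keys should read POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_SSL, POSTGRES_USER. Separately, POSTGRES_PASSWORD=frog in an example file tends to be copied into real deployments; a placeholder value would be safer.
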
server/drizzle.config.ts (1)

16-16: Simplify the boolean expression.

The ternary operator is redundant since the equality check already returns a boolean.

Apply this diff to simplify:

-    ssl: process.env.POSTGRES_SSL === "true" ? true : false,
+    ssl: process.env.POSTGRES_SSL === "true",
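
Review bot: the comparison on the + line accepts only the exact string "true", so POSTGRES_SSL=TRUE, POSTGRES_SSL=1 or a value with trailing whitespace evaluates to false and the connection is made without TLS and without any warning. Normalize the value (trim, lowercase) and throw on anything other than true or false, so a typo cannot silently downgrade the connection.
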
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 331e5c8 and a1990dd.

📒 Files selected for processing (4)
  • .env.example (1 hunks)
  • docker-compose.cloud.yml (1 hunks)
  • docs/src/content/self-hosting-advanced.mdx (1 hunks)
  • server/drizzle.config.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
{client,server}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

{client,server}/**/*.{ts,tsx}: Use TypeScript with strict typing throughout both client and server
Use try/catch blocks with specific error types for error handling
Use camelCase for variables and functions, PascalCase for components and types
Group imports by external, then internal, and sort alphabetically within groups

Files:

  • server/drizzle.config.ts
server/**/*

📄 CodeRabbit inference engine (CLAUDE.md)

Backend: Use Fastify, Drizzle ORM (Postgres), ClickHouse, and Zod

Files:

  • server/drizzle.config.ts
🪛 dotenv-linter (3.3.0)
.env.example

[warning] 26-26: [UnorderedKey] The POSTGRES_SSL key should go before the POSTGRES_USER key

(UnorderedKey)

🔇 Additional comments (2)
docs/src/content/self-hosting-advanced.mdx (1)

70-70: LGTM!

The documentation correctly reflects the new POSTGRES_SSL environment variable with the appropriate default value for backwards compatibility.

docker-compose.cloud.yml (1)

89-89: LGTM!

The environment variable is correctly configured with a sensible default, maintaining backwards compatibility while allowing SSL to be enabled when needed.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
server/src/db/postgres/postgres.ts (1)

15-15: Simplify the redundant ternary expression.

The expression process.env.POSTGRES_SSL === "true" ? true : false can be simplified.

Apply this diff to simplify:

-  ssl: process.env.POSTGRES_SSL === "true" ? true : false,
+  ssl: process.env.POSTGRES_SSL === "true",
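
Review bot: this line duplicates the POSTGRES_SSL parsing that server/drizzle.config.ts also carries, and two copies can drift so that migrations and the runtime connection end up with different TLS settings. Move the parsing into one shared helper and import it in both files.
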
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1990dd and 2d308ce.

📒 Files selected for processing (1)
  • server/src/db/postgres/postgres.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
{client,server}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

{client,server}/**/*.{ts,tsx}: Use TypeScript with strict typing throughout both client and server
Use try/catch blocks with specific error types for error handling
Use camelCase for variables and functions, PascalCase for components and types
Group imports by external, then internal, and sort alphabetically within groups

Files:

  • server/src/db/postgres/postgres.ts
server/**/*

📄 CodeRabbit inference engine (CLAUDE.md)

Backend: Use Fastify, Drizzle ORM (Postgres), ClickHouse, and Zod

Files:

  • server/src/db/postgres/postgres.ts

database: process.env.POSTGRES_DB,
username: process.env.POSTGRES_USER,
password: process.env.POSTGRES_PASSWORD,
ssl: process.env.POSTGRES_SSL === "true" ? true : false,

⚠️ Potential issue | 🟠 Major

Consider SSL certificate validation for production environments.

While enabling SSL with ssl: true encrypts the connection, it doesn't validate the server's certificate by default. For production environments like RDS, you should verify the server certificate to prevent man-in-the-middle attacks.

Consider using an object configuration for SSL to enable certificate validation:

-  ssl: process.env.POSTGRES_SSL === "true" ? true : false,
+  ssl: process.env.POSTGRES_SSL === "true" ? { rejectUnauthorized: true } : false,
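
Review bot: the + line turns verification on but gives no way to supply a CA, so it only works when the server certificate chains to a CA in Node's default trust store; a database behind a private or provider-specific CA will fail to connect. Add a CA path setting to the ssl object in the same change, and fail at startup if the file cannot be read.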

Note: RDS instances typically require certificate validation. If you need to provide a custom CA certificate, the postgres library also supports:

ssl: {
  rejectUnauthorized: true,
  ca: fs.readFileSync('/path/to/ca-certificate.crt').toString(),
}
🤖 Prompt for AI Agents
In server/src/db/postgres/postgres.ts around line 15, the SSL option is
currently set as a boolean which enables encryption but does not enforce server
certificate validation; change the ssl option to an object that sets
rejectUnauthorized: true for production (e.g., when NODE_ENV === "production" or
POSTGRES_SSL === "true") and, if required by your RDS setup, load a CA bundle
from a configured path (read the CA file with fs.readFileSync and pass it as
ca); ensure you conditionally construct this object (or leave ssl: false for
non-SSL envs), and add the needed fs import and error handling for missing CA
file.
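
One way to build the ssl option this comment asks for, as an added example (not code from this PR or the project): unrecognized POSTGRES_SSL values raise an error instead of falling back to plaintext, and an optional CA bundle is checked before use. The names buildSslOption, parseBoolEnv, POSTGRES_SSL_CA_PATH and the injected readCa callback are hypothetical.

```typescript
// Added example; buildSslOption, POSTGRES_SSL_CA_PATH and readCa are hypothetical names.
type Env = Record<string, string | undefined>;
type SslOption = false | { rejectUnauthorized: true; ca?: string };

// Parse a boolean env var strictly: a typo must not silently disable TLS.
function parseBoolEnv(name: string, raw: string | undefined, fallback: boolean): boolean {
  if (raw === undefined || raw.trim() === "") return fallback;
  const v = raw.trim().toLowerCase();
  if (v === "true") return true;
  if (v === "false") return false;
  throw new Error(`${name} must be "true" or "false", got "${raw}"`);
}

// readCa is injected so the caller chooses how the bundle is loaded,
// for example (p) => fs.readFileSync(p, "utf8"), and tests need no disk access.
function buildSslOption(env: Env, readCa: (path: string) => string): SslOption {
  // The default stays false, matching the PR's backwards-compatible default.
  if (!parseBoolEnv("POSTGRES_SSL", env["POSTGRES_SSL"], false)) return false;

  const caPath = env["POSTGRES_SSL_CA_PATH"]; // hypothetical variable
  if (caPath === undefined || caPath === "") {
    // No custom CA: verify against the runtime's default trust store.
    return { rejectUnauthorized: true };
  }
  let ca: string;
  try {
    ca = readCa(caPath);
  } catch (err) {
    const reason = err instanceof Error ? err.message : String(err);
    throw new Error(`cannot read CA bundle at ${caPath}: ${reason}`);
  }
  if (!ca.includes("-----BEGIN CERTIFICATE-----")) {
    throw new Error(`${caPath} does not look like a PEM certificate bundle`);
  }
  return { rejectUnauthorized: true, ca };
}

// Constructed sample input: a fake PEM body and an in-memory reader.
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n";
const sampleReader = (path: string): string => {
  if (path === "/etc/ssl/sample-ca.pem") return SAMPLE_PEM;
  throw new Error("ENOENT");
};
```

The returned value is meant to be passed as the ssl field of the connection options in both files that read POSTGRES_SSL.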

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.env.example (2)

26-26: Reorder POSTGRES_SSL to maintain alphabetical ordering within the PostgreSQL section.

The POSTGRES_SSL variable should appear before POSTGRES_USER to maintain alphabetical consistency within the PostgreSQL Database Configuration section.

Apply this diff to fix the ordering:

 # PostgreSQL Database Configuration
 POSTGRES_DB=analytics
 POSTGRES_USER=frog
 POSTGRES_PASSWORD=frog
-POSTGRES_SSL=false
+POSTGRES_SSL=false
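
Review bot: the - and + lines are identical (POSTGRES_SSL=false is removed and re-added at the same position), so applying this hunk changes nothing and the UnorderedKey warning will remain. The hunk needs to move the line above POSTGRES_USER, as in the reorganized listing that follows.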

Reorganized section:

 # PostgreSQL Database Configuration
 POSTGRES_DB=analytics
 POSTGRES_PASSWORD=frog
 POSTGRES_SSL=false
 POSTGRES_USER=frog

22-26: Add a clarifying comment for the new POSTGRES_SSL variable.

Developers reading the .env.example may benefit from understanding what this variable controls and why it defaults to false. A brief inline comment would improve clarity.

Apply this diff to add a descriptive comment:

 # PostgreSQL Database Configuration
 POSTGRES_DB=analytics
+POSTGRES_PASSWORD=frog
+POSTGRES_SSL=false
+# Set to true to enable SSL (required for some environments like RDS; disabled by default for backwards compatibility)
 POSTGRES_USER=frog
-POSTGRES_PASSWORD=frog
-POSTGRES_SSL=false
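
Review bot: the added comment sits after POSTGRES_SSL=false and directly above POSTGRES_USER=frog, so it reads as documentation for POSTGRES_USER. Put the comment on the line above POSTGRES_SSL=false.
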
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2d308ce and d5e15d0.

📒 Files selected for processing (1)
  • .env.example (1 hunks)
🧰 Additional context used
🪛 dotenv-linter (4.0.0)
.env.example

[warning] 26-26: [UnorderedKey] The POSTGRES_SSL key should go before the POSTGRES_USER key

(UnorderedKey)
