feat(database): allow enforcing of SSL for database connection

Several ways devised to implement this easily. Most logical is to enforce this
feature only when actually running in production, but this does not work well
when using CI for testing. So a `TYPEORM_SSL_ENABLED` environment variable
provides more configuration flexibility (so you can also test this locally).

Originally, the path to the CA certificates file was hardcoded. However, this
does not allow for flexibility on non-standard platforms that store it in a
different location or specific requirements from the environment. As such, the
`TYPEORM_SSL_CACERTS` has been introduced to handle that.

.env.example

@@ -16,6 +16,8 @@ TYPEORM_USERNAME=
 TYPEORM_PASSWORD=
 TYPEORM_SYNCHRONIZE=true
 TYPEORM_LOGGING=false
+TYPEORM_SSL_ENABLED=false
+TYPEORM_SSL_CACERTS=/etc/ssl/certs/ca-certificates.crt
 
 SPOTIFY_ENABLE=false
 SPOTIFY_CLIENT_ID=

src/database.ts

@@ -1,4 +1,5 @@
 import { DataSource } from 'typeorm';
+import fs from 'fs';
 import ServerSetting from './modules/server-settings/server-setting';
 import { Entities as BaseEntities } from './modules/root/entities';
 import { Entities as AuthEntities } from './modules/auth/entities';
@@ -14,6 +15,13 @@ const dataSource = new DataSource({
   type: process.env.TYPEORM_CONNECTION as any,
   username: process.env.TYPEORM_USERNAME,
   password: process.env.TYPEORM_PASSWORD,
+  ...(process.env.TYPEORM_SSL_ENABLED === 'true' && process.env.TYPEORM_SSL_CACERTS
+    ? {
+        ssl: {
+          ca: fs.readFileSync(process.env.TYPEORM_SSL_CACERTS),
+        },
+      }
+    : {}),
   synchronize: process.env.TYPEORM_SYNCHRONIZE === 'true',
   logging: process.env.TYPEORM_LOGGING === 'true',
   extra: {