feat: add TLS connection support for Redis and PostgreSQL (#950)

- Add 10 env vars for Redis/PostgreSQL TLS (REDIS_SSL, REDIS_SSL_VERIFY, REDIS_SSL_CA_CERT, REDIS_SSL_CERT, REDIS_SSL_KEY, POSTGRES_SSL, POSTGRES_SSL_MODE, POSTGRES_SSL_CA_CERT, POSTGRES_SSL_CERT, POSTGRES_SSL_KEY)
- Propagate SSL params to all Redis connection points: RedisClient, stream view, PubSub, client manager, Celery broker/result backend, Django Channels, and pre-Django startup scripts
- Add Celery SSL config via URL query string params (required by Kombu's internal URL parsing)
- Add PostgreSQL sslmode and certificate options to DATABASES config
- Add startup validation: cert file existence, URL scheme conflict detection, TLS status logging
- Add TLS error hints to Redis connection failure messages
- Add Connection Security panel in System Settings (modular mode only) showing encryption, verification, and mTLS status
- Add PG client key permission fix in web and celery entrypoints for Docker Desktop compatibility (0777 to 0600)
- Add TLS env var passthrough in entrypoint for su - login shells
- Document TLS env vars in modular docker-compose.yml
- Change env_mode from dev/prod to actual DISPATCHARR_ENV value for modular mode detection
This commit is contained in:
None 2026-03-21 17:24:09 -05:00
parent 874f5fce6a
commit b30a24e2fb
16 changed files with 540 additions and 48 deletions

View file

@ -36,6 +36,23 @@ if [ "$USE_LEGACY_NUMPY" = "true" ]; then
fi
fi
# Fix TLS client key permissions for PostgreSQL (same issue as web entrypoint).
# libpq requires 0600 but Docker Desktop mounts files as 0777.
if [ -n "${POSTGRES_SSL_KEY:-}" ] && [ -f "$POSTGRES_SSL_KEY" ]; then
_key_perms=$(stat -c '%a' "$POSTGRES_SSL_KEY" 2>/dev/null)
if [ "$_key_perms" != "600" ] && [ "$_key_perms" != "640" ]; then
_fixed_key="/data/.pg-client-celery.key"
cp "$POSTGRES_SSL_KEY" "$_fixed_key"
chmod 600 "$_fixed_key"
# Match ownership to the user running Celery if running as root
if [ "$(id -u)" = "0" ] && [ -n "${PUID:-}" ]; then
chown "${PUID}:${PGID:-$PUID}" "$_fixed_key"
fi
export POSTGRES_SSL_KEY="$_fixed_key"
echo "Fixed PostgreSQL client key permissions (${_key_perms} → 600)"
fi
fi
# Wait for migrations to complete
# Uses 'migrate --check' which exits 0 only when all migrations are applied,
# and exits 1 on unapplied migrations OR connection errors (safe either way)