From c372fe1c868e9a050fcfb02f1d80f7f12f5b63c7 Mon Sep 17 00:00:00 2001
From: Zack Siri <me@zacksiri.dev>
Date: Tue, 20 Feb 2024 15:08:24 +0700
Subject: [PATCH] Configure db for production

---
 config/runtime.exs | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/config/runtime.exs b/config/runtime.exs
index 608afd0..85082cd 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -44,11 +44,40 @@ if config_env() == :prod do
 
   maybe_ipv6 = if System.get_env("ECTO_IPV6") in ~w(true 1), do: [:inet6], else: []
 
-  config :polar, Polar.Repo,
-    # ssl: true,
-    url: database_url,
-    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
-    socket_options: maybe_ipv6
+  if cacert_pem = System.get_env("DATABASE_CERT_PEM") do
+    %URI{host: db_host} = URI.parse(database_url)
+
+    cacert_options =
+      if cacert_pem do
+        [
+          cacerts:
+            cacert_pem
+            |> X509.from_pem()
+            |> Enum.map(&X509.Certificate.to_der/1)
+        ]
+      else
+        [
+          cacertfile: System.get_env("DATABASE_CERT_PATH") || "/etc/ssl/cert.pem"
+        ]
+      end
+
+    config :instellar, Instellar.Repo,
+      ssl: true,
+      url: database_url,
+      ssl_opts:
+        [
+          verify: :verify_peer,
+          server_name_indication: to_charlist(db_host),
+          customize_hostname_check: [
+            match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+          ]
+        ]
+        |> Keyword.merge(cacert_options)
+  else
+    config :instellar, Instellar.Repo,
+      url: database_url,
+      socket_options: maybe_ipv6
+  end
 
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you