From f34bac96f9c528dbdfe0b76f848fa05dc0021774 Mon Sep 17 00:00:00 2001
From: buxm <57507414+buxm@users.noreply.github.com>
Date: Wed, 6 Mar 2024 21:55:05 +0100
Subject: [PATCH 1/3] Added support to connect to DB over TLS (SSL) New env variables: DB_SSL=false|true MYSQL_ATTR_SSL_CA=null|/path/to/ca/certificates.crt
---
 rootfs/etc/cont-init.d/00-env | 10 ++++++++++
 rootfs/etc/cont-init.d/10-config.sh | 8 +++++++-
 rootfs/etc/cont-init.d/13-config-anonaddy.sh | 2 ++
 rootfs/etc/cont-init.d/15-config-postfix.sh | 10 ++++++++++
 4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env
index 7da2e79..f53d3a9 100755
--- a/rootfs/etc/cont-init.d/00-env
+++ b/rootfs/etc/cont-init.d/00-env
@@ -51,6 +51,16 @@ DB_DATABASE=${DB_DATABASE:-anonaddy}
 #DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword}
 DB_TIMEOUT=${DB_TIMEOUT:-60}
 
+# Add support for DB connection over TLS
+DB_SSL=${DB_SSL:-false}
+if [ "$DB_SSL" = "true" ]; then
+ # if DB TLS connection is enabled, default MYSQL_ATTR_SSL_CA to /etc/ssl/certs/ca-certificates.crt
+ MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-/etc/ssl/certs/ca-certificates.crt}
+else
+ # if DB TLS connection is disabled, default MYSQL_ATTR_SSL_CA to null
+ MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-}
+fi
+
 REDIS_HOST=${REDIS_HOST:-null}
 #REDIS_PASSWORD=${REDIS_PASSWORD:-null}
 REDIS_PORT=${REDIS_PORT:-6379}
diff --git a/rootfs/etc/cont-init.d/10-config.sh b/rootfs/etc/cont-init.d/10-config.sh
index c5f18ef..a7f17c3 100755
--- a/rootfs/etc/cont-init.d/10-config.sh
+++ b/rootfs/etc/cont-init.d/10-config.sh
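Review bot: The toggle at `if [ "$DB_SSL" = "true" ]; then` fails open: any value other than the exact lowercase string `true` (`True`, `1`, `yes`, a typo) takes the else branch, leaves `MYSQL_ATTR_SSL_CA` empty, and the later scripts then connect without TLS and without any warning. For a security switch an unrecognised value should be rejected rather than silently downgraded, e.g. right after the default assignment: `case "$DB_SSL" in true|false) ;; *) echo >&2 "ERROR: DB_SSL must be 'true' or 'false' (got '$DB_SSL')"; exit 1;; esac` (if 00-env is sourced by the other init scripts, as its name suggests, that exit ends the sourcing script, which is presumably what is wanted). The else-branch comment and the commit message both speak of `null`, but the code sets an empty string and the consumers test it with `-n`; a user who literally passes `MYSQL_ATTR_SSL_CA=null`, as the commit message invites, would get `--ssl-ca=null` and a failing connection, so the comment should read `# if DB TLS connection is disabled, leave MYSQL_ATTR_SSL_CA empty (not the string "null")` and the commit message should match.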
@@ -45,7 +45,13 @@ if [ -z "$DB_PASSWORD" ]; then
 echo >&2 "ERROR: Either DB_PASSWORD or DB_PASSWORD_FILE must be defined"
 exit 1
 fi
-dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}""
+
+# Add support for DB connection over TLS
+
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+ SSL_CA_OPTION="--ssl-ca=$MYSQL_ATTR_SSL_CA"
+fi
+dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}" ${SSL_CA_OPTION}"
 
 echo "Waiting ${DB_TIMEOUT}s for database to be ready..."
 counter=1
diff --git a/rootfs/etc/cont-init.d/13-config-anonaddy.sh b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
index f776294..9fd44e8 100755
--- a/rootfs/etc/cont-init.d/13-config-anonaddy.sh
+++ b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
@@ -35,6 +35,8 @@ DB_DATABASE=${DB_DATABASE}
 DB_USERNAME=${DB_USERNAME}
 DB_PASSWORD=${DB_PASSWORD}
 
+MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA}
+
 BROADCAST_DRIVER=log
 CACHE_DRIVER=file
 QUEUE_CONNECTION=sync
diff --git a/rootfs/etc/cont-init.d/15-config-postfix.sh b/rootfs/etc/cont-init.d/15-config-postfix.sh
index 1b2b807..ad81661 100755
--- a/rootfs/etc/cont-init.d/15-config-postfix.sh
+++ b/rootfs/etc/cont-init.d/15-config-postfix.sh
@@ -209,6 +209,16 @@ hosts = ${DB_HOST}:${DB_PORT}
 dbname = ${DB_DATABASE}
 query = SELECT (SELECT 1 FROM usernames WHERE ${QUERY_USERNAMES}) AS usernames, (SELECT 1 FROM domains WHERE domain = '%s' AND domain_verified_at IS NOT NULL) AS domains LIMIT 1;
 EOL
+
+# Add support for DB connection over TLS
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+ cat >>/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf < Date: Wed, 6 Mar 2024 22:22:40 +0100
Subject: [PATCH 2/3] README: Added description of env variables used to connect to DB over TLS/SSL
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index efa1e53..2234b75 100644
--- a/README.md
+++ b/README.md
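Review bot: The readiness probe's `dbcmd` passes only `--ssl-ca=...`, which switches TLS on but leaves it to the client's defaults whether the server certificate is verified against that CA and its hostname checked; Oracle's `mysql` treats a bare `--ssl-ca` as chain-only verification and MariaDB's client historically verifies the server certificate only with `--ssl-verify-server-cert`, and which client this image ships is not visible here. Make the verification level explicit so a spoofed or mismatched server is rejected rather than accepted, e.g. `SSL_CA_OPTION="--ssl-ca=$MYSQL_ATTR_SSL_CA --ssl-verify-server-cert"` (or `--ssl-mode=VERIFY_IDENTITY` for Oracle's client), with a comment naming the client the flag targets. `SSL_CA_OPTION` is assigned only inside the `if`; initialise it with `SSL_CA_OPTION=""` before the test so the expansion in `dbcmd` is defined under `set -u` and not flagged by ShellCheck. The loop that runs `$dbcmd` continues outside the hunk, so whether the string is expanded unquoted (which would break on a CA path containing spaces) cannot be checked from here.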
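Review bot: The added `MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA}` line gives the application a CA bundle but nothing that states whether the server certificate must be verified, so on the PHP side that depends on the PDO driver's default and on the database config that consumes the variable, neither of which is in this diff. Please confirm that consumer enforces verification (or make it do so) and record the decision above the line, e.g. `# CA bundle for the PDO MySQL connection; server certificate verification is left to the driver/config default` so the next maintainer does not assume a CA path alone implies a verified connection. The line is also emitted when `DB_SSL=false`, as an empty `MYSQL_ATTR_SSL_CA=` assignment, which is only harmless if the config filters empty values; worth confirming. The here-document this line belongs to starts outside the hunk.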
@@ -135,6 +135,8 @@ Image: anonaddy/anonaddy:latest
 * `DB_USERNAME`: MySQL user (default `anonaddy`)
 * `DB_PASSWORD`: MySQL password
 * `DB_TIMEOUT`: Time in seconds after which we stop trying to reach the MySQL server (useful for clusters, default `60`)
+* `DB_SSL`: `true` to connect to MySQL over TLS/SSL (default `false`)
+* `MYSQL_ATTR_SSL_CA`: the certificate authority (CA) chain file that can verify MySQL server's certificate, when connecting over TLS/SSL (default `/etc/ssl/certs/ca-certificates.crt`, containing public CA's roots of trust, if `DB_SSL=true`, otherwise empty). If your MySQL server's certificate was generated using a private CA, mount your CA's certificate file on the container (e.g. `/host/path/to/ca.pem:/etc/certificates/my-ca.pem`) and point `MYSQL_ATTR_SSL_CA` to that file on the container (e.g. `MYSQL_ATTR_SSL_CA=/etc/certificates/my-ca.pem`). **Note:** setting `MYSQL_ATTR_SSL_CA` to a custom value automatically enforces connecting to MySQL over TLS/SSL, even if `DB_SSL` is set to `false`.
 
 > **Note**
 >
From 7e65d11afc44485df5d56971a9a2bb1d2d02e6cf Mon Sep 17 00:00:00 2001
From: buxm <57507414+buxm@users.noreply.github.com>
Date: Wed, 6 Mar 2024 22:37:59 +0100
Subject: [PATCH 3/3] README: improved explanation of variables used to connect to MySQL over TLS/SSL
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2234b75..2295d75 100644
--- a/README.md
+++ b/README.md
@@ -135,8 +135,8 @@ Image: anonaddy/anonaddy:latest
 * `DB_USERNAME`: MySQL user (default `anonaddy`)
 * `DB_PASSWORD`: MySQL password
 * `DB_TIMEOUT`: Time in seconds after which we stop trying to reach the MySQL server (useful for clusters, default `60`)
-* `DB_SSL`: `true` to connect to MySQL over TLS/SSL (default `false`)
-* `MYSQL_ATTR_SSL_CA`: the certificate authority (CA) chain file that can verify MySQL server's certificate, when connecting over TLS/SSL (default `/etc/ssl/certs/ca-certificates.crt`, containing public CA's roots of trust, if `DB_SSL=true`, otherwise empty). If your MySQL server's certificate was generated using a private CA, mount your CA's certificate file on the container (e.g. `/host/path/to/ca.pem:/etc/certificates/my-ca.pem`) and point `MYSQL_ATTR_SSL_CA` to that file on the container (e.g. `MYSQL_ATTR_SSL_CA=/etc/certificates/my-ca.pem`). **Note:** setting `MYSQL_ATTR_SSL_CA` to a custom value automatically enforces connecting to MySQL over TLS/SSL, even if `DB_SSL` is set to `false`.
+* `DB_SSL`: set this to `true` to connect to MySQL over TLS/SSL (default `false`)
+* `MYSQL_ATTR_SSL_CA`: the certificate authority (CA) chain file that can verify MySQL server's certificate, when connecting over TLS/SSL. If `DB_SSL=true` this variable's default is `/etc/ssl/certs/ca-certificates.crt`, containing public CAs' roots of trust from the container image base; if `DB_SSL=false` this variable is empty by default. If MySQL server's certificate was generated using a private CA, mount the CA's certificate file in the container (e.g. `/host/path/to/ca.pem:/etc/certificates/my-ca.pem`) and point `MYSQL_ATTR_SSL_CA` to that file in the container (e.g. `MYSQL_ATTR_SSL_CA=/etc/certificates/my-ca.pem`). **Warning:** setting `MYSQL_ATTR_SSL_CA` to a custom value enforces connecting to MySQL over TLS/SSL regardless of the value of `DB_SSL`.
 
 > **Note**
 >