From 6427397486c647f65fef7853c3db0e7b4267f948 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Tue, 22 Aug 2023 19:38:11 +0300
Subject: [PATCH] Do not hardcode sslmode=disable to Postgres connection
 strings - make it configurable

This is backward-compatible with what we had before. We're not changing
the SSL mode - just making it configurable.

Most components are defaulting to `sslmode=disable`, while some
(`matrix-bot-matrix-reminder-bot` and others) do not specify an `sslmode` at all.

We're making sslmode configurable, because certain external Postgres
servers may be configured to require SSL encryption.
In such cases `sslmode=disable` does not work and needs to be changed to
`sslmode=require` or something else (`verify-ca`, `verify-full`, etc).
---
 .../matrix-bot-buscarron/defaults/main.yml     |  3 ++-
 .../matrix-bot-honoroit/defaults/main.yml      |  3 ++-
 .../custom/matrix-bot-maubot/defaults/main.yml |  3 ++-
 .../matrix-bot-postmoogle/defaults/main.yml    |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 .../defaults/main.yml                          |  3 ++-
 roles/custom/matrix-dendrite/defaults/main.yml |  1 +
 .../templates/dendrite/dendrite.yaml.j2        | 18 +++++++++---------
 .../custom/matrix-media-repo/defaults/main.yml |  3 ++-
 .../matrix-sliding-sync/defaults/main.yml      |  3 ++-
 22 files changed, 50 insertions(+), 29 deletions(-)

diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml
index 7a31514b..85cea3f5 100644
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@@ -108,8 +108,9 @@ matrix_bot_buscarron_database_password: 'some-password'
 matrix_bot_buscarron_database_hostname: ''
 matrix_bot_buscarron_database_port: 5432
 matrix_bot_buscarron_database_name: 'buscarron'
+matrix_bot_buscarron_database_sslmode: disable
 
-matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode=disable'
+matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode={{ matrix_bot_buscarron_database_sslmode }}'
 
 matrix_bot_buscarron_storage_database: "{{
 	{
diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml
index b190c3b7..788b8066 100644
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -105,8 +105,9 @@ matrix_bot_honoroit_database_password: 'some-password'
 matrix_bot_honoroit_database_hostname: ''
 matrix_bot_honoroit_database_port: 5432
 matrix_bot_honoroit_database_name: 'honoroit'
+matrix_bot_honoroit_database_sslmode: disable
 
-matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable'
+matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode={{ matrix_bot_honoroit_database_sslmode }}'
 
 matrix_bot_honoroit_storage_database: "{{
 	{
diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml
index a31d8191..5b35b9d9 100644
--- a/roles/custom/matrix-bot-maubot/defaults/main.yml
+++ b/roles/custom/matrix-bot-maubot/defaults/main.yml
@@ -31,8 +31,9 @@ matrix_bot_maubot_database_password: ~
 matrix_bot_maubot_database_hostname: ''
 matrix_bot_maubot_database_port: 5432
 matrix_bot_maubot_database_name: matrix_bot_maubot
+matrix_bot_maubot_database_sslmode: disable
 
-matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode=disable
+matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode={{ matrix_bot_maubot_database_sslmode }}
 
 matrix_bot_maubot_database_uri: "{{
  	{
diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
index 0c9db2d7..56882bf1 100644
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@@ -45,8 +45,9 @@ matrix_bot_postmoogle_database_password: 'some-password'
 matrix_bot_postmoogle_database_hostname: ''
 matrix_bot_postmoogle_database_port: 5432
 matrix_bot_postmoogle_database_name: 'postmoogle'
+matrix_bot_postmoogle_database_sslmode: disable
 
-matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode=disable'
+matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode={{ matrix_bot_postmoogle_database_sslmode }}'
 
 matrix_bot_postmoogle_storage_database: "{{
 	{
diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
index 2611da8a..b0cf5bc4 100644
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@@ -33,10 +33,11 @@ matrix_appservice_irc_database_password: 'some-password'
 matrix_appservice_irc_database_hostname: ''
 matrix_appservice_irc_database_port: 5432
 matrix_appservice_irc_database_name: matrix_appservice_irc
+matrix_appservice_irc_database_sslmode: disable
 
 # This is just the Postgres connection string, if Postgres is used.
 # Naming clashes with `matrix_appservice_irc_database_connectionString` somewhat.
-matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable'
+matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode={{ matrix_appservice_irc_database_sslmode }}'
 
 # This is what actually goes into `database.connectionString` for the bridge.
 matrix_appservice_irc_database_connectionString: |-  # noqa var-naming
diff --git a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
index a3ea586b..d8b10757 100644
--- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
@@ -61,10 +61,11 @@ matrix_appservice_slack_database_password: 'some-passsword'
 matrix_appservice_slack_database_hostname: ''
 matrix_appservice_slack_database_port: 5432
 matrix_appservice_slack_database_name: matrix_appservice_slack
+matrix_appservice_slack_database_sslmode: disable
 
 # This is just the Postgres connection string, if Postgres is used.
 # Naming clashes with `matrix_appservice_slack_database_connectionString` somewhat.
-matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable'
+matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode={{ matrix_appservice_slack_database_sslmode }}'
 
 # This is what actually goes into `database.connectionString` for the bridge.
 matrix_appservice_slack_database_connectionString: |-  # noqa var-naming
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
index 75e9de55..a18740ad 100644
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -61,8 +61,9 @@ matrix_beeper_linkedin_database_password: 'some-password'
 matrix_beeper_linkedin_database_hostname: ''
 matrix_beeper_linkedin_database_port: 5432
 matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin'
+matrix_beeper_linkedin_database_sslmode: disable
 
-matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode=disable'
+matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode={{ matrix_beeper_linkedin_database_sslmode }}'
 
 matrix_beeper_linkedin_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
index 477f2127..02ec422e 100644
--- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
@@ -59,8 +59,9 @@ matrix_go_skype_bridge_database_password: 'some-password'
 matrix_go_skype_bridge_database_hostname: ''
 matrix_go_skype_bridge_database_port: 5432
 matrix_go_skype_bridge_database_name: 'matrix_go_skype_bridge'
+matrix_go_skype_bridge_database_sslmode: disable
 
-matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode=disable'
+matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode={{ matrix_go_skype_bridge_database_sslmode }}'
 
 matrix_go_skype_bridge_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
index 1f1e007a..36fd5fef 100644
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@@ -70,8 +70,9 @@ matrix_mautrix_discord_database_password: 'some-password'
 matrix_mautrix_discord_database_hostname: ''
 matrix_mautrix_discord_database_port: 5432
 matrix_mautrix_discord_database_name: 'matrix_mautrix_discord'
+matrix_mautrix_discord_database_sslmode: disable
 
-matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode=disable'
+matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode={{ matrix_mautrix_discord_database_sslmode }}'
 
 matrix_mautrix_discord_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
index 9448dfde..8d5ce244 100644
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@@ -74,8 +74,9 @@ matrix_mautrix_gmessages_database_password: 'some-password'
 matrix_mautrix_gmessages_database_hostname: ''
 matrix_mautrix_gmessages_database_port: 5432
 matrix_mautrix_gmessages_database_name: 'matrix_mautrix_gmessages'
+matrix_mautrix_gmessages_database_sslmode: disable
 
-matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode=disable'
+matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode={{ matrix_mautrix_gmessages_database_sslmode }}'
 
 matrix_mautrix_gmessages_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
index 2b6c7752..5266e25c 100644
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@@ -66,8 +66,9 @@ matrix_mautrix_slack_database_password: 'some-password'
 matrix_mautrix_slack_database_hostname: ''
 matrix_mautrix_slack_database_port: 5432
 matrix_mautrix_slack_database_name: 'matrix_mautrix_slack'
+matrix_mautrix_slack_database_sslmode: disable
 
-matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode=disable'
+matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode={{ matrix_mautrix_slack_database_sslmode }}'
 
 matrix_mautrix_slack_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
index fb11bc69..9f630f51 100644
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -74,8 +74,9 @@ matrix_mautrix_whatsapp_database_password: 'some-password'
 matrix_mautrix_whatsapp_database_hostname: ''
 matrix_mautrix_whatsapp_database_port: 5432
 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp'
+matrix_mautrix_whatsapp_database_sslmode: disable
 
-matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode=disable'
+matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode={{ matrix_mautrix_whatsapp_database_sslmode }}'
 
 matrix_mautrix_whatsapp_appservice_database_type: "{{
 	{
diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml
index be691157..90ad2f0f 100644
--- a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml
@@ -69,8 +69,9 @@ matrix_mx_puppet_discord_database_password: ~
 matrix_mx_puppet_discord_database_hostname: ''
 matrix_mx_puppet_discord_database_port: 5432
 matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord
+matrix_mx_puppet_discord_database_sslmode: disable
 
-matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable'
+matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode={{ matrix_mx_puppet_discord_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml
index ca9d7668..c176c6eb 100644
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml
@@ -65,8 +65,9 @@ matrix_mx_puppet_groupme_database_password: ~
 matrix_mx_puppet_groupme_database_hostname: ''
 matrix_mx_puppet_groupme_database_port: 5432
 matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme
+matrix_mx_puppet_groupme_database_sslmode: disable
 
-matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode=disable'
+matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode={{ matrix_mx_puppet_groupme_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
index 0f6dd443..638d1558 100644
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
@@ -59,8 +59,9 @@ matrix_mx_puppet_instagram_database_password: ~
 matrix_mx_puppet_instagram_database_hostname: ''
 matrix_mx_puppet_instagram_database_port: 5432
 matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram
+matrix_mx_puppet_instagram_database_sslmode: disable
 
-matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable'
+matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode={{ matrix_mx_puppet_instagram_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml
index b428c40b..9e79465d 100644
--- a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml
@@ -73,8 +73,9 @@ matrix_mx_puppet_slack_database_password: ~
 matrix_mx_puppet_slack_database_hostname: ''
 matrix_mx_puppet_slack_database_port: 5432
 matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack
+matrix_mx_puppet_slack_database_sslmode: disable
 
-matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable'
+matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode={{ matrix_mx_puppet_slack_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
index 9efedb13..e9a03c89 100644
--- a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
@@ -65,8 +65,9 @@ matrix_mx_puppet_steam_database_password: ~
 matrix_mx_puppet_steam_database_hostname: ''
 matrix_mx_puppet_steam_database_port: 5432
 matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam
+matrix_mx_puppet_steam_database_sslmode: disable
 
-matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable'
+matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode={{ matrix_mx_puppet_steam_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml
index 8e5e82f0..932c3462 100644
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml
@@ -74,8 +74,9 @@ matrix_mx_puppet_twitter_database_password: ~
 matrix_mx_puppet_twitter_database_hostname: ''
 matrix_mx_puppet_twitter_database_port: 5432
 matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter
+matrix_mx_puppet_twitter_database_sslmode: disable
 
-matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable'
+matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode={{ matrix_mx_puppet_twitter_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index 5cfbfe15..b18f396d 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -156,6 +156,7 @@ matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:
 matrix_dendrite_database_hostname: ""
 matrix_dendrite_database_user: "dendrite"
 matrix_dendrite_database_password: "itsasecret"
+matrix_dendrite_database_sslmode: disable
 matrix_dendrite_federation_api_database: "dendrite_federationapi"
 matrix_dendrite_key_server_database: "dendrite_keyserver"
 matrix_dendrite_media_api_database: "dendrite_mediaapi"
diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
index 3c1e56e5..2ca9b062 100644
--- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
+++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
@@ -223,7 +223,7 @@ federation_api:
   external_api:
     listen: http://0.0.0.0:8072
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -266,7 +266,7 @@ key_server:
     listen: http://0.0.0.0:7779
     connect: http://key_server:7779
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -279,7 +279,7 @@ media_api:
   external_api:
     listen: http://0.0.0.0:8074
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -318,7 +318,7 @@ mscs:
   # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
   mscs: []
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 5
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -329,7 +329,7 @@ room_server:
     listen: http://0.0.0.0:7770
     connect: http://room_server:7770
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -342,7 +342,7 @@ sync_api:
   external_api:
     listen: http://0.0.0.0:8073
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -376,7 +376,7 @@ user_api:
     listen: http://0.0.0.0:7781
     connect: http://user_api:7781
   account_database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -394,7 +394,7 @@ push_server:
     listen: http://localhost:7782
     connect: http://localhost:7782
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
     max_open_conns: 10
     max_idle_conns: 2
     conn_max_lifetime: -1
@@ -403,7 +403,7 @@ push_server:
 #
 relay_api:
   database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode=disable
+    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }}
 
 # Configuration for Opentracing.
 # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml
index 312e0258..488289d1 100644
--- a/roles/custom/matrix-media-repo/defaults/main.yml
+++ b/roles/custom/matrix-media-repo/defaults/main.yml
@@ -112,9 +112,10 @@ matrix_media_repo_database_password: "your_password"
 matrix_media_repo_database_hostname: "{{ devture_postgres_identifier }}"
 matrix_media_repo_database_port: 5432
 matrix_media_repo_database_name: "matrix_media_repo"
+matrix_media_repo_database_sslmode: disable
 
 # Currently only "postgres" is supported.
-matrix_media_repo_database_postgres: "postgres://{{ matrix_media_repo_database_username }}:{{ matrix_media_repo_database_password }}@{{ matrix_media_repo_database_hostname }}:{{ matrix_media_repo_database_port }}/{{ matrix_media_repo_database_name }}?sslmode=disable"
+matrix_media_repo_database_postgres: "postgres://{{ matrix_media_repo_database_username }}:{{ matrix_media_repo_database_password }}@{{ matrix_media_repo_database_hostname }}:{{ matrix_media_repo_database_port }}/{{ matrix_media_repo_database_name }}?sslmode={{ matrix_media_repo_database_sslmode }}"
 
 # The database pooling options
 
diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml
index 97301597..c0347d2f 100644
--- a/roles/custom/matrix-sliding-sync/defaults/main.yml
+++ b/roles/custom/matrix-sliding-sync/defaults/main.yml
@@ -82,10 +82,11 @@ matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_ur
 matrix_sliding_sync_environment_variable_syncv3_secret: ''
 
 # Controls the SYNCV3_DB environment variable
-matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable'
+matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode={{ matrix_sliding_sync_database_sslmode }}'
 
 matrix_sliding_sync_database_username: 'matrix_sliding_sync'
 matrix_sliding_sync_database_password: ''
 matrix_sliding_sync_database_hostname: ''
 matrix_sliding_sync_database_port: 5432
 matrix_sliding_sync_database_name: 'matrix_sliding_sync'
+matrix_sliding_sync_database_sslmode: disable