Add SSL Support for MariaDB (#3444)

* Add ssl options for mariadb

* Add ssl mode for mariadb

Add ssl mode as documented in https://mysqlclient.readthedocs.io/user_guide.html#functions-and-attributes

* run linting over settings.py

* Add docs for SSL mode with MariaDB

---------

Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>

docs/configuration.md

@@ -83,21 +83,29 @@ changed here.
 
 `PAPERLESS_DBSSLMODE=<mode>`
 
-: SSL mode to use when connecting to PostgreSQL.
+: SSL mode to use when connecting to PostgreSQL or MariaDB.
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
 
-    Default is `prefer`.
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode).
+
+    *Note*: SSL mode values differ between PostgreSQL and MariaDB.
+
+    Default is `prefer` for PostgreSQL and `PREFERRED` for MariaDB.
 
 `PAPERLESS_DBSSLROOTCERT=<ca-path>`
 
 : SSL root certificate path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
     Changes path of `root.crt`.
 
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-ca).
+
     Defaults to unset, using the documented path in the home directory.
 
 `PAPERLESS_DBSSLCERT=<client-cert-path>`
@@ -105,7 +113,11 @@ changed here.
 : SSL client certificate path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-cert).
+
     Changes path of `postgresql.crt`.
 
     Defaults to unset, using the documented path in the home directory.
@@ -115,7 +127,11 @@ changed here.
 : SSL client key path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-key).
+
     Changes path of `postgresql.key`.
 
     Defaults to unset, using the documented path in the home directory.

src/paperless/settings.py

@@ -506,7 +506,16 @@ if os.getenv("PAPERLESS_DBHOST"):
     # Leave room for future extensibility
     if os.getenv("PAPERLESS_DBENGINE") == "mariadb":
         engine = "django.db.backends.mysql"
-        options = {"read_default_file": "/etc/mysql/my.cnf", "charset": "utf8mb4"}
+        options = {
+            "read_default_file": "/etc/mysql/my.cnf",
+            "charset": "utf8mb4",
+            "ssl": {
+                "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
+                "ca": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
+                "cert": os.getenv("PAPERLESS_DBSSLCERT", None),
+                "key": os.getenv("PAPERLESS_DBSSLKEY", None),
+            },
+        }
 
         # Silence Django error on old MariaDB versions.
         # VARCHAR can support > 255 in modern versions