Allow psql client certificate authentication

docs/configuration.md

@@ -86,6 +86,36 @@ changed here.
 
     Default is `prefer`.
 
+`PAPERLESS_DBSSLROOTCERT=<ca-path>`
+
+: SSL root certificate path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `root.crt`.
+
+    Defaults to unset, using the documented path in the home directory.
+
+`PAPERLESS_DBSSLCERT=<client-cert-path>`
+
+: SSL client certificate path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `postgresql.crt`.
+
+    Defaults to unset, using the documented path in the home directory.
+
+`PAPERLESS_DBSSLKEY=<client-cert-key>`
+
+: SSL client key path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `postgresql.key`.
+
+    Defaults to unset, using the documented path in the home directory.
+
 `PAPERLESS_DB_TIMEOUT=<float>`
 
 : Amount of time for a database connection to wait for the database to

src/paperless/settings.py

@@ -509,7 +509,12 @@ if os.getenv("PAPERLESS_DBHOST"):
 
     else:  # Default to PostgresDB
         engine = "django.db.backends.postgresql_psycopg2"
-        options = {"sslmode": os.getenv("PAPERLESS_DBSSLMODE", "prefer")}
+        options = {
+            "sslmode": os.getenv("PAPERLESS_DBSSLMODE", "prefer"),
+            "sslrootcert": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
+            "sslcert": os.getenv("PAPERLESS_DBSSLCERT", None),
+            "sslkey": os.getenv("PAPERLESS_DBSSLKEY", None),
+        }
 
     DATABASES["default"]["ENGINE"] = engine
     DATABASES["default"]["OPTIONS"].update(options)