
fraiseql_server/server_config/
tls.rs

1//! TLS configuration types for server and database connections.
2
3use std::path::PathBuf;
4
5use serde::{Deserialize, Serialize};
6
7use super::defaults::{
8    default_clickhouse_https, default_elasticsearch_https, default_postgres_ssl_mode,
9    default_redis_ssl, default_tls_min_version, default_verify_certs,
10};
11
/// Selects which browser-based GraphQL IDE the server offers as its playground.
///
/// Serde uses kebab-case names produced mechanically from the variant identifiers, so
/// `ApolloSandbox` is written `apollo-sandbox` and `GraphiQL` comes out as `graphi-q-l`.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "kebab-case")]
#[non_exhaustive]
pub enum PlaygroundTool {
    /// `GraphiQL`, the classic GraphQL IDE.
    GraphiQL,
    /// Apollo Sandbox, Apollo's embeddable GraphQL IDE; this is the default variant.
    ///
    /// Listed advantages over `GraphiQL`:
    /// - Query collections and history
    /// - Schema documentation explorer
    /// - Variables and headers panels
    /// - Operation tracing
    #[default]
    ApolloSandbox,
}
29
/// Settings for terminating TLS on the server's own listeners (HTTPS and other secure
/// connections).
///
/// `enabled`, `cert_path` and `key_path` carry no serde default, so all three must be
/// present in the deserialized input, including when `enabled` is `false`.
///
/// NOTE(review): this type only stores values; no cross-field validation is visible here.
/// Confirm that the loader rejects `require_client_cert = true` with `client_ca_path`
/// unset, and rejects any `min_version` other than the two documented strings, rather than
/// silently continuing with weaker settings.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct TlsServerConfig {
    /// Turns TLS on for the HTTP/gRPC endpoints.
    pub enabled: bool,

    /// Location of the server certificate file, PEM encoded.
    pub cert_path: PathBuf,

    /// Location of the server private key file, PEM encoded.
    ///
    /// Only the path is held here, so the `Debug` and `Serialize` output of this struct
    /// shows the path and not the key material. The file itself should be readable by the
    /// server's service account only.
    pub key_path: PathBuf,

    /// When `true`, every connection must present a client certificate (mTLS).
    ///
    /// Falls back to `false` when the key is absent.
    #[serde(default)]
    pub require_client_cert: bool,

    /// CA certificate used to validate client certificates under mTLS.
    ///
    /// Falls back to `None` when the key is absent.
    #[serde(default)]
    pub client_ca_path: Option<PathBuf>,

    /// Lowest TLS protocol version to accept: "1.2" or "1.3" (default: "1.2").
    ///
    /// Held as a free-form string; the default is supplied by `default_tls_min_version`.
    #[serde(default = "default_tls_min_version")]
    pub min_version: String,
}
54
/// Transport-security settings for the server's outbound connections to its data stores.
///
/// Every field has a serde default, so an empty table deserializes successfully. Most of
/// the effective defaults come from functions in `super::defaults`, which this file does
/// not show; review them there before relying on an omitted key being the safe choice.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct DatabaseTlsConfig {
    /// PostgreSQL SSL mode: disable, allow, prefer, require, verify-ca, verify-full.
    ///
    /// NOTE(review): if these follow libpq semantics, `disable`, `allow` and `prefer` can
    /// end up on a plaintext connection, `require` encrypts without authenticating the
    /// server, `verify-ca` checks the certificate chain, and only `verify-full` also checks
    /// the host name. The value is a free-form string; confirm where it is validated.
    #[serde(default = "default_postgres_ssl_mode")]
    pub postgres_ssl_mode: String,

    /// Turns on TLS for Redis connections (the `rediss://` protocol).
    #[serde(default = "default_redis_ssl")]
    pub redis_ssl: bool,

    /// Turns on HTTPS for `ClickHouse` connections.
    #[serde(default = "default_clickhouse_https")]
    pub clickhouse_https: bool,

    /// Turns on HTTPS for Elasticsearch connections.
    #[serde(default = "default_elasticsearch_https")]
    pub elasticsearch_https: bool,

    /// Whether server certificates are verified on HTTPS connections.
    ///
    /// With verification off the connection is still encrypted but the peer is not
    /// authenticated, so keep this `true` outside isolated test setups. Whether the flag
    /// also governs the PostgreSQL and Redis connections is not visible in this file.
    #[serde(default = "default_verify_certs")]
    pub verify_certificates: bool,

    /// CA certificate bundle used to verify server certificates.
    ///
    /// Falls back to `None` when the key is absent; which trust store applies in that case
    /// is decided by the code that consumes this struct.
    #[serde(default)]
    pub ca_bundle_path: Option<PathBuf>,
}