From b7864972994067e890ac0ec77ce44c473f221e2a Mon Sep 17 00:00:00 2001
From: Owen
Date: Thu, 19 Feb 2026 17:55:49 -0800
Subject: [PATCH] Working on k8s
---
 .github/workflows/saas.yml | 35 ++++++++++++++++++++++++++++
 Dockerfile | 8 +++++++
 server/private/lib/readConfigFile.ts | 16 ++++++-------
 server/private/lib/redis.ts | 24 ++++++++++++-------
 4 files changed, 67 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/saas.yml b/.github/workflows/saas.yml
index 5db7aa2f..93e5d198 100644
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -56,6 +56,41 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - name: Download MaxMind GeoLite2 databases
+ env:
+ MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
+ run: |
+ echo "Downloading MaxMind GeoLite2 databases..."
+
+ # Download GeoLite2-Country
+ curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+ -o GeoLite2-Country.tar.gz
+
+ # Download GeoLite2-ASN
+ curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+ -o GeoLite2-ASN.tar.gz
+
+ # Extract the .mmdb files
+ tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
+ tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
+
+ # Verify files exist
+ if [ ! -f "GeoLite2-Country.mmdb" ]; then
+ echo "ERROR: Failed to download GeoLite2-Country.mmdb"
+ exit 1
+ fi
+
+ if [ ! -f "GeoLite2-ASN.mmdb" ]; then
+ echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
+ exit 1
+ fi
+
+ # Clean up tar files
+ rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
+
+ echo "MaxMind databases downloaded successfully"
+ ls -lh GeoLite2-*.mmdb
+
 - name: Monitor storage space
 run: |
 THRESHOLD=75
diff --git a/Dockerfile b/Dockerfile
index 4830067e..12c519b7 100644
--- a/Dockerfile
+++ b/Dockerfile
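Review bot: Neither `curl -L` call in the download step fails on an HTTP error or checks what it fetched, so a rejected license key or a corrupted or tampered archive is caught only if `tar` happens to choke on it, and whatever `.mmdb` comes out is later copied into the image. Use `curl -fsSL` so a 4xx/5xx aborts the step, and verify each archive against the SHA-256 file MaxMind publishes for the same edition (the same URL with `suffix=tar.gz.sha256`, to be confirmed against MaxMind's current download documentation) before extracting. The license key also travels in the query string, where it can end up in proxy or server logs; MaxMind's newer download endpoint takes the credentials through HTTP basic auth instead, which is worth switching to if the account supports it.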
@@ -49,6 +49,14 @@ COPY server/db/ios_models.json ./dist/ios_models.json
 COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public
+# Copy MaxMind databases for SaaS builds
+ARG BUILD=oss
+RUN mkdir -p ./maxmind
+
+# This is only for saas
+COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
+COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
+
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts
index e5efa498..a9de84e8 100644
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -72,15 +72,15 @@ export const privateConfigSchema = z.object({
 db: z.int().nonnegative().optional().default(0)
 })
 )
+ .optional(),
+ tls: z
+ .object({
+ rejectUnauthorized: z
+ .boolean()
+ .optional()
+ .default(true)
+ })
 .optional()
- // tls: z
- // .object({
- // reject_unauthorized: z
- // .boolean()
- // .optional()
- // .default(true)
- // })
- // .optional()
 })
 .optional(),
 gerbil: z
diff --git a/server/private/lib/redis.ts b/server/private/lib/redis.ts
index 49cd4c61..69f563b4 100644
--- a/server/private/lib/redis.ts
+++ b/server/private/lib/redis.ts
@@ -108,11 +108,15 @@ class RedisManager {
 port: redisConfig.port!,
 password: redisConfig.password,
 db: redisConfig.db
- // tls: {
- // rejectUnauthorized:
- // redisConfig.tls?.reject_unauthorized || false
- // }
 };
+
+ // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
+ if (redisConfig.tls) {
+ opts.tls = {
+ rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
+ };
+ }
+
 return opts;
 }
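Review bot: The two `COPY --from=builder-dev /app/GeoLite2-*.mmdb` lines run for every build even though the comment says they are SaaS-only, and the `ARG BUILD=oss` declared just above is not used by anything in this hunk; a build where the databases were never placed in the `builder-dev` stage will presumably fail at the first COPY. A Dockerfile `COPY` cannot be made conditional on an ARG, so the usual fix is to have the builder stage always create a `maxmind/` directory (empty for OSS) and copy the directory, e.g. `COPY --from=builder-dev /app/maxmind/ ./maxmind/` (path constructed for illustration), with the workflow extracting into it. It is also worth confirming that `builder-dev` is the stage the release image should depend on, since the stage definitions are outside this hunk.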
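Review bot: The new `tls` object exposes only an off switch for certificate verification: a deployment whose Redis presents a certificate from a private CA has no supported option other than `rejectUnauthorized: false`, which leaves the connection encrypted but unauthenticated. Consider adding an optional CA field next to it (or documenting `NODE_EXTRA_CA_CERTS` as the supported route) and a comment on the field such as `// false disables server certificate verification; testing only`. The key is also camelCase where the commented-out version it replaces used `reject_unauthorized`; if the rest of this schema is snake_case, which this hunk does not show, the new key should match.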
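Review bot: When `redisConfig.tls.rejectUnauthorized` is `false`, nothing in the new block records it, so an instance can run with certificate verification disabled and send the Redis password to an unverified peer without any trace in the logs; a one-line warning through the module's logger at this point would make that visible. The same seven lines are repeated in the replica hunk (`@@ -130,11 +134,15 @@`), where they read the top-level `redisConfig.tls` rather than a per-replica setting; that matches the schema, but a small private helper returning the `tls` options would keep the two paths from drifting, e.g. `opts.tls = this.buildTlsOptions(redisConfig.tls);` (helper name constructed). Both function bodies start outside their hunks, so the declared type of `opts` is not visible here.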
@@ -130,11 +134,15 @@ class RedisManager {
 port: replica.port!,
 password: replica.password,
 db: replica.db || redisConfig.db
- // tls: {
- // rejectUnauthorized:
- // replica.tls?.reject_unauthorized || false
- // }
 };
+
+ // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
+ if (redisConfig.tls) {
+ opts.tls = {
+ rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
+ };
+ }
+
 return opts;
 }