chore: install gatekeeper with ansible

staaldraad · samrose · commit 04a64f128b26 · 2025-09-12T14:30:56.000-04:00
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
@@ -145,13 +145,11 @@
 
 - name: create placeholder pam config
   file:
-    path: '/etc/pam.d/{{ item }}'
+    path: '/etc/pam.d/postgresql'
     state: touch
     owner: postgres
     group: postgres
     mode: 0664
-  with_items:
-    - 'postgresql'
   when: (debpkg_mode or nixpkg_mode) and not is_psql_15
 
 # Add pg_hba.conf
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
@@ -94,7 +94,25 @@
   shell: |
     sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src"
   when: stage2_nix
-  
+
+- name: Check psql_version and install gatekeeper if not pg15
+  block:
+    - name: Check if psql_version is psql_15
+      set_fact:
+        is_psql_15: "{{ psql_version == 'psql_15' }}"
+
+    - name: Install gatekeeper from nix binary cache
+      become: yes
+      shell: |
+        sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
+      when: stage2_nix and not is_psql_15
+
+    - name: Create symbolic link for linux-pam to find pam_jit_pg.so
+      shell: >
+        sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s
+      become: yes
+      when: stage2_nix and not is_psql_15
+
 - name: Set ownership and permissions for /etc/ssl/private
   become: yes
   file:
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
@@ -30,14 +30,14 @@ buildGoModule {
 
   buildPhase = ''
     runHook preBuild
-    go build -buildmode=c-shared -o pam_jwt_pg.so
+    go build -buildmode=c-shared -o pam_jit_pg.so
     runHook postBuild
   '';
 
   installPhase = ''
     runHook preInstall
     mkdir -p $out/lib/security
-    cp pam_jwt_pg.so $out/lib/security/
+    cp pam_jit_pg.so $out/lib/security/
     runHook postInstall
   '';
 
