diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
index 058d9087b..16e457641 100644
--- a/.github/workflows/nix-build.yml
+++ b/.github/workflows/nix-build.yml
@@ -52,6 +52,12 @@ jobs:
 sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
 env:
 NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+ - name: Setup SSH for deploy key
+ run: |
+ mkdir -p ~/.ssh
+ echo "${{ secrets.GK_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ ssh-keyscan github.com >> ~/.ssh/known_hosts
 - name: Setup cache script
 if: ${{ github.secret_source == 'Actions' }}
 run: |
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 2fe302488..d2b93816f 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -139,6 +139,19 @@
 group: postgres
 when: debpkg_mode or nixpkg_mode
 
+- name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version in ['psql_15'] }}"
+
+- name: create placeholder pam config
+ file:
+ path: '/etc/pam.d/postgresql'
+ state: touch
+ owner: postgres
+ group: postgres
+ mode: 0664
+ when: (debpkg_mode or nixpkg_mode) and not is_psql_15
+
 # Add pg_hba.conf
 - name: import pg_hba.conf
 template:
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index d3209fc04..a01177980 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
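Review bot: The `Setup SSH for deploy key` step pastes the secret into the script text with `echo "${{ secrets.GK_DEPLOY_KEY }}"` and trusts whatever `ssh-keyscan github.com` answers on that particular run, so the `known_hosts` entry is only as trustworthy as the runner's network path at that moment. Pass the secret through `env:` and write it with `printf` so it is never part of the script, set `umask 077` before the redirect so the file is never readable by other users before the `chmod` lands, and pin `known_hosts` to GitHub's published host key rather than scanning. The key also stays on the runner for every later step of the job; if only one step needs it, scoping or removing it afterwards limits what a compromised later step can read. The enclosing job definition and the steps that use the key are outside the hunk.
```yaml
      - name: Setup SSH for deploy key
        env:
          GK_DEPLOY_KEY: ${{ secrets.GK_DEPLOY_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$GK_DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # pinned entry taken from GitHub's published SSH host keys (placeholder below)
          echo "github.com ssh-ed25519 <GITHUB_ED25519_HOST_KEY_FROM_DOCS>" >> ~/.ssh/known_hosts
```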
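Review bot: The placeholder `/etc/pam.d/postgresql` is created as `postgres:postgres` with `mode: 0664`, which makes the PAM service definition writable by the postgres service account and its group; a process that can rewrite its own PAM stack has full control over how it authenticates. Nothing in this hunk needs postgres to write the file and PAM only needs to read it, so `owner: root`, `group: root`, `mode: "0644"` is the conventional setting unless a later task (outside this hunk) depends on postgres ownership. Quote the mode in any case (`mode: "0664"`): the unquoted leading-zero literal is read as an integer by the YAML loader, which is what Ansible's `file` module documentation warns about. `state: touch` also reports `changed` on every run; `modification_time: preserve` and `access_time: preserve` keep it idempotent.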
@@ -94,7 +94,26 @@
 shell: |
 sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src"
 when: stage2_nix
-
+
+- name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version == 'psql_15' }}"
+
+- name: Install gatekeeper if not pg15
+ when:
+ - stage2_nix
+ - not is_psql_15
+ block:
+ - name: Install gatekeeper from nix binary cache
+ become: yes
+ shell: |
+ sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
+
+ - name: Create symbolic link for linux-pam to find pam_jit_pg.so
+ become: yes
+ shell: |
+ sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so
+
 - name: Set ownership and permissions for /etc/ssl/private
 become: yes
 file:
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
index 342763961..868ce65ca 100644
--- a/nix/packages/default.nix
+++ b/nix/packages/default.nix
@@ -1,6 +1,9 @@
 { self, inputs, ... }:
 {
- imports = [ ./postgres.nix ];
+ imports = [
+ ./postgres.nix
+ # ./gatekeeper.nix
+ ];
 
 perSystem = {
 inputs',
@@ -34,6 +37,7 @@
 cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
 dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
 docs = pkgs.callPackage ./docs.nix { };
+ gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs pkgs; };
 supabase-groonga = pkgs.callPackage ./groonga { };
 local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { };
 migrate-tool = pkgs.callPackage ./migrate-tool.nix { psql_15 = self'.packages."psql_15/bin"; };
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
new file mode 100644
index 000000000..5f0fcbc68
--- /dev/null
+++ b/nix/packages/gatekeeper.nix
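Review bot: The symlink task in the `Install gatekeeper if not pg15` block is fragile: when `find /nix/store ... -print -quit` matches nothing the substitution is empty and `ln -s` silently creates `/pam_jit_pg.so` at the filesystem root, when more than one `linux-pam` output exists in the store the first one found is chosen without any check, and `ln -s` without `-f` fails on the second run of the playbook. It also links a file under the postgres user's own mutable profile (`/var/lib/postgresql/.nix-profile/...`) into the system PAM module directory, so the postgres account decides which shared object PAM loads for this service; if that is the intended trust boundary it deserves a comment, otherwise pointing the link at the root-owned, read-only store path of the gatekeeper output is the safer choice. Resolving the PAM directory into a registered variable that fails when empty, then creating the link with the `file` module, addresses the first three points. The `Install gatekeeper from nix binary cache` task can stay as it is.
```yaml
    # … unchanged: Install gatekeeper from nix binary cache task …

    - name: Locate the linux-pam security directory in the nix store
      shell: find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit
      register: pam_security_dir
      changed_when: false
      failed_when: pam_security_dir.stdout | length == 0

    - name: Create symbolic link for linux-pam to find pam_jit_pg.so
      become: yes
      file:
        src: /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so
        dest: "{{ pam_security_dir.stdout }}/pam_jit_pg.so"
        state: link
        force: true
```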
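Review bot: The `# ./gatekeeper.nix` line added inside `imports` is dead text: `gatekeeper.nix` is a derivation consumed through `pkgs.callPackage` in the second hunk of this file, not a flake-parts module, so uncommenting it would not work and the comment only invites someone to try. Either keep `imports = [ ./postgres.nix ];` unchanged or replace the comment with one that says where the package lives, e.g. `# gatekeeper is a package; see perSystem.packages below`.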
@@ -0,0 +1,50 @@
+{
+ inputs,
+ system,
+ pkgs,
+ ...
+}:
+let
+ go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24;
+ # Use completely clean nixpkgs without any overlays for gatekeeper
+ #cleanPkgs = inputs.nixpkgs.legacyPackages.${system};
+ buildGoModule = pkgs.buildGoModule.override { go = go124; };
+in
+
+buildGoModule {
+ pname = "gatekeeper";
+ version = "0.1.0";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "supabase";
+ repo = "jit-db-gatekeeper";
+ rev = "refs/heads/main";
+ hash = "sha256-hrYh1dBxk+aN3b/J9mZqk/ZXHmWA/MIqZLVgICT7e90=";
+ };
+
+ vendorHash = "sha256-G9x2TARSJMn30R6ZOlsggxEtn5t2ezWz1YtkLXdYiAE=";
+
+ buildInputs = [
+ pkgs.pam
+ ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.Security ];
+
+ buildPhase = ''
+ runHook preBuild
+ go build -buildmode=c-shared -o pam_jit_pg.so
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/lib/security
+ cp pam_jit_pg.so $out/lib/security/
+ runHook postInstall
+ '';
+
+ meta = with pkgs.lib; {
+ description = "PAM module for JWT authentication with PostgreSQL backend";
+ homepage = "https://github.com/supabase/jit-db-gatekeeper";
+ license = licenses.mit;
+ platforms = platforms.unix;
+ };
+}
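Review bot: `rev = "refs/heads/main"` in `src` fetches a moving branch head while `hash` pins one specific tree, so the build breaks the next time `main` moves, and until then the only record of which gatekeeper source ends up in the PAM stack is that hash; pin `rev` to an immutable commit or tag (`rev = "<commit-sha-or-tag>";`) and make `version = "0.1.0"` correspond to it. The commented `#cleanPkgs = ...` line is dead and should be removed. Overriding `buildPhase` also bypasses buildGoModule's default build flags, which as far as I recall include `-trimpath`, so the produced `pam_jit_pg.so` likely embeds sandbox build paths; `go build -trimpath -buildmode=c-shared -o pam_jit_pg.so` keeps the output reproducible.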