From 128b262050424a7ecc2bc969bb1c5d71ea80d31e Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 25 Aug 2025 16:32:09 +0200 Subject: [PATCH 01/18] feat: add gatekeeper --- flake.lock | 426 --------------------------------------- flake.nix | 16 +- nix/internal/default.nix | 40 ++++ 3 files changed, 55 insertions(+), 427 deletions(-) delete mode 100644 flake.lock create mode 100644 nix/internal/default.nix diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 9d2865e1d..000000000 --- a/flake.lock +++ /dev/null 
@@ -1,426 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nix-fast-build", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": 
"github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "nix-editor": { - "inputs": { - "nixpkgs": "nixpkgs", - "utils": "utils" - }, - "locked": { - "lastModified": 1703105021, - "narHash": "sha256-Ne9NG7x45a8aJyAN+yYWbr/6mQHBVVkwZZ72EZHHRqw=", - "owner": "snowfallorg", - "repo": "nix-editor", - "rev": "b5017f8d61753ce6a3a1a2aa7e474d59146a8ae3", - "type": "github" - }, - "original": { - "owner": "snowfallorg", - "repo": "nix-editor", - "type": "github" - } - }, - "nix-fast-build": { - "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1749427739, - "narHash": "sha256-Nm0oMqFNRnJsiZYeNChmefmjeVCOzngikpSQhgs7iXI=", - "owner": "Mic92", - "repo": "nix-fast-build", - "rev": "b1dae483ab7d4139a6297e02b6de9e5d30e43d48", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "nix-fast-build", - "type": "github" - } - }, - "nix2container": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1708764364, - "narHash": "sha256-+pOtDvmuVTg0Gi58hKDUyrNla5NbyUvt3Xs3gLR0Fws=", - "owner": 
"nlewo", - "repo": "nix2container", - "rev": "c891f90d2e3c48a6b33466c96e4851e0fc0cf455", - "type": "github" - }, - "original": { - "owner": "nlewo", - "repo": "nix2container", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1675673983, - "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-go124": { - "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", - "owner": "Nixos", - "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", - "type": "github" - }, - "original": { - "owner": "Nixos", - "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1750555020, - "narHash": "sha256-/MjivcZIz8dyLOTFdJzS5Yazt2QCePQBh8uZooODaYw=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "6fb7349157ee1bffd053b1fdd454aa74ff7b4aee", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1749411262, - "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1697269602, - "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } 
- }, - "nixpkgs_4": { - "locked": { - "lastModified": 1712666087, - "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a76c4553d7e741e17f289224eda135423de0491d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1744536153, - "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", - "git-hooks": "git-hooks", - "nix-editor": "nix-editor", - "nix-fast-build": "nix-fast-build", - "nix2container": "nix2container", - "nixpkgs": "nixpkgs_4", - "nixpkgs-go124": "nixpkgs-go124", - "rust-overlay": "rust-overlay", - "treefmt-nix": "treefmt-nix_2" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1749609482, - "narHash": "sha256-R+Y3tXIUAMosrgo/ynhIUPEONZ+cM0ScbgN7KA8OkoE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "a17da8deb943e7c8b4151914abbfe33d5a4e5b0d", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - 
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nix-fast-build", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1749194973, - "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750931469, - "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix index db14dac9a..ca5d080f2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,17 +14,20 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (_: { + inputs.flake-parts.lib.mkFlake { inherit inputs; } (args: let systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; + in { + systems = systems; imports = [ nix/apps.nix nix/checks.nix @@ -37,5 +40,16 @@ nix/packages nix/overlays ]; + + packages = builtins.listToAttrs (map (system: + let + pkgs = import inputs.nixpkgs { inherit system; }; + in { + name = system; + value = { + pamModule = inputs.gatekeeper.packages.${system}.default; + }; + }) systems ); + }); } diff --git a/nix/internal/default.nix b/nix/internal/default.nix new file mode 100644 index 000000000..faa96e082 --- /dev/null +++ b/nix/internal/default.nix @@ -0,0 +1,40 @@ +{ + description = "Gatekeeper PAM"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper"; + }; + + outputs = { self, nixpkgs, gatekeeper }: + let + pkgs = import nixpkgs { system = "x86_64-linux"; }; + in { + packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { + pname = "gatekeeper"; + version = "0.1.0"; + + # Use lib/include from your module + buildInputs = [ gatekeeper.packages.x86_64-linux.default ]; + + src = ./.; + }; + }; +} + +{ stdenv, go, gcc, pamModulePackage, ... }: + +stdenv.mkDerivation { + pname = "consumer"; + version = "0.1.0"; + + buildInputs = [ + pamModulePackage # this brings in the .so, headers, etc. + ]; + + buildPhase = '' + echo "Building consumer project..." + ls -lh ${pamModulePackage}/lib/security + ''; +} \ No newline at end of file 
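Review bot: The new `gatekeeper` input floats on a branch (`?ref=dev`) with no `rev`, and this same commit deletes `flake.lock`, so every fresh evaluation resolves `dev` to whatever it points at that day and the PAM module that ends up on hosts is neither reproducible nor reviewable from this repo. Pin the commit in the URL, e.g. `gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=<sha>";`, and keep `flake.lock` committed so the `narHash` of that checkout is recorded alongside it. The input also gets no `gatekeeper.inputs.nixpkgs.follows = "nixpkgs";`, so it will presumably drag in its own nixpkgs and the module may be built against a different toolchain/libpam than the rest of this flake's outputs. The `inputs` attrset this hunk edits begins before the hunk.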
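Review bot: `pkgs = import inputs.nixpkgs { inherit system; }` in the added `packages` block is bound and never used, so it only adds a nixpkgs evaluation per system; drop the `let` and return `{ name = system; value = { pamModule = inputs.gatekeeper.packages.${system}.default; }; }` directly. The map runs over `systems`, which includes `aarch64-darwin`, so this output fails to evaluate unless the gatekeeper flake really exposes a darwin package for a Linux PAM module — check that, or filter the list to Linux systems here. As far as I can tell flake-parts also has no top-level `packages` option (per-system outputs go under `perSystem.packages`, whole-flake outputs under `flake.packages`); if so this attribute is rejected by the module system. The `mkFlake` module this attribute is added to starts before the hunk.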
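Review bot: `nix/internal/default.nix` is not a valid Nix file: it holds a complete flake attrset (`{ description = ...; inputs = ...; outputs = ...; }`) immediately followed by a second top-level function `{ stdenv, go, gcc, pamModulePackage, ... }: stdenv.mkDerivation { ... }`, and a Nix file must be exactly one expression, so it will not parse. Neither derivation could build anyway — the first has no install step that creates `$out`, the second has no `src` and its `buildPhase` only runs `ls -lh ${pamModulePackage}/lib/security` — `go` and `gcc` are requested but unused, and nothing in `flake.nix` imports `nix/internal`. Its `inputs` also repeat the `git+ssh://...jit-db-gatekeeper` URL with no `ref` or `rev` plus a floating `nixos-unstable`, i.e. the same unpinned-supply-chain problem twice. Either delete the file or cut it down to a single package expression that the `nix/packages` directory actually imports.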
From 40851fef71c3ab306abfd2288991163f92b9e8d3 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 25 Aug 2025 17:24:07 +0200 Subject: [PATCH 02/18] test: custom flake --- flake.lock | 429 +++++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 10 +- 2 files changed, 434 insertions(+), 5 deletions(-) create mode 100644 flake.lock diff --git a/flake.lock b/flake.lock new file mode 100644 index 000000000..e688331a7 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,429 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gatekeeper": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1756134452, + "narHash": "sha256-h66I9Fdr59Vs9J03yFIo2ie98y9Ftgq6u6zHyxHnLU0=", + "ref": "dev", + "rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "revCount": 18, + "type": "git", + "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" + }, + "original": { + "ref": "dev", + 
"rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "type": "git", + "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755960406, + "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nix-editor": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "utils": "utils" + }, + "locked": { + "lastModified": 1703105021, + "narHash": "sha256-Ne9NG7x45a8aJyAN+yYWbr/6mQHBVVkwZZ72EZHHRqw=", + "owner": "snowfallorg", + "repo": "nix-editor", + "rev": "b5017f8d61753ce6a3a1a2aa7e474d59146a8ae3", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "nix-editor", + "type": "github" + } + }, + "nix-fast-build": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_3", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1756006459, + "narHash": "sha256-J+ogyZPv0myEH32pCn4U2nWbfZs0wGDmJSWoebjChmA=", + "owner": "Mic92", + "repo": "nix-fast-build", + "rev": "d669000b43097c4d1d237be9f32500cd00a5a0a0", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-fast-build", + "type": "github" + } + }, + "nix2container": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1752002763, 
+ "narHash": "sha256-JYAkdZvpdSx9GUoHPArctYMypSONob4DYKRkOubUWtY=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "4f2437f6a1844b843b380d483087ae6d461240ee", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1753939845, + "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "94def634a20494ee057c76998843c015909d6311", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-go124": { + "locked": { + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + }, + "original": { + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1675673983, + "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1755963616, + "narHash": "sha256-6yD0ww/S8n+U2uPYcJZ3DRURP8Kx036GRpR2uPNZroE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "73e96df7cff5783f45e21342a75a1540c4eddce4", + "type": "github" + }, + 
"original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1748984911, + "narHash": "sha256-fih/mdPI8f1CR+FKMhcsyfFzbARoVDrlxwoa694XIkw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3731ffed14674a8567af4b05575a87adf0b38030", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1756035328, + "narHash": "sha256-vC7SslUBCtdT3T37ZH3PLIWYmTkSeppL5BJJByUjYCM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6b0b1559e918d4f7d1df398ee1d33aeac586d4d6", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1744536153, + "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "gatekeeper": "gatekeeper", + "git-hooks": "git-hooks", + "nix-editor": "nix-editor", + "nix-fast-build": "nix-fast-build", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_5", + "nixpkgs-go124": "nixpkgs-go124", + "rust-overlay": "rust-overlay", + "treefmt-nix": "treefmt-nix_2" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1756089517, + "narHash": "sha256-KGinVKturJFPrRebgvyUB1BUNqf1y9FN+tSJaTPlnFE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "44774c8c83cd392c50914f86e1ff75ef8619f1cd", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 
1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755934250, + "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1755934250, + "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index ca5d080f2..af277c789 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,20 +14,20 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=b62c6be7385048488c5a73b749ff7346188ca941"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (args: let + inputs.flake-parts.lib.mkFlake { inherit inputs; } (_args: let systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; - in { + in rec { + - systems = systems; imports = [ nix/apps.nix nix/checks.nix @@ -47,7 +47,7 @@ in { name = system; value = { - pamModule = inputs.gatekeeper.packages.${system}.default; + gatekeeper = inputs.gatekeeper.packages.${system}.default; }; }) systems ); From b0e5b90b2b9fd3cf191b160d853611cfdf501aa4 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Mon, 25 Aug 2025 15:24:52 -0400 Subject: [PATCH 03/18] feat: use gatekeeper package from upstream private repo --- flake.lock | 206 +++++++++++++++++++++++------------- flake.nix | 18 +--- nix/internal/default.nix | 40 ------- nix/packages/default.nix | 5 +- nix/packages/gatekeeper.nix | 11 ++ 5 files changed, 148 insertions(+), 132 deletions(-) delete mode 100644 nix/internal/default.nix create mode 100644 nix/packages/gatekeeper.nix diff --git a/flake.lock b/flake.lock index e688331a7..e7cd62b51 100644 --- a/flake.lock +++ b/flake.lock 
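Review bot: Removing `systems = systems;` while switching to `in rec {` leaves the flake-parts module without a `systems` attribute: `rec` only lets attributes of the set refer to each other, it does not turn the `let`-bound `systems` list into one, so the `perSystem` modules imported below (`nix/apps.nix`, `nix/checks.nix`, …) have nothing to map over and, as far as I know, flake-parts reports the option as undefined. Keep `systems = systems;` in the set (or move the list back to an attribute and drop the `let`), and remove the stray blank `+` line after `in rec {`. Pinning `&rev=b62c6be7…` on the `gatekeeper` URL is the right move; the new lock shows the input still pulling its own `nixpkgs` (`94def634…`), so a `gatekeeper.inputs.nixpkgs.follows = "nixpkgs";` next to it would keep the PAM module on this flake's nixpkgs. The `inputs` attrset and the `mkFlake` call both start before the hunk.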
@@ -3,11 +3,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -21,11 +21,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { @@ -42,11 +42,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { @@ -59,6 +59,24 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1731533236, "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 
@@ -73,22 +91,43 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gatekeeper": { "inputs": { - "nixpkgs": "nixpkgs" + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1756134452, - "narHash": "sha256-h66I9Fdr59Vs9J03yFIo2ie98y9Ftgq6u6zHyxHnLU0=", - "ref": "dev", - "rev": "b62c6be7385048488c5a73b749ff7346188ca941", - "revCount": 18, + "lastModified": 1756149255, + "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", + "ref": "sam/add-flake-parts", + "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", + "revCount": 21, "type": "git", "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" }, "original": { - "ref": "dev", - "rev": "b62c6be7385048488c5a73b749ff7346188ca941", + "ref": "sam/add-flake-parts", + "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", "type": "git", "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" } @@ -102,11 +141,11 @@ ] }, "locked": { - "lastModified": 1755960406, - "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -138,7 +177,7 @@ }, "nix-editor": { "inputs": { - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "utils": "utils" }, "locked": { 
@@ -158,15 +197,15 @@ "nix-fast-build": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1756006459, - "narHash": "sha256-J+ogyZPv0myEH32pCn4U2nWbfZs0wGDmJSWoebjChmA=", + "lastModified": 1749427739, + "narHash": "sha256-Nm0oMqFNRnJsiZYeNChmefmjeVCOzngikpSQhgs7iXI=", "owner": "Mic92", "repo": "nix-fast-build", - "rev": "d669000b43097c4d1d237be9f32500cd00a5a0a0", + "rev": "b1dae483ab7d4139a6297e02b6de9e5d30e43d48", "type": "github" }, "original": { @@ -177,14 +216,15 @@ }, "nix2container": { "inputs": { - "nixpkgs": "nixpkgs_4" + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1752002763, - "narHash": "sha256-JYAkdZvpdSx9GUoHPArctYMypSONob4DYKRkOubUWtY=", + "lastModified": 1708764364, + "narHash": "sha256-+pOtDvmuVTg0Gi58hKDUyrNla5NbyUvt3Xs3gLR0Fws=", "owner": "nlewo", "repo": "nix2container", - "rev": "4f2437f6a1844b843b380d483087ae6d461240ee", + "rev": "c891f90d2e3c48a6b33466c96e4851e0fc0cf455", "type": "github" }, "original": { @@ -195,15 +235,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1753939845, - "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", - "owner": "NixOS", + "lastModified": 1675673983, + "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "94def634a20494ee057c76998843c015909d6311", + "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -227,11 +267,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1750555020, + "narHash": "sha256-/MjivcZIz8dyLOTFdJzS5Yazt2QCePQBh8uZooODaYw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "6fb7349157ee1bffd053b1fdd454aa74ff7b4aee", "type": "github" }, "original": { @@ -242,27 +282,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1675673983, - "narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1755963616, - "narHash": "sha256-6yD0ww/S8n+U2uPYcJZ3DRURP8Kx036GRpR2uPNZroE=", + "lastModified": 1749411262, + "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "73e96df7cff5783f45e21342a75a1540c4eddce4", + "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", "type": "github" }, "original": { @@ -272,13 +296,13 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { - "lastModified": 1748984911, - "narHash": "sha256-fih/mdPI8f1CR+FKMhcsyfFzbARoVDrlxwoa694XIkw=", + "lastModified": 1697269602, + "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3731ffed14674a8567af4b05575a87adf0b38030", + "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", "type": "github" }, "original": { 
@@ -287,13 +311,13 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { - "lastModified": 1756035328, - "narHash": "sha256-vC7SslUBCtdT3T37ZH3PLIWYmTkSeppL5BJJByUjYCM=", + "lastModified": 1712666087, + "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6b0b1559e918d4f7d1df398ee1d33aeac586d4d6", + "rev": "a76c4553d7e741e17f289224eda135423de0491d", "type": "github" }, "original": { @@ -303,7 +327,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1744536153, "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", @@ -328,7 +352,7 @@ "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", "nix2container": "nix2container", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nixpkgs-go124": "nixpkgs-go124", "rust-overlay": "rust-overlay", "treefmt-nix": "treefmt-nix_2" @@ -336,14 +360,14 @@ }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756089517, - "narHash": "sha256-KGinVKturJFPrRebgvyUB1BUNqf1y9FN+tSJaTPlnFE=", + "lastModified": 1749609482, + "narHash": "sha256-R+Y3tXIUAMosrgo/ynhIUPEONZ+cM0ScbgN7KA8OkoE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "44774c8c83cd392c50914f86e1ff75ef8619f1cd", + "rev": "a17da8deb943e7c8b4151914abbfe33d5a4e5b0d", "type": "github" }, "original": { 
@@ -367,6 +391,36 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -375,11 +429,11 @@ ] }, "locked": { - "lastModified": 1755934250, - "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", "type": "github" }, "original": { @@ -395,11 +449,11 @@ ] }, "locked": { - "lastModified": 1755934250, - "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", + "lastModified": 1750931469, + "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", + "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index af277c789..202c176c5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,19 +14,18 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=dev&rev=b62c6be7385048488c5a73b749ff7346188ca941"; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { flake-utils, ... }@inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } (_args: let + inputs.flake-parts.lib.mkFlake { inherit inputs; } (_: { systems = with flake-utils.lib; [ system.x86_64-linux system.aarch64-linux system.aarch64-darwin ]; - in rec { - imports = [ nix/apps.nix @@ -40,16 +39,5 @@ nix/packages nix/overlays ]; - - packages = builtins.listToAttrs (map (system: - let - pkgs = import inputs.nixpkgs { inherit system; }; - in { - name = system; - value = { - gatekeeper = inputs.gatekeeper.packages.${system}.default; - }; - }) systems ); - }); } diff --git a/nix/internal/default.nix b/nix/internal/default.nix deleted file mode 100644 index faa96e082..000000000 --- a/nix/internal/default.nix +++ /dev/null 
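Review bot: The `gatekeeper.url` line pins the input to a personal feature branch (`ref=sam/add-flake-parts`), which is fragile for a dependency that ends up inside the PAM stack: if that branch is rebased or deleted the `rev=` no longer resolves through that ref, `nix flake update` breaks, and nobody reading the flake can tell whether the commit was ever reviewed on the default branch. The explicit `rev=` together with the lockfile's `narHash` does make the fetched content immutable, so this is a provenance concern rather than an integrity one. Once the branch is merged, change it to `?ref=main&rev=<merged commit>` (or a tag) and keep the `rev=`. Note also that `git+ssh://` means every evaluator, CI and developer machines alike, needs an SSH identity with read access to the private repo.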
@@ -1,40 +0,0 @@ -{ - description = "Gatekeeper PAM"; - - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper"; - }; - - outputs = { self, nixpkgs, gatekeeper }: - let - pkgs = import nixpkgs { system = "x86_64-linux"; }; - in { - packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { - pname = "gatekeeper"; - version = "0.1.0"; - - # Use lib/include from your module - buildInputs = [ gatekeeper.packages.x86_64-linux.default ]; - - src = ./.; - }; - }; -} - -{ stdenv, go, gcc, pamModulePackage, ... }: - -stdenv.mkDerivation { - pname = "consumer"; - version = "0.1.0"; - - buildInputs = [ - pamModulePackage # this brings in the .so, headers, etc. - ]; - - buildPhase = '' - echo "Building consumer project..." - ls -lh ${pamModulePackage}/lib/security - ''; -} \ No newline at end of file diff --git a/nix/packages/default.nix b/nix/packages/default.nix index 342763961..9dc92e86c 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -1,6 +1,9 @@ { self, inputs, ... }: { - imports = [ ./postgres.nix ]; + imports = [ + ./postgres.nix + ./gatekeeper.nix + ]; perSystem = { inputs', diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix new file mode 100644 index 000000000..6c9298210 --- /dev/null +++ b/nix/packages/gatekeeper.nix @@ -0,0 +1,11 @@ +{ inputs, ... }: +{ + perSystem = + { system, pkgs, ... }: + let + go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + in + { + packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; + }; +} From 3e6a537c5365ac545571d4471f44c09c281a36da Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 13:08:21 +0200 Subject: [PATCH 04/18] chore: add overlay --- ansible/tasks/setup-postgres.yml | 15 +++++++++++++++ nix/overlays/default.nix | 9 +++++++++ 2 files changed, 24 insertions(+) 
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml index 2fe302488..9cfbfbeda 100644 --- a/ansible/tasks/setup-postgres.yml +++ b/ansible/tasks/setup-postgres.yml @@ -139,6 +139,21 @@ group: postgres when: debpkg_mode or nixpkg_mode +- name: Check if psql_version is psql_15 + set_fact: + is_psql_15: "{{ psql_version in ['psql_15'] }}" + +- name: create placeholder pam config + file: + path: '/etc/pam.d/{{ item }}' + state: touch + owner: postgres + group: postgres + mode: 0664 + with_items: + - 'postgresql' + when: (debpkg_mode or nixpkg_mode) and not is_psql_15 + # Add pg_hba.conf - name: import pg_hba.conf template: diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index f6eda4243..1254468b9 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -51,5 +51,14 @@ buildPgrxExtension_0_14_3 = prev.buildPgrxExtension.override { cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_14_3; }; + + # place the gatekeeper module in the expected libpam location + gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default; + linux-pam = prev.linux-pam.overrideAttrs (old: { + postInstall = (old.postInstall or "") + '' + mkdir -p $out/lib/security + cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/ + ''; + }); }; } From 07162ca66f0b5c6c1b5ec5499a641173621a6b47 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 13:26:02 +0200 Subject: [PATCH 05/18] chore: add deploy_key for gk repo --- .github/workflows/nix-build.yml | 6 ++++++ nix/overlays/default.nix | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 058d9087b..16e457641 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml 
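Review bot: The placeholder `/etc/pam.d/postgresql` is created with `owner: postgres`, `group: postgres` and `mode: 0664`, which lets the database service account (and any member of the postgres group) rewrite the PAM policy that gates its own logins; a compromised backend could replace it with `auth sufficient pam_permit.so` and weaken authentication for every role that uses PAM. Files under `/etc/pam.d` should be root-owned and not writable by the service: `owner: root`, `group: root`, `mode: '0644'`. Separately, `state: touch` bumps the mtime on every run so the task never converges; add `modification_time: preserve` and `access_time: preserve` so it only reports changed when the file is actually created.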
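Review bot: Copying the module into linux-pam's own output (`cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/`) changes the linux-pam derivation, so every package in this set that links libpam is rebuilt and now transitively depends on a Go module fetched over SSH from a private branch; the blast radius of a bad gatekeeper commit becomes the whole system. Linux-PAM accepts an absolute module path in a service file, so the override is not needed: reference `${final.gatekeeper}/lib/security/pam_jwt_pg.so` directly from the generated `/etc/pam.d/postgresql` and leave `prev.linux-pam` untouched. The `gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default;` attribute is still useful on its own for that.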
@@ -52,6 +52,12 @@ jobs: sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()" env: NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }} + - name: Setup SSH for deploy key + run: | + mkdir -p ~/.ssh + echo "${{ secrets.GK_DEPLOY_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan github.com >> ~/.ssh/known_hosts - name: Setup cache script if: ${{ github.secret_source == 'Actions' }} run: | diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 1254468b9..5febccf92 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -57,7 +57,7 @@ linux-pam = prev.linux-pam.overrideAttrs (old: { postInstall = (old.postInstall or "") + '' mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/ + cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ ''; }); }; From 60485e41e9e4bac26f4b612fbbb9eb1914aa933c Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 16:48:11 +0200 Subject: [PATCH 06/18] fix: fmt and go version, hopefully --- nix/overlays/default.nix | 10 ++++++---- nix/packages/gatekeeper.nix | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 5febccf92..4f1e52cf8 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -55,10 +55,12 @@ # place the gatekeeper module in the expected libpam location gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default; linux-pam = prev.linux-pam.overrideAttrs (old: { - postInstall = (old.postInstall or "") + '' - mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ - ''; + postInstall = + (old.postInstall or "") + + '' + mkdir -p $out/lib/security + cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ + ''; }); }; } 
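Review bot: The deploy key is expanded with `${{ secrets.GK_DEPLOY_KEY }}` directly into the `run:` script body, unlike the step just above it which hands `NIX_SIGN_SECRET_KEY` to the script through `env:`; template expansion happens before the shell sees the script, so a key containing quotes or `$` breaks the command, and the env-variable form is the pattern this file already uses. The `ssh-keyscan github.com >> ~/.ssh/known_hosts` line is trust-on-first-use from the runner: whatever host key comes back over the network at that moment is accepted, which is exactly the check `known_hosts` exists to perform. Write GitHub's published host keys instead (the `ssh_keys` list from the `api.github.com/meta` endpoint, or a copy checked into the repo), and create `~/.ssh` with mode 700 before writing the key.
```yaml
      - name: Setup SSH for deploy key
        env:
          GK_DEPLOY_KEY: ${{ secrets.GK_DEPLOY_KEY }}
        run: |
          mkdir -p -m 700 ~/.ssh
          printf '%s\n' "$GK_DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # append github.com host keys from GitHub's published list here, not ssh-keyscan output
```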
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 6c9298210..266bf5f80 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -1,9 +1,9 @@ { inputs, ... }: { perSystem = - { system, pkgs, ... }: + { system, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; in { packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; From 5a0dbf1370db5044590abd98968a766ec3d711b1 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 17:25:56 +0200 Subject: [PATCH 07/18] fix: fmt and go version, hopefully --- flake.lock | 8 ++++---- flake.nix | 2 +- nix/packages/gatekeeper.nix | 10 +++++++++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index e7cd62b51..2a4459802 100644 --- a/flake.lock +++ b/flake.lock @@ -251,17 +251,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "lastModified": 1756125398, + "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 202c176c5..441672652 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 266bf5f80..02b4903fd 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -3,7 +3,15 @@ perSystem = { system, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; + + go124 = + let + candidate = inputs.nixpkgs-go124.legacyPackages.${system}; + in + if candidate ? go_1_24 then + candidate.go_1_24 + else + throw "❌ nixpkgs-go124.${system} does not provide go_1_24!"; in { packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; From 96d965ae2ac793f9856b5c3baa17ae3ea5954167 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 26 Aug 2025 18:08:23 +0200 Subject: [PATCH 08/18] fix: pass go override in overlays --- nix/overlays/default.nix | 4 +++- nix/packages/gatekeeper.nix | 9 +-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 4f1e52cf8..5bc1051b0 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -53,7 +53,9 @@ }; # place the gatekeeper module in the expected libpam location - gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default; + gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default.override { + go = self.inputs.nixpkgs-go124.legacyPackages.${final.system}.go_1_24; + }; linux-pam = prev.linux-pam.overrideAttrs (old: { postInstall = (old.postInstall or "") 
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 02b4903fd..9fdce18a1 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -4,14 +4,7 @@ { system, ... }: let - go124 = - let - candidate = inputs.nixpkgs-go124.legacyPackages.${system}; - in - if candidate ? go_1_24 then - candidate.go_1_24 - else - throw "❌ nixpkgs-go124.${system} does not provide go_1_24!"; + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; in { packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; From c98fbc03a69dcc285441f8985c847603ed9422bf Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Wed, 27 Aug 2025 09:01:19 +0200 Subject: [PATCH 09/18] fix: pass go override in overlays --- nix/overlays/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 5bc1051b0..854914210 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -53,9 +53,7 @@ }; # place the gatekeeper module in the expected libpam location - gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default.override { - go = self.inputs.nixpkgs-go124.legacyPackages.${final.system}.go_1_24; - }; + gatekeeper = self.packages.${final.system}.gatekeeper; linux-pam = prev.linux-pam.overrideAttrs (old: { postInstall = (old.postInstall or "") From 1dfd426037ea92f76ad9b10c85a1df7930e98dab Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 10:40:03 -0400 Subject: [PATCH 10/18] feat: package gatekeeper in this package set --- flake.lock | 46 ++++--------------------------------- flake.nix | 6 +++-- nix/overlays/default.nix | 2 +- nix/packages/gatekeeper.nix | 41 ++++++++++++++++++++++++++++++--- 4 files changed, 47 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 2a4459802..5afaace67 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,24 +77,6 @@ "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -109,13 +91,8 @@ "type": "github" } }, - "gatekeeper": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, + "gatekeeper-src": { + "flake": false, "locked": { "lastModified": 1756149255, "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", @@ -216,7 +193,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -347,7 +324,7 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper": "gatekeeper", + "gatekeeper-src": "gatekeeper-src", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -406,21 +383,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 441672652..60655abb6 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,8 +14,10 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; + gatekeeper-src = { + url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + flake = false; + }; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 854914210..1fe1f38e2 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -59,7 +59,7 @@ (old.postInstall or "") + '' mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ + cp ${self.packages.${final.system}.gatekeeper}/lib/security/*.so $out/lib/security/ ''; }); }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 9fdce18a1..0c94de3dc 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
@@ -1,12 +1,47 @@ { inputs, ... }: { perSystem = - { system, ... }: + { system, pkgs, ... }: let - go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; + # Use completely clean nixpkgs without any overlays for gatekeeper + cleanPkgs = inputs.nixpkgs.legacyPackages.${system}; + buildGoModule = cleanPkgs.buildGoModule.override { go = go124; }; in { - packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; + packages.gatekeeper = buildGoModule { + pname = "gatekeeper"; + version = "0.1.0"; + + src = inputs.gatekeeper-src; + + vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ="; + + buildInputs = + [ cleanPkgs.pam ] + ++ cleanPkgs.lib.optionals cleanPkgs.stdenv.isDarwin [ + cleanPkgs.darwin.apple_sdk.frameworks.Security + ]; + + buildPhase = '' + runHook preBuild + go build -buildmode=c-shared -o pam_jwt_pg.so + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out/lib/security + cp pam_jwt_pg.so $out/lib/security/ + runHook postInstall + ''; + + meta = with pkgs.lib; { + description = "PAM module for JWT authentication with PostgreSQL backend"; + homepage = "https://github.com/supabase/jit-db-gatekeeper"; + license = licenses.mit; + platforms = platforms.unix; + }; + }; }; } From 70206f2469381a9f442999bee6bdb1db38d6190f Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:15:31 -0400 Subject: [PATCH 11/18] fix: update source of go 1.24 nixpkgs --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 5afaace67..2c650b127 100644 --- a/flake.lock +++ b/flake.lock 
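Review bot: `buildGoModule = cleanPkgs.buildGoModule.override { go = go124; }` references `go124`, but this same hunk deletes the only binding of that name (`go124 = inputs.nixpkgs-go124…go_1_24;`), so evaluating `packages.gatekeeper` fails with an undefined-variable error. Restore the binding in the `let`: `go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24;`. Also, the custom `buildPhase` replaces buildGoModule's stock build, and with it the `-trimpath` flag the stock phase passes as far as I recall, so the shared object embeds sandbox build paths; use `go build -trimpath -buildmode=c-shared -o pam_jwt_pg.so` to keep the PAM module reproducible.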
@@ -228,17 +228,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1756125398, - "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 60655abb6..c1d0d4dac 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; gatekeeper-src = { url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; flake = false; From 5299f9d975350117a453578874a29a68652bc653 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:53:53 -0400 Subject: [PATCH 12/18] Revert "fix: update source of go 1.24 nixpkgs" This reverts commit 70206f2469381a9f442999bee6bdb1db38d6190f. --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 2c650b127..5afaace67 100644 --- a/flake.lock +++ b/flake.lock 
@@ -228,17 +228,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1754085309, - "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "lastModified": 1756125398, + "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", "type": "github" } }, diff --git a/flake.nix b/flake.nix index c1d0d4dac..60655abb6 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; gatekeeper-src = { url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; flake = false; From d57e9e59d3e7eed625cb9197668154d4e0213803 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 11:53:56 -0400 Subject: [PATCH 13/18] Revert "feat: package gatekeeper in this package set" This reverts commit 1dfd426037ea92f76ad9b10c85a1df7930e98dab. --- flake.lock | 46 +++++++++++++++++++++++++++++++++---- flake.nix | 6 ++--- nix/overlays/default.nix | 2 +- nix/packages/gatekeeper.nix | 41 +++------------------------------ 4 files changed, 48 insertions(+), 47 deletions(-) diff --git a/flake.lock b/flake.lock index 5afaace67..2a4459802 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,6 +77,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -91,8 +109,13 @@ "type": "github" } }, - "gatekeeper-src": { - "flake": false, + "gatekeeper": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { "lastModified": 1756149255, "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", @@ -193,7 +216,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -324,7 +347,7 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper-src": "gatekeeper-src", + "gatekeeper": "gatekeeper", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -383,6 +406,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 60655abb6..441672652 100644 --- a/flake.nix +++ b/flake.nix 
@@ -14,10 +14,8 @@ git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper-src = { - url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - flake = false; - }; + gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; + gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 1fe1f38e2..854914210 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -59,7 +59,7 @@ (old.postInstall or "") + '' mkdir -p $out/lib/security - cp ${self.packages.${final.system}.gatekeeper}/lib/security/*.so $out/lib/security/ + cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ ''; }); }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 0c94de3dc..9fdce18a1 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
@@ -1,47 +1,12 @@ { inputs, ... }: { perSystem = - { system, pkgs, ... }: + { system, ... }: let + go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24; - # Use completely clean nixpkgs without any overlays for gatekeeper - cleanPkgs = inputs.nixpkgs.legacyPackages.${system}; - buildGoModule = cleanPkgs.buildGoModule.override { go = go124; }; in { - packages.gatekeeper = buildGoModule { - pname = "gatekeeper"; - version = "0.1.0"; - - src = inputs.gatekeeper-src; - - vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ="; - - buildInputs = - [ cleanPkgs.pam ] - ++ cleanPkgs.lib.optionals cleanPkgs.stdenv.isDarwin [ - cleanPkgs.darwin.apple_sdk.frameworks.Security - ]; - - buildPhase = '' - runHook preBuild - go build -buildmode=c-shared -o pam_jwt_pg.so - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - mkdir -p $out/lib/security - cp pam_jwt_pg.so $out/lib/security/ - runHook postInstall - ''; - - meta = with pkgs.lib; { - description = "PAM module for JWT authentication with PostgreSQL backend"; - homepage = "https://github.com/supabase/jit-db-gatekeeper"; - license = licenses.mit; - platforms = platforms.unix; - }; - }; + packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; }; }; } From 9ca620bd9c4b0216a9ef81720d3085d65a624c35 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 28 Aug 2025 15:38:13 -0400 Subject: [PATCH 14/18] fix: clean up nix flake and lock, drop overlay --- flake.lock | 67 +++---------------------------------- flake.nix | 4 +-- nix/overlays/default.nix | 11 ------ nix/packages/default.nix | 3 +- nix/packages/gatekeeper.nix | 58 ++++++++++++++++++++++++++------ 5 files changed, 56 insertions(+), 87 deletions(-) diff --git a/flake.lock b/flake.lock index 2a4459802..9d2865e1d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,24 +77,6 @@ "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -109,29 +91,6 @@ "type": "github" } }, - "gatekeeper": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756149255, - "narHash": "sha256-WRD0VUjACeXkhlCXtiR+8NCs+lk03DA4wCooxCiqgRg=", - "ref": "sam/add-flake-parts", - "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", - "revCount": 21, - "type": "git", - "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" - }, - "original": { - "ref": "sam/add-flake-parts", - "rev": "34ba4a222c15b2480b837bbb3076508f36c9296f", - "type": "git", - "url": "ssh://git@github.com/supabase/jit-db-gatekeeper" - } - }, "git-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -216,7 +175,7 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -251,17 +210,17 @@ }, "nixpkgs-go124": { "locked": { - "lastModified": 1756125398, - "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=", + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" }, "original": { "owner": "Nixos", "repo": "nixpkgs", - "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", "type": "github" } }, 
@@ -347,7 +306,6 @@ "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", - "gatekeeper": "gatekeeper", "git-hooks": "git-hooks", "nix-editor": "nix-editor", "nix-fast-build": "nix-fast-build", @@ -406,21 +364,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 441672652..db14dac9a 100644 --- a/flake.nix +++ b/flake.nix @@ -13,9 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs-go124.url = "github:Nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5"; - gatekeeper.url = "git+ssh://git@github.com/supabase/jit-db-gatekeeper?ref=sam/add-flake-parts&rev=34ba4a222c15b2480b837bbb3076508f36c9296f"; - gatekeeper.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; }; outputs = diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix index 854914210..f6eda4243 100644 --- a/nix/overlays/default.nix +++ b/nix/overlays/default.nix @@ -51,16 +51,5 @@ buildPgrxExtension_0_14_3 = prev.buildPgrxExtension.override { cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_14_3; }; - - # place the gatekeeper module in the expected libpam location - gatekeeper = self.packages.${final.system}.gatekeeper; - linux-pam = prev.linux-pam.overrideAttrs (old: { - postInstall = - (old.postInstall or "") - + '' - mkdir -p $out/lib/security - cp ${final.gatekeeper}/lib/security/*.so $out/lib/security/ - ''; - }); }; } 
diff --git a/nix/packages/default.nix b/nix/packages/default.nix index 9dc92e86c..868ce65ca 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -2,7 +2,7 @@ { imports = [ ./postgres.nix - ./gatekeeper.nix + # ./gatekeeper.nix ]; perSystem = { @@ -37,6 +37,7 @@ cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { }; dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; }; docs = pkgs.callPackage ./docs.nix { }; + gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs pkgs; }; supabase-groonga = pkgs.callPackage ./groonga { }; local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { }; migrate-tool = pkgs.callPackage ./migrate-tool.nix { psql_15 = self'.packages."psql_15/bin"; }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 9fdce18a1..8b88e0e32 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
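Review bot: The `# ./gatekeeper.nix` entry left in `imports` is dead code now that the package is wired through `callPackage`; delete the line rather than commenting it out, the history is in git. In the `callPackage` line, `inherit inputs pkgs` passes `pkgs` by hand even though `callPackage` already resolves `pkgs` (and `system`) from the package set, so `gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs; };` is sufficient and keeps `.override` behaving normally. Unlike its neighbours this package takes its toolchain from a second nixpkgs pin (`inputs.nixpkgs-go124`); a one-line comment here saying why would help, since a reader of this file cannot see it.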
@@ -1,12 +1,50 @@
-{ inputs, ... }:
 {
- perSystem =
- { system, ... }:
- let
-
- go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24;
- in
- {
- packages.gatekeeper = inputs.gatekeeper.lib.${system}.makeGatekeeper { go = go124; };
- };
+ inputs,
+ system,
+ pkgs,
+ ...
+}:
+let
+ go124 = inputs.nixpkgs-go124.legacyPackages.${system}.go_1_24;
+ # Use completely clean nixpkgs without any overlays for gatekeeper
+ #cleanPkgs = inputs.nixpkgs.legacyPackages.${system};
+ buildGoModule = pkgs.buildGoModule.override { go = go124; };
+in
+
+buildGoModule {
+ pname = "gatekeeper";
+ version = "0.1.0";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "supabase";
+ repo = "jit-db-gatekeeper";
+ rev = "refs/heads/main";
+ hash = "sha256-hrYh1dBxk+aN3b/J9mZqk/ZXHmWA/MIqZLVgICT7e90=";
+ };
+
+ vendorHash = "sha256-G9x2TARSJMn30R6ZOlsggxEtn5t2ezWz1YtkLXdYiAE=";
+
+ buildInputs = [
+ pkgs.pam
+ ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.Security ];
+
+ buildPhase = ''
+ runHook preBuild
+ go build -buildmode=c-shared -o pam_jwt_pg.so
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/lib/security
+ cp pam_jwt_pg.so $out/lib/security/
+ runHook postInstall
+ '';
+
+ meta = with pkgs.lib; {
+ description = "PAM module for JWT authentication with PostgreSQL backend";
+ homepage = "https://github.com/supabase/jit-db-gatekeeper";
+ license = licenses.mit;
+ platforms = platforms.unix;
+ };
 }
From 43363e25a1559f9fd9a994cf6c93e0023c36a772 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 29 Aug 2025 13:29:18 +0200
Subject: [PATCH 15/18] chore: install gatekeeper with ansible
---
 ansible/tasks/setup-postgres.yml | 4 +---
 ansible/tasks/stage2-setup-postgres.yml | 20 +++++++++++++++++++-
 nix/packages/gatekeeper.nix | 4 ++--
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 9cfbfbeda..d2b93816f 100644
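Review bot: `rev = "refs/heads/main";` in `src` pins a moving branch for a module that PAM loads into the authentication path, so the fixed `hash` stops matching as soon as main advances and the exact source revision being built is not auditable from this file; pin an immutable commit, `rev = "<commit sha of supabase/jit-db-gatekeeper>";` (placeholder), and update `hash` and `vendorHash` together with it. The `#cleanPkgs = inputs.nixpkgs.legacyPackages.${system};` line and the comment above it about a clean nixpkgs describe nothing now that `buildGoModule` is taken from `pkgs`; delete both rather than leave a stale explanation next to live code. `buildInputs = [ pkgs.pam ]` would benefit from a why-comment such as `# presumably linked by the c-shared PAM build — confirm`, since nothing else in the file says what the Go build needs libpam for.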
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -145,13 +145,11 @@
 
 - name: create placeholder pam config
 file:
- path: '/etc/pam.d/{{ item }}'
+ path: '/etc/pam.d/postgresql'
 state: touch
 owner: postgres
 group: postgres
 mode: 0664
- with_items:
- - 'postgresql'
 when: (debpkg_mode or nixpkg_mode) and not is_psql_15
 
 # Add pg_hba.conf
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index d3209fc04..a0615d771 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -94,7 +94,25 @@
 shell: |
 sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src"
 when: stage2_nix
-
+
+- name: Check psql_version and install gatekeeper if not pg15
+ block:
+ - name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version == 'psql_15' }}"
+
+ - name: Install gatekeeper from nix binary cache
+ become: yes
+ shell: |
+ sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
+ when: stage2_nix and not is_psql_15
+
+ - name: Create symbolic link for linux-pam to find pam_jit_pg.so
+ shell: >
+ sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s
+ become: yes
+ when: stage2_nix and not is_psql_15
+
 - name: Set ownership and permissions for /etc/ssl/private
 become: yes
 file:
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
index 8b88e0e32..5f0fcbc68 100644
--- a/nix/packages/gatekeeper.nix
+++ b/nix/packages/gatekeeper.nix
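Review bot: The symlink task in the stage2-setup-postgres.yml hunk runs `$(find /nix/store ... -print -quit)` unguarded: when no `*-linux-pam-*` store path matches, the substitution is empty and `ln -s` silently creates the link at the filesystem root instead of failing, and when several linux-pam store paths exist `-print -quit` picks whichever `find` meets first, which is not necessarily the libpam the PostgreSQL build actually loads. The command also writes into a Nix store path, which store verification will report as modified and which is lost as soon as that path is garbage-collected or rebuilt, and `ln -s` without `-f` makes the task fail on every re-run of the playbook. Patches 16, 17 and 18 below rework this task (typo, `when` placement, `shell: |`) but keep the same command, so the point applies to those hunks as well. A form that fails fast on an empty result and is re-runnable:
```yaml
- name: Create symbolic link for linux-pam to find pam_jit_pg.so
  become: yes
  shell: |
    set -eu
    pam_dir="$(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)"
    test -n "$pam_dir"
    ln -sfn /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so "$pam_dir/pam_jit_pg.so"
  # … unchanged: when: …
```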
@@ -30,14 +30,14 @@ buildGoModule {
 
 buildPhase = ''
 runHook preBuild
- go build -buildmode=c-shared -o pam_jwt_pg.so
+ go build -buildmode=c-shared -o pam_jit_pg.so
 runHook postBuild
 '';
 
 installPhase = ''
 runHook preInstall
 mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
+ cp pam_jit_pg.so $out/lib/security/
 runHook postInstall
 '';
 
From 64f76c0acbb1a49630f7e2fce4d35fb252a12188 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 29 Aug 2025 16:40:24 +0200
Subject: [PATCH 16/18] fix: smallest typo
---
 ansible/tasks/stage2-setup-postgres.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index a0615d771..af29bd7fd 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -109,7 +109,7 @@
 
 - name: Create symbolic link for linux-pam to find pam_jit_pg.so
 shell: >
- sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s
+ sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so
 become: yes
 when: stage2_nix and not is_psql_15
 
From c0955684a74dcf656f17ee744dc0d6fdab3f72eb Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 29 Aug 2025 18:49:05 +0200
Subject: [PATCH 17/18] Apply suggestion from @hunleyd
Co-authored-by: Douglas J Hunley
---
 ansible/tasks/stage2-setup-postgres.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index af29bd7fd..6ab095e16 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -95,23 +95,24 @@
 sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#{{postgresql_version}}_src"
 when: stage2_nix
 
-- name: Check psql_version and install gatekeeper if not pg15
+- name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version == 'psql_15' }}"
+
+- name: Install gatekeeper if not pg15
+ when:
+ - stage2_nix
+ - not is_pgsql_15
 block:
- - name: Check if psql_version is psql_15
- set_fact:
- is_psql_15: "{{ psql_version == 'psql_15' }}"
-
- - name: Install gatekeeper from nix binary cache
+ - name: Install gatekeeper from nix binary cache
 become: yes
 shell: |
 sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
- when: stage2_nix and not is_psql_15
 
 - name: Create symbolic link for linux-pam to find pam_jit_pg.so
 shell: >
 sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so
 become: yes
- when: stage2_nix and not is_psql_15
 
 - name: Set ownership and permissions for /etc/ssl/private
 become: yes
From fdd95c8fff5458dd352683835ea4a8a62f7e1349 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 29 Aug 2025 20:32:54 +0200
Subject: [PATCH 18/18] fix: syntax error
---
 ansible/tasks/stage2-setup-postgres.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index 6ab095e16..a01177980 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -102,17 +102,17 @@
 - name: Install gatekeeper if not pg15
 when:
 - stage2_nix
- - not is_pgsql_15
+ - not is_psql_15
 block:
- - name: Install gatekeeper from nix binary cache
+ - name: Install gatekeeper from nix binary cache
 become: yes
 shell: |
 sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
 
 - name: Create symbolic link for linux-pam to find pam_jit_pg.so
- shell: >
- sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so
 become: yes
+ shell: |
+ sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so
 
 - name: Set ownership and permissions for /etc/ssl/private
 become: yes
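Review bot: `sudo ln -s ...` in the re-added `shell: |` block is redundant under a task that already carries `become: yes`: the command already runs as root, so the `sudo` prefix only adds a dependency on sudo being installed and configured for the Ansible user; `ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so ...` is enough. The `sudo -u postgres bash -c ...` line in the install task above it could likewise be expressed as `become_user: postgres`, though that presumably changes which profile script sources the nix daemon environment and would need checking against the host setup before switching. The empty-result and re-run problems with the `$(find ...)` substitution itself are raised on the patch 15 hunk above, which introduced this command.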