From cdbe301b93bfb6ed8634c57e926b843f3ea254b9 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Mon, 25 Aug 2025 16:32:09 +0200
Subject: [PATCH 1/9] feat: add pam_jit_pg.so to image
Adds https://github.com/supabase/jit-db-gatekeeper to allow for PAM based auth
---
 ansible/tasks/setup-postgres.yml | 13 ++
 ansible/tasks/stage2-setup-postgres.yml | 19 ++
 nix/packages/default.nix | 1 +
 nix/packages/gatekeeper.nix | 42 +++++
 testinfra/test_ami_nix.py | 221 ++++++++++++++++++++++++
 5 files changed, 296 insertions(+)
 create mode 100644 nix/packages/gatekeeper.nix
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
index 3fcc5796a..16d81c8df 100644
--- a/ansible/tasks/setup-postgres.yml
+++ b/ansible/tasks/setup-postgres.yml
@@ -175,6 +175,19 @@ group: 'postgres' src: 'files/postgresql_config/conf.d/read_replica.conf'
+ - name: Check if psql_version is psql_15
+ set_fact:
+ is_psql_15: "{{ psql_version in ['psql_15'] }}"
+
+ - name: create placeholder pam config
+ file:
+ path: '/etc/pam.d/postgresql'
+ state: touch
+ owner: postgres
+ group: postgres
+ mode: 0664
+ when: not is_psql_15
+
 # Install extensions before init - name: Install Postgres extensions ansible.builtin.import_tasks:
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index e2217353c..0a1b8cda9 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
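Review bot: The placeholder `/etc/pam.d/postgresql` is created with `owner: postgres`, `group: postgres` and `mode: 0664`, which lets the database service account (and every member of the postgres group) rewrite the PAM stack that decides who may authenticate through PAM; service files under `/etc/pam.d` are conventionally `root:root` with `0644` precisely so the subject being authenticated cannot weaken its own rules. Unless something in the gatekeeper flow has to write this file as postgres, I would change the three lines to `owner: root`, `group: root`, `mode: '0644'`. `state: touch` also updates the timestamps on every run, so the task reports changed each time; `modification_time: preserve` and `access_time: preserve` keep it idempotent. The same guard is written as `psql_version in ['psql_15']` here and `psql_version == 'psql_15'` in stage2-setup-postgres.yml; one form in both files is easier to keep in sync.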
@@ -155,6 +155,25 @@ path: '/var/lib/postgresql/.nix-profile/bin/' register: 'nix_links' +- name: Check if psql_version is psql_15 + set_fact: + is_psql_15: "{{ psql_version == 'psql_15' }}" + +- name: Install gatekeeper if not pg15 + when: + - stage2_nix + - not is_psql_15 + block: + - name: Install gatekeeper from nix binary cache + become: yes + shell: | + sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" + + - name: Create symbolic link for linux-pam to find pam_jit_pg.so + become: yes + shell: | + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so + - name: Create symlinks for Nix files into /usr/lib/postgresql/bin ansible.builtin.file: group: 'postgres' diff --git a/nix/packages/default.nix b/nix/packages/default.nix index 6c9993bc9..f49a8f170 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -41,6 +41,7 @@ github-matrix = pkgs.callPackage ./github-matrix { nix-eval-jobs = inputs'.nix-eval-jobs.packages.default; }; + gatekeeper = pkgs.callPackage ./gatekeeper.nix { inherit inputs pkgs; }; supabase-groonga = pkgs.callPackage ./groonga { }; http-mock-server = pkgs.callPackage ./http-mock-server.nix { }; local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { }; diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix new file mode 100644 index 000000000..8cebdde69 --- /dev/null +++ b/nix/packages/gatekeeper.nix 
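Review bot: The `Create symbolic link for linux-pam to find pam_jit_pg.so` task writes a new entry into whichever `*-linux-pam-*` store path `find … -print -quit` returns first, which modifies an immutable store path (it fails outright on a read-only `/nix/store` and is flagged by `nix store verify`), is nondeterministic when more than one linux-pam build is present, and errors on a second run because `ln -s` refuses an existing link. The link target lives under `/var/lib/postgresql/.nix-profile`, a profile the postgres account can rewrite, so any process that resolves the bare name `pam_jit_pg.so` through the system libpam directory ends up loading code that account controls; the exposure is limited while only the postgresql service references the module, but it deserves a comment on the task. Linux-PAM accepts an absolute module path in the service file, so `/etc/pam.d/postgresql` could reference the module by its full path and this task could be dropped entirely. If the symlink stays, `ansible.builtin.file` with `state: link`, `src:`, `dest:` and `force: true` is idempotent, and the inner `sudo` is redundant under `become: yes`.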
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+let
+ upstream-src = pkgs.fetchFromGitHub {
+ owner = "supabase";
+ repo = "jit-db-gatekeeper";
+ rev = "v1.0.0";
+ sha256 = "sha256-C4RPyzpItJrM/FxINpEIKvkYdbfaFXK0hBJe17PpejM=";
+ };
+
+ upstream-gatekeeper = pkgs.buildGoModule {
+ pname = "jit-db-gatekeeper";
+ version = "1.0.0";
+
+ src = upstream-src;
+
+ # Get vendorHash by setting to null first, building, and using error message
+ vendorHash = null;
+
+ # Environment variables - choose ONE approach
+ CGO_ENABLED = "1";
+
+ # Build flags
+ ldflags = [
+ "-s"
+ "-w"
+ ];
+ };
+in
+
+pkgs.stdenv.mkDerivation {
+ pname = "gatekeeper";
+ version = "1.0.0";
+
+ buildInputs = [ upstream-gatekeeper ];
+
+ dontUnpack = true;
+
+ installPhase = ''
+ mkdir -p $out/lib/security/
+ cp ${upstream-gatekeeper}/pam_jit_pg.so $out/lib/security/
+ '';
+}
diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
index ceed6c763..083f54458 100644
--- a/testinfra/test_ami_nix.py
+++ b/testinfra/test_ami_nix.py
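Review bot: `vendorHash = null;` is committed under a comment that says the value should be obtained by building once and copying it from the error, so the file documents a step that was never completed; with `null`, `buildGoModule` skips the fixed-output vendor derivation, which only builds if upstream has no module dependencies or ships a `vendor/` directory, and it means the Go dependency tree is not pinned by hash the way `src` is. Either set the real `vendorHash` so module downloads are verified, or replace the comment with one stating why `null` is correct, e.g. `# upstream has no external Go dependencies, so no vendor derivation is needed` (whichever is actually the case). `rev = "v1.0.0"` is a mutable tag; the content hash protects the build, but recording the commit id the hash was computed for (in `rev`, with the tag in a comment) makes it clear which tree was reviewed.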
@@ -633,6 +633,227 @@ def test_libpq5_version(host): print("✓ libpq5 version is >= 14") +def test_jit_pam_module_installed(host): + """Test that the JIT PAM module (pam_jit_pg.so) is properly installed.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print("\nSkipping JIT PAM module test for PostgreSQL 15 (not installed)") + return + + # Check if gatekeeper is installed via Nix + result = run_ssh_command( + host["ssh"], + "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null", + ) + if result["succeeded"]: + print(f"\nJIT PAM module found in Nix profile:\n{result['stdout']}") + else: + print("\nJIT PAM module not found in postgres user's Nix profile") + assert False, "JIT PAM module (pam_jit_pg.so) not found in expected location" + + # Check if the symlink exists in the Linux PAM security directory + result = run_ssh_command( + host["ssh"], + "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5", + ) + if result["succeeded"] and result["stdout"].strip(): + print(f"\nJIT PAM module symlinks found:\n{result['stdout']}") + else: + print("\nNo JIT PAM module symlinks found in /nix/store") + + # Verify the module is a valid shared library + result = run_ssh_command( + host["ssh"], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so" + ) + if result["succeeded"]: + print(f"\nJIT PAM module file type:\n{result['stdout']}") + assert ( + "shared object" in result["stdout"].lower() + or "dynamically linked" in result["stdout"].lower() + ), "JIT PAM module is not a valid shared library" + + print("✓ JIT PAM module 
is properly installed") + + +def test_pam_postgresql_config(host): + """Test that the PAM configuration for PostgreSQL exists and is properly configured.""" + # Check PostgreSQL version to determine if PAM config should exist + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + print(f"\nPostgreSQL major version: {pg_major_version}") + + # PAM config should exist for non-PostgreSQL 15 versions + if pg_major_version != 15: + # Check if PAM config file exists + result = run_ssh_command(host["ssh"], "ls -la /etc/pam.d/postgresql") + if result["succeeded"]: + print(f"\nPAM config file found:\n{result['stdout']}") + + # Check file permissions + result = run_ssh_command( + host["ssh"], "stat -c '%a %U %G' /etc/pam.d/postgresql" + ) + if result["succeeded"]: + perms = result["stdout"].strip() + print(f"PAM config permissions: {perms}") + # Should be owned by postgres:postgres with 664 permissions + assert ( + "postgres postgres" in perms + ), "PAM config not owned by postgres:postgres" + else: + print("\nPAM config file not found") + assert False, "PAM configuration file /etc/pam.d/postgresql not found" + else: + print("\nSkipping PAM config check for PostgreSQL 15") + # For PostgreSQL 15, the PAM config should NOT exist + result = run_ssh_command(host["ssh"], "test -f /etc/pam.d/postgresql") + if result["succeeded"]: + print("\nWARNING: PAM config exists for PostgreSQL 15 (not expected)") + + print("✓ PAM configuration is properly set up") + + +def test_jit_pam_gatekeeper_profile(host): + """Test that the gatekeeper package is properly installed in the postgres user's Nix profile.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + 
pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print("\nSkipping gatekeeper profile test for PostgreSQL 15 (not installed)") + return + + # Check if gatekeeper is in the postgres user's Nix profile + result = run_ssh_command( + host["ssh"], + "sudo -u postgres nix profile list --json | jq -r '.elements.gatekeeper.storePaths[0]'", + ) + if result["succeeded"] and result["stdout"].strip(): + print(f"\nGatekeeper found in Nix profile:\n{result['stdout']}") + else: + # Try alternative check + result = run_ssh_command( + host["ssh"], + "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate", + ) + if result["succeeded"] and result["stdout"].strip(): + print(f"\nGatekeeper-related files in profile:\n{result['stdout']}") + else: + print("\nGatekeeper not found in postgres user's Nix profile") + # This might be expected if it's installed system-wide instead + + # Check if we can find the gatekeeper derivation + result = run_ssh_command( + host["ssh"], + "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5", + ) + if result["succeeded"] and result["stdout"].strip(): + print(f"\nGatekeeper derivations found:\n{result['stdout']}") + else: + print("\nNo gatekeeper derivations found in /nix/store") + + print("✓ Gatekeeper package installation check completed") + + +def test_jit_pam_module_dependencies(host): + """Test that the JIT PAM module has all required dependencies.""" + # Check PostgreSQL version first + result = run_ssh_command( + host["ssh"], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" + ) + pg_major_version = 15 # Default + if result["succeeded"] and result["stdout"].strip(): + try: + pg_major_version = int(result["stdout"].strip()) + except ValueError: + pass + + # Skip test 
for PostgreSQL 15 as gatekeeper is not installed for PG15 + if pg_major_version == 15: + print( + "\nSkipping JIT PAM module dependencies test for PostgreSQL 15 (not installed)" + ) + return + + # Check dependencies of the PAM module + result = run_ssh_command( + host["ssh"], + "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null", + ) + if result["succeeded"]: + print(f"\nJIT PAM module dependencies:\n{result['stdout']}") + + # Check for required libraries + required_libs = ["libpam", "libc"] + for lib in required_libs: + if lib not in result["stdout"].lower(): + print(f"WARNING: Required library {lib} not found in dependencies") + + # Check for any missing dependencies + if "not found" in result["stdout"].lower(): + assert False, "JIT PAM module has missing dependencies" + else: + print("\nCould not check JIT PAM module dependencies") + + print("✓ JIT PAM module dependencies are satisfied") + + +def test_jit_pam_postgresql_integration(host): + """Test that PostgreSQL can be configured to use PAM authentication.""" + # Check if PAM is available as an authentication method in PostgreSQL + result = run_ssh_command( + host["ssh"], + "sudo -u postgres psql -c \"SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null", + ) + if result["succeeded"]: + print(f"\nPostgreSQL PAM-related settings:\n{result['stdout']}") + + # Check pg_hba.conf for potential PAM entries (even if not currently active) + result = run_ssh_command( + host["ssh"], + "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'", + ) + if result["succeeded"]: + print(f"\nPAM entries in pg_hba.conf:\n{result['stdout']}") + + # Verify PostgreSQL was compiled with PAM support + result = run_ssh_command( + host["ssh"], + "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'", + ) + if result["succeeded"]: + print(f"\nPostgreSQL PAM compile flags:\n{result['stdout']}") + + 
print("✓ PostgreSQL PAM integration check completed") + + def test_postgrest_read_only_session_attrs(host): """Test PostgREST with target_session_attrs=read-only and check for session errors.""" # First, check if PostgreSQL is configured for read-only mode From 88106e37d17b7bab32223dc1ced76b98797b7c85 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 12 Dec 2025 13:37:56 +0100 Subject: [PATCH 2/9] fix: go version --- nix/packages/gatekeeper.nix | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 8cebdde69..6d35b5dfa 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -1,21 +1,22 @@ -{ pkgs, ... }: +{ pkgs, inputs, ... }: let - upstream-src = pkgs.fetchFromGitHub { - owner = "supabase"; - repo = "jit-db-gatekeeper"; - rev = "v1.0.0"; - sha256 = "sha256-C4RPyzpItJrM/FxINpEIKvkYdbfaFXK0hBJe17PpejM="; - }; - upstream-gatekeeper = pkgs.buildGoModule { + go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + buildGoModule124 = pkgs.buildGoModule.override { go = go124; }; + + upstream-gatekeeper = buildGoModule124 { pname = "jit-db-gatekeeper"; version = "1.0.0"; - - src = upstream-src; - - # Get vendorHash by setting to null first, building, and using error message + src = pkgs.fetchFromGitHub { + owner = "supabase"; + repo = "jit-db-gatekeeper"; + rev = "v1.0.0"; + sha256 = "sha256-hdy2uaq1igNouCs6GHhRYQADeyWnXZ4+W+4YiyEUtZw="; + }; vendorHash = null; + buildInputs = [ pkgs.pam ]; + # Environment variables - choose ONE approach CGO_ENABLED = "1"; @@ -37,6 +38,6 @@ pkgs.stdenv.mkDerivation { installPhase = '' mkdir -p $out/lib/security/ - cp ${upstream-gatekeeper}/pam_jit_pg.so $out/lib/security/ + cp ${upstream-gatekeeper}/bin/jit-db-gatekeeper $out/lib/security/pam_jit_pg.so ''; } From cfc206498d0e4c47651e2de24a71862c01b58477 Mon Sep 17 00:00:00 2001 
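Review bot: In `test_jit_pam_module_installed` the step commented as checking the symlink in the Linux PAM security directory runs `find /nix/store -type f -path '*/lib/security/pam_jit_pg.so'`, which excludes symlinks (`-type f`) and so can never match the link stage2-setup-postgres.yml creates, and its output is only printed, never asserted; `find /nix/store -type l -path '*-linux-pam-*/lib/security/pam_jit_pg.so'` followed by `assert result["stdout"].strip(), "pam_jit_pg.so symlink missing from linux-pam security dir"` would test the integration. The `file …/pam_jit_pg.so` check should use `file -L`, since `file` does not follow a symlink in the final path component and would then report `symbolic link to …` rather than a shared object. `test_pam_postgresql_config` comments that the file should be `664` but asserts only the owner, and `test_jit_pam_postgresql_integration` asserts nothing, so both pass on a broken image; either add the assertions or name them as informational checks. All four new tests repeat the same twelve-line version probe; a `_pg_major_version(host)` helper would remove the duplication and give the `except ValueError: pass` a single place to be explained.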
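Review bot: The source hash for the unchanged `rev = "v1.0.0"` moves from `sha256-C4RPyzpItJrM/FxINpEIKvkYdbfaFXK0hBJe17PpejM=` to `sha256-hdy2uaq1igNouCs6GHhRYQADeyWnXZ4+W+4YiyEUtZw=`, which means either the first hash was never valid or the `v1.0.0` tag was re-pointed between the two commits; the commit message ("fix: go version") does not say which, and a reviewer cannot tell from the diff. Pinning `rev` to the commit id the hash was computed for, with the tag kept in a comment, records which tree was reviewed and turns a moved tag into an explicit fetch failure rather than a hash mismatch to decode later. The Go toolchain is now taken from a second nixpkgs input (`inputs.nixpkgs-go124`); a one-line comment on `go124` stating why the default `pkgs.go` is not usable (presumably upstream's `go.mod` requires 1.24) would save the next maintainer from trying to remove the extra input.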
From: Etienne Stalmans
Date: Fri, 12 Dec 2025 14:57:17 +0100
Subject: [PATCH 3/9] fix: indenting
---
 ansible/tasks/stage2-setup-postgres.yml | 34 ++++++++++++-------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index 0a1b8cda9..e6c5487ff 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -155,24 +155,24 @@ path: '/var/lib/postgresql/.nix-profile/bin/' register: 'nix_links' -- name: Check if psql_version is psql_15 - set_fact: - is_psql_15: "{{ psql_version == 'psql_15' }}" - -- name: Install gatekeeper if not pg15 - when: - - stage2_nix - - not is_psql_15 - block: - - name: Install gatekeeper from nix binary cache - become: yes - shell: | - sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" + - name: Check if psql_version is psql_15 + set_fact: + is_psql_15: "{{ psql_version == 'psql_15' }}" + + - name: Install gatekeeper if not pg15 + when: + - stage2_nix + - not is_psql_15 + block: + - name: Install gatekeeper from nix binary cache + become: yes + shell: | + sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" - - name: Create symbolic link for linux-pam to find pam_jit_pg.so - become: yes - shell: | - sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so + - name: Create symbolic link for linux-pam to find pam_jit_pg.so + become: yes + shell: | + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so - name: Create symlinks for Nix files into /usr/lib/postgresql/bin ansible.builtin.file: From 9f4188b4b9fe4dde7018bced857a69cdd29287d0 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Sat, 13 Dec 2025 15:22:17 +0100 Subject: [PATCH 4/9] chore: available for release --- ansible/vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 53662adb3..695800fd7 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
@@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.6.0.022-orioledb" - postgres17: "17.6.1.065" - postgres15: "15.14.1.065" + postgresorioledb-17: "17.6.0.022-orioledb-pam" + postgres17: "17.6.1.065-pam" + postgres15: "15.14.1.065-pam" # Non Postgres Extensions pgbouncer_release: 1.19.0 From 801a652f22afaa2cfd2e5f5bfca32d89c0243c63 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Mon, 15 Dec 2025 14:26:06 +0100 Subject: [PATCH 5/9] fix: block --- ansible/tasks/setup-postgres.yml | 26 ++++++++++--------- ansible/tasks/stage2-setup-postgres.yml | 34 +++++++++++++------------ 2 files changed, 32 insertions(+), 28 deletions(-) diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml index 16d81c8df..c44c8fe24 100644 --- a/ansible/tasks/setup-postgres.yml +++ b/ansible/tasks/setup-postgres.yml @@ -175,18 +175,20 @@ group: 'postgres' src: 'files/postgresql_config/conf.d/read_replica.conf' - - name: Check if psql_version is psql_15 - set_fact: - is_psql_15: "{{ psql_version in ['psql_15'] }}" - - - name: create placeholder pam config - file: - path: '/etc/pam.d/postgresql' - state: touch - owner: postgres - group: postgres - mode: 0664 - when: not is_psql_15 + - name: configure pam + block: + - name: Check if psql_version is psql_15 + ansible.builtin.set_fact: + is_psql_15: "{{ psql_version in ['psql_15'] }}" + + - name: create placeholder pam config + file: + path: '/etc/pam.d/postgresql' + state: touch + owner: postgres + group: postgres + mode: 0664 + when: not is_psql_15 # Install extensions before init - name: Install Postgres extensions diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml index e6c5487ff..e04029b1c 100644 --- a/ansible/tasks/stage2-setup-postgres.yml +++ b/ansible/tasks/stage2-setup-postgres.yml 
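Review bot: The new `configure pam` block mixes `ansible.builtin.set_fact` with the short name `file:`, and the stage2-setup-postgres.yml hunk in the same commit mixes `ansible.builtin.set_fact` with `shell:`; the two guards also still differ (`psql_version in ['psql_15']` here, `psql_version == 'psql_15'` in stage2). Since the block exists only to group these two tasks, the condition would read better on the block itself, `when: psql_version != 'psql_15'`, which removes the per-task `when:` and, unless `is_psql_15` is consumed by later tasks, the fact as well. If the fact is kept, `ansible.builtin.file` keeps the module naming consistent within the block.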
@@ -155,24 +155,26 @@ path: '/var/lib/postgresql/.nix-profile/bin/' register: 'nix_links' - - name: Check if psql_version is psql_15 - set_fact: - is_psql_15: "{{ psql_version == 'psql_15' }}" - - - name: Install gatekeeper if not pg15 - when: - - stage2_nix - - not is_psql_15 + - name: setup gatekeeper block: - - name: Install gatekeeper from nix binary cache - become: yes - shell: | - sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" + - name: Check if psql_version is psql_15 + ansible.builtin.set_fact: + is_psql_15: "{{ psql_version == 'psql_15' }}" - - name: Create symbolic link for linux-pam to find pam_jit_pg.so - become: yes - shell: | - sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so + - name: Install gatekeeper if not pg15 + when: + - stage2_nix + - not is_psql_15 + block: + - name: Install gatekeeper from nix binary cache + become: yes + shell: | + sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper" + + - name: Create symbolic link for linux-pam to find pam_jit_pg.so + become: yes + shell: | + sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so - name: Create symlinks for Nix files into /usr/lib/postgresql/bin ansible.builtin.file: From 578ab44128d52919aa04f8474de5670cc12fe5cb Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 16 Dec 2025 08:24:16 +0100 Subject: [PATCH 6/9] chore: use buildPhase in package --- flake.lock | 107 ++++++++++-------------------------- nix/packages/gatekeeper.nix | 22 +++++--- 2 files changed, 43 insertions(+), 86 deletions(-) 
diff --git a/flake.lock b/flake.lock index a28edf942..5e9e00ada 100644 --- a/flake.lock +++ b/flake.lock @@ -155,6 +155,27 @@ "type": "github" } }, + "nix-eval-jobs": { + "inputs": { + "flake-parts": "flake-parts_2", + "nix": "nix", + "nixpkgs": "nixpkgs", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1760478325, + "narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", + "owner": "nix-community", + "repo": "nix-eval-jobs", + "rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-eval-jobs", + "type": "github" + } + }, "nix-fast-build": { "inputs": { "flake-parts": [ @@ -181,27 +202,6 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_2", - "nix": "nix", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1760478325, - "narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, "nix2container": { "inputs": { "flake-utils": [ 
@@ -227,18 +227,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1712666087, - "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a76c4553d7e741e17f289224eda135423de0491d", - "type": "github" + "lastModified": 315532800, + "narHash": "sha256-vhAtaRMIQiEghARviANBmSnhGz9Qf2IQJ+nQgsDXnVs=", + "rev": "c12c63cd6c5eb34c7b4c3076c6a99e00fcab86ec", + "type": "tarball", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre877036.c12c63cd6c5e/nixexprs.tar.xz" }, "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://nixos.org/channels/nixpkgs-unstable/nixexprs.tar.xz" } }, "nixpkgs-go124": { @@ -289,34 +286,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 315532800, - "narHash": "sha256-vhAtaRMIQiEghARviANBmSnhGz9Qf2IQJ+nQgsDXnVs=", - "rev": "c12c63cd6c5eb34c7b4c3076c6a99e00fcab86ec", - "type": "tarball", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre877036.c12c63cd6c5e/nixexprs.tar.xz" - }, - "original": { - "type": "tarball", - "url": "https://nixos.org/channels/nixpkgs-unstable/nixexprs.tar.xz" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1697269602, - "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { "locked": { "lastModified": 1712666087, "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", 
@@ -332,32 +301,16 @@ "type": "github" } }, - "nixpkgs_5": { - "locked": { - "lastModified": 1744536153, - "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", "git-hooks": "git-hooks", "nix-editor": "nix-editor", + "nix-eval-jobs": "nix-eval-jobs", "nix-fast-build": "nix-fast-build", "nix2container": "nix2container", - "nixpkgs": "nixpkgs", - "nix-eval-jobs": "nix-eval-jobs", + "nixpkgs": "nixpkgs_2", "nixpkgs-go124": "nixpkgs-go124", "nixpkgs-pgbackrest": "nixpkgs-pgbackrest", "rust-overlay": "rust-overlay", diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 6d35b5dfa..6d78cacf3 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix @@ -17,14 +17,18 @@ let buildInputs = [ pkgs.pam ]; - # Environment variables - choose ONE approach - CGO_ENABLED = "1"; - - # Build flags - ldflags = [ - "-s" - "-w" - ]; + buildPhase = '' + runHook preBuild + go build -buildmode=c-shared -o pam_jit_pg.so + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out/lib/security + cp pam_jit_pg.so $out/lib/security/ + runHook postInstall + ''; }; in @@ -38,6 +42,6 @@ pkgs.stdenv.mkDerivation { installPhase = '' mkdir -p $out/lib/security/ - cp ${upstream-gatekeeper}/bin/jit-db-gatekeeper $out/lib/security/pam_jit_pg.so + cp ${upstream-gatekeeper}/lib/security/pam_jit_pg.so $out/lib/security/pam_jit_pg.so ''; } From 2ccbc5ffe896205f7c3297a45a073fb8e12d93f7 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 16 Dec 2025 11:15:09 +0100 Subject: [PATCH 7/9] chore: rebase and bump version string --- ansible/vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
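Review bot: Overriding `buildPhase` discards the flags `buildGoModule`'s default build phase passes to `go build` (it normally adds `-trimpath` and forwards `ldflags`), and the commit removes the `-s -w` ldflags at the same time, so the shared object now embeds build paths and full symbol tables without the change being mentioned; `go build -trimpath -ldflags="-s -w" -buildmode=c-shared -o pam_jit_pg.so` keeps both. A comment on why `c-shared` is required would help, e.g. `# PAM loads the module with dlopen, so it must be built as a C shared library rather than an executable`. With the inner derivation now installing to `lib/security/pam_jit_pg.so` itself, the outer `pkgs.stdenv.mkDerivation` only copies that file to the same relative path, so the package could simply be `upstream-gatekeeper`, or the wrapper given a comment saying why the extra layer exists. The flake.lock churn in this commit looks unrelated to the package change and is reverted by a later patch in the series; dropping it from this commit on rebase would keep the history reviewable.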
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 695800fd7..2e9cd0d92 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release:
- postgresorioledb-17: "17.6.0.022-orioledb-pam"
- postgres17: "17.6.1.065-pam"
- postgres15: "15.14.1.065-pam"
+ postgresorioledb-17: "17.6.0.023-orioledb"
+ postgres17: "17.6.1.066"
+ postgres15: "15.14.1.066"
 # Non Postgres Extensions pgbouncer_release: 1.19.0
From 410cf2e2e68d754043c3715e5d30bc841d082342 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 16 Dec 2025 11:59:40 +0100
Subject: [PATCH 8/9] chore: bump gatekeeper version
---
 nix/packages/gatekeeper.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix
index 6d78cacf3..26aec3bab 100644
--- a/nix/packages/gatekeeper.nix
+++ b/nix/packages/gatekeeper.nix
@@ -6,12 +6,12 @@ let upstream-gatekeeper = buildGoModule124 { pname = "jit-db-gatekeeper";
- version = "1.0.0";
+ version = "1.0.1";
 src = pkgs.fetchFromGitHub { owner = "supabase"; repo = "jit-db-gatekeeper";
- rev = "v1.0.0";
- sha256 = "sha256-hdy2uaq1igNouCs6GHhRYQADeyWnXZ4+W+4YiyEUtZw=";
+ rev = "v1.0.1";
+ sha256 = "sha256-4xSqQnuBYPZU6kl2LVnZbCBLCPUMKyZkezq2mPYox6k";
 }; vendorHash = null;
@@ -34,7 +34,7 @@ in pkgs.stdenv.mkDerivation { pname = "gatekeeper";
- version = "1.0.0";
+ version = "1.0.1";
 buildInputs = [ upstream-gatekeeper ];
From 462d6b1fd7089de2994c7fa46c947dd86c6e8371 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 16 Dec 2025 12:51:52 +0100
Subject: [PATCH 9/9] chore: treefmt, checkout flake.lock
---
 flake.lock | 107 ++++++++++++++++++++++++++----------
 nix/packages/gatekeeper.nix | 8 +--
 2 files changed, 81 insertions(+), 34 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5e9e00ada..a28edf942 100644
--- a/flake.lock
+++ b/flake.lock
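Review bot: The new source hash `sha256-4xSqQnuBYPZU6kl2LVnZbCBLCPUMKyZkezq2mPYox6k` is 43 base64 characters, one short of the padded 44-character SRI form every other hash in this series uses (they end in `=`), so it looks like the trailing `=` was lost when it was copied. Nix's decoder is, as far as I know, tolerant of missing padding, but normalizing to the padded form keeps the value grep-able against `nix hash` output and avoids stricter tooling rejecting it; the value itself should be re-checked against a fresh `nix-prefetch` of `v1.0.1` when it is fixed.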
@@ -155,27 +155,6 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_2", - "nix": "nix", - "nixpkgs": "nixpkgs", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1760478325, - "narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, "nix-fast-build": { "inputs": { "flake-parts": [ @@ -202,6 +181,27 @@ "type": "github" } }, + "nix-eval-jobs": { + "inputs": { + "flake-parts": "flake-parts_2", + "nix": "nix", + "nixpkgs": "nixpkgs_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1760478325, + "narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=", + "owner": "nix-community", + "repo": "nix-eval-jobs", + "rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-eval-jobs", + "type": "github" + } + }, "nix2container": { "inputs": { "flake-utils": [ @@ -227,15 +227,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 315532800, - "narHash": "sha256-vhAtaRMIQiEghARviANBmSnhGz9Qf2IQJ+nQgsDXnVs=", - "rev": "c12c63cd6c5eb34c7b4c3076c6a99e00fcab86ec", - "type": "tarball", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre877036.c12c63cd6c5e/nixexprs.tar.xz" + "lastModified": 1712666087, + "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a76c4553d7e741e17f289224eda135423de0491d", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://nixos.org/channels/nixpkgs-unstable/nixexprs.tar.xz" + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-go124": { 
@@ -286,6 +289,34 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 315532800, + "narHash": "sha256-vhAtaRMIQiEghARviANBmSnhGz9Qf2IQJ+nQgsDXnVs=", + "rev": "c12c63cd6c5eb34c7b4c3076c6a99e00fcab86ec", + "type": "tarball", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre877036.c12c63cd6c5e/nixexprs.tar.xz" + }, + "original": { + "type": "tarball", + "url": "https://nixos.org/channels/nixpkgs-unstable/nixexprs.tar.xz" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1697269602, + "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1712666087, "narHash": "sha256-WwjUkWsjlU8iUImbivlYxNyMB1L5YVqE8QotQdL9jWc=", @@ -301,16 +332,32 @@ "type": "github" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1744536153, + "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "flake-parts": "flake-parts", "flake-utils": "flake-utils", "git-hooks": "git-hooks", "nix-editor": "nix-editor", - "nix-eval-jobs": "nix-eval-jobs", "nix-fast-build": "nix-fast-build", "nix2container": "nix2container", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", + "nix-eval-jobs": "nix-eval-jobs", "nixpkgs-go124": "nixpkgs-go124", "nixpkgs-pgbackrest": "nixpkgs-pgbackrest", "rust-overlay": "rust-overlay", diff --git a/nix/packages/gatekeeper.nix b/nix/packages/gatekeeper.nix index 26aec3bab..f4f8b99d5 100644 --- a/nix/packages/gatekeeper.nix +++ b/nix/packages/gatekeeper.nix 
@@ -24,10 +24,10 @@ let ''; installPhase = ''
- runHook preInstall
- mkdir -p $out/lib/security
- cp pam_jit_pg.so $out/lib/security/
- runHook postInstall
+ runHook preInstall
+ mkdir -p $out/lib/security
+ cp pam_jit_pg.so $out/lib/security/
+ runHook postInstall
 ''; }; in