chore: add overlay

staaldraad · staaldraad · commit 3ff262da79c0 · 2025-12-01T16:10:19.000+01:00
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
@@ -167,13 +167,80 @@
       loop_control:
         loop_var: 'pg_config_item'
 
-    - name: Move custom read-replica.conf file to /etc/postgresql-custom/read-replica.conf
-      ansible.builtin.template:
-        dest: '/etc/postgresql-custom/read-replica.conf'
-        mode: '0664'
-        owner: 'postgres'
-        group: 'postgres'
-        src: 'files/postgresql_config/custom_read_replica.conf.j2'
+- name: Allow adminapi to write custom config
+  file:
+    path: '{{ item }}'
+    recurse: yes
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0775
+  with_items:
+    - '/etc/postgresql'
+    - '/etc/postgresql-custom'
+  when: debpkg_mode or nixpkg_mode
+
+- name: create placeholder config files
+  file:
+    path: '/etc/postgresql-custom/{{ item }}'
+    state: touch
+    owner: postgres
+    group: postgres
+    mode: 0664
+  with_items:
+    - '01-generated-optimizations.conf'
+    - '02-custom-overrides.conf'
+  when: debpkg_mode or nixpkg_mode
+
+# Move Postgres configuration files into /etc/postgresql
+# Add postgresql.conf
+- name: import postgresql.conf
+  template:
+    src: files/postgresql_config/postgresql.conf.j2
+    dest: /etc/postgresql/postgresql.conf
+    group: postgres
+  when: debpkg_mode or nixpkg_mode
+
+- name: Check if psql_version is psql_15
+  set_fact:
+    is_psql_15: "{{ psql_version in ['psql_15'] }}"
+
+- name: create placeholder pam config
+  file:
+    path: '/etc/pam.d/{{ item }}'
+    state: touch
+    owner: postgres
+    group: postgres
+    mode: 0664
+  with_items:
+    - 'postgresql'
+  when: (debpkg_mode or nixpkg_mode) and not is_psql_15
+
+# Add pg_hba.conf
+- name: import pg_hba.conf
+  template:
+    src: files/postgresql_config/pg_hba.conf.j2
+    dest: /etc/postgresql/pg_hba.conf
+    group: postgres
+  when: debpkg_mode or nixpkg_mode
+
+# Add pg_ident.conf
+- name: import pg_ident.conf
+  template:
+    src: files/postgresql_config/pg_ident.conf.j2
+    dest: /etc/postgresql/pg_ident.conf
+    group: postgres
+  when: debpkg_mode or nixpkg_mode
+
+# Add custom config for read replicas set up
+- name: Move custom read-replica.conf file to /etc/postgresql-custom/04-read-replica.conf
+  template:
+    src: "files/postgresql_config/custom_read_replica.conf.j2"
+    dest: /etc/postgresql-custom/04-read-replica.conf
+    mode: 0664
+    owner: postgres
+    group: postgres
+  when: debpkg_mode or nixpkg_mode
 
 # Install extensions before init
 - name: Install Postgres extensions
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
@@ -27,5 +27,14 @@
       inherit (final) stdenv;
       inherit (final) rust-bin;
     };
+
+    # place the gatekeeper module in the expected libpam location
+    gatekeeper = self.inputs.gatekeeper.packages.${final.system}.default;
+    linux-pam = prev.linux-pam.overrideAttrs (old: {
+      postInstall = (old.postInstall or "") + ''
+        mkdir -p $out/lib/security
+        cp ${final.gatekeeper}/lib/security/pam_jwt_pg.so $out/lib/security/
+      '';
+    });
   };
 }
