chore: install gatekeeper with ansible

Author: staaldraad

ansible/tasks/setup-postgres.yml

@@ -207,13 +207,11 @@
 
 - name: create placeholder pam config
   file:
-    path: '/etc/pam.d/{{ item }}'
+    path: '/etc/pam.d/postgresql'
     state: touch
     owner: postgres
     group: postgres
     mode: 0664
-  with_items:
-    - 'postgresql'
   when: (debpkg_mode or nixpkg_mode) and not is_psql_15
 
 # Add pg_hba.conf

ansible/tasks/stage2-setup-postgres.yml

@@ -147,6 +147,24 @@
         path: '/var/lib/postgresql/.nix-profile/bin/'
       register: 'nix_links'
 
+- name: Check psql_version and install gatekeeper if not pg15
+  block:
+    - name: Check if psql_version is psql_15
+      set_fact:
+        is_psql_15: "{{ psql_version == 'psql_15' }}"
+
+    - name: Install gatekeeper from nix binary cache
+      become: yes
+      shell: |
+        sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#gatekeeper"
+      when: stage2_nix and not is_psql_15
+
+    - name: Create symbolic link for linux-pam to find pam_jit_pg.so
+      shell: >
+        sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.s
+      become: yes
+      when: stage2_nix and not is_psql_15
+
     - name: Create symlinks for Nix files into /usr/lib/postgresql/bin
       ansible.builtin.file:
         group: 'postgres'

nix/packages/gatekeeper.nix

@@ -30,14 +30,14 @@ buildGoModule {
 
   buildPhase = ''
     runHook preBuild
-    go build -buildmode=c-shared -o pam_jwt_pg.so
+    go build -buildmode=c-shared -o pam_jit_pg.so
     runHook postBuild
   '';
 
   installPhase = ''
     runHook preInstall
     mkdir -p $out/lib/security
-    cp pam_jwt_pg.so $out/lib/security/
+    cp pam_jit_pg.so $out/lib/security/
     runHook postInstall
   '';