From 9efdd40372a0452c2ae05fc00e83ecda9182b704 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 25 Aug 2025 14:15:13 -0400
Subject: [PATCH 1/4] fix: needed to use buildGoModule builder from nixpkgs
---
 .gitignore | 1 +
 flake.nix | 54 ++++++++++++++++++++++++++----------------------------
 2 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/.gitignore b/.gitignore
index e1f4673..5547837 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 **.so
+result
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index afc97ba..ca6f5db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,37 +3,35 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
 };
- outputs = { self, nixpkgs }:
- let
- systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
- forAllSystems = f: builtins.listToAttrs (map (system: {
- name = system;
- value = f system;
- }) systems);
- in {
- packages = forAllSystems (system:
- let
- pkgs = import nixpkgs { inherit system; };
- in {
- default = pkgs.stdenv.mkDerivation {
- pname = "gatekeeper";
- version = "0.1.0";
- src = ./.;
+ outputs = { self, nixpkgs, flake-utils }:
+ flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ in {
+ packages.default = pkgs.buildGoModule {
+ pname = "gatekeeper";
+ version = "0.1.0";
+ src = ./.;
- buildInputs = [ pkgs.pam pkgs.gcc ];
+ vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ=";
- # Assuming your pam module source is pam_foo.c
- buildPhase = ''
- go build -buildmode=c-shared -o pam_jwt_pg.so
- '';
+ buildInputs = [ pkgs.pam ];
- installPhase = ''
- mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
- '';
- };
- });
- };
+ buildPhase = ''
+ runHook preBuild
+ go build -buildmode=c-shared -o pam_jwt_pg.so
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/lib/security
+ cp pam_jwt_pg.so $out/lib/security/
+ runHook postInstall
+ '';
+ };
+ });
 }
From b64dfcc4ee964fb68e235b9dc4afef6b1a4e66ac Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 25 Aug 2025 15:06:54 -0400
Subject: [PATCH 2/4] fix: allow go default and override
---
 flake.nix | 46 +++++++++++++++++++++++++++-------------------
 1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/flake.nix b/flake.nix
index ca6f5db..4a78f92 100644
--- a/flake.nix
+++ b/flake.nix
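Review bot: The module file name `pam_jwt_pg.so` is spelled out twice in the new derivation, once in `buildPhase` (`go build ... -o pam_jwt_pg.so`) and once in `installPhase` (`cp pam_jwt_pg.so $out/lib/security/`), so any rename has to touch both, which is exactly what patch 4/4 in this series ends up doing in flake.nix and default.nix. Binding it once in the `let`, e.g. `soName = "pam_jwt_pg.so";`, and writing `-o ${soName}` and `cp ${soName} $out/lib/security/` keeps the two in step. Separately, buildGoModule's default checkPhase still runs after this custom buildPhase as long as `doCheck` keeps its default (true, as far as I recall); if the module's tests are not meant to run in the sandbox, add `doCheck = false;` next to `vendorHash`. The `vendorHash` pin is the right way to keep the vendored Go dependency set reproducible; a one-line comment saying it must be regenerated whenever go.mod/go.sum change would save the next contributor a failed build.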
@@ -10,28 +10,36 @@
 flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
 let
 pkgs = import nixpkgs { inherit system; };
- in {
- packages.default = pkgs.buildGoModule {
- pname = "gatekeeper";
- version = "0.1.0";
- src = ./.;
+
+ makeGatekeeper = { go ? pkgs.go }:
+ let
+ buildGoModule = pkgs.buildGoModule.override { inherit go; };
+ in
+ buildGoModule {
+ pname = "gatekeeper";
+ version = "0.1.0";
+ src = ./.;
- vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ=";
+ vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ=";
- buildInputs = [ pkgs.pam ];
+ buildInputs = [ pkgs.pam ];
- buildPhase = ''
- runHook preBuild
- go build -buildmode=c-shared -o pam_jwt_pg.so
- runHook postBuild
- '';
+ buildPhase = ''
+ runHook preBuild
+ go build -buildmode=c-shared -o pam_jwt_pg.so
+ runHook postBuild
+ '';
- installPhase = ''
- runHook preInstall
- mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
- runHook postInstall
- '';
- };
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/lib/security
+ cp pam_jwt_pg.so $out/lib/security/
+ runHook postInstall
+ '';
+ };
+ in {
+ packages.default = makeGatekeeper { };
+
+ lib.makeGatekeeper = makeGatekeeper;
 });
 }
From 34ba4a222c15b2480b837bbb3076508f36c9296f Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 25 Aug 2025 15:14:15 -0400
Subject: [PATCH 3/4] fix: account for darwin build needs
---
 flake.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 4a78f92..550a272 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,9 @@
 vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ=";
- buildInputs = [ pkgs.pam ];
+ buildInputs = [ pkgs.pam ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [
+ pkgs.darwin.apple_sdk.frameworks.Security
+ ];
 buildPhase = ''
 runHook preBuild
From f967c996fb88e825b48a9e918eda929714709b1d Mon Sep 17 00:00:00 2001
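Review bot: `makeGatekeeper` and its `go ? pkgs.go` parameter become a public API through `lib.makeGatekeeper` but carry no documentation. Because the binding lives inside `flake-utils.lib.eachSystem`, consumers reach it as `lib.<system>.makeGatekeeper` rather than the system-independent `lib.makeGatekeeper` a flake `lib` output usually offers, which is worth stating so callers do not look in the wrong place. A comment above the binding such as `# Build the PAM module with a caller-supplied Go toolchain; defaults to nixpkgs' pkgs.go, so the Go version follows the pinned nixpkgs input. Exposed per system as lib.<system>.makeGatekeeper.` would cover both points. Whether `vendorHash` stays valid when a caller overrides `go` with a different major version is not guaranteed by anything here, so the same comment could ask overriders to rebuild and confirm it.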
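Review bot: Adding `darwin.apple_sdk.frameworks.Security` on Darwin does not on its own make the aarch64-darwin build viable, because `pkgs.pam` is still in `buildInputs` unconditionally and nixpkgs' `pam` (linux-pam) is, as far as I recall, marked Linux-only, so evaluation would refuse the derivation on Darwin before the framework is ever consulted. If the Darwin build is meant to work, the PAM headers there presumably come from the platform SDK, so the Linux dependency should be guarded the same way, e.g. `buildInputs = pkgs.lib.optionals pkgs.stdenv.isLinux [ pkgs.pam ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.Security ];`, and the result confirmed on an actual aarch64-darwin builder. Also worth checking against the nixos-unstable revision in the lockfile: the `darwin.apple_sdk.frameworks` attributes have been going through deprecation in recent nixpkgs, so this line may start warning or fail to evaluate on a future `nix flake update`. The `buildInputs` attribute belongs to `makeGatekeeper`, whose definition starts and ends outside this hunk.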
From: Etienne Stalmans
Date: Fri, 29 Aug 2025 12:39:23 +0200
Subject: [PATCH 4/4] chore: standardize on pam_jit_pg.so
---
 README.md | 10 +++++-----
 default.nix | 4 ++--
 flake.nix | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 86ee01c..ec5a78e 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ This allows for cross compiling to arm64 when using MacOS as a dev platform:
 ```bash
 docker build -t pam-builder .
 docker create --name extract pam-builder
-docker cp extract:/src/supa_jitdb_pam.so ./pam_jwt_pg.so
+docker cp extract:/src/supa_jitdb_pam.so ./pam_jit_pg.so
 docker rm extract
 ```
@@ -14,7 +14,7 @@ Build with nix (using docker as a standin here for a linux host):
 ```bash
 docker build -t nix-go-pam -f Dockerfile_nix .
 docker create --name temp nix-go-pam
-docker cp temp:/app/result/lib/security/pam_jwt_pg.so ./pam_jwt_pg_nix.so
+docker cp temp:/app/result/lib/security/pam_jit_pg.so ./pam_jwt_pg_nix.so
 docker rm temp
 ```
@@ -29,14 +29,14 @@ Copy the `.so` to the server. And add to the correct pam location, normally:
 In the case of `nix` builds, such as the Supabase image, it needs to go the nix store:
 ```
-cp pam_jwt_pg.so /nix/store/*-linux-pam-1.6.0/lib/security/
+cp pam_jit_pg.so /nix/store/*-linux-pam-1.6.0/lib/security/
 ```
 Next setup `/etc/pam.d/postgresql` with the following
 ```
-auth required pam_jwt_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
-account required pam_jwt_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
+auth required pam_jit_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
+account required pam_jit_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
 ```
 The `apiUrl` value should point to the URL of a valid api that accepts the PAT and/or JWT for authentication. The API should return a JSON struct with the roles the user associated to the PAT/JWT is allowed to assume:
diff --git a/default.nix b/default.nix
index f1ead38..d30a786 100644
--- a/default.nix
+++ b/default.nix
@@ -21,14 +21,14 @@ pkgs.buildGoModule {
 # Build as shared library for PAM
 buildPhase = ''
 runHook preBuild
- go build -buildmode=c-shared -o pam_jwt_pg.so
+ go build -buildmode=c-shared -o pam_jit_pg.so
 runHook postBuild
 '';
 installPhase = ''
 runHook preInstall
 mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
+ cp pam_jit_pg.so $out/lib/security/
 runHook postInstall
 '';
diff --git a/flake.nix b/flake.nix
index 550a272..61ef95a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,7 +10,7 @@
 flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system:
 let
 pkgs = import nixpkgs { inherit system; };
-
+
 makeGatekeeper = { go ? pkgs.go }:
 let
 buildGoModule = pkgs.buildGoModule.override { inherit go; };
@@ -28,20 +28,20 @@
 buildPhase = ''
 runHook preBuild
- go build -buildmode=c-shared -o pam_jwt_pg.so
+ go build -buildmode=c-shared -o pam_jit_pg.so
 runHook postBuild
 '';
 installPhase = ''
 runHook preInstall
 mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
+ cp pam_jit_pg.so $out/lib/security/
 runHook postInstall
 '';
 };
 in {
 packages.default = makeGatekeeper { };
-
+
 lib.makeGatekeeper = makeGatekeeper;
 });
 }