From cfa1a04dc1cc13d3b853438667863c1778222dbf Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Wed, 28 Jan 2026 18:18:49 +0100
Subject: [PATCH 1/2] chore: write version file pam_jit_pg

Write a version file for pam_jit_pg so that salt doesn't try overwrite when applying to an image that already has the library installed. Salt knows to check the version and only update if salt specifies a different version should be used.
---
 ansible/tasks/stage2-setup-postgres.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index e04029b1c..cc2536c6e 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -5,7 +5,7 @@
 is_psql_oriole: "{{ psql_version in ['psql_orioledb-17'] }}"
 is_psql_17: "{{ psql_version in ['psql_17'] }}"
 is_psql_15: "{{ psql_version in ['psql_15'] }}"
-
+
 - name: Execute tasks when (is_psql_oriole or is_psql_17) and stage2_nix
 become: true
 when:
@@ -83,7 +83,7 @@
 state: present
 when: is_psql_oriole and stage2_nix
 become: yes
-
+
 - name: Add ORIOLEDB_ENABLED environment variable
 ansible.builtin.lineinfile:
 line: 'ORIOLEDB_ENABLED=true'
@@ -176,6 +176,13 @@
 shell: |
 sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so

+ - name: Write version file
+ ansible.builtin.copy:
+ dest: "/root/pam_jit_pg-version"
+ group: "root"
+ owner: "root"
+ content: "1.0.0"
+
 - name: Create symlinks for Nix files into /usr/lib/postgresql/bin
 ansible.builtin.file:
 group: 'postgres'
From d5e4c048001ccbd720ea771ee450cbf43ad7c2d9 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Thu, 29 Jan 2026 07:33:02 +0100
Subject: [PATCH 2/2] chore: dynamic get installed gk version
---
 ansible/tasks/stage2-setup-postgres.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ansible/tasks/stage2-setup-postgres.yml b/ansible/tasks/stage2-setup-postgres.yml
index cc2536c6e..9adef6f68 100644
--- a/ansible/tasks/stage2-setup-postgres.yml
+++ b/ansible/tasks/stage2-setup-postgres.yml
@@ -176,12 +176,17 @@
 shell: |
 sudo ln -s /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so $(find /nix/store -type d -path "/nix/store/*-linux-pam-*/lib/security" -print -quit)/pam_jit_pg.so

+ - name: Get gatekeeper version
+ ansible.builtin.shell: |
+ sudo -u postgres bash -c "/nix/var/nix/profiles/default/bin/nix-store -q --requisites ~/.nix-profile | awk -F- '/gatekeeper/{print \$NF}'"
+ register: gatekeeper_version
+
 - name: Write version file
 ansible.builtin.copy:
 dest: "/root/pam_jit_pg-version"
 group: "root"
 owner: "root"
- content: "1.0.0"
+ content: "{{ gatekeeper_version.stdout }}"

 - name: Create symlinks for Nix files into /usr/lib/postgresql/bin
 ansible.builtin.file:
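Review bot: The `Get gatekeeper version` task pipes `nix-store` into `awk` with no `pipefail` and no check on the result, so a failed or empty query still exits 0 and `Write version file` then writes an empty `/root/pam_jit_pg-version`; per the first commit's message Salt reads that file to decide whether to replace the PAM library, so a blank or wrong value silently changes whether an authentication module gets updated. The awk filter prints one line per store path containing `gatekeeper`, and `$NF` could be an output suffix rather than a version if a path has a trailing component, so I would require exactly one version-shaped line before writing, e.g. `failed_when: gatekeeper_version.stdout is not match('^[0-9]+(\.[0-9]+)+$')`, and add `changed_when: false` since the query modifies nothing. `~/.nix-profile` also depends on how sudo sets HOME for `postgres`; the symlink task just above already uses `/var/lib/postgresql/.nix-profile`, and using that absolute path (or `become_user: postgres` instead of inline `sudo`) would remove the dependency.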