updates from code review

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>

Author: gngram

modules/common/security/spire/agent.nix

@@ -141,7 +141,6 @@ in
             enable = true;
             serviceConfig = {
               Type = "oneshot";
-              User = "root";
               ExecStart = "${script}";
               Restart = "no";
               RemainAfterExit = true;

modules/common/security/spire/create-workload-entries.nix

@@ -0,0 +1,94 @@
+# SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  pkgs,
+  lib,
+  config,
+  spire-package,
+  socketPath,
+  spireAgentVMs,
+}:
+let
+  inherit (lib) escapeShellArg concatMapStringsSep;
+in
+pkgs.writeShellApplication {
+  name = "spire-create-workload-entries";
+  runtimeInputs = [
+    pkgs.coreutils
+    pkgs.gawk
+    pkgs.gnugrep
+    spire-package
+  ];
+  text = ''
+    SOCKET="${socketPath}"
+    echo "=== SPIRE Workload Entry Creator ==="
+
+    # Wait for server
+    echo "Waiting for SPIRE server..."
+    while true; do
+      if spire-server healthcheck -socketPath "$SOCKET" >/dev/null 2>&1; then
+        echo "Server ready"
+        break
+      fi
+      sleep 2
+    done
+
+    create_entry() {
+      local parentID="$1"
+      local spiffeID="$2"
+      local is_node="$3"
+      shift 3
+      local selectors=("$@")
+
+      if spire-server entry show -socketPath "$SOCKET" -spiffeID "$spiffeID" >/dev/null 2>&1; then
+        echo "Entry exists: $spiffeID"
+        return
+      fi
+
+      echo "Creating entry: $spiffeID"
+      local cmd=(spire-server entry create -socketPath "$SOCKET" -spiffeID "$spiffeID")
+
+      if [ "$is_node" = "true" ]; then
+        cmd+=(-node)
+      else
+        cmd+=(-parentID "$parentID")
+      fi
+
+      for s in "''${selectors[@]}"; do
+        cmd+=(-selector "$s")
+      done
+
+      "''${cmd[@]}"
+    }
+
+    ${concatMapStringsSep "\n" (
+      vmName:
+      let
+        agentCfg = config.ghaf.common.spire.agents.${vmName};
+        agentSpiffeID = "spiffe://${config.ghaf.common.spire.server.trustDomain}/${vmName}";
+
+        nodeEntryCmd =
+          if (agentCfg.nodeAttestationMode == "x509pop") then
+            ''
+              create_entry "" ${escapeShellArg agentSpiffeID} "true" "x509pop:subject:cn:${escapeShellArg vmName}"
+            ''
+          else
+            "";
+
+        workloadCmds = concatMapStringsSep "\n" (
+          workload:
+          let
+            workloadSpiffeID = "spiffe://${config.ghaf.common.spire.server.trustDomain}/${vmName}/${workload.name}";
+            selectors = concatMapStringsSep " " escapeShellArg workload.selectors;
+          in
+          ''
+            create_entry ${escapeShellArg agentSpiffeID} ${escapeShellArg workloadSpiffeID} "false" ${selectors}
+          ''
+        ) agentCfg.workloads;
+      in
+      nodeEntryCmd + workloadCmds
+    ) spireAgentVMs}
+
+    echo "Node and workload entries created successfully."
+  '';
+}

modules/common/security/spire/server.nix

@@ -9,7 +9,6 @@
 let
   cfg = config.ghaf.security.spire.server;
   inherit (lib)
-    escapeShellArg
     filterAttrs
     getExe
     mkIf
@@ -108,10 +107,16 @@ let
           echo "Agent ${vm} already registered, skipping token generation"
         else
           echo "Generating new token for ${vm}"
-          token="$(spire-server token generate \
-            -socketPath ${socketPath} \
-            -spiffeID spiffe://${cfg.trustDomain}/${vm} \
-            | awk '/^Token:/ {print $2}')"
+          output=$(spire-server token generate -socketPath "${socketPath}" -spiffeID "spiffe://${cfg.trustDomain}/${vm}")
+
+          # Check if the command actually worked
+          if [ $? -ne 0 ]; then
+              echo "Error: SPIRE token generation failed!" >&2
+              exit 1
+          fi
+
+          # Extract the token from the successful output
+          token=$(echo "$output" | awk '/^Token:/ {print $2}')
 
           printf '%s\n' "$token" > "$tokenFile"
           chmod 0644 "$tokenFile"
@@ -157,92 +162,15 @@ let
     '';
   };
 
-  createEntryFunc = ''
-    create_entry() {
-      local parentID="$1"
-      local spiffeID="$2"
-      local is_node="$3"
-      shift 3
-      local selectors=("$@")
-
-      if spire-server entry show -socketPath "$SOCKET" -spiffeID "$spiffeID" >/dev/null 2>&1; then
-        echo "Entry exists: $spiffeID"
-        return
-      fi
-
-      echo "Creating entry: $spiffeID"
-      local cmd=(spire-server entry create -socketPath "$SOCKET" -spiffeID "$spiffeID")
-
-      if [ "$is_node" = "true" ]; then
-        cmd+=(-node)
-      else
-        cmd+=(-parentID "$parentID")
-      fi
-
-      for s in "''${selectors[@]}"; do
-        cmd+=(-selector "$s")
-      done
-
-      "''${cmd[@]}"
-    }
-  '';
-
-  createEntries = concatMapStringsSep "\n" (
-    vmName:
-    let
-      agentCfg = config.ghaf.common.spire.agents.${vmName};
-      agentSpiffeID = "spiffe://${config.ghaf.common.spire.server.trustDomain}/${vmName}";
-
-      nodeEntryCmd =
-        if (agentCfg.nodeAttestationMode == "x509pop") then
-          ''
-            create_entry "" ${escapeShellArg agentSpiffeID} "true" "x509pop:subject:cn:${escapeShellArg vmName}"
-          ''
-        else
-          "";
-
-      workloadCmds = concatMapStringsSep "\n" (
-        workload:
-        let
-          workloadSpiffeID = "spiffe://${config.ghaf.common.spire.server.trustDomain}/${vmName}/${workload.name}";
-          selectors = concatMapStringsSep " " escapeShellArg workload.selectors;
-        in
-        ''
-          create_entry ${escapeShellArg agentSpiffeID} ${escapeShellArg workloadSpiffeID} "false" ${selectors}
-        ''
-      ) agentCfg.workloads;
-    in
-    nodeEntryCmd + workloadCmds
-  ) spireAgentVMs;
-
-  spireCreateWorkloadEntriesApp = pkgs.writeShellApplication {
-    name = "spire-create-workload-entries";
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.gawk
-      pkgs.gnugrep
+  spireCreateWorkloadEntriesApp = import ./create-workload-entries.nix {
+    inherit
+      pkgs
+      lib
+      config
       spire-package
-    ];
-    text = ''
-      SOCKET="${socketPath}"
-      echo "=== SPIRE Workload Entry Creator ==="
-
-      # Wait for server
-      echo "Waiting for SPIRE server..."
-      while true; do
-        if spire-server healthcheck -socketPath "$SOCKET" >/dev/null 2>&1; then
-          echo "Server ready"
-          break
-        fi
-        sleep 2
-      done
-
-      ${createEntryFunc}
-
-      ${createEntries}
-
-      echo "Done"
-    '';
+      socketPath
+      spireAgentVMs
+      ;
   };
 in
 {
@@ -305,8 +233,7 @@ in
           after = [ "local-fs.target" ];
           serviceConfig = {
             Type = "oneshot";
-            User = "root";
-            ExecStart = "${pkgs.rsync}/bin/rsync  --chown=root:root --chmod=g+rx /etc/givc/ca-cert.pem ${caCertPath}";
+            ExecStart = "${pkgs.rsync}/bin/rsync --chmod=g+rx /etc/givc/ca-cert.pem ${caCertPath}";
             Restart = "no";
           };
         };
@@ -324,7 +251,6 @@ in
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
-            User = "root";
             ExecStart = getExe spireGenerateJoinTokensApp;
           };
         };
@@ -336,7 +262,6 @@ in
 
           serviceConfig = {
             Type = "oneshot";
-            User = "root";
             ExecStart = getExe spirePublishBundleApp;
           };
         };
@@ -352,7 +277,6 @@ in
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
-            User = "root";
             ExecStart = getExe spireCreateWorkloadEntriesApp;
           };
         };