This will make deploying an Ekklesia installation quite easy using NixOS and NixOps.
Still WIP; VirtualBox should work for Portal and VVVote.
There's a working example config for an Ekklesia Portal and two VVVote instances in ekklesia.nix. ekklesia-virtualbox.nix specifies a VirtualBox network with 3 VMs meant for testing.
The Nix shell sets up a ready-to-use deployment environment with NixOps and the VVVote admin script, which can be used to create the needed keys.
Deploy to VirtualBox with:
git clone https://github.com/edemocracy/ekklesia-deploy
cd ekklesia-deploy
nix-shell
You are now in a Nix shell that makes the nixops command available.
# in Nix shell
nixops create -d ekklesia-test ./ekklesia.nix ./ekklesia-virtualbox.nix
nixops deploy -d ekklesia-test
The first deployment will fail because VVVote cannot find its private key files. They need to be created in a second step, followed by a redeploy:
# in Nix shell
python3 set-up-vvvote.py
nixops deploy -d ekklesia-test
This also works with NixOS containers. Use ekklesia-nixos-containers.nix instead of ekklesia-virtualbox.nix. Note that the containers are deployed on the system on which you are running NixOps. That means that your current user needs to be able to SSH to root@localhost. You can also change the host to a remote system in ekklesia-nixos-containers.nix by using the deployment.container.host option in the machine definitions.
Generating and distributing keys must be done separately from the NixOps deployment.
Keys can be created on the deployment machine for all VVVote instances, which is easy, but you may not want the private keys to be moved around. In that case, create them on the VM itself after the first deploy run. There's a script for this second case: it uses SSH via NixOps to create keys remotely on the VMs, fetches the public keys to the deployment machine and creates the additional secrets needed for VVVote.
Please read the VVVote Installation Instructions first.
The set-up-vvvote.py script does everything needed to run VVVote. Keys are created if they do not exist. Existing private keys will not be replaced automatically for safety reasons. The script asks for an OAuth2 client secret and an Ekklesia Notify secret for both VMs.
# in Nix shell
python3 set-up-vvvote.py
The VVVote admin tool can be used directly like this:
vvvote-admin.sh createKeypair p 1 /tmp/vvvote/
The vvvote-admin.sh command works the same in the Nix shell and on the deployed VVVote VMs. /tmp/vvvote must have a subdir called voting-keys, which is expected by the script.
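As an added example (not part of ekklesia-deploy or VVVote), the hypothetical helper prepare_key_dir below creates the working directory and its voting-keys subdir with owner-only permissions before vvvote-admin.sh is run, and refuses symlinked or foreign-owned directories, which matters when the directory lives under a shared /tmp. The path $HOME/vvvote-keys in the usage comment is a constructed sample.

```shell
#!/bin/sh
# Added example: prepare an owner-only working directory for vvvote-admin.sh.
# prepare_key_dir is a hypothetical helper, not part of ekklesia-deploy.

prepare_key_dir() {
    dir=${1%/}   # drop a trailing slash so the symlink test sees the link itself
    [ -n "$dir" ] || { echo "usage: prepare_key_dir DIR" >&2; return 2; }

    # A symlink here could redirect key material to a location chosen by
    # another local user (relevant when DIR is under a shared /tmp).
    for d in "$dir" "$dir/voting-keys"; do
        if [ -L "$d" ]; then
            echo "refusing: $d is a symlink" >&2
            return 1
        fi
    done

    # Create missing directories owner-only, independent of the caller's umask.
    ( umask 077 && mkdir -p "$dir/voting-keys" ) || return 1

    for d in "$dir" "$dir/voting-keys"; do
        # -O: owned by the effective user. A pre-existing directory owned
        # by someone else must not receive private keys.
        if [ ! -O "$d" ]; then
            echo "refusing: $d is not owned by $(id -un)" >&2
            return 1
        fi
        chmod 700 "$d" || return 1
    done

    # Report key files readable by group or others; they are not modified.
    loose=$(find "$dir/voting-keys" -type f \( -perm -040 -o -perm -004 \))
    if [ -n "$loose" ]; then
        echo "warning: readable by group/others:" >&2
        echo "$loose" >&2
        return 3
    fi
    return 0
}

# Usage with the createKeypair command shown above:
#   prepare_key_dir "$HOME/vvvote-keys" && \
#       vvvote-admin.sh createKeypair p 1 "$HOME/vvvote-keys/"
```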