Guide: How-To Setup An Atuin Server

General
1

This is a guide how to setup the atuin server component. I will use a local database and a service user under which atuin will run.

Create the database and user

Type pqsql as the postgres user:

CREATE USER atuin WITH ENCRYPTED PASSWORD 'supersecretpassword';

CREATE DATABASE atuin WITH OWNER = atuin;

\c atuin
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;

Create the OS user to run atuin

The following steps in this guide must be run as the user root or invoked with sudo:

useradd -r -d /var/lib/atuin -s /sbin/nologin -c "user for atuin" atuin

Create the config file for atuin

mkdir /etc/atuin
chown atuin:atuin /etc/atuin
chmod 750 /etc/atuin

cat > /etc/atuin/atuin.cfg <<EOF
ATUIN_HOST="127.0.0.1"
ATUIN_PORT=8888
ATUIN_OPEN_REGISTRATION=true
ATUIN_DB_URI="postgres://atuin:supersecretpassword@127.0.0.1/atuin"
EOF

chown atuin:atuin /etc/atuin/atuin.cfg
chmod 640 /etc/atuin/atuin.cfg

Create the log directory

Even though atuin runs as the user atuin, systemd creates the log file as root, thus it is only necessary to lock down the log directory so that it is not world readable.

mkdir /var/log/atuin
chown atuin:atuin /var/log/atuin
chmod 750 /var/log/atuin

Create the systemd file

cat > /etc/systemd/system/atuin.service <<EOF
[Unit]
Description=atuin
After=network.target postgresql.service
Requires=postgresql.service
# Remove postgresql.service above, if database is remote

[Service]
Type=simple
User=atuin
Group=atuin
EnvironmentFile=/etc/atuin/atuin.cfg
WorkingDirectory=/etc/atuin
Environment=HOME="/etc/atuin"
ExecStart=/usr/sbin/atuin server start
StandardOutput=append:/var/log/atuin/atuin.log
StandardError=append:/var/log/atuin/atuin.log
Restart=on-failure
RestartSec=3
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload

systemctl enable atuin.service
systemctl start atuin.service

Instead of setting the HOME env var in the systemd unit file, it is also possible to set ATUIN_CONFIG_DIR. Either also as Environment directive or in the EnvironmentFile.

Setup an Apache reverse proxy (sublocation)

Setting up a reverse proxy is a simple step, but crucial, if you want to run a service that faces the Internet.
It is possible for the server component to handle TLS itself, but unless you setup the server in a private network (home or company), using a reverse proxy is more convenient and most likely the only viable option.
As an added bonus, you can terminate the TLS connection on the reverse proxy.

Add the following 2 directives to the config of the server or virtual server:

ProxyPass          /atuin   http://localhost:8888
ProxyPassReverse   /atuin   http://localhost:8888

Attention: You must not set the ATUIN_PATH in the atuin server config. This will only result in a 404 error, when accessing the sublocation.

RPM Package

I’ve also created an RPM package that does all the above steps, except creating the database and the database user.

Fedora (current release, x86_64)

The atuin-server package is built for the current release of Fedora, but may also be available for the previous release.
It also creates an atuin user/group and a systemd service.
The PostgreSQL server has to be setup seperately, as well as the database for atuin.

dnf config-manager --add-repo https://evermeet.cx/pub/repo/fedora/evermeet.repo
dnf install atuin-server

How-To Sync Your Clients

The following section was written by @MacSlow, who was also kind enough to proofread my guide. Here goes a big :tada: :+1: to MacSlow.

Get your client-machines sync’ing

Once you have your sync-server up and running, do the following steps to register, login and sync from any client-machine you wish to sync to your atuin sync-server.

Note: be sure you have a line like ATUIN_OPEN_REGISTRATION=true on your sync-server in file /etc/atuin/atuin.cfg. You can set that to false after registration, if you want and keep things closed to others. Once you change that config-file you have to stop and start atuin via systemd on your server-machine for the changes to take effect. On all of your client-machines, check that you have a line like sync_address = "https://joes.server.org/atuin" in ~/.config/atuin/config.toml.

Get your encryption-key

On one of your client-machines obtain atuin’s encryption-key with (this can only be done after registration and login):

$> atuin key 
a bunch of random words are the key

Write whatever atuin prints out down or add to your password manager. You will need this very encryption key once you login from other client-machines.

Register, login & sync

Now you are good to go to follow these steps:

  1. Register
    You have to do this only once from any one of your client-machines:

    $> atuin register
Registering for an Atuin Sync account
Please enter username: joe.doe.average
Please enter email: joe.doe@example.org
Please enter password:

  2. Login
    This has to happen on all client machines, except where you registered. Registering automatically logs you in.

    $> atuin login
Please enter username: joe.doe.average
Please enter password:
Please enter encryption key [blank to use existing key file]:

  3. Sync
    This has to happen on all of your client-machines

    $> atuin sync -f

Enjoy you newly created atuin-sync-heaven across multiple machines!

5 Likes
2

For some reason, I’m getting error 113 when I try to register a new user or sync (aka ‘push’ in this instance) my existing atuin data to the empty atuin postgres database on my server:

Error: error sending request for url (http://XXX.XXX.XX.XXX:8919/atuin/sync/status): error trying to connect: tcp connect error: No route to host (os error 113)

Caused by:
   0: error trying to connect: tcp connect error: No route to host (os error 113)
   1: tcp connect error: No route to host (os error 113)
   2: No route to host (os error 113)

I think the issues stems from me misconfiguring something or perhaps something has broken due to atuin reconfigurations?

Here are my results for the atuin.cfg on the server:

ATUIN_HOST="127.0.0.1" #I had changed this to my local IP address but it doesn't seem to make a difference
ATUIN_PORT=8919
ATUIN_OPEN_REGISTRATION=true
ATUIN_DB_URI="postgres://atuin:supersecretpassword@127.0.0.1/atuin"  #I had changed this to my local IP address but it doesn't seem to make a difference

And here it the altered config line for the server:

sync_address = "http://XXX.XXX.XX.XXX:8919/atuin"

I know that the above aren’t working because of the error msg, and also because the atuin postgres db is empty when I query it w/ sudo -u atuin psql &

Potentially related: pgsql didn’t work for me.

  • I had to first install postgresql on debian and then run sudo -u postgres psql
  • Additionally, I didn’t use a reverse proxy since I’m using LAN-only. Not sure if I still need /atuin after sync address as a result?
  • Disabled ufw to ensure that there was no conflict w/ my firewall.

Please let me know if you have any suggestions!

3

When postgres is setup correctly and you start the atuin server via systemctl start atuin, the required tables are created in the database.

Thus, if your database does not have any tables, something is wrong with your postgres setup. In this case, check the /var/log/atuin/atuin.log. It should give you some info as to what went wrong.

If you are not using a reverse proxy, the sync address in your client config should be:

sync_address = "http://XXX.XXX.XX.XXX:8919
1 Like