Guide: How-To Setup An Atuin Server

This is a guide how to setup the atuin server component. I will use a local database and a service user under which atuin will run.

Create the database and user

Type pqsql as the postgres user:

CREATE USER atuin WITH ENCRYPTED PASSWORD 'supersecretpassword';

CREATE DATABASE atuin WITH OWNER = atuin;

\c atuin
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;

Create the OS user to run atuin

The following steps in this guide must be run as the user root or invoked with sudo:

useradd -r -d /var/lib/atuin -s /sbin/nologin -c "user for atuin" atuin

Create the config file for atuin

mkdir /etc/atuin
chown atuin:atuin /etc/atuin
chmod 750 /etc/atuin

cat > /etc/atuin/atuin.cfg <<EOF
ATUIN_HOST="127.0.0.1"
ATUIN_PORT=8888
ATUIN_OPEN_REGISTRATION=true
ATUIN_DB_URI="postgres://atuin:supersecretpassword@127.0.0.1/atuin"
EOF

chown atuin:atuin /etc/atuin/atuin.cfg
chmod 640 /etc/atuin/atuin.cfg

Create the log directory

Even though atuin runs as the user atuin, systemd creates the log file as root, thus it is only necessary to lock down the log directory so that it is not world readable.

mkdir /var/log/atuin
chown atuin:atuin /var/log/atuin
chmod 750 /var/log/atuin

Create the systemd file

cat > /etc/systemd/system/atuin.service <<EOF
[Unit]
Description=atuin
After=network.target postgresql.service
Requires=postgresql.service
# Remove postgresql.service above, if database is remote

[Service]
Type=simple
User=atuin
Group=atuin
EnvironmentFile=/etc/atuin/atuin.cfg
WorkingDirectory=/etc/atuin
Environment=HOME="/etc/atuin"
ExecStart=/usr/sbin/atuin server start
StandardOutput=append:/var/log/atuin/atuin.log
StandardError=append:/var/log/atuin/atuin.log
Restart=on-failure
RestartSec=3
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload

systemctl enable atuin.service
systemctl start atuin.service

Instead of setting the HOME env var in the systemd unit file, it is also possible to set ATUIN_CONFIG_DIR. Either also as Environment directive or in the EnvironmentFile.

Setup an Apache reverse proxy (sublocation)

Setting up a reverse proxy is a simple step, but crucial, if you want to run a service that faces the Internet.
It is possible for the server component to handle TLS itself, but unless you setup the server in a private network (home or company), using a reverse proxy is more convenient and most likely the only viable option.
As an added bonus, you can terminate the TLS connection on the reverse proxy.

Add the following 2 directives to the config of the server or virtual server:

ProxyPass          /atuin   http://localhost:8888
ProxyPassReverse   /atuin   http://localhost:8888

Attention: You must not set the ATUIN_PATH in the atuin server config. This will only result in a 404 error, when accessing the sublocation.

RPM Package

I’ve also created an RPM package that does all the above steps, except creating the database and the database user.

Fedora (current release, x86_64)

The atuin-server package is built for the current release of Fedora, but may also be available for the previous release.
It also creates an atuin user/group and a systemd service.
The PostgreSQL server has to be setup seperately, as well as the database for atuin.

dnf config-manager --add-repo https://evermeet.cx/pub/repo/fedora/evermeet.repo
dnf install atuin-server

How-To Sync Your Clients

The following section was written by @MacSlow, who was also kind enough to proofread my guide. Here goes a big :tada: :+1: to MacSlow.

Get your client-machines sync’ing

Once you have your sync-server up and running, do the following steps to register, login and sync from any client-machine you wish to sync to your atuin sync-server.

Note: be sure you have a line like ATUIN_OPEN_REGISTRATION=true on your sync-server in file /etc/atuin/atuin.cfg. You can set that to false after registration, if you want and keep things closed to others. Once you change that config-file you have to stop and start atuin via systemd on your server-machine for the changes to take effect. On all of your client-machines, check that you have a line like sync_address = "https://joes.server.org/atuin" in ~/.config/atuin/config.toml.

Get your encryption-key

On one of your client-machines obtain atuin’s encryption-key with (this can only be done after registration and login):

$> atuin key 
a bunch of random words are the key

Write whatever atuin prints out down or add to your password manager. You will need this very encryption key once you login from other client-machines.

Register, login & sync

Now you are good to go to follow these steps:

  1. Register
    You have to do this only once from any one of your client-machines:

    $> atuin register
    Registering for an Atuin Sync account
    Please enter username: joe.doe.average
    Please enter email: joe.doe@example.org
    Please enter password:
    
  2. Login
    This has to happen on all client machines, except where you registered. Registering automatically logs you in.

    $> atuin login
    Please enter username: joe.doe.average
    Please enter password:
    Please enter encryption key [blank to use existing key file]:
    
  3. Sync
    This has to happen on all of your client-machines

    $> atuin sync -f
    

Enjoy you newly created atuin-sync-heaven across multiple machines!

4 Likes