This is a guide on how to set up the atuin server component. I will use a local database and a service user under which atuin will run.
Create the database and user
Type psql as the postgres user:
CREATE USER atuin WITH ENCRYPTED PASSWORD 'supersecretpassword';
CREATE DATABASE atuin WITH OWNER = atuin;
\c atuin
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;
Create the OS user to run atuin
The following steps in this guide must be run as the user root or invoked with sudo:
useradd -r -d /var/lib/atuin -s /sbin/nologin -c "user for atuin" atuin
Create the config file for atuin
mkdir /etc/atuin
chown atuin:atuin /etc/atuin
chmod 750 /etc/atuin
cat > /etc/atuin/atuin.cfg <<EOF
ATUIN_HOST="127.0.0.1"
ATUIN_PORT=8888
ATUIN_OPEN_REGISTRATION=true
ATUIN_DB_URI="postgres://atuin:supersecretpassword@127.0.0.1/atuin"
EOF
chown atuin:atuin /etc/atuin/atuin.cfg
chmod 640 /etc/atuin/atuin.cfg
Create the log directory
Even though atuin runs as the user atuin, systemd creates the log file as root, thus it is only necessary to lock down the log directory so that it is not world readable.
mkdir /var/log/atuin
chown atuin:atuin /var/log/atuin
chmod 750 /var/log/atuin
Create the systemd file
cat > /etc/systemd/system/atuin.service <<EOF
[Unit]
Description=atuin
After=network.target postgresql.service
Requires=postgresql.service
# Remove postgresql.service above, if database is remote
[Service]
Type=simple
User=atuin
Group=atuin
EnvironmentFile=/etc/atuin/atuin.cfg
WorkingDirectory=/etc/atuin
Environment=HOME="/etc/atuin"
ExecStart=/usr/sbin/atuin server start
StandardOutput=append:/var/log/atuin/atuin.log
StandardError=append:/var/log/atuin/atuin.log
Restart=on-failure
RestartSec=3
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable atuin.service
systemctl start atuin.service
Instead of setting the HOME env var in the systemd unit file, it is also possible to set ATUIN_CONFIG_DIR, either as an Environment directive or in the EnvironmentFile.
Set up an Apache reverse proxy (sublocation)
Setting up a reverse proxy is a simple step, but crucial, if you want to run a service that faces the Internet.
It is possible for the server component to handle TLS itself, but unless you set up the server in a private network (home or company), using a reverse proxy is more convenient and most likely the only viable option.
As an added bonus, you can terminate the TLS connection on the reverse proxy.
Add the following 2 directives to the config of the server or virtual server:
ProxyPass /atuin http://localhost:8888
ProxyPassReverse /atuin http://localhost:8888
Attention: You must not set the ATUIN_PATH in the atuin server config. This will only result in a 404 error when accessing the sublocation.
RPM Package
I’ve also created an RPM package that does all the above steps, except creating the database and the database user.
Fedora (current release, x86_64)
The atuin-server package is built for the current release of Fedora, but may also be available for the previous release.
It also creates an atuin user/group and a systemd service.
The PostgreSQL server has to be set up separately, as well as the database for atuin.
dnf config-manager --add-repo https://evermeet.cx/pub/repo/fedora/evermeet.repo
dnf install atuin-server
How-To Sync Your Clients
The following section was written by @MacSlow, who was also kind enough to proofread my guide. Here goes a big thank-you to MacSlow.
Get your client-machines sync’ing
Once you have your sync-server up and running, do the following steps to register, login and sync from any client-machine you wish to sync to your atuin sync-server.
Note: be sure you have a line like ATUIN_OPEN_REGISTRATION=true on your sync-server in file /etc/atuin/atuin.cfg. You can set that to false after registration, if you want, and keep things closed to others. Once you change that config-file you have to stop and start atuin via systemd on your server-machine for the changes to take effect.
On all of your client-machines, check that you have a line like sync_address = "https://joes.server.org/atuin" in ~/.config/atuin/config.toml.
Get your encryption-key
On one of your client-machines obtain atuin’s encryption-key with (this can only be done after registration and login):
$> atuin key
a bunch of random words are the key
Write down whatever atuin prints, or add it to your password manager. You will need this very encryption key once you log in from other client-machines.
Register, login & sync
Now you are good to go to follow these steps:
- Register
  You have to do this only once from any one of your client-machines:
  $> atuin register
  Registering for an Atuin Sync account
  Please enter username: joe.doe.average
  Please enter email: joe.doe@example.org
  Please enter password:
- Login
  This has to happen on all client machines, except where you registered. Registering automatically logs you in.
  $> atuin login
  Please enter username: joe.doe.average
  Please enter password:
  Please enter encryption key [blank to use existing key file]:
- Sync
  This has to happen on all of your client-machines:
  $> atuin sync -f
Enjoy your newly created atuin-sync-heaven across multiple machines!
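Once all clients are registered, the server-side settings from this guide can be re-checked in one pass. The script below is an added example, not part of the original guide or of atuin itself: the function names are made up here, it assumes GNU stat (as on Fedora), and it only reads the paths and keys the guide created.

```shell
#!/bin/sh
# Added example: audit the server setup from this guide. Function names are
# invented here; paths, keys and modes are the ones the guide uses.

# Print the value of KEY from an EnvironmentFile-style config, quotes stripped.
cfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Succeed only if PATH is owned by OWNER and grants nothing to "others".
owner_only() {
    oo_stat=$(stat -c '%U %a' "$1" 2>/dev/null) || return 1
    [ "${oo_stat% *}" = "$2" ] || return 1
    case "${oo_stat#* }" in *0) return 0 ;; *) return 1 ;; esac
}

# audit_atuin CFG LOGDIR OWNER: print findings, return how many there were.
audit_atuin() {
    au_cfg=$1 au_log=$2 au_owner=$3 au_n=0
    au_fail() { echo "FAIL: $1"; au_n=$((au_n + 1)); }

    # atuin.cfg holds the database password in ATUIN_DB_URI.
    owner_only "$au_cfg" "$au_owner" ||
        au_fail "$au_cfg must be owned by $au_owner and closed to others"
    owner_only "$au_log" "$au_owner" ||
        au_fail "$au_log must be owned by $au_owner and closed to others"

    # The reverse proxy terminates TLS; the plain-HTTP port must stay on loopback.
    case "$(cfg_value "$au_cfg" ATUIN_HOST)" in
        127.0.0.1|::1|localhost) ;;
        *) au_fail "ATUIN_HOST is not a loopback address" ;;
    esac

    # Open registration lets anyone who can reach the URL create an account.
    [ "$(cfg_value "$au_cfg" ATUIN_OPEN_REGISTRATION)" = "true" ] &&
        au_fail "ATUIN_OPEN_REGISTRATION is still true"

    return "$au_n"
}

# Run as: sh audit.sh /etc/atuin/atuin.cfg /var/log/atuin atuin
if [ "$#" -eq 3 ]; then audit_atuin "$@"; fi
```

The exit status is the number of findings, so 0 means the config file, log directory, bind address and registration setting all match the guide.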