atuinsh · skymoore · Jul 1, 2025
diff --git a/deploy/base/config/atuin.env b/deploy/base/config/atuin.env
@@ -0,0 +1,3 @@
+ATUIN_HOST=0.0.0.0
+ATUIN_PORT=8888
+ATUIN_OPEN_REGISTRATION=true
diff --git a/deploy/base/deployment.yaml b/deploy/base/deployment.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: atuin
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: atuin
+          image: ghcr.io/atuinsh/atuin:latest
+          args:
+            - server
+            - start
+          envFrom:
+            - configMapRef:
+                name: atuin
+            - secretRef:
+                name: atuin
+          ports:
+            - containerPort: 8888
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: 8888
+            failureThreshold: 30
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8888
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 8888
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 250m
+              memory: 1Gi
+            requests:
+              cpu: 250m
+              memory: 1Gi
+          volumeMounts:
+            - mountPath: /config
+              name: atuin-data
+      volumes:
+        - name: atuin-data
+          emptyDir: {}
diff --git a/deploy/base/kustomization.yaml b/deploy/base/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: atuin
+
+labels:
+  - pairs:
+      app: atuin
+    includeSelectors: true
+
+configMapGenerator:
+  - name: atuin
+    envs:
+      - config/atuin.env
+
+secretGenerator:
+  - name: atuin
+    envs:
+      - secrets/atuin.env
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
diff --git a/deploy/base/namespace.yaml b/deploy/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: atuin
diff --git a/deploy/base/secrets/atuin.env b/deploy/base/secrets/atuin.env
@@ -0,0 +1 @@
+ATUIN_DB_URI=postgres://atuin:seriously-insecure@postgres/atuin
diff --git a/deploy/base/service.yaml b/deploy/base/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: atuin
+spec:
+  type: ClusterIP
+  ports:
+    - name: atuin
+      port: 8888
+      targetPort: 8888
diff --git a/deploy/overlays/example/config/atuin.env b/deploy/overlays/example/config/atuin.env
@@ -0,0 +1,3 @@
+ATUIN_HOST=0.0.0.0
+ATUIN_PORT=8888
+ATUIN_OPEN_REGISTRATION=false
diff --git a/deploy/overlays/example/ingress.yaml b/deploy/overlays/example/ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: atuin
+  annotations:
+    haproxy.org/server-crt: atuin-domain-tld-cert-tls
+    cert-manager.io/cluster-issuer: some-issuer
+spec:
+  ingressClassName: haproxy
+  tls:
+    - hosts:
+        - atuin.domain.tld
+      secretName: atuin-domain-tld-cert-tls
+  rules:
+    - host: atuin.domain.tld
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: atuin
+                port:
+                  number: 8888
diff --git a/deploy/overlays/example/kustomization.yaml b/deploy/overlays/example/kustomization.yaml
@@ -0,0 +1,44 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: atuin
+
+labels:
+  - pairs:
+      app: atuin
+    includeSelectors: true
+
+configMapGenerator:
+  - name: atuin
+    behavior: replace
+    envs:
+      - config/atuin.env
+
+patches:
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: atuin
+  - patch: |-
+      - op: replace
+        path: /spec/template/spec/volumes/0
+        value:
+          name: atuin-data
+          persistentVolumeClaim:
+            claimName: atuin-data
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/0/subPath
+        value: atuin/config
+    target:
+      kind: Deployment
+      name: atuin
+
+resources:
+  - ../../base
+  - nfs-pv.yml
+  - nfs-pvc.yml
+  - ingress.yaml
+  - serviceaccount.yaml
+  - secrets.yaml
diff --git a/deploy/overlays/example/nfs-pv.yml b/deploy/overlays/example/nfs-pv.yml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: atuin-data
+  annotations:
+    pv.kubernetes.io/provisioned-by: nfs.csi.k8s.io
+spec:
+  accessModes:
+    - ReadWriteMany
+  capacity:
+    storage: 10Mi
+  storageClassName: nfs-csi
+  claimRef:
+    namespace: atuin
+    name: atuin-data
+  csi:
+    driver: nfs.csi.k8s.io
+    # volumeHandle format: {nfs-server-address}#{sub-dir-name}#{share-name}
+    # make sure this value is unique for every share in the cluster
+    volumeHandle: some-nfs-server.domain.tld#atuin#/srv/nfs/k8s
+    volumeAttributes:
+      server: some-nfs-server.domain.tld
+      share: /srv/nfs/k8s
diff --git a/deploy/overlays/example/nfs-pvc.yml b/deploy/overlays/example/nfs-pvc.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: atuin-data
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Mi
+  volumeName: atuin-data
+  storageClassName: nfs-csi
diff --git a/deploy/overlays/example/secrets.yaml b/deploy/overlays/example/secrets.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: atuin
+spec:
+  provider:
+    vault:
+      server: https://some.vault.com
+      path: kv
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: k8s-mount-path
+          role: atuin
+          serviceAccountRef:
+            name: atuin
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: atuin
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: atuin
+    kind: SecretStore
+  target:
+    name: atuin
+    creationPolicy: Owner
+  data:
+    - secretKey: ATUIN_DB_URI
+      remoteRef:
+        key: atuin
+        property: ATUIN_DB_URI
diff --git a/deploy/overlays/example/secrets/bao-config.sh b/deploy/overlays/example/secrets/bao-config.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+export VAULT_TOKEN="some-vault-token"
+export VAULT_ADDR="https://some.vault.com"
+
+bao policy write atuin - <<EOF
+path "kv/data/atuin" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+bao write auth/k8-rwx-dev/role/atuin \
+    bound_service_account_names=atuin \
+    bound_service_account_namespaces=atuin \
+    policies=atuin \
+    ttl=24h
+
+bao kv put kv/atuin @secret.json
diff --git a/deploy/overlays/example/secrets/secret.json b/deploy/overlays/example/secrets/secret.json
@@ -0,0 +1,3 @@
+{
+   "ATUIN_DB_URI": "postgres://atuin:seriously-insecure@postgres/atuin"
+}
diff --git a/deploy/overlays/example/serviceaccount.yaml b/deploy/overlays/example/serviceaccount.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: atuin
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ATUIN_DB_URI=postgres://atuin:seriously-insecure@postgres/atuin