From 5ca2b6f473ad6e516ff2e09f55f7b0afc8d298d1 Mon Sep 17 00:00:00 2001
From: Pim Kunis <pim@kunis.nl>
Date: Wed, 12 Jun 2024 23:14:55 +0200
Subject: [PATCH] Add Atuin service

---
 kubenix-modules/all.nix     |  1 +
 kubenix-modules/atuin.nix   | 99 +++++++++++++++++++++++++++++++++++++
 kubenix-modules/volumes.nix |  2 +
 secrets/sops.yaml           |  7 ++-
 4 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 kubenix-modules/atuin.nix

diff --git a/kubenix-modules/all.nix b/kubenix-modules/all.nix
index 52f4bf5..196271e 100644
--- a/kubenix-modules/all.nix
+++ b/kubenix-modules/all.nix
@@ -17,6 +17,7 @@ let
     ./dnsmasq.nix
     ./blog.nix
     ./attic.nix
+    ./atuin.nix
     # ./argo.nix
     # ./minecraft.nix
   ];
diff --git a/kubenix-modules/atuin.nix b/kubenix-modules/atuin.nix
new file mode 100644
index 0000000..75a630a
--- /dev/null
+++ b/kubenix-modules/atuin.nix
@@ -0,0 +1,99 @@
+{
+  kubernetes.resources = {
+    secrets.atuin.stringData = {
+      databasePassword = "ref+sops://secrets/sops.yaml#/atuin/databasePassword";
+      databaseURL = "ref+sops://secrets/sops.yaml#/atuin/databaseURL";
+    };
+
+    deployments.atuin = {
+      metadata.labels.app = "atuin";
+
+      spec = {
+        selector.matchLabels.app = "atuin";
+
+        strategy = {
+          type = "RollingUpdate";
+
+          rollingUpdate = {
+            maxSurge = 0;
+            maxUnavailable = 1;
+          };
+        };
+
+        template = {
+          metadata.labels.app = "atuin";
+
+          spec = {
+            volumes = {
+              data.persistentVolumeClaim.claimName = "atuin";
+              db.persistentVolumeClaim.claimName = "atuin-db";
+            };
+
+            containers = {
+              atuin = {
+                image = "ghcr.io/atuinsh/atuin:18.3.0";
+                imagePullPolicy = "Always";
+                ports.web.containerPort = 8888;
+                args = [ "server" "start" ];
+
+                env = {
+                  ATUIN_HOST.value = "0.0.0.0";
+                  ATUIN_PORT.value = "8888";
+                  ATUIN_OPEN_REGISTRATION.value = "false";
+
+                  ATUIN_DB_URI.valueFrom.secretKeyRef = {
+                    name = "atuin";
+                    key = "databaseURL";
+                  };
+                };
+
+                volumeMounts = [{
+                  name = "data";
+                  mountPath = "/config";
+                }];
+              };
+
+              database = {
+                image = "postgres:14";
+                ports.web.containerPort = 5432;
+
+                env = {
+                  POSTGRES_DB.value = "atuin";
+                  POSTGRES_USER.value = "atuin";
+
+                  POSTGRES_PASSWORD.valueFrom.secretKeyRef = {
+                    name = "atuin";
+                    key = "databasePassword";
+                  };
+                };
+
+                volumeMounts = [{
+                  name = "db";
+                  mountPath = "/var/lib/postgresql/data";
+                }];
+              };
+            };
+          };
+        };
+      };
+    };
+
+    services.atuin.spec = {
+      selector.app = "atuin";
+
+      ports.web = {
+        port = 80;
+        targetPort = "web";
+      };
+    };
+  };
+
+  lab.ingresses.atuin = {
+    host = "atuin.kun.is";
+
+    service = {
+      name = "atuin";
+      portName = "web";
+    };
+  };
+}
diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix
index c167a89..9231b7c 100644
--- a/kubenix-modules/volumes.nix
+++ b/kubenix-modules/volumes.nix
@@ -26,6 +26,8 @@
       attic.storage = "15Gi";
       attic-db.storage = "150Mi";
       immich-test.storage = "10Gi";
+      atuin.storage = "600Mi";
+      atuin-db.storage = "100Mi";
     };
 
     nfsVolumes = {
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index 53cf8fd..cfa011b 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
@@ -20,6 +20,9 @@ attic:
     jwtToken: ENC[AES256_GCM,data:bEf5v8KhIgyKqyjYOzBmJrZ71GagXqOTH+I3J0Iu+Q3X6XUbGxjwW5/RT3AuJAJ+Owp1Uyk26FmEuurYChG13rBWZ0R85MeMBb2sZ/Q22TXeBxRwzq4Izg==,iv:VlIhxGE8I8W+UFyDLnhUxDzf/us95H86V2FLbsKMSGw=,tag:ynz5eNuxkAl35qzcDNzoAw==,type:str]
     databaseURL: ENC[AES256_GCM,data:GZcr8hRVIDwhKKwzHygydXAuJpQjKjN95GK+oqb33QgS5HW647+J5wGXxYan9II6iC0N3oSi36cJIkwIjLr9SJhRcjCkdsCZfNrGmT+F9SqUIi8=,iv:HerbEz1oPCE1F1etWHpFkSvulGRU97KPTcrZauIZQNM=,tag:/UXgWvnmCexvxwQONnmATg==,type:str]
     databasePassword: ENC[AES256_GCM,data:AZXZyNJ6tGG3OU9CgC+bj43471Q=,iv:DoTSTIMLFi1+U7lvkix+QM8tP1tR0TtxuZRKlBneYek=,tag:+zk8TJRUzk9tNYXGLWIN2w==,type:str]
+atuin:
+    databaseURL: ENC[AES256_GCM,data:sE9zT6iwrsZB42nGd3fQtdIJqW/QE1qqgBtqHRsNfqm1+0Pvhc9VwIP9wchHlL7n030iRE8=,iv:pAXhb+W5FrWZabgULdMtosdvA7KAQJ2D5nqLUzLax9M=,tag:l8C8yj+m8Ic97qbHAsA2vg==,type:str]
+    databasePassword: ENC[AES256_GCM,data:Xyrn5LYgQ0/XvoHwAqKe9EPQxNk=,iv:wN5msdAPuVxMCkGYKag+Ppj65rQCHHjNwDH17+HTPVs=,tag:M1rjzLsEqJ9qe24RQs+FMA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -44,8 +47,8 @@ sops:
             cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI
             zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-25T15:16:16Z"
-    mac: ENC[AES256_GCM,data:YMLsRN83mAm+nwi4tgEXHb2TPOel35/q3wLaxhv8lk+yPBiYra+oyGs/dlr6IgTtAGvjN9DM7Uvxng14Ya3l/NHx8ZpmArsnInAqmc4NRfowgB6ITuL4q4eU/XJjfuQNGl3xrrwgAZQJo8UGNc+mEmQMaykAvl03N5WMVaqFyQ0=,iv:SseCh1H76cwjvYD+Mqg/eMt9vJq0BLAhvMftoa8a+mc=,tag:Ochp8CYbtuSJCjdHvhoY3A==,type:str]
+    lastmodified: "2024-06-12T20:30:18Z"
+    mac: ENC[AES256_GCM,data:isinf4VigAI6UMTbaTxD/OxQSftK+EC5sJ4Kx8S1yOAmi1RPaKwpHLlrTq4Ah1beF91Q6BonObYyx3viJ0wq0KWnL+U064RBmFiQlHR7XeIzGv/YJA1jrqWI0VKMpG8cQkHtQf1LI1HsHI3SUw53reHAMX+5m+YkIz+mRNYWxoE=,iv:gCG0Ww2Fm/C4HOKYUqTCm9plt+DscWQWwvnpMAg614Q=,tag:a6s1pl5voaONf507XpGZbQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1