- Infrastructure Components
- Application Details
- Key Features
- Quick Start
- Monitoring
- Security
| Service | Purpose | Key Features |
|---|---|---|
| Amazon ECS | Container orchestration platform | Fargate serverless, auto-scaling, health checks |
| Amazon ECR | Private Docker registry | Vulnerability scanning, lifecycle policies, secure access |
| ECS Service | Manages container deployment | Rolling updates, desired count management |
| Amazon EFS | Persistent file storage for Gitea data | Encrypted at rest, mounted into the container at `/data` |
| Amazon RDS PostgreSQL | Managed database backend for Gitea | Encrypted at rest, SSL-only connections from the application |
**AWS Systems Manager Parameter Store**

Centralized storage, encrypted as SecureString parameters, for:
- Database credentials
- API keys and secrets
- Application configuration
- Environment variables
**Traffic Flow:**

```text
Internet → Route 53 → Application Load Balancer → ECS Containers
                                   ↓
                      SSL Certificate (ACM) → HTTPS Encryption
```

- Application Load Balancer: health checks, traffic distribution, TLS termination
- AWS Certificate Manager: holds the certificate the ALB serves (ACM renews only certificates it issued; an imported self-signed certificate must be rotated by hand)
- Route 53: DNS management with failover capabilities
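The traffic path above, written out as Terraform. This is an added example, not the project's `gitea-alb` module: it shows the HTTP to HTTPS redirect, an HTTPS listener restricted to TLS 1.2/1.3 with the self-signed certificate the page describes later (imported into ACM), an IP-mode target group for the Fargate task on port 3000, the Route 53 alias, and the security-group rule that keeps port 3000 reachable only from the ALB. The variable names, certificate file paths, and the `/api/healthz` health-check path are assumptions.

```hcl
# Added example (not the project's gitea-alb module). Variables, cert paths and
# the health-check path are assumptions.

variable "vpc_id"            { type = string }
variable "zone_id"           { type = string }       # assumed: Route 53 hosted zone for pp.ua
variable "public_subnet_ids" { type = list(string) }
variable "alb_sg_id"         { type = string }       # assumed: security group on the ALB
variable "task_sg_id"        { type = string }       # assumed: security group on the Gitea task ENI

resource "aws_acm_certificate" "gitea" {
  # Imported, not ACM-issued: ACM will not renew it, and the private key is
  # written into Terraform state, so protect the state backend accordingly.
  private_key      = file("${path.module}/certs/gitea.key") # assumed path
  certificate_body = file("${path.module}/certs/gitea.crt") # assumed path
}

resource "aws_lb" "gitea" {
  name               = "gitea-alb"
  load_balancer_type = "application"
  security_groups    = [var.alb_sg_id]
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "gitea" {
  name        = "gitea"
  port        = 3000
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks register by ENI address, not by instance ID
  vpc_id      = var.vpc_id
  health_check {
    path    = "/api/healthz" # Gitea's health endpoint (assumed enabled)
    matcher = "200"
  }
}

# Port 80 exists only to bounce clients to HTTPS; nothing is served in clear text.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.gitea.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.gitea.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2 and 1.3 only
  certificate_arn   = aws_acm_certificate.gitea.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.gitea.arn
  }
}

resource "aws_route53_record" "gitea" {
  zone_id = var.zone_id
  name    = "my-gitea.pp.ua"
  type    = "A"
  alias {
    name                   = aws_lb.gitea.dns_name
    zone_id                = aws_lb.gitea.zone_id
    evaluate_target_health = true
  }
}

# The container speaks plain HTTP on 3000, so allow that port only from the
# ALB's security group, never from 0.0.0.0/0.
resource "aws_security_group_rule" "task_from_alb" {
  type                     = "ingress"
  security_group_id        = var.task_sg_id
  from_port                = 3000
  to_port                  = 3000
  protocol                 = "tcp"
  source_security_group_id = var.alb_sg_id
}
```

Because the certificate is self-signed, browsers will warn and `git` will refuse to clone over HTTPS until the certificate (or its CA) is added to the client's trust store; `http.sslVerify=false` is the wrong fix.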
**Gitea**

Runtime Environment:

```yaml
Platform: ECS Fargate
Port: 3000 (HTTP; TLS terminates at the ALB)
Database: PostgreSQL with SSL
Storage: EFS mounted at /data
Authentication: Parameter Store secrets
```
Features:

- ✅ Git over HTTPS
- ✅ Web interface
- ✅ Issue tracking
- ✅ Pull requests
- ✅ SSH

**Jenkins CI/CD**

Infrastructure:

```yaml
Instance: EC2 t3.medium (Ubuntu 22.04)
Container: Jenkins LTS in Docker
Backup: Automated daily S3 sync
```

Capabilities:

- ✅ Docker-in-Docker builds
- ✅ ECR integration
- ✅ AWS CLI access
- ✅ Automatic restoration
**Prerequisites**

```bash
# Required tools
terraform --version   # >= 1.0
aws --version         # AWS CLI installed and configured with credentials for the target account
```

**1. Deploy S3 Storage (Jenkins Backups)**

```bash
cd jenkins-s3/
terraform init
terraform plan
terraform apply
```

**2. Deploy Gitea Infrastructure**

```bash
cd ../gitea/
terraform init
terraform plan
terraform apply
# Note: creates ECR, ECS, EFS, RDS and IAM roles
```

**3. Deploy Load Balancer & SSL**

```bash
cd ../gitea-alb/
terraform init
terraform plan
terraform apply
# Outputs: DNS name and HTTPS URL
```

**4. Deploy Jenkins CI/CD**

```bash
cd ../jenkins-ec2/
terraform init
terraform plan
terraform apply
# Outputs: Jenkins URL and SSH command
```

**Access**

| Service | URL | Purpose |
|---|---|---|
| Gitea | https://my-gitea.pp.ua | Git hosting & web interface |
| Jenkins | http://jenkins-gitea.pp.ua:8080 | CI/CD pipeline management |

Note that Jenkins is reached over plain HTTP on port 8080, so its login credentials and session cookies cross the network unencrypted; restrict the instance's security group to trusted source addresses, or put it behind TLS the same way Gitea is.
**Monitoring Stack:**

- Container Insights: ECS cluster metrics
- Log Groups: centralized application logs
- Health Checks: ALB target health monitoring
- Custom Metrics: database performance insights

Metrics tracked:

- ECS service CPU/memory utilization
- RDS connection count and query performance
- EFS throughput and IOPS
- ALB response times and error rates
| Layer | Security Measures |
|---|---|
| Network | VPC isolation, Security Groups, Private subnets |
| Data | Encryption at rest (EFS, RDS, S3), SSL/TLS in transit |
| Access | IAM roles, least privilege principle, no hardcoded secrets |
| Container | Private ECR, vulnerability scanning, non-root users |
All sensitive data is stored in AWS Systems Manager Parameter Store:
- Database credentials (encrypted)
- Application secrets and API keys
- SSL certificates and domain configuration
Built with ❤️ using AWS + Terraform + Open Source

This infrastructure follows AWS Well-Architected Framework principles.
This infrastructure project provisions a complete AWS-based environment for running Gitea (a self-hosted Git service) and Jenkins (a CI/CD automation server) using Terraform. It includes container orchestration, persistent storage, secret management, backups, and secure public access via HTTPS.
| Component | Purpose |
|---|---|
| ECS | Runs the Gitea container using AWS Fargate |
| ECR | Stores the custom Gitea container image |
| EFS | Provides persistent, encrypted storage for Gitea |
| RDS | PostgreSQL backend for Gitea database |
| S3 | Stores Jenkins backups, versioned and encrypted |
| IAM | Grants EC2 and ECS access to needed services (S3, ECR, etc.) |
| Parameter Store | Holds all Gitea secrets and credentials securely |
| ALB + ACM | Public HTTPS access to Gitea via a load balancer and a self-signed certificate imported into ACM (clients will warn until they trust it) |
| Route 53 | DNS zone management and custom domain routing |
| EC2 | Runs the Jenkins server via Docker, initialized via user_data |
- Gitea runs inside a container defined in `task-definition.json`, hosted on ECS Fargate.
- Application data is mounted via EFS, ensuring a persistent `/data`.
- Secrets like DB credentials and admin account info are securely pulled from SSM Parameter Store.
- Public access is managed via Application Load Balancer (ALB) with:
  - Automatic HTTP → HTTPS redirection
  - Self-signed SSL certificate imported into ACM (ACM cannot issue self-signed certificates and will not auto-renew an imported one)
- Domain mapping via Route 53
- Jenkins runs in a Docker container on an EC2 instance, provisioned with:
- SSH access
- Docker and AWS CLI pre-installed
- Automatic restore from S3 if backup is available
- Daily backups are uploaded to S3, versioned and encrypted
- EC2 instance uses an IAM role with permissions to read/write S3 and access ECR
Secrets are stored under the `/gitea/` namespace and injected into the Gitea container at runtime:
- Database host, user, password
- Admin username, password, email
- Security keys (e.g. `SECRET_KEY`, `INSTALL_LOCK`)
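How the injection described above is expressed in a Fargate task definition, as an added example that is not the project's own `task-definition.json`. The point it makes is the split of roles: the ECS *execution* role resolves the `secrets` entries at task start and needs `ssm:GetParameters` (plus `kms:Decrypt` when the parameters use a customer-managed key), while the application's task role needs no SSM rights at all. The parameter names under `/gitea/`, the `gitea_image` and `ssm_kms_key_arn` variables, and the Gitea environment-variable mapping are assumptions.

```hcl
# Added example (not the project's task-definition.json). Parameter names,
# the image variable and the KMS key variable are assumptions.

variable "gitea_image"     { type = string } # assumed: ECR image URI for the Gitea container
variable "ssm_kms_key_arn" { type = string } # assumed: CMK encrypting the SecureString parameters

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  ssm_prefix = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/gitea"

  # Gitea reads GITEA__<section>__<KEY> from the environment; the parameter
  # names on the right are assumed.
  gitea_secrets = {
    GITEA__database__HOST         = "db_host"
    GITEA__database__USER         = "db_user"
    GITEA__database__PASSWD       = "db_password"
    GITEA__security__SECRET_KEY   = "secret_key"
    GITEA__security__INSTALL_LOCK = "install_lock"
  }
}

# The execution role is what resolves `secrets`; it is distinct from the task
# role the application runs under, so application code never holds ssm:* rights.
resource "aws_iam_role" "gitea_execution" {
  name = "gitea-ecs-execution"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "gitea_execution_base" {
  role       = aws_iam_role.gitea_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Least privilege: only parameters under /gitea/, and only the key that protects them.
resource "aws_iam_role_policy" "gitea_execution_secrets" {
  name = "gitea-read-parameters"
  role = aws_iam_role.gitea_execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["ssm:GetParameters"], Resource = "${local.ssm_prefix}/*" },
      { Effect = "Allow", Action = ["kms:Decrypt"],       Resource = var.ssm_kms_key_arn },
    ]
  })
}

resource "aws_ecs_task_definition" "gitea" {
  family                   = "gitea"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512
  memory                   = 1024
  execution_role_arn       = aws_iam_role.gitea_execution.arn

  container_definitions = jsonencode([{
    name         = "gitea"
    image        = var.gitea_image
    portMappings = [{ containerPort = 3000, protocol = "tcp" }]

    # Non-secret settings go in `environment`; anything here is visible to
    # whoever can call ecs:DescribeTaskDefinition.
    environment = [
      { name = "GITEA__database__DB_TYPE",  value = "postgres" },
      { name = "GITEA__database__SSL_MODE", value = "require" },
    ]

    # `secrets` are fetched by the ECS agent at task start and never stored in
    # the task definition; valueFrom must be an SSM parameter or Secrets Manager ARN.
    secrets = [
      for env_name, param in local.gitea_secrets : {
        name      = env_name
        valueFrom = "${local.ssm_prefix}/${param}"
      }
    ]
  }])
}
```

A quick check after `terraform apply`: `aws ecs describe-task-definition --task-definition gitea` should show the parameter ARNs under `secrets` and no credential values under `environment`; if a password appears there, it was put in the wrong list.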
- Bucket: `my-jenkins-storage`, used to store and version Jenkins backup data
- Public access is fully blocked
- Server-side encryption is enforced with AES256
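The bucket controls listed above, plus the EC2 instance-role permissions mentioned earlier for the Jenkins host, as an added example rather than the project's `jenkins-s3` or `jenkins-ec2` code. Beyond the page's three settings it adds a bucket policy that turns "enforced" into something a misconfigured client cannot bypass: uploads without the `AES256` encryption header and any request over plain HTTP are denied. The `gitea_ecr_repository_arn` variable is an assumption, as is the decision to give the instance role no `s3:DeleteObject`.

```hcl
# Added example (not the project's jenkins-s3 / jenkins-ec2 modules).

variable "gitea_ecr_repository_arn" { type = string } # assumed: ARN of the Gitea ECR repository

resource "aws_s3_bucket" "jenkins_backups" {
  bucket = "my-jenkins-storage"
}

resource "aws_s3_bucket_public_access_block" "jenkins_backups" {
  bucket                  = aws_s3_bucket.jenkins_backups.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Default encryption silently covers objects written without a header; the
# policy makes a wrong --sse flag or a plain-HTTP client fail loudly instead.
data "aws_iam_policy_document" "jenkins_backups" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.jenkins_backups.arn, "${aws_s3_bucket.jenkins_backups.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
  statement {
    sid       = "DenyUnencryptedUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.jenkins_backups.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals" # also matches when the header is absent
      variable = "s3:x-amz-server-side-encryption"
      values   = ["AES256"]
    }
  }
}

resource "aws_s3_bucket_policy" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  policy = data.aws_iam_policy_document.jenkins_backups.json
}

# Instance-role policy for the Jenkins host: this bucket only, and one ECR repo.
# Attach it with aws_iam_role_policy to the role behind the instance profile.
data "aws_iam_policy_document" "jenkins_instance" {
  statement {
    actions   = ["s3:ListBucket", "s3:GetBucketVersioning"]
    resources = [aws_s3_bucket.jenkins_backups.arn]
  }
  statement {
    # No s3:DeleteObject: a compromised Jenkins cannot erase its own backups;
    # versioning keeps overwritten copies recoverable.
    actions   = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"]
    resources = ["${aws_s3_bucket.jenkins_backups.arn}/*"]
  }
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"] # this action does not support resource-level scoping
  }
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
    ]
    resources = [var.gitea_ecr_repository_arn]
  }
}
```

With the `DenyUnencryptedUploads` statement in place, the daily backup job has to run as `aws s3 sync ... --sse AES256`; a sync without that flag is rejected, which is the intended failure mode.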
- All services are deployed in `us-east-1`
- Default VPC and subnets are used for quick setup (the default VPC's subnets are public, so security groups are the only thing keeping the EC2 instance and the Fargate tasks off the internet; lock them down to the ALB and to trusted SSH sources)
- Jenkins can be accessed at `http://<EC2_PUBLIC_IP>:8080` (or http://jenkins-gitea.pp.ua:8080 once the Route 53 record points at the instance)
- Gitea is available at https://my-gitea.pp.ua