- 🧩 Infrastructure Components
- 🔧 Application Details
- ✨ Key Features
- 🚀 Quick Start
- 📊 Monitoring
- 🔒 Security
| Service | Purpose | Key Features |
|---|---|---|
| Amazon ECS | Container orchestration platform | Fargate serverless, auto-scaling, health checks |
| Amazon ECR | Private Docker registry | Vulnerability scanning, lifecycle policies, secure access |
| ECS Service | Manages container deployment | Rolling updates, desired count management |
🗄️ Amazon EFS

🐘 Amazon RDS PostgreSQL
AWS Systems Manager Parameter Store
Centralized, encrypted storage for:
- Database credentials
- API keys and secrets
- Application configuration
- Environment variables
Traffic Flow:

```text
Internet → Route 53 → Application Load Balancer → ECS Containers
                                   ↓
                    SSL Certificate (ACM) → HTTPS Encryption
```
- Application Load Balancer: Health checks, traffic distribution
- AWS Certificate Manager: Automated SSL certificate management
- Route 53: DNS management with failover capabilities
Runtime Environment:

```text
Platform:       ECS Fargate
Port:           3000 (HTTP)
Database:       PostgreSQL with SSL
Storage:        EFS mounted at /data
Authentication: Parameter Store secrets
```

Features:

- ✅ Git over HTTPS
- ✅ Web interface
- ✅ Issue tracking
- ✅ Pull requests
- ✅ SSH

Infrastructure:

```text
Instance:  EC2 t3.medium (Ubuntu 22.04)
Container: Jenkins LTS in Docker
Backup:    Automated daily S3 sync
```

Capabilities:

- ✅ Docker-in-Docker builds
- ✅ ECR integration
- ✅ AWS CLI access
- ✅ Automatic restoration
```bash
# Required tools
terraform --version   # >= 1.0
aws --version         # AWS CLI configured
```
1️⃣ Deploy S3 Storage (Jenkins Backups)

```bash
cd jenkins-s3/
terraform init
terraform plan
terraform apply
```

2️⃣ Deploy Gitea Infrastructure

```bash
cd ../gitea/
terraform init
terraform plan
terraform apply
# Note: Creates ECR, ECS, EFS, RDS, IAM roles
```

3️⃣ Deploy Load Balancer & SSL

```bash
cd ../gitea-alb/
terraform init
terraform plan
terraform apply
# Outputs: DNS name and HTTPS URL
```

4️⃣ Deploy Jenkins CI/CD

```bash
cd ../jenkins-ec2/
terraform init
terraform plan
terraform apply
# Outputs: Jenkins URL and SSH command
```
| Service | URL | Purpose |
|---|---|---|
| Gitea | https://my-gitea.pp.ua | Git hosting & web interface |
| Jenkins | http://jenkins-gitea.pp.ua:8080 | CI/CD pipeline management |
Monitoring Stack:

- 📈 Container Insights: ECS cluster metrics
- 📋 Log Groups: Centralized application logs
- 🚨 Health Checks: ALB target health monitoring
- 📊 Custom Metrics: Database performance insights

Key metrics tracked:

- ECS service CPU/Memory utilization
- RDS connection count and query performance
- EFS throughput and IOPS
- ALB response times and error rates
| Layer | Security Measures |
|---|---|
| Network | VPC isolation, Security Groups, Private subnets |
| Data | Encryption at rest (EFS, RDS, S3), SSL/TLS in transit |
| Access | IAM roles, least privilege principle, no hardcoded secrets |
| Container | Private ECR, vulnerability scanning, non-root users |
All sensitive data is stored in AWS Systems Manager Parameter Store:
- Database credentials (encrypted)
- Application secrets and API keys
- SSL certificates and domain configuration
Built with ❤️ using AWS + Terraform + Open Source
This infrastructure follows AWS Well-Architected Framework principles
This infrastructure project provisions a complete AWS-based environment for running Gitea (a self-hosted Git service) and Jenkins (a CI/CD automation server) using Terraform. It includes container orchestration, persistent storage, secret management, backups, and secure public access via HTTPS.
| Component | Purpose |
|---|---|
| ECS | Runs the Gitea container using AWS Fargate |
| ECR | Stores the custom Gitea container image |
| EFS | Provides persistent, encrypted storage for Gitea |
| RDS | PostgreSQL backend for Gitea database |
| S3 | Stores Jenkins backups, versioned and encrypted |
| IAM | Grants EC2 and ECS access to needed services (S3, ECR, etc.) |
| Parameter Store | Holds all Gitea secrets and credentials securely |
| ALB + ACM | Public HTTPS access to Gitea via a load balancer and a self-signed cert |
| Route 53 | DNS zone management and custom domain routing |
| EC2 | Runs the Jenkins server via Docker, initialized via user_data |
- Gitea runs inside a container defined in `task-definition.json`, hosted on ECS Fargate.
- Application data is mounted via EFS, ensuring a persistent `/data` volume.
- Secrets like DB credentials and admin account info are securely pulled from SSM Parameter Store.
- Public access is managed via Application Load Balancer (ALB) with:
  - Automatic HTTP → HTTPS redirection
  - Self-signed SSL certificate provisioned via ACM
  - Domain mapping via Route 53
- Jenkins runs in a Docker container on an EC2 instance, provisioned with:
  - SSH access
  - Docker and AWS CLI pre-installed
  - Automatic restore from S3 if a backup is available
- Daily backups are uploaded to S3, versioned and encrypted
- The EC2 instance uses an IAM role with permissions to read/write S3 and access ECR
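The HTTP → HTTPS redirect and TLS termination described in the ALB bullets above, as an added Terraform example that is not part of the project's `gitea-alb/` module. `aws_lb.gitea` and `aws_acm_certificate.gitea` are hypothetical resources assumed to exist elsewhere, `var.vpc_id` is an assumed variable, and the health check assumes Gitea's `/api/healthz` endpoint.

```hcl
# Added example, not the project's code. aws_lb.gitea and aws_acm_certificate.gitea
# are hypothetical resources defined elsewhere; var.vpc_id is an assumed variable.

# Port 80 never serves content: every request gets a permanent redirect to HTTPS,
# preserving host, path and query string.
resource "aws_lb_listener" "gitea_http" {
  load_balancer_arn = aws_lb.gitea.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Port 443 terminates TLS with the ACM certificate under a TLS 1.2/1.3-only policy,
# then forwards plain HTTP to the Gitea task on port 3000 inside the VPC.
resource "aws_lb_listener" "gitea_https" {
  load_balancer_arn = aws_lb.gitea.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.gitea.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.gitea.arn
  }
}

# Fargate (awsvpc) tasks register by IP. The health check hits Gitea's own
# health endpoint so the ALB only routes to containers that are actually up.
resource "aws_lb_target_group" "gitea" {
  name        = "gitea"
  port        = 3000
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = var.vpc_id

  health_check {
    path    = "/api/healthz"
    matcher = "200"
  }
}
```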
Secrets are stored under the `/gitea/` namespace and injected into the Gitea container at runtime:
- Database host, user, password
- Admin username, password, email
- Security keys (e.g. `SECRET_KEY`, `INSTALL_LOCK`)
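How parameters under the `/gitea/` namespace reach the container without appearing in plaintext anywhere in the task definition, as an added Terraform example rather than the project's own `task-definition.json`. The execution role `aws_iam_role.gitea_execution`, the repository `aws_ecr_repository.gitea` and the individual parameter names below `/gitea/` (`db_host`, `db_user`, `db_password`) are assumptions.

```hcl
# Added example, not the project's task definition. aws_iam_role.gitea_execution and
# aws_ecr_repository.gitea are hypothetical resources defined elsewhere.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  # Every Gitea secret lives under one namespace, so the role can be scoped to it.
  ssm_prefix = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/gitea"
}

# Only the task *execution* role (used by the ECS agent to start the task) reads the
# parameters; the application's own task role gets no SSM access at all.
# SecureStrings under a customer-managed KMS key would additionally need kms:Decrypt.
resource "aws_iam_role_policy" "gitea_exec_read_ssm" {
  name = "gitea-read-parameters"
  role = aws_iam_role.gitea_execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameters"]
      Resource = ["${local.ssm_prefix}/*"]
    }]
  })
}

resource "aws_ecs_task_definition" "gitea" {
  family                   = "gitea"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "512"
  memory                   = "1024"
  execution_role_arn       = aws_iam_role.gitea_execution.arn
  container_definitions = jsonencode([{
    name         = "gitea"
    image        = "${aws_ecr_repository.gitea.repository_url}:latest"
    portMappings = [{ containerPort = 3000, protocol = "tcp" }]
    # Non-sensitive settings are plain environment variables ...
    environment = [{ name = "GITEA__database__DB_TYPE", value = "postgres" }]
    # ... but anything sensitive is a `secrets` entry: the agent resolves the
    # parameter at launch, so the value never appears in the task definition.
    secrets = [
      { name = "GITEA__database__HOST",         valueFrom = "${local.ssm_prefix}/db_host" },
      { name = "GITEA__database__USER",         valueFrom = "${local.ssm_prefix}/db_user" },
      { name = "GITEA__database__PASSWD",       valueFrom = "${local.ssm_prefix}/db_password" },
      { name = "GITEA__security__SECRET_KEY",   valueFrom = "${local.ssm_prefix}/SECRET_KEY" },
      { name = "GITEA__security__INSTALL_LOCK", valueFrom = "${local.ssm_prefix}/INSTALL_LOCK" },
    ]
  }])
}
```

The `GITEA__section__KEY` names are Gitea's documented convention for mapping environment variables onto `app.ini` sections, so no configuration file with secrets has to be baked into the image.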
- Bucket: `my-jenkins-storage`
- Used to store and version Jenkins backup data
- Public access is fully blocked
- Server-side encryption is enforced with AES256
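The bucket controls listed above expressed in Terraform, as an added example that is not the project's own `jenkins-s3/` configuration. It goes one step beyond the list by also denying any request that does not arrive over TLS, matching the "SSL/TLS in transit" row of the security table.

```hcl
# Added example, not the project's code. Bucket name taken from the README.
resource "aws_s3_bucket" "jenkins_backups" {
  bucket = "my-jenkins-storage"
}

# All four public-access switches on: no public ACLs, no public policies,
# and any pre-existing public grant is ignored.
resource "aws_s3_bucket_public_access_block" "jenkins_backups" {
  bucket                  = aws_s3_bucket.jenkins_backups.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning keeps prior backups recoverable if a bad sync overwrites them.
resource "aws_s3_bucket_versioning" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption: every object is stored with SSE-S3 (AES256) even if the
# uploading client does not ask for it.
resource "aws_s3_bucket_server_side_encryption_configuration" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Refuse any plaintext-HTTP access so the backups are also encrypted in transit.
resource "aws_s3_bucket_policy" "jenkins_backups" {
  bucket = aws_s3_bucket.jenkins_backups.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.jenkins_backups.arn, "${aws_s3_bucket.jenkins_backups.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```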
- All services are deployed in `us-east-1`
- Default VPC and subnets are used for quick setup
- Jenkins can be accessed at [http://<EC2_PUBLIC_IP>:8080](http://jenkins-gitea.pp.ua:8080)
- Gitea is available at https://my-gitea.pp.ua