# AWS Infrastructure Diagram
This diagram shows the high-level AWS resources and their relationships.
```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#e5e7eb','primaryTextColor':'#111827','primaryBorderColor':'#9ca3af','lineColor':'#111827','secondaryColor':'#d1d5db','tertiaryColor':'#f3f4f6','edgeLabelBackground':'#ffffff','mainBkg':'#f5f5f4','nodeBorder':'#9ca3af','background':'#f5f5f4','clusterBkg':'transparent'},'themeCSS':'.node rect, .node circle, .node ellipse, .node polygon, .node path { filter: none !important; box-shadow: none !important; } .cluster rect { filter: none !important; box-shadow: none !important; } svg { background-color: #f5f5f4 !important; } .cluster-label { background-color: #ffffff !important; padding: 6px 12px !important; border-radius: 4px !important; font-size: 16px !important; font-weight: 700 !important; box-shadow: 0 1px 3px rgba(0,0,0,0.12) !important; border: 1px solid #d1d5db !important; } .edgePath, .edgePath path, .flowchart-link { z-index: 1 !important; }'}}%%
graph TB
Internet([Internet/Users])
Route53["Route 53<br/>DNS"]
EC2["EC2 Instance<br/>Docker Host + Runners"]
S3[("S3 Bucket<br/>Backups")]
Secrets["AWS Secrets Manager<br/>DB/Admin Credentials"]
IAM["IAM Role<br/>EC2 Permissions"]
Internet -->|HTTPS| Route53
Route53 -->|DNS Resolution| EC2
EC2 -->|Backup Upload| S3
EC2 -->|Fetch Credentials| Secrets
IAM -.->|Attached to| EC2
EC2 -->|Update Runner Token| Secrets
subgraph AWS["AWS Account"]
subgraph VPC["VPC"]
EC2
end
Route53
S3
Secrets
IAM
end
style AWS fill:#e5e7eb,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
style VPC fill:#d1d5db,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
style EC2 fill:#10B981,stroke:#333,stroke-width:1px,color:#fff
style S3 fill:#F97316,stroke:#333,stroke-width:1px,color:#fff
style Route53 fill:#6366F1,stroke:#333,stroke-width:1px,color:#fff
style Secrets fill:#8B5CF6,stroke:#333,stroke-width:1px,color:#fff
style IAM fill:#F59E0B,stroke:#333,stroke-width:1px,color:#fff
```
## Components
- **Route 53**: DNS service that points the domain to the EC2 instance
- **EC2 Instance**: Single VM running Docker containers + 2 Gitea Actions runners (systemd services)
- **S3 Bucket**: Storage for database and application backups (with versioning)
- **AWS Secrets Manager**: Stores DB credentials, admin credentials, SES SMTP credentials, runner tokens
- **IAM Role**: EC2 instance profile granting the instance S3 access and Secrets Manager read/update permissions
- **VPC**: Isolated network containing the EC2 instance
## Traffic Flow
1. User accesses `git.poll-streams.com`
2. Route 53 resolves to EC2 public IP
3. Request hits EC2 (nginx terminates SSL and proxies to Gitea)
4. EC2 regularly backs up data to S3
5. Ansible fetches credentials from Secrets Manager during deployment
6. Gitea generates a runner token via its API, which is stored back in Secrets Manager
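The IAM Role component and flow steps 4 to 6 together define exactly what the instance profile needs: write backups to S3, read credentials, and update the runner-token secret. The Python below is an added example (not part of this repository) that builds a policy scoped to those three edges and lints a policy document for wildcard grants; the bucket name and secret ARNs are constructed placeholders.

```python
import json

# Constructed placeholders; the real bucket name and ARNs come from the deployment.
BACKUP_BUCKET = "example-gitea-backups"
CREDENTIAL_SECRET_ARNS = [
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:gitea/db-AbCdEf",
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:gitea/admin-GhIjKl",
]
RUNNER_TOKEN_SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:gitea/runner-token-MnOpQr"


def instance_profile_policy(bucket: str, read_arns: list[str], runner_token_arn: str) -> dict:
    """Policy limited to the three EC2 edges in the diagram."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # EC2 --> S3 "Backup Upload": write only, no list/get/delete
                "Sid": "BackupUpload", "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {   # EC2 --> Secrets "Fetch Credentials": read the named secrets only
                "Sid": "FetchCredentials", "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": read_arns + [runner_token_arn],
            },
            {   # EC2 --> Secrets "Update Runner Token": write one secret only
                "Sid": "UpdateRunnerToken", "Effect": "Allow",
                "Action": ["secretsmanager:PutSecretValue"],
                "Resource": runner_token_arn,
            },
        ],
    }


def over_broad_grants(policy: dict) -> list[str]:
    """Return the Sids of Allow statements that use a wildcard action or resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(instance_profile_policy(BACKUP_BUCKET, CREDENTIAL_SECRET_ARNS, RUNNER_TOKEN_SECRET_ARN), indent=2))
```

Run `over_broad_grants` against the policy actually attached to the instance role to confirm it has not drifted toward `secretsmanager:*` or `Resource: "*"`.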