- Diun monitors Docker images
- Automated updates for nginx, manual approval for gitea/postgres
- Weekly cert renewal automation via cron
- Health checks with automatic rollback on failure
- AWS SES email notifications on update failures
- Daily S3 backups + pre-update snapshots
- Integration tests with Gitea Actions quality gate
- Change domain from gitea.poll-streams.com to git.poll-streams.com
- Add diagrams
Network Architecture Diagram
This diagram shows the VPC network design, subnets, and security group rules.
```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#e5e7eb','primaryTextColor':'#111827','primaryBorderColor':'#9ca3af','lineColor':'#111827','secondaryColor':'#d1d5db','tertiaryColor':'#f3f4f6','edgeLabelBackground':'#ffffff','mainBkg':'#f5f5f4','nodeBorder':'#9ca3af','background':'#f5f5f4','clusterBkg':'transparent'},'themeCSS':'.node rect, .node circle, .node ellipse, .node polygon, .node path { filter: none !important; box-shadow: none !important; } .cluster rect { filter: none !important; box-shadow: none !important; } svg { background-color: #f5f5f4 !important; } .cluster-label { background-color: #ffffff !important; padding: 6px 12px !important; border-radius: 4px !important; font-size: 16px !important; font-weight: 700 !important; box-shadow: 0 1px 3px rgba(0,0,0,0.12) !important; border: 1px solid #d1d5db !important; } .edgePath, .edgePath path, .flowchart-link { z-index: 1 !important; }'}}%%
graph TB
    Internet([Internet])
    IGW[Internet Gateway]
    subgraph VPC["VPC 10.0.0.0/16"]
        IGW
        subgraph PublicSubnet["Public Subnet 10.0.1.0/24"]
            EC2[EC2 Instance<br/>Docker Host]
        end
        subgraph SG["Security Group: EC2"]
            direction TB
            SGRules["Inbound:<br/>- 22 SSH from Admin IP<br/>- 80 HTTP from 0.0.0.0/0<br/>- 443 HTTPS from 0.0.0.0/0<br/><br/>Outbound:<br/>- All traffic"]
        end
    end
    Internet -->|HTTPS/HTTP| IGW
    IGW --> PublicSubnet
    EC2 -.->|Protected by| SG
    style VPC fill:#e5e7eb,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style PublicSubnet fill:#d1d5db,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style SG fill:#f3f4f6,stroke:#6b7280,stroke-width:1px,stroke-dasharray: 5 5
    style EC2 fill:#10B981,stroke:#333,stroke-width:1px,color:#fff
    style IGW fill:#6366F1,stroke:#333,stroke-width:1px,color:#fff
    style SGRules fill:#EF4444,stroke:#333,stroke-width:1px,color:#fff
```
Network Components
VPC Configuration
- CIDR Block: 10.0.0.0/16 (65,536 IP addresses)
- Region: Single AWS region
- DNS Hostnames: Enabled
- DNS Resolution: Enabled
Subnets
- Public Subnet: 10.0.1.0/24 (256 IP addresses)
  - Auto-assign public IP: Enabled
  - Contains: EC2 instance
  - Route table: Routes to Internet Gateway
Internet Gateway
- Attached to VPC
- Enables internet access for resources in public subnet
Security Groups
EC2 Security Group:
- Inbound Rules:
  - Port 22 (SSH): From admin IP only (for management)
  - Port 80 (HTTP): From 0.0.0.0/0 (redirects to HTTPS, ACME challenge)
  - Port 443 (HTTPS): From 0.0.0.0/0 (Gitea web access)
  - Port 2222 (Git SSH): From 0.0.0.0/0 (Git push/pull via SSH)
- Outbound Rules:
  - All traffic: To 0.0.0.0/0 (for updates, backups to S3, Secrets Manager)
Security Considerations
- SSH Access: Restricted to specific admin IP address (your IP)
- HTTP/HTTPS: Open to internet (required for Gitea web access)
- Git SSH: Port 2222 exposed for Git operations over SSH
- No Direct Gitea HTTP Access: Port 3000 not exposed; only nginx on 80/443
- Outbound: Allowed for Docker image pulls, package updates, S3 backups, AWS API calls
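An added example, not part of the original repository: a Python check that compares a security group's inbound rules with the policy listed above (22 from the admin IP only; 80, 443 and 2222 public; nothing else, including 3000). It assumes the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function name, the sample rules and the 203.0.113.7/32 admin address are constructed for illustration.

```python
import ipaddress

# Policy taken from the inbound rules documented above.
PUBLIC_PORTS = {80, 443, 2222}   # may be reachable from any source
ADMIN_ONLY_PORTS = {22}          # must be limited to the admin address

# Constructed sample: the four documented rules plus two deviations.
ADMIN_CIDR = "203.0.113.7/32"    # placeholder admin address (assumption)
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def audit_ingress(ip_permissions, admin_cidr):
    """Return one finding per rule source that is wider than the policy."""
    admin = ipaddress.ip_network(admin_cidr)
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            findings.append(f"protocol {proto} is not in the documented rules")
            continue
        # "-1" means every protocol and port; FromPort/ToPort are absent then.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            in_admin = net.version == admin.version and net.subnet_of(admin)
            for port in range(lo, hi + 1):   # a range exposes every port in it
                if port in PUBLIC_PORTS or (port in ADMIN_ONLY_PORTS and in_admin):
                    continue
                findings.append(f"{proto} {lo}-{hi} from {cidr}: port {port} is outside policy")
                break
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE, ADMIN_CIDR):
        print(finding)
```

Rules whose source is another security group (`UserIdGroupPairs`) are not evaluated by this check.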
Traffic Flow
- User request → Internet → Internet Gateway
- Internet Gateway → Public Subnet → EC2 instance
- Security Group inspects and allows traffic on ports 80/443
- Nginx receives request, terminates SSL, proxies to Gitea